Lloyds TSB plugs security gap at last

19 Oct 2000

A security hole in Lloyds TSB's internet banking service is finally to be fixed, nearly two months after a customer alerted the bank to the problem.

The hole was discovered in August by prominent IT services analyst Richard Holway, whose company is a Lloyds customer.

"The first thing I did was to telephone the customer care people, all the way up through these stupid lackeys giving me this party line that I could turn it off if I wished and that was up to me," he said.

"They only responded differently when I identified myself as an industry analyst."

Holway finally received a letter from Lloyds TSB, dated 13 October, saying that, after an investigation, the 'AutoSave Password' feature is to be disabled in its service.

The flaw occurs if the AutoSave Password feature on a customer's desktop is enabled. A cookie that stores the Lloyds TSB account username and password allows anyone with access to the PC to enter the account.

"After logging in once, the username and password were automatically remembered. In other words, anyone using my PC had unrestricted access to my account," said Holway.

The flaw is similar to one discovered by Barclays' online customers in August, whereby using a browser's back button after logging out still took customers back into the account, without the need for logging in again.

Barclays said at the time it was working on a process to automatically delete the cache after logging out, but a spokeswoman this week said this would not be done until the next website update, sometime before the end of the year.

"It is something we are developing, and it will go live with our next release of software," she said.

First published in Computing
