Lloyds Banking Group fixes HBOS security flaw that exposed customers' online banking records

Name, date of birth and the address were all it needed to get access to customers' accounts

Lloyds Banking Group has fixed a critical security flaw that could have exposed tens of thousands of customers' banking records, or been exploited to conduct identity theft or money laundering.

The flaw was discovered last week not by security experts, but by the finance website founded by Martin Lewis, MoneySavingExpert.com. Lloyds claims that it is now fixed.

"Worryingly, anyone who knew how to break in – and it didn't require any sophisticated computer knowledge – could have accessed bank, savings, credit card, loan or mortgage account numbers, balances and transactions," claims MoneySavingExpert managing editor Guy Anker.

"We delayed publication until HBOS told us the problem was fixed, and gave assurances the wider Lloyds group was unaffected. HBOS – which has reported the breach to the relevant authorities – says it is "confident" no customers were defrauded as a result. Following our intervention, it has overhauled how new customers apply online," he added.

According to Anker, attackers required only three pieces of information: a correct name, date of birth and postal address to set up a Halifax or Bank of Scotland savings or current account online. Answers to further questions during the account set-up did not need to be correct.

As soon as the account was set up, the user was granted instant access to it online, without a password or additional security, and able to link up all their other products with either Halifax or the Bank of Scotland.

Hence, with just three easily obtainable items of information, an attacker could gain access to their target's bank account. The organisation claims it was possible for attackers only to view account details and not transfer money or set up standing orders. It is not clear whether they were able to apply for credit in their targets' names.

"HBOS states at-risk accounts were those where a customer had a product(s) with either Halifax or Bank of Scotland (not both), and where a new application was made with the brand they didn't originally have an account with, ie, they were a Halifax customer and someone applied for a Bank of Scotland account in their name," according to Anker.

Investigations initially indicated that the glaring flaw has been running since at least January 2009, although the banking group since suggested that it was introduced only in 2013.

Lloyds Banking Group claims the flaw affected only its Halifax Bank of Scotland (HBOS) arm, and did not affect customers of Lloyds Bank, Birmingham Midshires and Scottish Widows.