[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Friday, 5 November, 2004, 13:23 GMT
Cahoot hit by web security scare
Cahoot website screen grab
Cahoot says it has fixed the problem
A security loophole at internet bank Cahoot briefly allowed customers to access other people's accounts, a BBC investigation has revealed.

The website, run by Abbey bank, was closed down for 10 hours on Thursday to carry out urgent repairs.

The site has now reopened and the bank says the problem, which was caused by a system upgrade, has been fixed.

Cahoot apologised for the breach, but said hackers would not have been able to move money between accounts.

The investigation, by BBC Breakfast, followed a tip-off from a viewer, who found he could access the site with only a user name.

I believe that we need to look closely at our processes
Tim Sawyer, head of Cahoot bank

Cahoot has 650,000 customers and was launched four years ago.

Tim Sawyer, head of Cahoot bank, said it needed to learn lessons from the security breach, which he said had been caused during a system upgrade 12 days ago.

"I believe that we need to look closely at our processes because this has not been our greatest moment," Mr Sawyer said.

"We did not fail as an organisation because there was no risk of financial loss, but we do need to learn lessons from this."

Data protection

Cahoot is likely to face an investigation from the Information Commissioner's Office, the organisation that oversees data protection.

A spokesman for the Information Commissioner told BBC News that by allowing customers to view other people's financial details, Cahoot had breached the Data Protection Act,

It could not confirm if it had received complaints from any banking customers, but said it would investigate if customers did complain.

"I'm sure people will get in touch and we would look into it to ensure it did not happen again," a spokesman said.

Net fears

Internet banking has become increasingly popular in recent years, with an estimated 12 million people now using the net to manage their financial affairs.

Cahoot's security breach is the latest glitch to hit internet banking.

Most recently, customers of HFC bank were furious after an e-mail error revealed their personal details to thousands of other people.

HFC bank sent "urgent" e-mails to 2,600 people but an error meant that each address was visible to everyone else on the list.

The problem was compounded when customers' "out-of-office" messages began to respond, many containing home and mobile telephone numbers.

The bank admitted it was in breach of data protection law and has credited affected people's accounts with 50 compensation.

Phishing menace

And over the past few years, UK banking customers have been targeted by a surge in "phishing" scams.

The scams are perpetrated by fraudsters who send random e-mails to internet users asking them to update their banking details for security reasons.

But the e-mails direct users to spoof websites - at times very convincing replicas of real banking websites - to harvest the details of the banking customer's password and pin.

If customers fall for the scam, the fraudsters can gain access to their bank accounts or use them to launder money.

Were you affected by the security loophole? Are you banking online - either with Cahoot or other banks? Tell us your experiences

I do all my banking via the internet and wouldn't have it any other way. If there were a way to pay cheques and cash in via the keyboard I would probably never set foot inside a bank again. I have a Cahoot account and this incident will not stop me using it or any other of my accounts. It would be interesting, though, to know the reason: bad programming, operating system flaw?
Keith Richardson, Southend-on-Sea, UK

I have been a long term customer of Cahoot and I am extremely disappointed with this news but pleased that the BBC highlighted it. As a Cahoot customer I am very disappointed that they offered no apology via email direct to their customers. I have always told friends and family how great online banking was and that it was as secure as telephone banking. However now I feel betrayed by Cahoot. Thanks to the BBC for highlighting the problem, I wonder how many other security loopholes in internet banking go undetected with no publication or apology?
Name withheld, Bristol

Um .. I'm a Cahoot customer and this is the first I've heard about it! I realised their site went down for maintenance on Thursday but I never received any communication from them informing me why or that there was a potential security risk. It annoys me that I have to rely on the media to inform me about security flaws with my own bank account.
Rich, UK

I bank with Cahoot and haven't noticed this when I've logged in over the last two weeks. Their upgrade supposedly improved their security by using drop down lists rather than keyboard entry to avoid keystrokes being recorded. It won't do a lot to inspire confidence in online banking although it won't stop me as their service is so convenient.
Andrew James, Maidstone, UK

I have banked with Cahoot for several years, and this incident will not change my opinion about the value of online banking. Potential security risks exist in all systems, online or not. I believe that details of my account are safer online than in paper statements posted by mail - think how regularly post is misdirected.

Being a Cahoot customer I find this security loophole very worrying. I am also a customer of a High street bank and was recently put through to someone else's bank details on telephone banking without even having to enter a password. I phoned the bank three times to inform them and didn't get an explanation, let alone an apology.
Rosie, London

I work in information security and for many years I have been using Internet banks for my personal banking. Of course there are risks but there are risks in all financial transactions. I would suggest that handing your Switch card to a waiter in a restaurant creates far more risk than Internet banking and, certainly, the convenience of on-line banking is well worth the risk posed by an occasional incident such as this at Cahoot.
Keith Cordon, Nottingham UK

I am a Cahoot customer and although I don't think this is a hugely serious security breach I am particularly aggrieved to have to find this out from the BBC rather than from Cahoot. I'd expect better than this from them.
Simon, UK

I may well have been affected by this but, of course, I've no way of knowing. It's quite astounding to me that Cahoot has not informed its own customers of this severe breach of privacy. There is not even a notice on the login page.
Tim Waugh, Guildford

They are not a small company looking after a local sailing club database
Tod Coates, Farnham, Surrey

Cahoot has so many security systems within the account that hackers may have been able to see how much - or indeed how little cash I had in my account, but they would never have been able to transfer money out of the account. Mind you if they fancied paying off my debts while they were in there then all well and good. I am happy with Cahoot's service and will not be changing because of a slight hiccup...
Richard Stokoe, London, UK

The bit I find worrying is that the upgrade was done 12 days ago and they only made changes yesterday, on the back of information received from an outside source. Where was the testing of this implementation /upgrade?! This would not stop me using internet banking though, as I feel I'm as much at risk using normal banking, with paper statements, cards being skimmed and so on. It would be nice to see some proper direction and accountability from banking institutions in cases like this, instead of informing customers through the media.
Name withheld, London

Internet banking is far more secure than telephone or even branch banking. Anyone who knows your date of birth, address and other basic facts can access phone banking. Last week my sister went into one of the big four banks to pay off my credit card. After giving just my name and address they gave her my credit card number. Also pure internet banks are much more secure than high street banks because it is their sole source of business.
Lee, London

Whilst Cahoot has been unlucky, these incidents occur frequently. However, the Banks respond immediately to any identified threat or risk. Online users are more at risk to "questionable" internet cafes around the world, that may be running "spyware software" which not only can capture all key strokes, but also take snap shots of the screen therefore capturing drop down lists etc. I would not recommend anyone to "online e-commerce" from a device they do not own or control.
Andy Brimson, London

I am concerned about the security of internet banking but would be reluctant to change. The service from the High Street banks is so poor now. My own bank doesn't open until 10 am on Wednesdays, has a tiny notice about this on its door and it happy to watch queues of customers gathering outside it's smart glass doors watching the staff have their team meeting.
Theresa, Hants

I've been a Cahoot customer since they opened and I'm staggered that they appear not to have made any attempt to mention this serious lapse to customers, let alone make an apology. It's unbelievable that such a simple flaw should get through to a live customer server - what kind of offline/pre-update testing did they do? Not much by the look of it... Not entirely confidence inspiring to say the least.
Nick Price, Oxfordshire

Cahoot as a bank is no exception. It was Sainsbury's vouchers a few days ago. As we move towards a streamline, use friendly, do-it-all, end to end technology lifestyle, this type of incident are inevitable. Technology is growing at a rapid rate, so are the number of variables on testing these applications. I would rather use the internet for my banking needs than spending hours in a queue and no where to park at most bank branches.
Name Withheld, Enfield London

Cahoot customers shouldn't be shaken by the potential security risk, more by the lack of feedback to them from Cahoot
Guy Wilshaw, Essex

I too am a Cahoot customer. Point 1: Yes, they have failed as an organisation if they allow such personal information to become public. Point 2: I work in I.T. and have no sympathies for them. They are not a small company looking after a local sailing club database; this is a national financial system used by a great many people and they should have caught any problems in testing.
Tod Coates, Farnham, Surrey

Cahoot need to urgently review their internal controls with regard to software upgrades and releases.
Tetsou, Essex

When receiving my new "chip and pin" card the bank sent me a "reminder" of my pin number. This means that the banks are keeping the PIN number in a retrievable form which is incredibly unsafe. Any IT system should store passwords using a one-way encryption algorithm. When I asked the bank about this security loophole they said that they were following standard industry practice. So the next time the bank tells you that no one can access your PIN number, they are probably not telling the truth.
Stuart Barlow, Edinburgh

I use Cahoot - and noticed the new login system when it went live. Apart from worse graphics, it is less secure. Now anyone watching me gets to find out two letters of my password every time I login. How stupid is that? Potentially if they see my login in five times, without doing anything they know my password. Not happy - considering leaving.
A Finlay, London

Although I do not use Cahoot, one thought that occurred to me this morning was that all the world's phishers & scammers would now target Cahoot customers with their emails. A reminder - if you receive an email purporting to come from Cahoot (or any online bank for that matter) asking you to go to a "new/revised" website and re-enter your username & password it is likely to be fraudulent and you should report it to the bank's Customer Service department ASAP.
Anthony Wallenda, London

This would most likely be caused by a flaw in the coding, causing the security set up to accidentally overlook the password requirement. Hence, the ability to enter just a user name. Despite flaws like this occurring, internet banking is harder to steal details from, and insanely safer than giving out a card after a meal out. Cahoot customers shouldn't be shaken by the potential security risk, more by the lack of feedback to them from Cahoot.
Guy Wilshaw, Essex

These security flaws aren't really a big deal. Any customer who is a victim of fraud will be fully-reimbursed. The only people who will suffer are Cahoot, as a result of customers going elsewhere due to the bad publicity.

The most annoying thing is not the security breach, these things happen whether online or in a high street branch, but that Cahoot have not apologised, or acknowledged this in any way, to their customers. An email to say "oops, sorry, we're working on it", followed by another "oops, sorry, we've fixed it", would go a long way to placate customers' worries. And it would cost next to nothing.
Anthony, Stockport

Cahoot seem to be suggesting that as it was not possible to transfer money out of accounts that no real harm was done. The fact that someone could see my bank and savings accounts with my address concerns me. When a systems upgrade takes place it is their duty to test the system before allowing access.
Darius, London

I do not use internet banking for the fear of my identity being stolen, even from my own home computer. The number of miscellaneous programs coming out every day is to great to risk it. I wonder how many people who use internet banking actually have antivirus/firewall/spy ware removal programs installed on their machines. I have them all installed and still from time to time some nasty thing manages to get in to my computer.
Alex, UK

Although disappointing that Cahoot did not inform its own customers this should not be an incident to dissuade people from switching to internet banking. The service provided by Cahoot is on a completely different level to the large high street banks who, quite frankly, will continue to take the apathetic public to the cleaners with the poor service, high charges and lack of flexibility. After 2 years with Cahoot I would never go back to a high street bank.
David, Cheshire

Your E-mail address
Town & Country

The BBC may edit your comments and not all emails will be published. Your comments may be published on any BBC media worldwide.

How the loophole was discovered

Q&A: Safe online banking
05 Nov 04 |  Business
E-mail scam hits MBNA customers
25 Feb 04 |  Technology
NatWest targeted by e-mail scam
09 Dec 03 |  Business
Lloyds TSB e-mail scam alert
24 Sep 03 |  Business
How to avoid the phishing bug
23 Jan 04 |  Technology


The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific