[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Tuesday, 9 November, 2004, 09:53 GMT
Bank moves to close web loophole
Credit card image
Morgan Stanley acted quickly to close the loophole
A security loophole at a bank allowed easy access to sensitive credit card information, the BBC has found.

The Morgan Stanley website allowed users to access account details after entering just the first digit of a credit card number.

The shortcut would only work if the account holder had set up the computer to automatically save passwords.

Password saving should not be available on financial websites and Morgan Stanley has now disabled the facility.

Shortcut

The problem came to light after a viewer contacted BBC breakfast.

If the fraud was not your fault and you took all reasonable precautions to avoid it, banks will generally reimburse users.

David Reece, from Cleveland, was shocked when he was able to log into his Morgan Stanley account online using only the first digit of his credit card.

"I could not believe it and thought maybe it was something I was doing wrong, a quirk in the system, but I tried it and tried it again...and the same thing happened," Mr Reece told the BBC.

Mr Reece was able to access his account, transfer money and even change his personal details as a result of setting up automatic password entry, a system called Autocomplete, on his computer.

Autocomplete allows computer users to shortcut security checks by saving data such as user id's and passwords.

However, the autocomplete system should not work on secure financial sites, according to guidelines issued by the Association for Payment Clearing Services (Apacs), the body that oversees the banking payments system.

When told of the loophole, technical staff at Morgan Stanley fixed the problem on Monday night.

The BBC contacted the majority of UK banks offering online accounts and found that none allowed Autocomplete.

Your comments:

If the user decides to set up auto-complete on their machine then it is their problem. The techniques to stop this working are far from watertight anyway. It is surely the users responsibility not safeguard their own usernames and passwords. If you don't want all your passwords stored in your machine, don't use auto-complete. Easy!
H Miller, Glasgow Scotland

What this means is that anyone using your own computer would be able to log-on to your bank account. If a criminal is sitting in your house, logged on to your personal computer, then his having access to your bank account is probably the least of your problems.
Andrew Ward, London, UK

I wouldn't touch internet banking. Secure connections are all very well, but there are too many stories about security breaches like this.
Andrew, UK

The only time this would be a problem is if you accessed your bank from a laptop and the laptop was subsequently stolen. That is why security professionals recommend that you don't use autocomplete on laptops.
Antony King, Sittingbourne, UK

The biggest risk from Autocomplete is not really from your own computer (unless it's stolen), but if you access your account from a public machine, like in a library or internet cafe, you could unwittingly leave the information for another user to get into your account. I think online banking is safe (apart from when companies do daft things like this!).
Mark, Shropshire

Internet banking is great, I use it all the time and find it very valuable, but I do think that consumers have to take some responsibility for their own security measures, our lack of common sense is not the banks fault.
Lorna, England

Internet banking is a great way forward and we all need to get familiar with this. Some people are not so familiar with computer setups and struggle to understand auto-complete etc. the real risk is people who have trojans on your computer and can remotely access info. That why this was a real problem.
Ash, London, UK

I use Internet Banking from both home and my office desk and would not dream of putting my log-in or password into any facility such as autocomplete.
David Faulks , North Lincolnshire.UK

I disagree that using autocomplete is the fault of the user. Not all users can be expected to understand the implications, or even how to disable it. Have you heard for example of the vbscript error that allows overwriting of the hosts table, seamlessly replacing your bank's website with a false one set up by criminals? Is it your fault if you haven't? The banks and software manufacturers should take responsibility for this.
Crispin, UK




BBC NEWS: VIDEO AND AUDIO
How the apparent security gap was discovered



RELATED INTERNET LINKS:
The BBC is not responsible for the content of external internet sites


PRODUCTS AND SERVICES

News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific