By Bob Howard
Reporter, Radio 4's Money Box
A system used by a High Street banking group to help customers who have forgotten their card Pin number has major security flaws, the BBC learns.
Lloyds TSB has told Radio 4's Money Box programme that it allows credit card customers to text requests for Pin reminders on any phone.
Security experts say this could allow fraudsters to order and intercept Pins.
Lloyds insisted it had adequate security measures in place to prevent fraudsters doing this.
In order to request a Pin reminder, customers simply have to text 'PIN' and their card number to the bank. The phone does not have to have been registered with the bank for the purposes of telephone banking.
The customer immediately receives a reply text confirming the request, which says that if it is successful the bank will send the Pin reminder to the customer's home address within three working days.
A Lloyds TSB customer called Malcolm, from Buckinghamshire, who did not want to give his full name, believed his Pin was stolen this way.
He said fraudsters recently used his credit card details to try to steal around £300.
The bank blocked the transactions, but he was shocked when staff explained to him how the thieves had apparently got hold of his Pin.
"They said a Pin reminder had been sent out to my cardholder's address which I did not request. If someone intercepts a bank statement, they can get your card number and they can request your Pin and they have everything they need to breach the security," he said.
Steven Murdoch, an expert in chip and Pin security at Cambridge University's Computer Lab, said there were various ways criminals could intercept people's mail in order to obtain Pins.
"They could set up a 'redirect' and temporarily redirect all your mail somewhere else," he said.
He added that the fraudsters could tell the bank they had moved house.
"The banks' fraud investigation teams really need to look into this carefully," he said.
Lloyds Banking Group insisted customers found its service helpful and convenient and it had no plans to change it.
"We have a wide range of security measures in place to ensure that the Pin is received safely by the cardholder. These include not sending the Pin if the phone that the request is received from has made multiple Pin requests in the past, if the card is reported lost or stolen, or if there has been a recent change of address on the account," a bank spokesman said.
"Unfortunately, fraudsters are sometimes able to intercept the post and if a customer suffers fraud on their account as a result of this type of fraud, we would always refund them in full."
Royal Bank of Scotland/Natwest, Barclays and the Co-op Bank said their customers must go through their normal telephone banking security system and identify themselves with passwords before they would send out Pin reminders.