Page last updated at 23:02 GMT, Friday, 16 October 2009 00:02 UK

Pin reminder security scrutinised

By Bob Howard
Reporter, Radio 4's Money Box

A system used by a High Street banking group to help customers who have forgotten their card Pin number has major security flaws, the BBC learns.

Lloyds TSB has told Radio 4's Money Box programme that it allows credit card customers to text requests for Pin reminders on any phone.

Security experts say this could allow fraudsters to order and intercept Pins.

Lloyds insisted it had adequate security measures in place to prevent fraudsters doing this.

'Stolen'

In order to request a Pin reminder, customers simply have to text 'PIN' and their card number to the bank. The phone does not have to have been registered with the bank for the purposes of telephone banking.

The customer immediately receives a reply text confirming the request, which says that if it is successful, the bank will send the Pin reminder to the customer's home address within three working days.

A Lloyds TSB customer called Malcolm, from Buckinghamshire, who did not want to give his full name, believed his Pin was stolen this way.

He said fraudsters recently used his credit card details to try and steal around £300.

The bank blocked the transactions, but he was shocked when staff explained to him how the thieves had apparently got hold of his Pin.

"They said a Pin reminder had been sent out to my cardholder's address which I did not request. If someone intercepts a bank statement, they can get your card number and they can request your Pin and they have everything they need to breach the security," he said.

Security measures

Steven Murdoch, an expert in chip and pin security at Cambridge University's Computer Lab, said there were various ways criminals could intercept people's mail in order to obtain Pins.

"They could set up a 'redirect' and temporarily redirect all your mail somewhere else," he said.

He added that the fraudsters could tell the bank they had moved house.

"The banks' fraud investigation teams really need to look into this carefully," he said.

Lloyds Banking Group insisted customers found its service helpful and convenient and it had no plans to change it.

"We have a wide range of security measures in place to ensure that the Pin is received safely by the cardholder. These include not sending the Pin if the phone that the request is received from has made multiple Pin requests in the past, if the card is reported lost or stolen, or if there has been a recent change of address on the account," a bank spokesman said.

"Unfortunately, fraudsters are sometimes able to intercept the post and if a customer suffers fraud on their account as a result of this type of fraud, we would always refund them in full."

Royal Bank of Scotland/Natwest, Barclays and the Co-op Bank said their customers must go through their normal telephone banking security system and identify themselves with passwords before they would send out Pin reminders.


