E- security measures all to easy to breach

Two of Britain's biggest companies are failing to take e-commerce security seriously, according to IT managers who have contacted...

Two of Britain's biggest companies are failing to take e-commerce security seriously, according to IT managers who have contacted computerweekly.com.

Antony Savvas

The complaints centre around BT Openworld's practice of including usernames and passwords in the same letter and on Lloyds TSB's failure to prevent its mailing house from posting e-banking usernames to the wrong address.

Retired IT manager Andrew Clarke complained to ADSL provider BT Openworld after receiving confirmation of his full registration and log-on details through the post in the same letter. The details were contained in an ordinary envelope printed with BT Openworld company logo.

More worrying for Clarke was the fact that he then received the same details in a letter notifying him of the date an engineer would visit to install the high-speed Internet access service, but the envelope was damaged.

The tear strip had been torn, suggesting it had already been opened. Because of the sensitive information contained in the correspondence, it would have been possible for anyone to hack into Clarke's electronic accounts and ADSL service.

Clarke said, "I have no idea why BT has to send clearly identifiable mail containing all my personal details with a password through the normal post.

As, like probably most people, I use the same password for things like electronic banking, my personal details along with the password could be used to gain access to my bank account."

Clarke continued, "I contacted the BT Openworld helpdesk and they could only say that what was sent out after registration was not their responsibility, which is totally unacceptable. They even put the phone down on me when I asked to speak to someone senior about it."

A BT Openworld spokesperson failed to return any calls before our deadline.

In a further incident, IT security expert Phil Cracknell was sent another customer's user ID for electronic banking by Lloyds TSB. Cracknell, who heads security at e-commerce integrator Scient.com, was sent a woman's user ID in the same envelope as his own. When he contacted the Lloyds TSB helpdesk they were dismissive of the security implications because the woman's user ID did not come with a password.

It did however come with her full name. Cracknell has since checked the bank's website, and discovered that the only details he would need to gain full access to the woman's account is her daytime phone number and her date of birth. Using them, he would be able to set up a different password for her account, which Lloyds allows users to do online when they've lost their existing one.

Cracknell said: "I have her user ID, and her full name. If I was to trace her and contact her I could pose as someone from the bank and easily get these remaining details from her, in return for giving her the user ID she needs to use the service."

A spokeswoman from the Lloyds TSB press office said the bank was not aware of this sort of mix-up happening before, and put the problem down to its mailing house. She added that if someone approached the bank equipped only with the user ID and asked for a password, they would be asked a number of personal questions to validate the request.

Read more on IT jobs and recruitment