Security fears over Lloyds website flaw

A potential security flaw has been detected by a user of the personal banking website run by Lloyds Banking Group (LBG).

A potential security flaw has been detected by a user of the personal banking website run by Lloyds Banking Group (LBG).

After accessing the internet banking facility ran by LBG from a colleague's laptop, account holder Will Sturgeon moved on to access other websites, only to find that he could access this account again by hitting the Back button of the browser.

The issue was then flagged up by Sturgeon to a customer services representative at the bank, who allegedly said that LBG was dealing with "a lot of bugs" due to the transition from the old set-up onto a new platform that encompasses former HBOS customers.

The customer services agent then informed the customer that it could take "one or two weeks" for the issues to be fixed.

A spokeswoman at LBG said internet banking sessions only expire after nine minutes and added that the bank finds it is "helpful" to allow customers to resume their online banking activity after accessing another website.

"Lloyds TSB customers who navigate away from their internet banking session without logging off can press the back button and re-access their session. We encourage all of our customers to log off once they have finished their session, however if customers do not log-off they will be automatically timed out in nine minutes," the bank said in a statement.

"We are not aware of any fraud relating to our current process and customer feedback has indicated they are satisfied with this set-up," LBG said.

Nine minutes is a "very generous" time limit to log customers off automatically, said financial Services technology principal analyst at Ovum, Alex Kwiatkowski.

"There has been a large transformation going on at Lloyds, which predates the merger with HBOS. From a customer service standpoint, the goal is to make the experience several degrees better, but it seems that they have missed the trick here," said Kwiatkowski.

"Given the sensitivity of online banking, customers should ensure they have logged out from their sessions appropriately and particularly if they are not using their own computer. But it also means that if one gets a little distracted within that nine-minute timeframe, they could potentially expose their data and allow access to their account," he added.

According to Kwiatkowski, a possible way to reduce security threats would be to log customers off in a shorter amount of time - five minutes at the most, rather than nearly 10 minutes - or display warnings to customers that their session is still active and the remaining connection time.

"Such examples only place the emphasis on customers following the right procedures when using online banking to avoid potential risks."

Read more on IT risk management