Further questions have been raised about how careful banks are with their online operations, after Morgan Stanley admitted today that it had to fix a loophole in its customer registration system that bypassed security checks and allowed immediate access to someone's account.
The UK bank was made aware of a vulnerability late yesterday afternoon that allowed someone immediate access - including moving funds - by typing just the first digit of their password. The bank managed to close the loophole within a few hours, but following a similar revelation by online bank Cahoot last week, concerns over the safety of online banking have resurfaced.
In one respect, the Morgan Stanley problem was far less serious than Abbey National's Cahoot, because it worked through password AutoComplete. A malicious attacker would need access to a machine the victim had used to access the bank and that user would have had to ask the machine to remember the password.
However, if a victim's laptop were stolen or even if someone sat down at their PC for a short while, the bug would have allowed a stranger to swiftly gain complete access to the victim's bank account. Likewise if someone accessed their account from a public PC, a strong risk that a future user could gain full access to an account would remain.
Cahoot's bug - which took 10 hours for the company to fix - enabled anyone to access someone's account simply by inputting their username. Cahoot said it took the site down immediately and said the problem had been caused by a system upgrade 12 days earlier.
Unlike Morgan Stanley though, Cahoot claimed that no one was able to move funds if they used the security hole. The reporter who covered the story admitted, however, that he did not attempt to move funds while the hole was still active.
A spokesperson for Morgan Stanley said it did not need to take the site down at any time: "It was a quick job, we just disabled AutoComplete."
The AutoComplete capability is cookie-based and thus specific to the computer from which the website was accessed. Nevertheless, Vik Desai, CEO of application security vendor Kavado, is just one person who is worried: "I was using a hotel kiosk to access my online account when on holiday, and they had a pop-up with spaces for username and password. However, the default setting was ‘Remember’, which had to be disabled to avoid someone else using them. Laptop theft would also be a real problem in this scenario."
The real error in this case is the bank’s, which should never have allowed AutoComplete functions to be accepted by its systems in the first place.