A viewer told Breakfast about the problem with Cahoot's site
A Breakfast investigation has revealed a major security breach at the Abbey Bank's Cahoot website. After being contacted by a Breakfast viewer, our reporter Max Foster uncovered a loophole which meant customers could log in to other people's accounts using just a user-name and bypassing any security information.
The site was closed down temporarily and made safe by Cahoot yesterday. This major security breach was exposed when a Cahoot customer contacted BBC Breakfast.
He said he'd stumbled upon a way of getting into his account with just his username. He didn't put in his password and he skipped through the other security questions.
Max Foster investigates online banking
Our reporter Max Foster tried the same process on a friend's computer - and found he could access her Cahoot account details, too.
When Cahoot was informed yesterday, they closed the site down temporarily.
Engineers worked late into the night and tracked the loophole down to a system upgrade 12 days ago.
The company has apologised and added that if hackers had discovered the flaw they wouldn't have been able to move money between accounts.
How safe is online banking?
We talked to the head of Cahoot, Tim Sawyer.
Cahoot says money could not have been moved from accounts
"This was a serious matter, but for someone to get access to another Cahoot customer account, they would have needed the secure ID," he told Breakfast. "Even then a fraudster could not have done any financial transactions."
The glitch happened when Cahoot updated its software 12 days ago, he said:
"We have done a complete review of the site and we are confident there are no other issues."
Breakfast talked to Sandra Quinn of the bank clearing service APACS. "The good news is that there's nothing to worry about," she told us. "Cahoot did the right thing. They closed down the site and made sure that the problem was fixed."
How to avoid online fraud
The biggest threat to your online bank account is replying to a fake e-mail, according to Ken Clayton of internet security firm Ref Tech Services.
You should never give your bank details in an e-mail, any more than you'd hand over your house keys to a stranger.
And, you should never follow a link to a bank from an e-mail, in case it's a fake website.