New blow to Internet banking security

[Paul Howell]

At http://www.guardian.co.uk/internetnews/story/0,7369,372676,00.html

Antony Barnett, public affairs editor
Sunday September 24, 2000
The Observer

The future of internet banking was thrown into chaos last night
after a British computer expert accessed bank account details
of millions of Americans from his home in the Isle of Man
during a routine check on his US bank account. 

Ralph Dressel, a 28-year-old software analyst at Royal
Skandia lnvestment bank, contacted The Observer having
obtained bank security details that allowed him to 'walk'
straight into internet bank accounts at institutions across the
US. 

Once in, German-born Dressel was free to carry out a wide
range of financial transactions, including transferring funds,
changing PIN numbers and paying bills. 

Dressel came across the information via the website of the US
company Fiserv, a software firm which runs internet banking
programs for dozens of banks, including the Abbey National in
Britain. 

After a few keystrokes he obtained something called the
'access log' which had all the security information needed to
access any of the internet accounts run by Fiserv. The US
company says it runs more than 200 million accounts on-line,
looking after more than £15bn of customers' money. 

Dressel said: 'I was just checking details of my US bank
account and was playing around looking to see how secure
the system was. I was amazed there didn't seem to be any
protection at all and within five minutes I had obtained full
access to account details of hundreds of thousands of people.
Anybody who has basic internet skills could have done it. I
guess if I wanted to I could have transferred $50m into my
account.' 

Dressel contacted the FBI in Boston and his local police
station in the Isle of Man. 

Dressel printed details of three accounts from customers
which have been seen by The Observer. These were from the
Amalgamated Bank of Chicago, Bank of Oklahoma and the
Sovereign Bank in Connecticut. The print-outs included
account numbers and balances. It also gave options to
change PIN numbers, view the history of the account, pay bills
and transfer funds. 

Dressel, who looks after computer security where he works,
said: 'This is a major scandal and needs to be exposed before
people start losing their money.' 

This is the latest in a number of security scandals over
internet financial services that have cast doubt over the safety
of using on-line banking. On Friday five people were charged in
connection with attempting to defraud Egg, the web bank set
up by Prudential nearly two years. 

Last month Barclays was forced to shut down its on-line
banking service for several hours after customers were
confronted with details of other people's accounts when they
logged on. Earlier in the summer electricity and gas supplier
Powergen parted with the financial details and addresses of
thousands of customers without any hacking.