Morgan Stanley website breach

R.A. Hettinga rah at shipwright.com
Tue Nov 9 20:02:38 PST 2004


<http://www.guardian.co.uk/print/0,3858,5059129-103676,00.html>

 Morgan Stanley website breach

Rupert Jones
Wednesday November 10, 2004

The Guardian
A credit card company with more than 1 million customers has closed an
online security loophole that could have allowed people to access account
holders' details and move money about.

 Yesterday it emerged that the Morgan Stanley website had allowed users to
access their credit card information after entering just the first digit of
their credit card number.

 The incident comes four days after internet bank Cahoot closed down its
website for 10 hours following a tip-off that users could view other
customers' private details.

 Cyber crime experts said banks and other companies must take more
responsibility for providing their online customers with security or run
the risk that people will steer clear of these services.

 Morgan Stanley had permitted customers to let their PC "remember" their
password so they only had to enter the first digit of their card number
before the "autocomplete" facility provided the rest.

 This meant that someone using the same computer could potentially access
another's accounts. The Association for Payment Clearing Services (Apacs)
recommends that companies disable the auto function to remove the risk of
this happening.

 The problem was reported to Morgan Stanley by the BBC after a viewer
contacted a programme about the flaw.

 A Morgan Stanley spokeswoman said it had "taken immediate steps to turn
off the auto function to ensure there are no possible security issues".

 "Morgan Stanley has received no customer complaints or calls on this issue
to date, and to our knowledge no accounts have been accessed improperly,"
she said.

 But Philippsohn Crawfords Berwald, a city law firm, said the loophole
"potentially enabled users to shift money across accounts with incredible
ease".

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




