TSB Customers Are Warned That Their Passwords Could Be Exposed


It's the 21st century, and for a variety of reasons, stashing away money under the mattress is not a good idea. Like it or not, you have to pick a financial institution and trust it with handling your cash responsibly. Apparently, around 5 million people have trusted TSB with just that, but over the last few months, the British bank's management and IT teams have been finding fascinating new ways of destroying this trust.

Migration disaster and subsequent blunders

Troubles began in April when a major IT migration operation went horribly wrong. Customers lost online access to their money, and when some of them called TSB to ask what was going on, they were put on hold and left there for more than half an hour. The problems caused by the migration went on for a few weeks, and some clients understandably decided that they had had enough.

In the UK, when a person switches to a new bank, they can have all their incoming and outgoing payments redirected automatically. For many now-former TSB clients, this worked fine, but some were put in the curious position of having to explain that they're not dead. Apparently, when their TSB accounts were being closed, someone at the bank canceled all their direct debits and informed a host of service providers that the account owner had sadly passed away. For the affected, what should have been a fairly automated process turned into a long series of phone calls and explanations of things that should be fairly obvious.

Even after all these blunders, some customers decided to soldier on and give TSB another chance. Recently, they had to endure a few outages, but there wasn't anything major. Yesterday, however, TSB might have given its customers a reason to seriously consider whether sticking with the bank is the right call.

Not just your average outage

People found themselves locked out of their accounts again yesterday. The login form on the desktop website and in the mobile app did load, but there was an error saying "{{woboError}}". At first, it seemed like just another system outage, but when some people ignored the error and tried to log in, they found something strange.

The attempt was obviously unsuccessful, and the login form along with the "{{woboError}}" message were reloaded. The URL did change, however, and it contained the username and password that had been entered into the form just seconds earlier. The credentials were visible in the browser's address bar and were in completely readable form.

As of the time of writing, the service appears to be back to normal, but people are still outraged. Are they overreacting or is there a genuine cause for concern?

We wish we had some information straight from the source, but by the looks of things, TSB is actively ignoring the security-related questions that so many people are asking. Some users on Twitter reckon that the pasting of passwords in the URL and the "{{woboError}}" message are connected, but without confirmation from the bank, nobody can really say whether this is the case. Even with the error, TSB's website was loaded over HTTPS, so in theory, a man-in-the-middle attack should be discounted as a possibility. On the whole, the potential damage was limited because the sensitive information was only visible to the people who can see the address bar.
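URLs, unlike POST bodies, are commonly recorded in browser history and web server access logs, so a useful check after an incident like this is to scan access logs for credential-bearing query strings and redact them. The following is an added example, not TSB's code: the parameter names, log format and log lines are constructed assumptions, since the article does not say what the bank's form fields were called.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed field names; the article does not name TSB's actual parameters.
SENSITIVE_PARAMS = {"username", "user", "userid", "password", "passwd", "pwd", "pass"}

# Request portion of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, sorted sensitive parameter names found)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})
    if not hits:
        return target, []
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), hits

def scan_log(lines):
    """Return [(line_no, method, hits, redacted_line)] for offending entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, hits = redact_target(m.group("target"))
        if hits:
            safe = line[:m.start("target")] + redacted + line[m.end("target"):]
            findings.append((n, m.group("method"), hits, safe))
    return findings

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:09:14:02 +0000] '
    '"GET /login?username=alice&password=S3cret%21 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:09:14:09 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2024:09:15:30 +0000] '
    '"GET /accounts?page=2 HTTP/1.1" 200 830',
    '198.51.100.9 - - [01/Jan/2024:09:16:11 +0000] '
    '"GET /login?User=bob&PWD=hunter2&lang=en HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line_no, method, hits, safe in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} carries {hits} in the URL -> {safe}")
```

Any hit means the credentials were written wherever that URL was stored, so the affected passwords should be treated as exposed and reset, and the stored log entries redacted.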

The fact remains, however, that something in TSB's IT infrastructure broke for the umpteenth time in just a few months. Worse still, the people responsible for keeping the internet banking going once again failed to explain what went wrong and what they've done to minimize the chances of it happening again.

Will this be the last straw for TSB's clients? Everybody needs to decide for themselves. One thing is certain – people are especially edgy when it comes to their money, and TSB has had quite a few slipups in an extremely limited time span.

October 24, 2018
