An error at S Bank allowed customers to use other people’s online banking services

A SYSTEM ERROR at S Bank, Finland’s first so-called supermarket bank, enabled a few hundred customers to access other customers’ online banking services over a period of almost four months earlier this year, between April 20 and August 5.

S Bank reported on Tuesday that the error had been exploited for wrongdoing, such as unauthorized payments and access to third-party online services, in a very small number of cases.

The error, he pointed out, was related to the malfunctioning of a single software component of online banking, meaning it was not caused by external factors. It was rectified as soon as it was detected on August 5.

Carl Edvard HolmbergS Bank’s director of digital services, declined to comment on the value of unauthorized payments when contacted by Helsingin Sanomat on Tuesday.

“We filed an offense report with the police. Unfortunately, we cannot comment on the sums externally,” he explained. “S Bank has 3.1 million customers and S Bank’s online banking credentials are used to log into various services 20 million times a month. This is partly why it took so long to detect the error and identify the customer transactions relevant to the error.

He repeated that the error only affected a small part of the customer base, a few hundred customers.

“Only a small group of them logged into other people’s online banks, and of those who did, only a very small group engaged in wrongdoing,” he said.

S Bank has asked the police to investigate the unfolding of events and determine whether customers who exploited the system error may have committed any offences.

The bank pledged to compensate all customers who suffered direct economic loss as a result of the system error, saying it will proactively contact all customers affected by the error in this way.

Holmberg told Helsingin Sanomat that most of the compensation has already been paid to customers.

“We apologize for the situation to our customers. We will assume our responsibility and compensate any possible direct damage. Customers themselves do not have to do anything to receive the compensation,” he said. “We have been in contact with all customers affected by the situation. If we have not been in contact with a customer, the error has not affected them and the incident does not require any action on their part.

System error is the data security skid of the year, Petteri Jarvinenan author specializing in data security, Helsingin Sanomat told Helsingin on Tuesday.

“This is no ordinary slip-up, as it is related to knowledge society services. We’re used to thinking of online banking credentials as the foundation for authentication that always works and is always trusted. All other services are built on them, such as relationships with Kela and Omakanta – as well as money transfer services from banks,” he said.

The problems of online banking identifiers thus eat away at the very foundations of modern society. Citizens are somewhat prisoners of the bank identification systems they use, according to Järvinen.

“Banks have an increased responsibility for the reliability of identification because they have insisted on retaining identification and each has developed its own procedure for this,” he said.

Aleksi Teivainen – HT