Naked Security

Digital piggy bank service broken into by cybercrooks

A financial provider that gives you a loan but locks it away to turn it into savings... didn't lock down its own network.

Saving money, at least in modest amounts, used to be a very simple business.
The easiest approach – many of us still do it, even in this online age – is the coin jar (or piggy bank, if you’re really old-school).
Instead of frittering away your small change on daily inconsequentials, you dump unused coins in the big glass jar in the corner of the living room, and just before it’s too heavy to pick up and move altogether…
…you drag it down to the bank and are often pleasantly surprised by how much money has accumulated in there.
But that’s a very 1990s approach! Why not put your money into a digital piggy bank, instead?
And, better yet, why not choose a piggy bank that deliberately starts out in debt?
It sounds bizarre – you essentially take out a loan you can’t touch, and clock up your “savings” by paying it off.
At the end of the period – a year, say – you’ve paid off the loan, so you not only get access to your loan capital as your “savings”, but also have a year’s worth of loan repayments that boost your credit rating.
By deliberately racking up debt to save against, your savings end up acting both as credit and as credit history.
That’s the business model of UK company Loqbox, which says it keeps the service free due to the affiliate fees it gets from the banks into which its customers release their funds after paying off a loan:

After making monthly payments for a year, your loan is repaid and you leave LOQBOX with an improved credit score and your money back into a new account for free.
[…]
We get paid by our partner banks for opening a new account for you, which is how we keep LOQBOX free. But if you’d prefer, you can opt for our Flexi Unlock premium add-on and unlock into an existing account for £30.


So far, so good…
…except that there’s a lot riding on you being able to keep up your “savings” payments for the period of the loan.
If you raid the coin jar every now and then (we’ve all done it – it’s part of the game!), the worst that can happen is you end up with nothing saved, or you take longer to fill the jar than you hoped.
But even though you can take an early exit from debt-based savings systems like Loqbox’s, and get back what you’ve put in so far, you won’t then have finished the loan process in full, and – as the company warns – unlocking early could harm your credit history.
And you can’t just skip payments at will, in the same way that you can go a few weeks without putting coins in the jar, because that really would harm your credit history.
In other words, as well as keeping up your side of the repayments, and taking care of your online account, you’d better hope nothing bad happens to your account data at the other end.

Crooks in the piggy bank

Unfortunately, according to customer tweets and news reports, Loqbox has just suffered a data breach that exposed enough personal data to make most affected customers uncomfortable, apparently including names, email addresses, phone numbers, postal addresses and dates of birth.
Additionally, partial bank account and card number details were stolen, too.
UK IT publication The Register reports that this “external attack” exposed bank account sort codes plus two digits of the account number, as well as card expiry dates plus 10 digits’ worth of the card number.
Fortunately, those numbers don’t identify customers’ accounts or cards precisely enough to let them be abused directly.
Sort codes identify the bank and branch, which crooks could often guess from your home address anyway; UK bank account numbers are eight digits long, so two of them narrow things down very little; and payment card numbers typically have 16 digits.
Also, the 10 card digits stolen apparently include the parts of the number that are often disclosed or can be figured out anyway, namely:

  • The first six digits, which identify the financial provider. These digits make up what’s called the BIN, short for Bank Identification Number. A glance at your credit card’s colour or design is often enough to figure out those numbers anyway.
  • The last four digits, which are routinely printed on receipts or sent in unencrypted emails. These serve as a semi-public identifier to make it easy for you to see which card you used for which transactions. (They aren’t really “check digits”, although the card’s actual check digit, the final digit computed by the Luhn formula, happens to be among them.)
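As an added worked example (not code from the article or from Loqbox), the Python below shows how far ten known digits narrow down a 16-digit card number. Card numbers carry a Luhn mod-10 check digit, so with the first six and the last four known, six digits are missing but only five of them are free: the check digit pins down the sixth, leaving 100,000 Luhn-valid candidates rather than a million. The Luhn check is the standard one; the mask (built from the Visa test number 4111111111111111), the function names and the 16-digit assumption are ours.

```python
import itertools

# Added example, not code from the article or from Loqbox. It assumes a
# 16-digit card number (PAN) with the standard Luhn mod-10 check digit, and
# uses a constructed mask built from the Visa test number 4111111111111111.

def luhn_weight(d: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum (doubled digits over 9 have 9 subtracted)."""
    if doubled:
        d *= 2
        return d - 9 if d > 9 else d
    return d

def luhn_valid(pan: str) -> bool:
    """True if the all-digit string passes the Luhn mod-10 check."""
    if not pan.isdigit():
        return False
    # every second digit, counted from the right-hand end, is doubled
    total = sum(luhn_weight(int(ch), i % 2 == 1)
                for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0

def luhn_completions(masked: str):
    """Yield every all-digit string that fits the mask ('*' = unknown digit) and passes Luhn.

    All but one unknown digit are enumerated; the final unknown is solved from the
    Luhn sum, so the cost is 10**(unknowns-1) iterations rather than 10**unknowns.
    """
    n = len(masked)
    unknown = [pos for pos, ch in enumerate(masked) if ch == "*"]
    if not unknown:
        if luhn_valid(masked):
            yield masked
        return

    def doubled(pos: int) -> bool:
        return (n - 1 - pos) % 2 == 1      # distance from the right-hand end

    known_sum = sum(luhn_weight(int(ch), doubled(pos))
                    for pos, ch in enumerate(masked) if ch != "*")
    *free, last = unknown
    # Luhn weighting is a permutation of 0..9, so every required residue maps to exactly one digit.
    inverse = {luhn_weight(d, doubled(last)): d for d in range(10)}

    digits = list(masked)
    for combo in itertools.product(range(10), repeat=len(free)):
        partial = known_sum + sum(luhn_weight(d, doubled(pos)) for d, pos in zip(combo, free))
        for d, pos in zip(combo, free):
            digits[pos] = str(d)
        digits[last] = str(inverse[(-partial) % 10])
        yield "".join(digits)

def candidate_count(masked: str) -> int:
    """Number of Luhn-valid completions: one unknown digit is fixed by the check, the rest are free."""
    k = masked.count("*")
    return 10 ** (k - 1) if k else int(luhn_valid(masked))

if __name__ == "__main__":
    # Constructed mask: BIN (first six) and last four known, six digits missing,
    # i.e. 10 of 16 digits exposed, as in the breach described above.
    mask = "411111******1111"
    print(mask, "->", candidate_count(mask), "Luhn-valid card numbers remain")
    print("4111111111111111" in luhn_completions(mask))
```

A space of 100,000 numbers is far too big for anyone to guess your card online (issuers block cards after a handful of failed attempts, and card-not-present payments also need the security code that wasn’t in this breach), but it is small enough that, together with a stolen expiry date, asking your card provider for a new number (tip #4 below) is sensible rather than paranoid.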

In short, the breach sounds bad, but not that bad.
There’s no mention of passwords or password hashes being stolen, which almost certainly means that the crooks can’t use the breached data to wander into your Loqbox online account with ease, and there’s no mention of any transactional data or other credit history information being accessed.

What to do?

Loqbox doesn’t seem to have any information about the breach on its own website or blog, so we’re assuming that affected customers will hear by email.
Note that not having heard from Loqbox yet doesn’t mean you are off the hook – breach investigations can take quite some time to complete.
And even if you have heard from Loqbox already, the company may need to contact you again as the investigation continues – and you can probably see the problem with being in a position where “you might well be expecting an email some time soon”: that is exactly the situation a phisher wants you in.
Our tips are therefore:

  1. Keep a closer eye than usual on your statements. Simply put, if you see something, say something. (But note #2.)
  2. Watch out for emails or calls that know more about you than you might expect. Even without full details of your bank account or payment card, crooks with data from this breach will be in a much more believable position to scam you into thinking they are legitimate. (And see #3.)
  3. Never contact Loqbox or any other financial provider using information from an email or a call. Get out your original paperwork (or turn your payment card over) and use contact details from there – that way, you won’t get tricked into talking to an imposter.
  4. Speak to your card provider about getting a new number. If your card provider thinks there’s now a risk of fraud on your current card, they’ll probably issue you a new card and cancel the old one.
  5. Don’t pick passwords that crooks could guess from your customer data. The more crooks know about you, even if it’s just your birthday and where you live, the more clues they have to guess poorly-chosen passwords. In fact, don’t pick guessable passwords at all – use a password manager if you’re struggling to come up with good passwords yourself.

HOW TO PICK A PROPER PASSWORD


2 Comments

What a business model is this? You just put the money into a bank account every month, and at the end of the year you get back what you put in, plus some interest. How does anyone need to use this company to do exactly what the bank already does???

Because you are actually paying back a loan, your monthly payments are reported to various credit agencies as evidence that you are credit-worthy, which seems to improve your credit rating.
