Well, I guess storing the password in the cookie technically "...would not allow access to our online services on their own..." (That's what the Alias is - your passphrase.)
Nope, to log on you would also need the UserID. Oh, wait! Santander user IDs follow the SurnameInitials pattern. Or SurnameInitials1 or SurnameInitials2 if you have more than one account. And I guess you could get that from the full name, which is also stored in the cookie.
But on the face of it, reassuringly, the pass number is not stored in the cookie. Of course, having remembered your UserID and your passphrase, a substantial number of people will have used 12345 or something similar as their number. And at first glance it does not look like Santander locks you out of your account after multiple login attempts. So I guess you could brute-force that number.
Well at least they require a one time pin/password before setting up a new payee. Sent via a phone. But that's quite a recent development.
In my opinion, if there is _anyone_ who has lost money prior to the one-time PIN number from their online account, then Santander cannot claim that the user is at fault, and Santander should reimburse them; provably, Santander stored their login details insecurely - that pass number only happened at about the same time as the change to OTP.
I'd call this a pretty big deal, despite Santander's attempt to downplay it. It should be at the top of the BBC business and technology news, and the FSA should be all over them.
And I'd also like to see the Santander UK managers personally fined for this appalling lapse. Bankers get paid huge salaries, and this sort of amateur-hour stuff should never ever have happened. They should also donate a seven-figure sum to the security researcher who published this stupendous fail and write a public letter of thanks.
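The comment above observes that a short numeric pass number is only as strong as the lockout policy behind it. As an added example (not code from the original post, and not Santander's own system), here is a minimal per-account failed-attempt lockout of the kind the commenter says appears to be missing, plus a calculation of how long an exhaustive search of an N-digit number would take under such a policy. The thresholds (5 failures, 15-minute lockout), the demo credential store and the user ID `smithj` are constructed assumptions.

```python
# Added example: per-account lockout after repeated failed pass-number attempts,
# and the worst-case time an exhaustive guess of an N-digit number needs under it.
# All thresholds and the in-memory credential store are constructed for illustration.
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumption: failures allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # assumption: lockout length once the limit is hit


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LoginGuard:
    """Tracks failed attempts per user ID and refuses further checks while locked."""

    def __init__(self, credentials, clock=time.time):
        # credentials: user_id -> pass number (constructed demo store; a real
        # system would hold a salted hash, not the number itself)
        self._creds = credentials
        self._state = {}
        self._clock = clock     # injectable so the policy can be tested offline

    def attempt(self, user_id, pass_number):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self._clock()
        st = self._state.setdefault(user_id, AccountState())
        if now < st.locked_until:
            return "locked"     # do not even evaluate the credential while locked
        stored = self._creds.get(user_id)
        if stored is not None and hmac.compare_digest(stored, pass_number):
            st.failures = 0     # a successful login resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "denied"


def worst_case_seconds(digits, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
    """Seconds needed to try every digits-long number when each window of
    max_failures guesses is followed by a lockout of `lockout` seconds."""
    keyspace = 10 ** digits
    windows = keyspace / max_failures
    return int(windows * lockout)


if __name__ == "__main__":
    guard = LoginGuard({"smithj": "12345"})
    for guess in ("00000", "11111", "22222", "33333", "44444", "12345"):
        print(guess, guard.attempt("smithj", guess))
    days = worst_case_seconds(5) / 86400
    print(f"exhaustive 5-digit search under this policy: {days:.0f} days")
```

The guard counts failures per account ID rather than per client, because the scenario in the comment is a guessable user ID with an unknown pass number; a production deployment would pair this with per-source throttling and alerting on repeated lockouts. With no lockout at all, the same five-digit keyspace is 100,000 requests, which is why the missing lockout, not the cookie alone, is what turns a disclosed passphrase into a usable login.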