RBS online security

After being refused money from a cashline machine yesterday, I tried to log into my RBS online account yesterday and received a message that I should contact their customer services dept.

I was then put through to their fraud team who told me that last Monday night, someone contacted them to have my account password reset and gave them my name, date of birth, address and one of my bank card numbers to pass the security checks. The bank duly reset my password and allowed the fraudsters to go online and gain access to my accounts and all the information that goes with it.

Before any money was lost, the bank security realised there was an issue and shut down my online account and cancelled my debit card.

When I contacted them yesterday, I was also advised to cancel my RBS credit card. They also tried to suggest that my computer may be infected with a virus or keylogger which would allow the thieves to obtain the required information in the first place, but I am very security conscious and this is definitely not the case. I have since completed numerous scans on my PC to rule this out.

I now have real concerns about the standard of RBS digital banking security and the fact that someone can contact them with publicly available information about me, have my password reset and then get access to all my personal banking details, standing orders set up to linked account, direct debit information, etc, etc. It's also a bit of a coincidence that this just happened to coincide with the "technical issues" the bank have been having over the past week or so.

I am interested in hearing others' views on this and where I should go from here as I don't think what has happened is acceptable. It's not as though someone has signed in using my password, they have effectively been GIVEN a new password by the bank!!

Any views on this?

Comments

  • stclair
    stclair Posts: 6,855 Forumite
    edited 30 June 2012 at 1:39PM
    I would just be grateful they took the actions they have at this moment in time. As I'm sure if you were subject to fraud and the bank did not act on it the title to this thread would say something totally different.

    However I'm sure some IT security boffin will come along soon to answer your security concerns.
    I'm an ex employee RBS Group
    However Any Opinion Given On MSE Is Strictly My Own
  • c_smith
    c_smith Posts: 383 Forumite
    stclair wrote: »
    I would just be grateful they took the actions they have at this moment in time. As I'm sure if you were subject to fraud and the bank did not act on it the title to this thread would say something totally different.

    Obviously part of the bank's security works given the fact that the account was shut down before the fraudsters could move any money, that I'm not arguing with.

    BUT, my point is, something is obviously lacking if someone can have my password reset and be given access (by the bank) to my account in the first place.

    Having done a bit of searching, I came across this article which, nearly 2 years ago, highlighted the security implications of the password recovery system being used by the RBS group.
  • jalexa
    jalexa Posts: 3,448 Forumite
    edited 30 June 2012 at 5:32PM
    c_smith wrote: »
    The bank duly reset my password and allowed the fraudsters to go online and gain access to my accounts and all the information that goes with it.
    Access cannot be gained without also knowing the unique part of the customer number and the online Security Number. Are you saying they were also compromised? If so can you think how?

    Are you saying that RBS reset both the Security Number and Password for immediate access in a single contact? And/or provided the customer number?

    You won't know this and probably won't be told but it would be interesting to know whether the card 3 digit security code was required.
  • stclair
    stclair Posts: 6,855 Forumite
    c_smith wrote: »
    Obviously part of the bank's security works given the fact that the account was shut down before the fraudsters could move any money, that I'm not arguing with.

    BUT, my point is, something is obviously lacking if someone can have my password reset and be given access (by the bank) to my account in the first place.

    Having done a bit of searching, I came across this article which, nearly 2 years ago, highlighted the security implications of the password recovery system being used by the RBS group.

    As stated above I'm sure some IT security boffin will come along soon to answer your security concerns.

    I've only just learnt how to use Excel :rotfl:
    I'm an ex employee RBS Group
    However Any Opinion Given On MSE Is Strictly My Own
  • c_smith
    c_smith Posts: 383 Forumite
    jalexa wrote: »
    They could not do that without also knowing the online Security Number and the unique part of the customer number. Are you saying they were also compromised? If so can you think how?

    Are you saying that RBS reset both the Security Number and Password in a single contact? Or provided the customer number?

    From what I was told, the fraudster knew the customer number and had the password reset from that. I have no idea how they could have got this information as I have never revealed it to anyone and the only two computers I use are both at home and are both secure.

    Until you mentioned it, I hadn't considered the security number part of it and this was never mentioned by the fraud dept. Are you saying the person responsible would have had to have at least known the security number in order to get the password reset?

    I'm going to contact them again on Monday now to establish whether this is the case or whether they reset both the security number and password at the same time, as that would indicate an even bigger security failing.
  • SnowTiger
    SnowTiger Posts: 4,461 Forumite
    c_smith wrote: »
    I am interested in hearing others' views on this and where I should go from here as I don't think what has happened is acceptable. It's not as though someone has signed in using my password, they have effectively been GIVEN a new password by the bank!!

    Any views on this?

    Move to another bank, close your RBS account and cancel your RBS credit card; then tell RBS why you've left. Simples.

    Bank security is a difficult beast. Obviously the banks want to make things difficult for fraudsters, but keep things as simple as possible for valued customers.
  • jalexa
    jalexa Posts: 3,448 Forumite
    edited 30 June 2012 at 4:40PM
    c_smith wrote: »
    Until you mentioned it, I hadn't considered the security number part of it and this was never mentioned by the fraud dept. Are you saying the person responsible would have had to have at least known the security number in order to get the password reset?

    I'm not an expert just a user. I'm only saying the customer number and the system requested 3 digits of the Security Number are needed for a login attempt.

    Just guessing, a fraudster knew the customer number, and then failed to enter the Security Number. Not sure how a forgotten Security Number is reset. By post I hope.

    I share your general security concerns about relying on public domain, familial and/or casually overhearable personal data, but RBS were early adopters of non-familial security which is to be commended and only require partial security on each login. Another plus.

    However I will now be looking very closely at the reset procedure particularly for the Security Number. I will be very angry, possibly account closing angry, if I find that both Security Number and Password can be reset together for immediate use.
  • alanq
    alanq Posts: 4,216 Forumite
    My experience with NatWest online banking is that in some respects they are more cautious than most. Having logged in with all the correct security information and set up a new payee using a card reader and card PIN they contacted me to confirm the transactions. I also now get text messages as soon as any new payee is set up.

    With my other banks in similar circumstances the transactions have gone ahead without question.
  • Mandelbrot
    Mandelbrot Posts: 9,139 Forumite
    Is the password resetting operation based in the UK or India?
  • cottager
    cottager Posts: 934 Forumite
    c_smith wrote: »
    Until you mentioned it, I hadn't considered the security number part of it and this was never mentioned by the fraud dept. Are you saying the person responsible would have had to have at least known the security number in order to get the password reset?

    Well, different circumstances and quite possibly different department, but occasionally I've inadvertently locked myself out of online banking -- wasn't aware I'd hit any wrong keys but it's always possible (or maybe had caps lock on and hadn't realised).

    I've rung NWOLB straight away to get me back in (much quicker than going through the online rigmarole which ensues if you mess up and get it wrong), and in order to do that, part of what they ask for and need to enter is selected characters from your normal login number and password, the same as you would if you were logging in yourself. All the login details are only in my head, but of course the first part of the customer number on the first screen is based on my date of birth which someone could find out -- not the last 4 digits of it though, which are specified by NWOLB when you're first issued with it.
    ~cottager
This discussion has been closed.