RBS online security
It's not a secret, it never has been; customers always get told that information!
I don't know if I knew but I do recall finding out from RBS (or Tesco) that leading zeros were not significant. Maybe the OP was born on a quiet day for the maternity ward. Or signed up for online banking on the first day of age eligibility.
Mandelbrot wrote: »Any more 'secrets' you wish to share about RBS security?

It's not a very well kept 'secret.'
http://www.natwest.com/go.ashx?ONLINE-LOGON: [Customer number] is your date of birth (ddmmyy) followed by your unique number which identifies you to the bank.
URL should be http://www.rbs.co.uk/go.ashx?PER-ONLINE-LOGON as we're discussing RBS.
stclair, I see you work for the group, do you know if both the security number and the password can be reset at the same time for immediate use? If so, this would seem to be a huge security issue.
I doubt they would reset both for immediate use; that would be very risky. You can call the digital banking helpdesk on 0131 317 4597 and they will be able to guide you through the process.
I'm an ex employee RBS Group
However Any Opinion Given On MSE Is Strictly My Own
I doubt they would reset both for immediate use; that would be very risky.
Indeed it would.
The RBS Help says this (my emphasis)...
If you still can't recall your Customer Number or Security Number and/or Password, you will be able to regain access to the service by answering a few simple questions and you may be able to use the service immediately.
The really worrying word is "and" (if that is a grammatically accurate use of "and"). I also worry about "simple". I assume the entire text has legal sign-off.
The poster at #11 said "...much quicker than going through the online rigmarole...". I really hope that "quicker" does not mean "less rigorous".
Indeed it would.
The RBS Help says this (my emphasis)...
If you still can't recall your Customer Number or Security Number and/or Password, you will be able to regain access to the service by answering a few simple questions and you may be able to use the service immediately.
The really worrying word is "and" (if that is a grammatically accurate use of "and"). I also worry about "simple". I assume the entire text has legal sign-off.
I never had any issues with my online banking, therefore I'm not too sure.
However, now I have taken time to look into it, it appears the details can be reset online:
https://www.rbsdigital.com/help.aspx?id=CN1
I do not know what happens next as I do not want to put my details in...
UPDATE: if you click that you have your debit card, it asks for details from your card, CV2 number etc.
If you click that you do not have a debit card, it asks for some details then says we will send you an activation code in the post.
I'm an ex employee RBS Group
However Any Opinion Given On MSE Is Strictly My Own
The poster at #11 said "...much quicker than going through the online rigmarole...". I really hope that "quicker" does not mean "less rigorous".
#11 reporting
From the first time I was locked out I can quote the message seen, as I made a note of it at the time:
'The details you have entered have not been recognised. For your security, your online service has been temporarily locked. No further attempts will be accepted. If you provide us with the following details, you should be able to access the service in just a few minutes.'
I should say my first encounter with this (in Apr 2011) was entirely different from what had been in place before if I'd ever made a slip logging in. Previously there was a red alert saying something like "Please address the following issue" and you'd be able to have another go by re-starting the login process. Probably re-attempts would be strictly limited, perhaps to only once -- I don't know as I made sure not to get it wrong at the second attempt.
Anyway, being confronted with this new message, the "should" didn't sound particularly reassuring, and I wondered if the "few minutes" could turn into a much longer wait before regaining access, but I began answering the questions, which didn't look too onerous: name, DOB, gender, postcode, email etc. Then there was a second screen for yet more details: account number, code from a debit card etc.
Ironically, it was being security-conscious which led me to back out and ring instead! Having not seen it before, I became wary about being asked to enter this amount and type of information. I didn't know how I could have ended up somewhere I shouldn't be, but my thought was "Hang on, is this really genuine?"
So before going any further I phoned the NWOLB help desk to check. The guy told me yes, it was genuine, and went on to say he could clear the temporary lock over the phone. So after various questions, and asking for my customer number and then for random characters from my security number and password he cleared it, saying I should log out, then log back in again.
Having done it that way once, when it cropped up again a few weeks ago, I chose to phone again. It just seems more straightforward to me than going through the online process.
I wouldn't say doing it over the phone was less rigorous, simply less hassle IMO, and with a prompt resolution. It's clearly more rigorous than the previous setup, where after a login mistake you were invited to re-try.
It's presented as a temporary lock which implies it can be cleared relatively simply -- which it can, provided you "pass the test". If I answered anything wrongly I'm pretty sure I wouldn't have the luxury of further guesses
I'd expect them to smell a potential rat and block the a/c completely, on suspicion that I wasn't the rightful account holder. Which I wouldn't like at all, incidentally! -- but in those circumstances I couldn't really blame them.
EDIT: to be clear, it's NatWest online banking I'm referring to, not RBS, though I'd expect them to be very similar if not the same.
~cottager
It's presented as a temporary lock which implies it can be cleared relatively simply -- which it can, provided you "pass the test". If I answered anything wrongly I'm pretty sure I wouldn't have the luxury of further guesses

I'd expect them to smell a potential rat and block the a/c completely, on suspicion that I wasn't the rightful account holder. Which I wouldn't like at all, incidentally! -- but in those circumstances I couldn't really blame them.
Useful update but I think you describe a "temporary lock" situation where you hadn't forgotten your security details but for reasons unknown wrong security was entered several times and your access was "locked" but was unlocked after telephone contact by answering questions including from your security details.
The OP alleges something different, described as "the bank duly reset my password". I'm now struggling with what exactly happened. Was a new password issued? Or access unlocked for the original password?
One thing which really troubles me is the detail required on the online reset page if only an unlock is required. RBS is reported as alleging the presence of a keylogger, indeed a risk, but the online reset procedure risks the compromise of identity and account data through that very risk for quite a small return. And why no mention of Rapport?
To use a "nasty" word in a technical sense, that is an "ignorant" reset process, I assume with RBS legal sign-off.
I bank with RBS and use their online banking. If someone was able to reset password details would it not be impossible for them to move money from your account without the card reader and card? Or are there ways and means of doing that too? Would a cloned card and any card reader work?
I've always been happy with the level of security offered by RBS online but from the sounds of it, it was far too easy for the OP's password to be reset.
The customer number used by the bank, in case you don't know, is based on your date of birth. The "random" part of my customer number (that is no more) would have been extremely easy for someone to guess. And then there is also the possibility of some unscrupulous bank employee passing on information.
I have completed a full scan with Avast, a boot scan with Avast, an online scan with Bit Defender, a full Spybot scan, a Malwarebytes scan, and I've also checked that there are no suspicious running processes with Security Task Manager.
Any other suggestions to be sure?
The 4 digits after your DoB are no easier for someone to guess in your case than in anybody else's, i.e. 1 in 1000.
If it is necessary to know your customer number (and it's still not clear whether this is the case or not) then there are 3 likely options: somebody made a very lucky guess, somebody you know has managed to find it out from watching you, or something on your computer has provided the information.
You do seem to have been pretty comprehensive on investigating whether a keylogger is present, but I wonder if it's worth posting on the Techie board just in case someone there knows of an additional scan you could perform?
If it is necessary to know your customer number...
Well the first 6 digits are DOB, hardly a state secret. What you describe as 4 digits is not what it seems. I always thought it was 4 significant digits until I found out from RBS (or Tesco) that leading zeros are not significant.
The OP has stated "the "random" part of my customer number ... would have been extremely easy for someone to guess". I suspect the OP has had an early claim on the particular DOB and has several leading zeros :). The Customer Number is not masked during sign-on so is easily observed. It's a long time since I have used telephone Direct Banking but from memory the Customer Number is required in full. That is intended as a statement of fact. Obviously it is necessary to identify the caller, but in hindsight perhaps using DOB is not that smart but I assume it has RBS legal sign-off.