RBS online security

c_smith

jalexa wrote: »

The OP alleges something different, described as "the bank duly reset my password". I'm now struggling with what exactly happened. Was a new password issued? Or access unlocked for the original password?

I was told by the fraud department that the persons responsible did not have my password. The fraudsters used the bank's procedures to have the password reset, which presumably means the bank allowed them them to choose a new password after providing certain other information.

stclair

c_smith wrote: »

I was told by the fraud department that the persons responsible did not have my password. The fraudsters used the bank's procedures to have the password reset, which presumably means the bank allowed them them to choose a new password after providing certain other information.

Hmmm strange as they would need to know the last four digits of your card number and your cv2. This might be a good case for mi6 lol

c_smith

agrinnall wrote: »

If it is necessary to know your customer number (and it's still not clear whether this is the case or not) then there are 3 likely options: somebody made a very lucky guess, somebody you know has managed to find it out from watching you, or something on your computer has provided the information.

There are some other possibilities that I would not dismiss out of hand.

The bank seem to want to infer that it is something I may have done or not done which has caused the problem. I would suggest some other possibilities are:

1. Some unscrupulous bank employee has passed on information for the purposes of committing fraud.

2. The bank's security has been violated during the "technical issues" they have experienced over the past week or so.

3. Customer personal information has been accidentally lost by a bank employee, in either electronic or paper format.



I am sure there are other possibilities, but I can definitely rule out the possibility of anyone, other than bank employees, knowing my full customer ID number. My wife doesn't even know it. And as regards a potential virus, this would certainly appear not to be the case. Had there been a keylogger on my system, I have several other accounts that would also have been subject to attack, wouldn't you think?

c_smith

stclair wrote: »

Hmmm strange as they would need to know the last four digits of your card number and your cv2. This might be a good case for mi6 lol

He did say they had the card number. Didn't mention the cv2 though, so that I can't confirm.

jalexa

c_smith wrote: »

I was told by the fraud department that the persons responsible did not have my password. The fraudsters used the bank's procedures to have the password reset, which presumably means the bank allowed them them to choose a new password after providing certain other information.

Hardly surprising given that it is described as a "password and/or security number" reset procedure.

I don't know how the online team handled the issue but I now know as a matter of fact of the online reset procedure and am horrified at the identity and account details requested by an organisation some of who's staff recognise (and appear quick to allege) keylogging risk.

Thanks for the heads-up. Can't say I'm off, mainly because I can't answer where, but I am far from happy at your revelations.

c_smith

http://www.thesun.co.uk/sol/homepage/news/3727561/Brits-bank-data-sold-for-pennies-by-Indian-call-centres.html

c_smith

jalexa wrote: »

Thanks for the heads-up. Can't say I'm off, mainly because I can't answer where, but I am far from happy at your revelations.

http://www.which.co.uk/money/bank-accounts/reviews-ns/online-banking-security/compare-online-banking-security/

RBS are near the top when it comes to online security. Doesn't exactly fill me with confidence about security in the UK banking system.

jalexa

c_smith wrote: »

RBS are near the top when it comes to online security. Doesn't exactly fill me with confidence about security in the UK banking system.

Overall yes, but poor login security. Interestingly the specific issue highlighted still exists. A different 3 from 4 for the Security Number. Only two attempts guarantees capture. That has always worried me.

To compare password reset with Nationwide, Nationwide provides half a temporary password by phone then the other half by email.

cottager

jalexa wrote: »

Useful update but I think you describe a "temporary lock" situation [correct] where you hadn't forgotten your security details [correct] but for reasons unknown [not really: I accept I probably made a slip with one digit] wrong security was entered several times [only once] and your access was "locked" but was unlocked after telephone contact by answering questions including from your security details.[correct]

The OP alleges something different...

I appreciate the OP has a different issue: it was acknowledged when I first posted in #11:

Well, different circumstances and quite possibly different department, but...

In post #27 I was specifically addressing your subsequent comment...

The poster at #11 said "...much quicker than going through the online rigmarole...". I really hope that "quicker" does not mean "less rigorous".

In a direct response to you and that particular observation (indicated by quoting that extract only), I was attempting in #27 to explain to you why I believed "quicker" was not "less rigorous" in the situation I'd described. I wasn't then seeking to add any more in answer to the OP's issue which is clearly different.

However, the process of "authenticating oneself" to the bank when either logging in ordinarily or speaking to them -- whether it's the fraud department (which the OP has been doing) or, as in my case, the helpdesk when temporarily locked out, or indeed perhaps also if someone (not the rightful account holder) was seeking to reset a password -- may be similar or contain similar elements. Which is all I was attempting to say in the first place

c_smith

I've sent a letter to the complaints dept seeking a detailed explanation as to how this breakdown in security occurred. I'll decide from their response whether I am changing banks.