Another Victim of NatWest's Insecure Banking Security Systems

  • londoninvestor
    NuttyBird wrote: »
    so no their systems were clearly insecure as prior to any contact with my Mum they already had online access to her account, as they were able to register a new phone number on the account

    Do you mind expanding on this point about registering a new phone number on the account?
  • System
    System Posts: 178,096 Community Admin
    masonic wrote: »
    There are a number of possible explanations as to how the fraudsters obtained enough of your mother's details to gain her trust, each with a different likelihood and responsible party. The bank clearly has taken a different view than your own. It would be prudent to consider why that might be.

    Regardless of how the details were obtained, possession of those details was not sufficient for the fraudsters to empty the account. Otherwise they would not have needed to phone your mother - to do so unnecessarily would have been plain stupid. So, they called her to obtain things they didn't have. Based on what happened next, it would appear they got what they needed.

    RBS / NatWest would have required both a card (debit/authorisation) and valid pin to send to any new payee.

    Unless they re-ordered (or intercepted) both then the OP's mother provided them with the code - plain and simple.
  • masonic
    masonic Posts: 23,340 Forumite
    antrobus wrote: »
    The fraudsters would need the PIN in order to be able to generate the necessary code on a card reader. I suppose it's possible, if you have full details of login/password, to request a PIN reminder, but that is by snail mail and takes days, and would require either a change of address or intercept.
    ...and they'd need the card (or to have cloned the chip on the existing card) to generate a code from the card reader. I was referring to the online banking PIN in my post above but it's a good point to raise.

    Getting a replacement card would presumably deactivate the OP's mother's card. We know this didn't happen because she visited a branch and withdrew cash using her card after the money started disappearing.

    The only likely explanation is the OP's mother 'authorised' the transactions using her card reader over the phone to the fraudsters. So the classic vishing scam, for which we know customers generally don't get refunded.

    The only difference in this case is the customer visited a branch and might have said something that ought to have alerted the bank that this was happening in time to stop some of the money being taken. That seems to be the strongest argument for taking the complaint further depending on exactly what occurred at the bank branch.
  • jonnygee2
    jonnygee2 Posts: 2,086 Forumite
    The additional £15,752 was still in the account at this time totalling over £21,000.

    You haven't actually said when or how the actual fraud took place, e.g. when did the money leave her account? What happened at that point?
    My mother went into the local branch, expressed concern that she had been contacted by the Fraud Team and wanting to check her card was working.

    The cashier probably should have clocked at what was going on, but I don't think this is going to shift the overall liability to the bank. She didn't report a fraud. She also didn't make the transfer from the branch. Had either of those two things happened it would have been different, but as it is I think it's just a conversation and a cash withdrawal of £35.
    so you have to wonder if that's because they've been hacked and are leaking people's passwords.

    The bank's systems have not been hacked. If the bank's systems were hacked they wouldn't bother messing around phoning people etc, they'd just be clearing millions out of ledger accounts. This fraud clearly fits into the pattern of social engineering fraud. At some point the fraudsters will have gained initial access to your mum's account, for example with a phishing scam etc. Or the security details may even have been guessable or reused somewhere else. Banks' systems are very secure but other websites are not, and a lot of people repeat their passwords all over the place.

    Anyway, the point is, somewhere somehow your mother disclosed her personal details. It's worth raising to FOS because it's free to do so, but I think the chance is unlikely. FOS will most likely rule that although this is tragic, the fault lies with the fraudsters not the bank. Don't waste your money on a court case.

    You can read the outcomes of some similar cases on the FOS website. The most relevant upheld complaint I can think of is DRN3406759

    Everyone agrees it's terrible that these things happen. I understand how upsetting it must be. But it's probably time to accept this money is gone.
  • tacpot12
    tacpot12 Posts: 7,999 Forumite
    I'm curious as to what evidence you have that the fraudsters were able to register another phone to her account.
    The comments I post are my personal opinion. While I try to check everything is correct before posting, I can and do make mistakes, so always try to check official information sources before relying on my posts.
  • NuttyBird
    NuttyBird Posts: 50 Forumite
    edited 10 November 2018 at 3:38PM
    This is the most concerning thing. My mother is not a frail 90 year old bewildered by technology, but an Internet savvy, and highly suspicious 68 year old, so despite what the masses may think here, she has neither been duped into revealing log in details to her on line banking or previously ‘leaked’ them.

    The sequence of events suggests that the fraudsters had already gained access to her online banking. At this point they called her, spoofing the caller ID to appear to be calling from the number on the back of the bank card. Her first mistake was not to hang up and then call back to the number on the back of the card. They then built her trust by saying that they suspected a fraud was taking place, furthering the pretence by quoting recent transactions on her account that were too recent to be on paper and intercepted in the post. How would they know these without being in the account? Whilst talking to her reassuringly a message came through on her mobile (the only number registered on the account), saying that ‘a new number had been registered to receive notifications on the account - if this wasn’t you then please contact the bank on the number on the back of your card’. Because she was now confident she was talking to the bank, and they already had the matter in hand, then that was her second mistake. But clearly, a new number can only be added to the account via access to the online banking.
    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.

    Once a new number has been successfully logged on the account then authorisation codes can be easily intercepted.

    Yes during the process my mother put her card into the online banking card reader and authorised the setting up of a new payee, but not having a photographic memory for sort codes, and going only by the fact it appeared to be in her name and was the ‘safe account’ the fraudsters commonly call it, she was still confident it was the bank she was dealing with.
    Nutty Bird

    £1 per day 2013
    Build a savings pot
  • masonic
    masonic Posts: 23,340 Forumite
    NuttyBird wrote: »
    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.
    So if they got everything they needed from "hacking", why did they phone her at all?
  • msallen
    msallen Posts: 1,494 Forumite
    NuttyBird wrote: »
    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.

    No, you obviously don't want to hear it, but then the truth hurts sometimes. The only sane conclusion is that your mother has indeed "been duped into revealing log in details to her on line banking or previously ‘leaked’ them. "

    If the bank had really been hacked (and thus the criminals had access to the bank's servers) they wouldn't fart around ringing individual customers for the sake of a few tens of thousands. They obviously just had access to your mother's account, not the entire bank.
  • Rosemary7391
    It sounds like they maybe got her online banking password somehow (keylogger, reused on a breached site, lucky guess/brute forced), and then did the social engineering fraud bit to convince her not to report the new number notification to the actual bank. Those texts are the security against this kind of thing - ie even if your online banking is compromised they cannot set up new payees, phone numbers etc without notifying you. I'm not sure how much clearer the bank can be with the "please call the number on the back of your card" bit :( sorry that your mum has lost out, but I can't see that the bank were at fault here.



    Guess the take home message is to always contact the bank yourself no matter how convincing the person on the other end of the phone is...
  • jonnygee2
    jonnygee2 Posts: 2,086 Forumite
    she has neither been duped into revealing log in details to her on line banking or previously ‘leaked’ them

    Her details have been leaked somewhere. It could be someone has backdoor entrance to her computer. It could be she used the same details on other sites to which they have access. Or they were guessable / based on personal information. Or they duped her into entering them into a mirror site somewhere.

    Ultimately she was duped by a phone call so it's obviously conceivable she was duped by an email or other form of phishing attack. The phone call was the second part of the attack, the first part came earlier, it could have been several months ago.
    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.

    I don't doubt they had access. But the only way to gain access is to use the security details, which they knew somehow. You can't 'hack' into bank accounts any other way.
This discussion has been closed.