Another Victim of NatWest's Insecure Banking Security Systems
Yes, I think that is true: when you register for the first time you need an activation code, but once you have registered, if you just 'forget' your details (ie a fraudster wants to get them) you can reset your details with your debit card. That is highly insecure, I think.
-
Yes, I think that is true: when you register for the first time you need an activation code, but once you have registered, if you just 'forget' your details (ie a fraudster wants to get them) you can reset your details with your debit card. That is highly insecure, I think.
First name (on card)
Middle name(s) (not on card, but middle initial was there)
Last name (on card)
DOB
Postcode
Sort code (on card)
Account number (not on card)
Debit card number and CVV
After providing those details I was asked to choose a new PIN and password. This is poor compared with other banks who at least send a code by SMS.
None of the details asked for that were not on the card are things that can reasonably be kept secret.
Edit: Just received an SMS and email confirming I'd re-registered even though I didn't go through with it and can still log in with my old details <sigh>
-
Well done for trying the process; not sure I'd have been brave enough with a live account!
When you say debit card number do you mean the debit card PIN or the long number?
I know Barclays are similar - if you have someone's debit card number and PIN (and name/dob etc) you can reset the Internet Banking logon details. This might be convenient but NOT what I want. If I genuinely forget my logon details I want a secure way to find them - ie delivered to my home address by an armed guard courier, and not just reset using an insecure debit card.
-
Precisely.
But that is because my security strategy includes never using cards for accounts with any substantial sums in them (or that could give access to large sums). All my day to day spending is on a credit card or one debit card with only a small amount of money available on it.
The point being that your long card number doesn't have to be 'public' information.
Whilst I admire your commitment to security, I don't think this is a reasonable step to expect of the majority... I know it's hard for us to believe but some people struggle with maintaining just one account, never mind several, or having credit cards etc.
It's all well and good to talk about making the system secure as can be, but it also has to be accessible and usable by the customer and that will always present a point of weakness - even more so when we make allowances for human nature, ie losing things, forgetting stuff, talking too much... no easy answers
-
Well done for trying the process; not sure I'd have been brave enough with a live account!
When you say debit card number do you mean the debit card PIN or the long number?
I know Barclays are similar - if you have someone's debit card number and PIN (and name/dob etc) you can reset the Internet Banking logon details. This might be convenient but NOT what I want. If I genuinely forget my logon details I want a secure way to find them - ie delivered to my home address by an armed guard courier, and not just reset using an insecure debit card.
The phone-based 2FA used by Lloyds group and TSB has its limitations, but at least it is used during these resets IIRC.
-
Whilst I admire your commitment to security, I don't think this is a reasonable step to expect of the majority... I know it's hard for us to believe but some people struggle with maintaining just one account, never mind several, or having credit cards etc.
It's all well and good to talk about making the system secure as can be, but it also has to be accessible and usable by the customer and that will always present a point of weakness - even more so when we make allowances for human nature, ie losing things, forgetting stuff, talking too much... no easy answers
You are right, there is no easy way and the more complex it is, the more vulnerable it is. For example if you force passwords to be too complex you need.
But, I am a big fan of the security system used by Starling and Monzo. You can lock the app itself with biometric security on your phone, to log in on a new phone you'd need access to your email account, and any transfers need the PIN number. It causes very little friction but is incredibly hard to break, particularly if you have a secure email account with proper 2FA set up (not based on SMS!!!). They eschew all the complexity of login details by simply not having any at all :-). This is one of the main reasons these are my only two main accounts. You can also keep money aside in 'pots', keeping the usable balance low, if you want to.
In terms of securing your card PAN, don't bother, it's impossible. Also unnecessary because banks refund debit card transactions quickly and painlessly where no PIN was used.
-
I've often said that your email account should be one of the most secure in terms of password complexity.
This is because so much can be done in terms of password resets with access to an email account.
Although providers such as Gmail offer 2FA, Google revealed in early 2018 that less than 10% of actively used Gmail accounts had 2FA set up by the user.
-
I know Barclays are similar - if you have someone's debit card number and PIN (and name/dob etc) you can reset the Internet Banking logon details. This might be convenient but NOT what I want.
IIRC don't you need to generate a code using the debit card and card reader, so you would need to have the card in your possession?
-
Yes you are right - to log on to your Barclays internet banking all I need is your debit card and PIN - the username is the long card number, ie not secret.
To reset your logon details and log on that way I think you do it a different way, just using debit card details like NatWest does, but perhaps someone can try it and see the procedure.
In any case, watch out for your debit card as if someone shoulder surfs you and gets to know your PIN and steals your card they can do a lot more damage than just getting money out of an ATM.
Nationwide have an extra layer of security in that you still generate the codes in the same way using the debit card but you also need a username which the fraudster does not have. For Barclays and NatWest the username is emblazoned on the front of the debit card!
This discussion has been closed.