Another Victim of NatWest's Insecure Banking Security Systems

p00hsticks

colsten wrote: »

Neither my Natwest nor my Barclays debit cards contain anything that resembles the username / membership number needed for logging in.

I think the quote you have used is from the part of the discussion about what happens if you say you have forgotten your user name / membership number.



It appears with NatWest and Barclays you can then re-register using you card details and a few other bits and peices that scammers could easily locate, such as date of birth and middle name (see post #53)

EachPenny

p00hsticks wrote: »

I think the quote you have used is from the part of the discussion about what happens if you say you have forgotten your user name / membership number.

That, but also Barclays and NatWest allow you to log on to online banking using the long card number instead of a username/membership number.

18cc

When you log onto Barclays you can use your long card number as your username, hence my saying the username is on the front of your debit card - it is the long card number. No point keeping your username secret!

EachPenny

18cc wrote: »

When you log onto Barclays you can use your long card number as your username, hence my saying the username is on the front of your debit card - it is the long card number. No point keeping your username secret!

Thinking about it though, I'm not sure the Barclays username is even that secure.

They might have changed their system since I registered, but back then the username was given to you by Barclays, and if there is any randomness then it is only a small part of the username as a whole.
(unless by complete fluke a random process gave me a username which coincidentally has significant information in it :huh: )

Rosemary7391

A thought... would it make sense for accounts to have different tiers of security? So someone like EachPenny who is clearly very good at keeping everything secure can have very feature rich frictionless online banking, whilst banks could have the discretion to disable certain features or require increased security for customers who opt in or have been caught out before?

jonnygee2

whilst banks could have the discretion to disable certain features or require increased security for customers who opt in or have been caught out before?

The problem is that everyone would lower the security level and then blame the bank when their money gets stolen. Like people write down pin numbers or use their DOB and then go crazy when the bank won't refund their card fraud.

Rosemary7391

jonnygee2 wrote: »

The problem is that everyone would lower the security level and then blame the bank when their money gets stolen. Like people write down pin numbers or use their DOB and then go crazy when the bank won't refund their card fraud.

I'm not envisaging the minimum security being any lower than it currently is today. But take the situation from the OP - if they could get a refund on condition that they could no longer set up new payees on online banking, but had to use telephone banking or a branch to do so (ie they had to move to a more secure account), would that be a reasonable model?

masonic

jonnygee2 wrote: »

The problem is that everyone would lower the security level and then blame the bank when their money gets stolen. Like people write down pin numbers or use their DOB and then go crazy when the bank won't refund their card fraud.

Not really, opt-in enhanced security can be (and is) used by some financial institutions to good effect. It just hasn't been implemented by any major high street banks - probably because of their arduous auditing process that makes it necessary for every change to have a major impact to be justifiable.

Although I recall a certain bank required customers who were the victim of fraud to install and use certain "security software" to continue using online banking. I don't know if they still do that. That's not an example of a good measure IMHO.

Being able to optionally change your username and require it for login (no card number fallback) would be an example of a good measure. Being able to disable online password resets and fall back to receiving a postal activation code would be another. Being able to upgrade from SMS authorisation to TOTP would be fantastic.

EachPenny

Rosemary7391 wrote: »

I'm not envisaging the minimum security being any lower than it currently is today. But take the situation from the OP - if they could get a refund on condition that they could no longer set up new payees on online banking, but had to use telephone banking or a branch to do so (ie they had to move to a more secure account), would that be a reasonable model?

It is a valid point, and if banks are on the hook for loses suffered by customers who have been scammed we might arrive at a situation where banks decline to give 'vulnerable' customers access to online/phone banking (or withdraw it).

A halfway position might be to allow customers read-only access to check balances and payments etc, but not to initiate transfers or payments without going through some further security system.

But with closures of their branch networks we might arrive in a position where older people (especially) have vey little choice when it comes to meeting their banking needs.

Rosemary7391

EachPenny wrote: »

It is a valid point, and if banks are on the hook for loses suffered by customers who have been scammed we might arrive at a situation where banks decline to give 'vulnerable' customers access to online/phone banking (or withdraw it).

A halfway position might be to allow customers read-only access to check balances and payments etc, but not to initiate transfers or payments without going through some further security system.

But with closures of their branch networks we might arrive in a position where older people (especially) have vey little choice when it comes to meeting their banking needs.

It is really interesting to examine the assumptions under which systems operate. It often reveals why certain sections of society struggle!