Another Victim of NatWest's Insecure Banking Security Systems

Malcolm1948

Banks might be a little safer if they made more intelligent use of some of the checks they already have, like card readers.
From my recent experience, NatWest require you to use a card reader to validate setting up a new payee but not necessarily when making subsequent payments to that payee, which can be quite large.
On a least 2 occasions I have received calls/ texts from the Fraud Team the day before the payment was scheduled indicating that payment has been blocked and to call them. This could be quite embarrassing - and damaging - if those calls had been missed and the payments were time sensitive. Amounts were around the £5-6k mark.
Making or requiring customers to engage in telephone contact unnecessarily is in itself a security risk, particularly as sensitive information is required to be given to validate identity.
All this could be avoided if NatWest enforced use of the checking mechanism they already have in place - the card reader - more consistently.

scaredofdebt

Change to a bank with proper online security, such as 2FA, it's not 100% infallible but very hard to circumvent as long as the user isn't compromised!

System

Malcolm1948 wrote: »

Banks might be a little safer if they made more intelligent use of some of the checks they already have, like card readers.
From my recent experience, NatWest require you to use a card reader to validate setting up a new payee but not necessarily when making subsequent payments to that payee, which can be quite large.
On a least 2 occasions I have received calls/ texts from the Fraud Team the day before the payment was scheduled indicating that payment has been blocked and to call them. This could be quite embarrassing - and damaging - if those calls had been missed and the payments were time sensitive. Amounts were around the £5-6k mark.
Making or requiring customers to engage in telephone contact unnecessarily is in itself a security risk, particularly as sensitive information is required to be given to validate identity.
All this could be avoided if NatWest enforced use of the checking mechanism they already have in place - the card reader - more consistently.

I recent sent a larger payment (with another bank) and they did the same thing. Slightly inconvenient but not unreasonable.

For time sensitive payments, why not make a CHAPS payment (in branch) with ID or even just send a few days earlier?

18cc

This is my own feeling on the various bank security:


1. I don't like Barclays and Natwest because of the way you can logon using your debit card number - I want a bank that I can keep my userID secret.


2. I don't like Lloyds and Halifax (and I think Santander but I have no direct experience of them)- you can keep your userID secret, but they use SMS for payment verification and that is inherently insecure on a number of levels, eg SIM swap fraud.


3. For me the jury is out on FD and HSBC - they use voiceID which is secure but if ever broken means you have to change your voice!. Anyone can call you and get a sample of your voice and from then on run a voice changing program to interact with the bank. No idea if it would work but I am suspicious.


4. I Like Nationwide - you can keep your UserID secret and requires a card reader to anything meaningful.


5. I like Monzo, Starling and any app-only bank my feeling is a banking app is more secure than desktop. Also, real-time updates on any activity on your account means should anything happen you can get on top of it quickly.


As I say, these are my thoughts only.

masonic

18cc wrote: »

2. I don't like Lloyds and Halifax (and I think Santander but I have no direct experience of them)- you can keep your userID secret, but they use SMS for payment verification and that is inherently insecure on a number of levels, eg SIM swap fraud.

Not for me they don't. They call me on a phone number registered to my account, which can be a landline. I've never even seen an option for SMS payment verification.

BooJewels

18cc wrote: »

2. I don't like Lloyds and Halifax (and I think Santander but I have no direct experience of them)- you can keep your userID secret, but they use SMS for payment verification and that is inherently insecure on a number of levels, eg SIM swap fraud.

For what it's worth, with Halifax it's a phone call (not an SMS) and you can use your home landline (they ask you to choose which number when you set up a new payee) - you input the code displayed on the bank screen into the phone when you get the call. I use a number that's not used for anything else, reducing the opportunity for SIM switching.

But I think this is where the OP's mother was done - wasn't a new number added to the account? Although I didn't understand that bit - presumably she'd compromised herself some time earlier by allowing access to her online account and that was the end game, getting the funds sent to a new payee.

BooJewels

Apologies masonic, I'm typing on my tablet and was a bit slower than you.

buglawton

Moneybox reported an example of this classic fraud. One of the steps however is either to convince the victim to transfer money to an emergency account to 'protect' it from fraud, or to get a transaction code as texted back to an account holder, to make an initial transfer and set up a new payee.

Fraudsters are apparently able to masquerade texts as actually coming from the banks usual 5 digit SMS number, so inject their texts into the genuine banks message stream. And possibly able to masquerade the originator of a phone call, though they use other tricks like holding the line open while playing a dial tone.