We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
Natwest Online Banking Hacked
Theundertow99
Posts: 4 Newbie
Hi guys,
I'm looking for some advice. Yesterday lunch time, I recieved a text from my bank, Natwest, advising me that a new payee had been set up. Shortly after, I recieved a 2nd text saying (paraphrased) "your payment authorisation code is ***", your adviser will ask for this."
Obviously alarmed, I called the fraud team who told me that a payment of £2600 had been made, over telephone banking, to an account I didn't recognise. The adviser quickly figured out that it was not me and, after a few questions, said that they would refund the money.
Worryingly, they told me that, whoever it was, had accessed my internet banking several times during the night and were looking at my direct debits. They had then called up the telephone banking service, somehow passed security, and managed to make a payment.
Now, having the money refunded so quickly is, obviously, great. But this is where NatWest stopped being helpful. Understandably, I wanted to know how this could have happened. To access my online banking, they needed to have known an 8 digit numerical pin number, an alphabetical password and my full internet banking username. These figures were unique to my online banking, not used on any other account, not written down and I've never disclosed them to anyone.
I was simply unable to get any response from Natwest as to how this could've happened as they explained there are many ways. My secondary concern was how has this person, who was not me, managed to add a new payee and authorise an immediate payment of £2600? How have they passed security on the phone? Why would you have two factor authentication (a code sent by SMS or email) and then not require it to authorise a very unusual transaction, to a new payee? Surely there has been a failing at Natwest's end here? It's hard for me to set up new payee's at times, you need a card reader to do it online, let alone someone who is not me and doesn't have access to my emails or phone. I complained to Natwest and was, more or less, shot down by a member of their complaints team who essentially said, fraud happens, our security systems are top notch and it's not our fault that your data has been leaked. I'm not convinced they aren't at fault; they quickly refunded my money and will not provide me with any information regarding the call to them in which someone passed security, set up a brand new payee, calling from a phone number they won't have recognised and made the payment despite being unable to provide the authorisation code.
Ant advice would be great. My overriding concern is how this could've happened, whether I can feasibly trust Natwest moving forward and what I can do to protect myself from further issues. Very worried about the amount of data this person was able to obtain while freely roaming my online banking profile...
Thanks in advance
I'm looking for some advice. Yesterday lunch time, I recieved a text from my bank, Natwest, advising me that a new payee had been set up. Shortly after, I recieved a 2nd text saying (paraphrased) "your payment authorisation code is ***", your adviser will ask for this."
Obviously alarmed, I called the fraud team who told me that a payment of £2600 had been made, over telephone banking, to an account I didn't recognise. The adviser quickly figured out that it was not me and, after a few questions, said that they would refund the money.
Worryingly, they told me that, whoever it was, had accessed my internet banking several times during the night and were looking at my direct debits. They had then called up the telephone banking service, somehow passed security, and managed to make a payment.
Now, having the money refunded so quickly is, obviously, great. But this is where NatWest stopped being helpful. Understandably, I wanted to know how this could have happened. To access my online banking, they needed to have known an 8 digit numerical pin number, an alphabetical password and my full internet banking username. These figures were unique to my online banking, not used on any other account, not written down and I've never disclosed them to anyone.
I was simply unable to get any response from Natwest as to how this could've happened as they explained there are many ways. My secondary concern was how has this person, who was not me, managed to add a new payee and authorise an immediate payment of £2600? How have they passed security on the phone? Why would you have two factor authentication (a code sent by SMS or email) and then not require it to authorise a very unusual transaction, to a new payee? Surely there has been a failing at Natwest's end here? It's hard for me to set up new payee's at times, you need a card reader to do it online, let alone someone who is not me and doesn't have access to my emails or phone. I complained to Natwest and was, more or less, shot down by a member of their complaints team who essentially said, fraud happens, our security systems are top notch and it's not our fault that your data has been leaked. I'm not convinced they aren't at fault; they quickly refunded my money and will not provide me with any information regarding the call to them in which someone passed security, set up a brand new payee, calling from a phone number they won't have recognised and made the payment despite being unable to provide the authorisation code.
Ant advice would be great. My overriding concern is how this could've happened, whether I can feasibly trust Natwest moving forward and what I can do to protect myself from further issues. Very worried about the amount of data this person was able to obtain while freely roaming my online banking profile...
Thanks in advance
0
Comments
-
Hi guys,
I'm looking for some advice. Yesterday lunch time, I recieved a text from my bank, Natwest, advising me that a new payee had been set up. Shortly after, I recieved a 2nd text saying (paraphrased) "your payment authorisation code is ***", your adviser will ask for this."
Obviously alarmed, I called the fraud team who told me that a payment of £2600 had been made, over telephone banking, to an account I didn't recognise. The adviser quickly figured out that it was not me and, after a few questions, said that they would refund the money.
Worryingly, they told me that, whoever it was, had accessed my internet banking several times during the night and were looking at my direct debits. They had then called up the telephone banking service, somehow passed security, and managed to make a payment.
Now, having the money refunded so quickly is, obviously, great. But this is where NatWest stopped being helpful. Understandably, I wanted to know how this could have happened. To access my online banking, they needed to have known an 8 digit numerical pin number, an alphabetical password and my full internet banking username. These figures were unique to my online banking, not used on any other account, not written down and I've never disclosed them to anyone.
I was simply unable to get any response from Natwest as to how this could've happened as they explained there are many ways. My secondary concern was how has this person, who was not me, managed to add a new payee and authorise an immediate payment of £2600? How have they passed security on the phone? Why would you have two factor authentication (a code sent by SMS or email) and then not require it to authorise a very unusual transaction, to a new payee? Surely there has been a failing at Natwest's end here? It's hard for me to set up new payee's at times, you need a card reader to do it online, let alone someone who is not me and doesn't have access to my emails or phone. I complained to Natwest and was, more or less, shot down by a member of their complaints team who essentially said, fraud happens, our security systems are top notch and it's not our fault that your data has been leaked. I'm not convinced they aren't at fault; they quickly refunded my money and will not provide me with any information regarding the call to them in which someone passed security, set up a brand new payee, calling from a phone number they won't have recognised and made the payment despite being unable to provide the authorisation code.
Ant advice would be great. My overriding concern is how this could've happened, whether I can feasibly trust Natwest moving forward and what I can do to protect myself from further issues. Very worried about the amount of data this person was able to obtain while freely roaming my online banking profile...
Thanks in advance
Send a DSAR request to Natwest specifically requesting a copy of the recording of the phonecall to be sent.0 -
I don't think so.0
-
Cheers. I asked for this on the phone. The woman told me that DSAR's have to be sent in writing but she could tell me, straight away, that they would not provide me with a copy of the call as it was not me who was on the call and, therefore, it could be a data protection breach to provide me with the call. She said they would only provide calls, relating to fraud cases, to the police. I will, however, submit a DSAR requesting it anyway.0
-
Also raise a formal complaint over the fact that your questions remained unanswered.
What I find a little strange is that there is no mention of any measures to prevent this from happening again, and of changing the login credentials. Was this not discussed, and why not? If it was discussed, what advice were you given, and what actions did you take? How do you access your account - from a PC or a Mac or an app?
I hope your actual name isn't [Text Removed], btw0 -
Could it be an employee that has been selling on information and has now been found out and sacked? It's rare, but it has happened before (I don't mean NatWest specifically).0
-
Do you do your internet banking from a desktop computer if so you might want to to consider wiping it and reinstalling from scratch just in case you have any nasty virus or Trojan software on there
where have you been doing internet banking from - perhaps an unsecured Wi-Fi for example your local coffee shop?
they have got your internet banking credentials some how0 -
by the way your story is why i am a great fan of those banks that's use voice id to identify you when you are on the phone to them for example first direct0
-
Who do you live with? Let's start close to home and work outwards.0
-
how did the payment go through if they sent you the authorisation code on your mobile needed to set up a new payee? U called them up straight away you said when you got the code and the money had already been sent
Hows that possible0 -
I asked why the payment was still authorised without the code and they told me that they don't always need the code to verify the payment. "This is because nowadays we don't always have our phones on us". I guess they must have asked some other questions and they were able to answer using the data they took from my online banking (direct debits, recent transactions etc).
The bank deactivated my online banking and cancelled my cards. I need to re-register when I get my new card so my account is secure. I was then sent some generic pdf docs about how to protect myself moving forward.
I used Android0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 349.7K Banking & Borrowing
- 252.6K Reduce Debt & Boost Income
- 452.9K Spending & Discounts
- 242.6K Work, Benefits & Business
- 619.4K Mortgages, Homes & Bills
- 176.3K Life & Family
- 255.5K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 15.1K Coronavirus Support Boards