Natwest Online Banking Hacked
-
Hi Colsten. Unlikely, yes. However, it happened exactly as I've written it. The fact that this string of events seems unlikely is exactly why I'm looking for advice.
-
First thing to do (if you haven't already) is to change all your passwords for internet and phone banking. Do this from a safe computer, which has been scanned for viruses, etc beforehand. It's possible that if someone had enough personal information about you (either from some sort of Trojan, or as is probably a bit more likely a bit of social engineering) that they could conceivably call up NatWest, reset some security details and then authorise a transaction. They probably won't have asked for a security code over the phone, as that goes against all the anti-scam warnings they send out about never revealing PINs, security codes, etc over the phone and instead relied on the successful verification against your personal details.
I'd be putting in a formal complaint, although I don't know how far it'll get. I'd also consider getting geared up to protect yourself from identity theft, just on the off chance they have enough info to fraudulently open new accounts in your name down the line - better to protect yourself now before they take action. Consider a protective CIFAS registration and see the links below:
https://www.identitytheft.org.uk/
https://www.actionfraud.police.uk/a-z-of-fraud/identity-fraud-and-identity-theft
-
The most likely scenario would be that someone got access to your computer, either someone close that you allowed the access to or someone hacked it. In there you likely have all the usernames saved. As for the transaction authentication code, was it only sent to your mobile or e-mail too?
In any case this wasn't a hack on the bank, but on you with elements of social engineering. There isn't much the bank can do to find the root cause. They might have some gap in the processes that allowed this to happen but we don't know that. For all we know the impostor provided all the required details to allow the transaction through.
Ultimately it all started with someone gaining access to your login information. And identifying who and how is outside of the banks' remit.
-
Theundertow99 wrote: »To access my online banking, they needed to have known an 8 digit numerical pin number, an alphabetical password and my full internet banking username.
As far as I recall allocated Nat West banking usernames are/were notoriously easy to guess as it's just your date of birth plus a low four digit number (the first customer on their records with that birthday got 0001, the second 0002 etc....)
And isn't it just a four character pin?
-
Could it be an employee that has been selling on information and has now been found out and sacked? It's rare, but it has happened before (I don't mean NatWest specifically).
I don't think employees have access to full pin numbers and passwords though - they're all encrypted.
When you call up you are usually asked to provide particular letters / digits from your pin and password to allow the employee access.
Information sales usually involve credit or debit card numbers and details (expiry dates etc)
-
Theundertow99 wrote: »Hi guys,
I'm looking for some advice. Yesterday lunch time, I received a text from my bank, Natwest, advising me that a new payee had been set up. Shortly after, I received a 2nd text saying (paraphrased) "your payment authorisation code is ***", your adviser will ask for this."
Obviously alarmed, I called the fraud team who told me that a payment of £2600 had been made, over telephone banking, to an account I didn't recognise. The adviser quickly figured out that it was not me and, after a few questions, said that they would refund the money.
So the fraud was discovered and dealt with.
Worryingly, they told me that, whoever it was, had accessed my internet banking several times during the night and were looking at my direct debits. They had then called up the telephone banking service, somehow passed security, and managed to make a payment.
I can see how that would be worrying.
Now, having the money refunded so quickly is, obviously, great. But this is where NatWest stopped being helpful. Understandably, I wanted to know how this could have happened. To access my online banking, they needed to have known an 8 digit numerical pin number, an alphabetical password and my full internet banking username. These figures were unique to my online banking, not used on any other account, not written down and I've never disclosed them to anyone.
I was simply unable to get any response from Natwest as to how this could've happened as they explained there are many ways. My secondary concern was how has this person, who was not me, managed to add a new payee and authorise an immediate payment of £2600? How have they passed security on the phone? Why would you have two factor authentication (a code sent by SMS or email) and then not require it to authorise a very unusual transaction, to a new payee? Surely there has been a failing at Natwest's end here? It's hard for me to set up new payees at times, you need a card reader to do it online, let alone someone who is not me and doesn't have access to my emails or phone.
This is a fraud investigation. As such they are not going to release information as to how it was achieved to you or anyone outside their own organisation. If such information were made public not only would it be an advantage to the criminal fraternity in planning future activity. It is an internal matter for NatWest.
I complained to Natwest and was, more or less, shot down by a member of their complaints team who essentially said, fraud happens, our security systems are top notch and it's not our fault that your data has been leaked. I'm not convinced they aren't at fault; they quickly refunded my money and will not provide me with any information regarding the call to them in which someone passed security, set up a brand new payee, calling from a phone number they won't have recognised and made the payment despite being unable to provide the authorisation code.
NatWest are not going to be able to explain how someone managed to obtain your account and security information from you. It could be any one of a number of things from someone who has access to your home to malware on your computer.
I would, as advised, change all your passwords in respect of online banking and email accounts. Also, keep an eye on your credit report for a while. If your NatWest details have been compromised perhaps other financial account details have too.
Any advice would be great. My overriding concern is how this could've happened, whether I can feasibly trust Natwest moving forward and what I can do to protect myself from further issues. Very worried about the amount of data this person was able to obtain while freely roaming my online banking profile...
You will probably never know how it happened but look close to home. The security systems in place at NatWest worked as the fraud was discovered and you have suffered no loss.
Thanks in advance
An unfortunate incident but NatWest have dealt with it. It will not be NatWest's security that has been compromised but your own. Look at your own security to ensure that it is as robust as possible and move on.
-
To access my online banking, they needed to have known an 8 digit numerical pin number, an alphabetical password and my full internet banking username.
From that I would work on the basis it's someone who could possibly be looking over your shoulder or you have a keystroke logging software on your computer.
Have you had a phone call about your infected computer?
-
p00hsticks wrote: »As far as I recall allocated Nat West banking usernames are/were notoriously easy to guess as it's just your date of birth plus a low four digit number (the first customer on their records with that birthday got 0001, the second 0002 etc....)
And isn't it just a four character pin?
In addition, to set up a new payee the user must use their debit card in the NatWest card reader which requires a different 4 digit PIN. It is possible to pay a new payee from the mobile app without a card reader but not for the value stated by the OP.
I would say the OP has had their security credentials compromised on several levels. The one that would concern me most is the debit card PIN as a key logging hack would not have revealed this unless the OP had this saved on their computer. Not to mention the fraudster also having access to the OP's debit card.
-
Theundertow99 wrote: »Cheers. I asked for this on the phone. The woman told me that DSARs have to be sent in writing but she could tell me, straight away, that they would not provide me with a copy of the call as it was not me who was on the call and, therefore, it could be a data protection breach to provide me with the call. She said they would only provide calls, relating to fraud cases, to the police. I will, however, submit a DSAR requesting it anyway.
To be honest, I'm surprised NatWest told you what they looked at, as it could affect any investigation into what's happened.
I consider myself to be a male feminist. Is that allowed?
-
Theundertow99 wrote: Worryingly, they told me that, whoever it was, had accessed my internet banking several times during the night and were looking at my direct debits. They had then called up the telephone banking service, somehow passed security, and managed to make a payment.
Quite how would your bank know that the person accessing your account in the night was not you?
Theundertow99 wrote: they would not provide me with a copy of the call as it was not me who was on the call and, therefore, it could be a data protection breach to provide me with the call
If they have been foolish enough to say they accept it was not you on the call (which they couldn't possibly know) then they will have to pay you out or prove that you were complicit in the funds transfer.
Is there anything else you'd like to say at this point?