Natwest data breach?


  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    GT732 said:
    I believe it is this one. It is something leaking somewhere, it would be very hard for someone to sit and generate or use some form of a system to match my full name (correctly spelled), 16 digit number, and expiry date with the correct 3 digit security code...
    Unlikely, it is far more likely that they have got some of the details elsewhere and pieced them together and then as stated done a brute force attack on it.

    If they have bought the card details name and card number from a data breach it is not beyond the realms of technology to brute force against a month and year and 3 digit codes with the right horse power.

    Not a hugely common attack, but it is around and used every day.

    If Natwest had been compromised to the point that you are suggesting they would have had to declare it and it would be in the news, even if they hadn't got to the point of notifying those involved.
  • born_again
    born_again Posts: 19,606 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    GT732 said:
    Afternoon, I had a notification on my app on Sunday after midnight that I need to approve a payment. I quickly logged on and it said £25 to some work site website. It didn't give me the option to approve or reject, I quickly froze my card and the payment didn't go through.

    In Jan 2022, in the morning I saw a notification to approve a payment. By the time I logged on somehow the payment approved itself. Whilst this was for £1, when I called fraud they said several payments were attempted prior to it being approved. I was advised persons using the card were attempting to guess the 3 digits on the back. Why didn't they block the card automatically?

    A new card was issued back then. I used this card in local retailers such as supermarkets, B&Q etc from Jan 2022 to Dec 2022. I have not used this card for the whole of 2023 or 2024.

    So this Sunday I called fraud again and it was connected to India and they advised someone must have used my card and pin... (you don't need to use a pin for an online transaction).

    As I have not used the card for nearly 2 years, I am now wondering whether there is a data breach with Natwest. No one will wait 2 years after cloning your card to use it. 

    Anyone else faced something similar? 

    They do. It's surprising the amount of attempted fraud on expired cards.
    A lot of compromised cards are sold on, some a few times before being used.
    Life in the slow lane
  • GT732
    GT732 Posts: 11 Forumite
    First Post
    Ergates said:
    GT732 said:

    But then the other main issue is Natwest's system doesn't even attempt to block the card or freeze it when I have clearly been told the 3 digits were being guessed. There's 999 combinations on that alone.

    They'll block the card automatically if too many incorrect attempts are made, the same as with a PIN.   Also the same as with a PIN, they don't block straight away on the first failure as people mistyping their own numbers is common.

    GT732 said:

    What makes it worse is if you wish to transfer more than £750 from your account and do so via app you need that stupid calculator they provide to generate a pin. But how does that work because that is never connected to the Internet so Natwest does work on some algorithms which are weak.
    You not understanding how something works doesn't make it weak.
    If a device is not connected to the Internet or a mobile phone signal how does it update or receive instant live data? I.e. a phone can receive two step verification, but those calculators are preprogrammed.... If something is preprogrammed and linked to your account to give certain denominations it won't be that difficult to crack.

    Several attempts were made in the 2022 fraud and card was not blocked or frozen, as I state a payment was successful after several unsuccessful attempts. Don't they automatically check IP addresses? Or the time of the day? These payments were all done between 1-6am. Again on Sunday it was 1230am. Surely their system must detect and accept vast majority of people are asleep at that time so several attempts should not have been allowed. 
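
The lockout behaviour described in the post above (block after too many incorrect security-code attempts, not on the first failure), as an added example that is not part of the thread and not Natwest's actual logic. The log format, card tokens, threshold and window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorisation log (not real data); field names are assumptions.
SAMPLE_LOG = """\
2022-01-14T01:02:10 card=tok_A result=CVV_MISMATCH amount=1.00
2022-01-14T01:02:41 card=tok_A result=CVV_MISMATCH amount=1.00
2022-01-14T01:03:05 card=tok_B result=CVV_MISMATCH amount=42.50
2022-01-14T01:03:30 card=tok_B result=APPROVED amount=42.50
2022-01-14T01:03:55 card=tok_A result=CVV_MISMATCH amount=1.00
2022-01-14T01:04:20 card=tok_A result=CVV_MISMATCH amount=1.00
2022-01-14T01:05:02 card=tok_A result=APPROVED amount=1.00
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, dict of fields)."""
    stamp, *pairs = line.split()
    return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)

def review_cvv_failures(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return {card: {"blocked_at": datetime, "approved_after_block": [datetime]}}.

    A card is blocked once it has max_failures CVV mismatches inside the
    sliding window; a single mistype followed by success is left alone.
    """
    recent = defaultdict(deque)   # card -> timestamps of recent CVV failures
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, fields = parse_line(line)
        card = fields["card"]
        if card in findings:
            # Anything approved after the block point should have been declined.
            if fields["result"] == "APPROVED":
                findings[card]["approved_after_block"].append(when)
            continue
        if fields["result"] != "CVV_MISMATCH":
            continue
        failures = recent[card]
        failures.append(when)
        while when - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            findings[card] = {"blocked_at": when, "approved_after_block": []}
    return findings

if __name__ == "__main__":
    for card, info in review_cvv_failures(SAMPLE_LOG).items():
        print(card, info["blocked_at"].isoformat(), len(info["approved_after_block"]))
```

In the constructed log, tok_B (one mistype, then success) is left alone, while tok_A reaches the threshold on its third failure and the later £1 approval is reported as one that a lockout would have declined.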
  • GT732
    GT732 Posts: 11 Forumite
    First Post
    eskbanker said:
    GT732 said:
    It is something leaking somewhere, it would be very hard for someone to sit and generate or use some form of a system to match my full name (correctly spelled), 16 digit number, and expiry date with the correct 3 digit security code...
    It's not entirely straightforward but it's certainly possible - the name often isn't validated, there will only be less than ten digits out of 16 needed (the first six will be within published BIN ranges and there will be at least one checksum digit, where algorithms are known), expiry date will be no more than 36 or 48 possibilities, etc.

    I'm not saying there can't be data leaks, and certainly there'll be more relevant ones than in that old story above, but am simply challenging your apparent inability to countenance the other possibilities that are more likely....
    Unfortunately it appears this forum seems to put the onus on the OP's ability to comprehend something. What I am explaining is something rather straightforward... A card unused for two years, yet again with the same bank. I have several other bank accounts and cards and to date never had a single issue with them in relation to suspicious attempts let alone successful ones and with those cards I used thousands of times online and offline. Yet a card I don't use (key word don't) is compromised.

    The story you mention is published, there are cases that go unheard. In every organisation there's always someone bent that loves a backhander or sell data and if you think this can't happen unless it's published then that's down to your lack of acumen not mine.
  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    No one is saying it can't happen, however it is on the lower end of probabilities as to what has happened. The amount of effort and working around security systems to do what you heard of 15 years ago today is a magnitude higher.

    You appear to be fixated that your method is the one and only explanation.
  • eskbanker
    eskbanker Posts: 36,740 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    GT732 said:
    What I am explaining is something rather straightforward... A card unused for two years, yet again with the same bank. I have several other bank accounts and cards and to date never had a single issue with them in relation to suspicious attempts let alone successful ones and with those cards I used thousands of times online and offline. Yet a card I don't use (key word don't) is compromised.
    So your conclusion is that fraud on one card and not others must signify a data breach at the bank concerned - you really can't contemplate any of the other possibilities?

    GT732 said:
    The story you mention is published, there are cases that go unheard. In every organisation there's always someone bent that loves a backhander or sell data and if you think this can't happen unless it's published then that's down to your lack of acumen not mine.
    Where did I say that or anything close to it?  I specifically clarified that "I'm not saying there can't be data leaks, and certainly there'll be more relevant ones than in that old story above", but my point remains that there are a range of possibilities here, rather than the one you seem to have decided on....
  • Ergates
    Ergates Posts: 2,930 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    GT732 said:
    If a device is not connected to the Internet or a mobile phone signal how does it update or receive instant live data?
    It doesn't.

    GT732 said:
    If something is preprogrammed and linked to your account to give certain denominations it won't be that difficult to crack. 
    You, clearly, have absolutely no idea how such systems work.  Why on earth would you imagine you are in any way qualified to say how easy or hard they are to crack?
  • I had a data breach last week when I switched my bank, they somehow entered the wrong house number on my account, despite addressing my online letters to the right address. They issued my card and pin to the wrong address. They gave me £100 as compensation.
  • GT732
    GT732 Posts: 11 Forumite
    First Post
    400ixl said:
    GT732 said:
    I believe it is this one. It is something leaking somewhere, it would be very hard for someone to sit and generate or use some form of a system to match my full name (correctly spelled), 16 digit number, and expiry date with the correct 3 digit security code...
    Unlikely, it is far more likely that they have got some of the details elsewhere and pieced them together and then as stated done a brute force attack on it.

    If they have bought the card details name and card number from a data breach it is not beyond the realms of technology to brute force against a month and year and 3 digit codes with the right horse power.

    Not a hugely common attack, but it is around and used every day.

    If Natwest had been compromised to the point that you are suggesting they would have had to declare it and it would be in the news, even if they hadn't got to the point of notifying those involved.
    Not all banks do make noise though do they? The reported link earlier was public because the staff member contacted customers notifying them of the breach who in turn went to Natwest seeking compensation. 

    Fraud payments are successful yet how many of us check our statements regularly? I'm on the ball because of the nature of my job, others are not too bothered particularly the online shopping crowd who just spend, spend and spend. 
  • GT732
    GT732 Posts: 11 Forumite
    First Post
    Ergates said:
    GT732 said:
    If a device is not connected to the Internet or a mobile phone signal how does it update or receive instant live data?
    It doesn't.

    GT732 said:
    If something is preprogrammed and linked to your account to give certain denominations it won't be that difficult to crack. 
    You, clearly, have absolutely no idea how such systems work.  Why on earth would you imagine you are in any way qualified to say how easy or hard they are to crack?
    Did I say I am qualified? You seem to jump to conclusions. You have a poor attitude. It's not rocket science is it on how these systems work is it? A pre programmed calculator will have so many denominations. In fact they don't even issue a new one with a new card. For you it might be rocket science but for me it isn't.