Another Victim of NatWest's Insecure Banking Security Systems

Comments

  • 18cc
    18cc Posts: 2,120 Forumite
    There is one more thing you might want to try when you complain to the regulator.

    NatWest systems are highly insecure in that when you log onto internet banking you can choose either your customer number (which presumably is secret to you) or - and this is quite unusual - your card number.

    This is of course known to anybody who has ever had the card in their possession.

    Thus one bit of information needed to log on is basically public, i.e. your username, which is your card number. Other banks - for example Nationwide and Lloyds - require your unique username, which you can keep secret.

    To me this is completely unacceptable and is one reason why NatWest systems are insecure.

    Obviously they will need the password as well to log on. I don't know how the fraudsters got that; perhaps we will never know.
  • EachPenny
    EachPenny Posts: 12,239 Forumite
    18cc wrote: »
    ...thus one bit of information needed to log on is basically public, i.e. your username, which is your card number. Other banks - for example Nationwide and Lloyds - require your unique username, which you can keep secret.
    Barclays also allow the long card number to be used in place of a username.

    And in a scam situation it is debatable whether a username is more secure than a long card number... if you set your username up as "18ccNatWest" (as some people inevitably would) it might not take too many guesses to figure it out if other online accounts have already been compromised. ;)

    My NatWest long card number is known only to me and NatWest. :)
    "In the future, everyone will be rich for 15 minutes"
  • Uxb
    Uxb Posts: 1,340 Forumite
    18cc wrote: »
    Obviously they will need the password as well to log on. I don't know how the fraudsters got that; perhaps we will never know.

    In the case of NatWest, selected digits from an online login PIN first, and then secondly further selected digits from your online password.
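
The two-stage partial-credential login described in the post above, sketched from the server side as an added example (not part of the thread and not NatWest's code). The number of positions requested, the record layout and every name here are assumptions.

```python
import hmac
import secrets

# Assumption (not stated in the thread): 3 positions are asked from each secret.
POSITIONS_PER_CHALLENGE = 3

# Constructed sample record. Checking arbitrary positions means the server needs
# the individual characters; a single salted hash of the whole secret cannot
# answer such a challenge. Plaintext is used here only to keep the demo short.
SAMPLE_RECORD = {"pin": "4821", "password": "correcthorse9"}


def new_challenge(secret_length, k=POSITIONS_PER_CHALLENGE):
    """Pick k distinct 1-based positions with a CSPRNG, in ascending order."""
    return sorted(secrets.SystemRandom().sample(range(1, secret_length + 1), k))


def verify(stored_secret, positions, answer):
    """Compare the characters at the challenged positions in constant time."""
    if len(answer) != len(positions):
        return False
    expected = "".join(stored_secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def login(record, pin_positions, pin_answer, pw_positions, pw_answer):
    """Evaluate both stages so a failure does not reveal which one was wrong."""
    pin_ok = verify(record["pin"], pin_positions, pin_answer)
    pw_ok = verify(record["password"], pw_positions, pw_answer)
    return pin_ok and pw_ok


def blind_guess_space(pin_k, pw_k, pw_alphabet):
    """Number of equally likely answers to one combined challenge."""
    return (10 ** pin_k) * (pw_alphabet ** pw_k)


if __name__ == "__main__":
    pin_pos = new_challenge(len(SAMPLE_RECORD["pin"]))
    pw_pos = new_challenge(len(SAMPLE_RECORD["password"]))
    print("PIN positions asked:", pin_pos, "password positions asked:", pw_pos)
    print("Fixed demo challenge accepted:",
          login(SAMPLE_RECORD, [1, 3, 4], "421", [2, 7, 13], "ot9"))
    print("Answers per challenge (36-symbol password alphabet):",
          blind_guess_space(3, 3, 36))
```

Each login checks only the requested positions, so the answer space per attempt is far smaller than that of the full password; attempt limits and lockout carry much of the protection in a scheme like this.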
  • Chino
    Chino Posts: 2,029 Forumite
    EachPenny wrote: »
    My NatWest long card number is known only to me and NatWest.
    Presumably you have never made a purchase using your NatWest card.
  • jonnygee2
    jonnygee2 Posts: 2,086 Forumite
    And in a scam situation it is debatable whether a username is more secure than a long card number... if you set your username up as "18ccNatWest" (as some people inevitably would) it might not take too many guesses to figure it out if other online accounts have already been compromised.

    You are right, having a unique username doesn't really help. The password should be unguessable and unknowable. If it is neither then the same is probably true of the username. If you want to add more security, it doesn't really help to add more of the same thing.

    Barclays' real line of security is its card reader system. I don't know NatWest but by the sounds of it this works in a similar way. This system is effectively a three step security system which needs a physical card + reader + pin number + online banking details to break, making it pretty much impenetrable.

    Pretty much always it's the users themselves who are the source of the vulnerability, and people are still, by and large, very poorly educated about how to keep their online presence secure.
  • colsten
    colsten Posts: 17,597 Forumite
    jonnygee2 wrote: »
    Barclays' real line of security is its card reader system. I don't know NatWest but by the sounds of it this works in a similar way. This system is effectively a three step security system which needs a physical card + reader + pin number + online banking details to break, making it pretty much impenetrable.
    Barclays allow you to log in without the card reader. Actually, all those using card readers or number generator gadgets allow you to log in with or without them. If you logged in without them, you'll need the card reader etc for certain transactions, e.g. for setting up a new payee.
  • 18cc
    18cc Posts: 2,120 Forumite
    Well I suppose the equivalent would be sticking a label on my Nationwide debit card saying my internet banking user ID is 169842751 and leaving it there for anyone to see.
  • masonic
    masonic Posts: 23,240 Forumite
    edited 10 November 2018 at 9:41PM
    18cc wrote: »
    Well I suppose the equivalent would be sticking a label on my Nationwide debit card saying my internet banking user ID is 169842751 and leaving it there for anyone to see.
    I don't think using a debit card number as an alternative to entering a username is particularly convenient, and nobody has mentioned NatWest's policy of using your DOB as the first 6 digits of the actual username, with only 4 digits that could ostensibly be kept secret. These practices are quite clearly not ideal.

    However, there's nothing wrong with having a public username and all of the security loaded into the password etc. Allowing short passwords is a far worse crime. So a solution for those who are forced to use a username they can't keep secret is to pick a secret username and prepend or append that to your password.

    The username for my email account is known to everyone I have ever emailed, but I have a 20-character* password and 2-factor authentication (using TOTP), so don't consider this a security risk - email is often the gateway to other accounts being compromised, so I'd consider it as precious as an online banking account.

    * approximately
  • EachPenny
    EachPenny Posts: 12,239 Forumite
    Chino wrote: »
    Presumably you have never made a purchase using your NatWest card.
    Precisely.

    But that is because my security strategy includes never using cards for accounts with any substantial sums in them (or that could give access to large sums). All my day to day spending is on a credit card or one debit card with only a small amount of money available on it.

    The point being that your long card number doesn't have to be 'public' information.
    "In the future, everyone will be rich for 15 minutes"
This discussion has been closed.