Another Victim of NatWest's Insecure Banking Security Systems


Comments

  • EachPenny
    EachPenny Posts: 12,239 Forumite
    First Post Combo Breaker
    jonnygee2 wrote: »
    Barclays real line of security is its card reader system. I don't know Natwest but by the sounds of it this works in a similar way. This system is effectively a three step security system which needs a physical card + reader + pin number + online banking details to break, making it pretty much impenetrable.
    Physical card and PIN would be enough.

    That gives you the surname (1st step) and card number (2nd step) (either that or account number work in lieu of membership number).

    Then last 4 digits of the card number (again) and the PINSentry code. (3rd step and bingo!)

    Any PINSentry device will work, so you only need to steal/obtain the physical card and PIN.
    "In the future, everyone will be rich for 15 minutes"
  • societys_child
    societys_child Posts: 7,110 Forumite
    First Anniversary Name Dropper First Post
    edited 10 November 2018 at 10:13PM
    18cc wrote: »
    There is one more thing you might want to try when you complain to the regulator.

    NatWest systems are highly insecure in that when you log onto internet banking you can choose either your customer number (which presumably is secret to you) or - and this is quite unusual - your card number

    this is of course known to anybody who has ever had the card in their possession

    thus one bit of information needed to logon is basically public i.e. your username which is your card number. Other banks - for example Nationwide and Lloyds - require your unique username which you can keep secret

    to me this is completely unacceptable and is one reason why NatWest systems are insecure

    obviously they will need the password as well to log on. I don't know how the fraudsters got that; perhaps we will never know
    This is wrong.
    The first time I logged in, yes it asked for customer number or card number.

    Then 3 digits from my online Pin + 3 characters from my password. (In random order)

    Subsequent logins no longer ask for the customer or card number, but require 3 digits from my online Pin + 3 characters from my password. It's actually more secure than certain other bank websites.


    Your suggested complaint to the regulator would be pointless and wrong.
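The partial-credential challenge described in the post above (three digits from the online PIN plus three characters from the password, at randomly chosen positions) can be modelled as follows. This is an added example written for this thread, not NatWest's code or any poster's; the credential values, the PIN length and the three-attempt lockout are constructed assumptions.

```python
"""Partial-credential login challenge: the server asks for k characters of
the online PIN and k characters of the password at random positions.
Added illustration only; not a bank's implementation."""
import hmac
import secrets

# Constructed sample credentials for a fictional customer (assumed lengths).
ONLINE_PIN = "492817"
PASSWORD = "correcthorse"
MAX_ATTEMPTS = 3  # assumed lockout threshold


def make_challenge(pin_len, pw_len, k=3, rng=None):
    """Return the 1-based positions the customer must supply, in random order."""
    rng = rng or secrets.SystemRandom()
    return {
        "pin": rng.sample(range(1, pin_len + 1), k),
        "pw": rng.sample(range(1, pw_len + 1), k),
    }


def expected_response(pin, password, challenge):
    """The characters a genuine customer would type for this challenge."""
    return ("".join(pin[p - 1] for p in challenge["pin"])
            + "".join(password[p - 1] for p in challenge["pw"]))


def verify(pin, password, challenge, response):
    """Constant-time comparison of the supplied characters with the expected ones."""
    want = expected_response(pin, password, challenge).encode()
    return hmac.compare_digest(want, response.encode())


class LoginSession:
    """One challenge per session, locked after MAX_ATTEMPTS failures.

    The challenge stays fixed for the session instead of being regenerated
    after each failure, so repeated wrong answers do not expose new positions.
    """

    def __init__(self, pin, password, rng=None):
        self._pin, self._pw = pin, password
        self.challenge = make_challenge(len(pin), len(password), rng=rng)
        self.failures = 0
        self.locked = False

    def attempt(self, response):
        if self.locked:
            return False
        if verify(self._pin, self._pw, self.challenge, response):
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    session = LoginSession(ONLINE_PIN, PASSWORD)
    print("Enter PIN digits at positions", session.challenge["pin"],
          "and password characters at positions", session.challenge["pw"])
    answer = expected_response(ONLINE_PIN, PASSWORD, session.challenge)
    print("genuine customer accepted:", session.attempt(answer))
```

The design point worth noticing is the storage trade-off: because the server must check individual characters, it cannot keep the PIN and password as a single salted hash and has to store per-position values it can recover (typically encrypted under a key held in an HSM). The scheme limits what a keylogger or shoulder-surfer learns from one login, at the price of a more sensitive credential store and a fixed-challenge, limited-attempt policy like the one modelled here.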
  • 18cc
    18cc Posts: 2,120 Forumite
    Well I think from memory of when I had a NatWest account, as long as you had the debit card details and things like customer name, DOB then you can reset your internet banking logon without knowing a username.

    This allows you to get instantly a new PIN and password and logon using the card number as username.
  • A_Nice_Englishman
    The OP's mother may or may not have been a victim of 'NatWest's Insecure Banking Security Systems' but she has been a victim of crime. Has it been reported to the police?
  • antrobus
    antrobus Posts: 17,386 Forumite
    The OP's mother may or may not have been a victim of 'NatWest's Insecure Banking Security Systems' but she has been a victim of crime. Has it been reported to the police?

    Gordon Bennett, you're right. Someone (including me) should have thunk of that. :)

    https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime
  • BooJewels
    BooJewels Posts: 2,868 Forumite
    First Anniversary Photogenic First Post Name Dropper
    I did think about it and actually assumed that would have already have been dealt with by the family, long before discussing it with strangers on a forum. At least I hope.
  • jonnygee2
    jonnygee2 Posts: 2,086 Forumite
    Name Dropper First Post Combo Breaker First Anniversary
    Barclays allow you to log in without the card reader. Actually, all those using card readers or number generator gadgets allow you to log in with or without them. If you logged in without them, you'll need the card reader etc for certain transactions, e.g. for setting up a new payee.

    Yes you are right of course. But this is where you have to differentiate between privacy and security. While logged in you can see someone's bank account info, maybe their salary and a load of confidential information. But that doesn't actually jeopardise the money itself.

    Barclays, Natwest etc then have this really funny, but perhaps sensible, split where they allow you to send money to known payees using only the login details. I guess this is a kind of 'known risk'. They know these details are not perfectly secure, but also the risks of sending to known payees is very low.

    So they only put in the real security steps for transfers to new payees. Personally, I don't like this split between known/new payees at all and the first time I understood it I thought it was kind of doomed.

    But actually, I will admit that it does seem to prevent the vast majority of fraud and I've come round to see the logic in it. I don't think it's as frictionless as it could be for the user and I think the 'accepted risk' of letting people transfer money to known payees with just the login information is not necessary. There has been an (admittedly incredibly rare) version of fraud that exploits this known vulnerability. But by and large, it does seem to prevent a lot. Imagine the OP's scenario, for example - they wouldn't have even needed to phone her, and the fact they needed to go through all the rigmarole of phoning her and getting her to authorise the transaction for them shows how secure they think the system is, even after they've gained access to her online banking.

    If you are with these systems my best recommendation would be to delete all saved payees. This causes a lot of friction to the user (you!) but it does make your account far more secure.
  • masonic
    masonic Posts: 23,278 Forumite
    Photogenic Name Dropper First Post First Anniversary
    edited 11 November 2018 at 8:26AM
    18cc wrote: »
    Well I think from memory of when I had a NatWest account, as long as you had the debit card details and things like customer name, DOB then you can reset your internet banking logon without knowing a username.

    This allows you to get instantly a new PIN and password and logon using the card number as username.
    I checked this and it is now necessary to "re-register for internet banking". I didn't proceed any further but it didn't seem like something that could be done quickly and probably involves things being sent by post as the initial process of registering for internet banking does.

    TSB still allows you to reset details online using the above information, which might have helped some of the frauds occurring after their upgrade, but the Natwest process appears to be more robust.

    Edit: Also, it also doesn't fit what happened in this instance as the OP's mother was still able to log in via mobile banking, which wouldn't have been the case if the PIN and password had been reset.
  • 18cc
    18cc Posts: 2,120 Forumite
    I don't have a Natwest account any more, but I did look at re-register for internet banking. There appears to be 2 ways - 'without your debit card details' in which case stuff is sent by post and 'with your debit card details' which allows you to do it there and then. You do need to input name and DOB first, but not sure what details they require off your debit card though.

    It does imply that armed with your name, DOB and debit card details anyone can reset your IB logon details!!

    Agreed this appears to not be what happened here as she could still logon.
  • masonic
    masonic Posts: 23,278 Forumite
    Photogenic Name Dropper First Post First Anniversary
    18cc wrote: »
    I don't have a Natwest account any more, but I did look at re-register for internet banking. There appears to be 2 ways - 'without your debit card details' in which case stuff is sent by post and 'with your debit card details' which allows you to do it there and then. You do need to input name and DOB first, but not sure what details they require off your debit card though.

    It does imply that armed with your name, DOB and debit card details anyone can reset your IB logon details!!
    I set up a new Natwest current account earlier this year for a switching bonus, and discovered I needed to re-register for internet banking as they had remembered me from >10 years earlier when I had an ISA with them. I retained the correspondence relating to this, which says:

    [by email] "Here is your Customer Number. Please keep this number handy as you'll need this every time you log in. It's easy to remember as the first six digits are your date of birth.

    What Next?
    We'll send you an activation code separately - if we have your mobile number we'll send it by text within 48 hours, if not you'll receive a letter within 7-10 days..."

    As suggested above, they sent me a text with an activation code. So, like other banks, the above is vulnerable to a SIM swap attack. I agree this is a convenience-security trade off that is not worth it.
    Agreed this appears to not be what happened here as she could still logon.
This discussion has been closed.