Another Victim of NatWest's Insecure Banking Security Systems
Barclays' real line of security is its card reader system. I don't know NatWest but by the sounds of it this works in a similar way. This system is effectively a three-step security system which needs a physical card + reader + PIN number + online banking details to break, making it pretty much impenetrable.
That gives you the surname (1st step) and card number (2nd step) (either that or account number work in lieu of membership number).
Then last 4 digits of the card number (again) and the PINSentry code. (3rd step and bingo!)
Any PINSentry device will work, so you only need to steal/obtain the physical card and PIN.
"In the future, everyone will be rich for 15 minutes"
-
There is one more thing you might want to try when you complain to the regulator.
NatWest systems are highly insecure in that when you log onto internet banking you can choose either your customer number (which presumably is secret to you) or - and this is quite unusual - your card number.
This is of course known to anybody who has ever had the card in their possession.
Thus one bit of information needed to log on is basically public, i.e. your username, which is your card number. Other banks - for example Nationwide and Lloyds - require your unique username, which you can keep secret.
To me this is completely unacceptable and is one reason why NatWest systems are insecure.
Obviously they will need the password as well to log on. I don't know how the fraudsters got that; perhaps we will never know.
The first time I logged in, yes it asked for customer number or card number.
Then 3 digits from my online Pin + 3 characters from my password. (In random order)
Subsequent logins no longer ask for the customer or card number, but require 3 digits from my online Pin + 3 characters from my password. It's actually more secure than certain other bank websites.
Your suggested complaint to the regulator would be pointless and wrong.
-
Well I think from memory of when I had a NatWest account, as long as you had the debit card details and things like customer name, DOB then you can reset your internet banking logon without knowing a username.
This allows you to get instantly a new PIN and password and logon using the card number as username.
-
The OP's mother may or may not have been a victim of 'NatWest's Insecure Banking Security Systems' but she has been a victim of crime. Has it been reported to the police?
-
A_Nice_Englishman wrote: » The OP's mother may or may not have been a victim of 'NatWest's Insecure Banking Security Systems' but she has been a victim of crime. Has it been reported to the police?
Gordon Bennett, you're right. Someone (including me) should have thunk of that.
https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime
-
I did think about it and actually assumed that would already have been dealt with by the family, long before discussing it with strangers on a forum. At least I hope.
-
Barclays allow you to log in without the card reader. Actually, all those using card readers or number generator gadgets allow you to log in with or without them. If you logged in without them, you'll need the card reader etc for certain transactions, e.g. for setting up a new payee.
Yes, you are right of course. But this is where you have to differentiate between privacy and security. While logged in you can see someone's bank account info, maybe their salary and a load of confidential information. But that doesn't actually jeopardise the money itself.
Barclays, NatWest etc. then have this really funny, but perhaps sensible, split where they allow you to send money to known payees using only the login details. I guess this is a kind of 'known risk'. They know these details are not perfectly secure, but also the risk of sending to known payees is very low.
So they only put in the real security steps for transfers to new payees. Personally, I don't like this split between known/new payees at all and the first time I understood it I thought it was kind of doomed.
But actually, I will admit that it does seem to prevent the vast majority of fraud and I've come round to see the logic in it. I don't think it's as frictionless as it could be for the user and I think the 'accepted risk' of letting people transfer money to known payees with just the login information is not necessary. There has been an (admittedly incredibly rare) version of fraud that exploits this known vulnerability. But by and large, it does seem to prevent a lot. Imagine in the OP's scenario, for example - they wouldn't have even needed to phone her, and the fact they needed to go through all the rigmarole of phoning her and getting her to authorise the transaction for them shows how secure they think the system is, even after they've gained access to her online banking.
If you are with these systems my best recommendation would be to delete all saved payees. This causes a lot of friction to the user (you!) but it does make your account far more secure.
-
Well I think from memory of when I had a NatWest account, as long as you had the debit card details and things like customer name, DOB then you can reset your internet banking logon without knowing a username.
This allows you to get instantly a new PIN and password and logon using the card number as username.
TSB still allows you to reset details online using the above information, which might have helped some of the frauds occurring after their upgrade, but the NatWest process appears to be more robust.
Edit: Also, it doesn't fit what happened in this instance as the OP's mother was still able to log in via mobile banking, which wouldn't have been the case if the PIN and password had been reset.
-
I don't have a NatWest account any more, but I did look at re-registering for internet banking. There appear to be 2 ways - 'without your debit card details', in which case stuff is sent by post, and 'with your debit card details', which allows you to do it there and then. You do need to input name and DOB first, but not sure what details they require off your debit card though.
It does imply that armed with your name, DOB and debit card details anyone can reset your IB logon details!!
Agreed this appears to not be what happened here as she could still logon.
-
I don't have a NatWest account any more, but I did look at re-registering for internet banking. There appear to be 2 ways - 'without your debit card details', in which case stuff is sent by post, and 'with your debit card details', which allows you to do it there and then. You do need to input name and DOB first, but not sure what details they require off your debit card though.
It does imply that armed with your name, DOB and debit card details anyone can reset your IB logon details!!
[by email] "Here is your Customer Number. Please keep this number handy as you'll need this every time you log in. It's easy to remember as the first six digits are your date of birth.
What Next?
We'll send you an activation code separately - if we have your mobile number we'll send it by text within 48 hours, if not you'll receive a letter within 7-10 days..."
As suggested above, they sent me a text with an activation code. So, like other banks, the above is vulnerable to a SIM swap attack. I agree this is a convenience-security trade-off that is not worth it.
Agreed this appears to not be what happened here as she could still logon.
This discussion has been closed.