  • FIRST POST
    • NuttyBird
    • By NuttyBird 9th Nov 18, 6:44 PM
    • 51 Posts
    • 16 Thanks
    NuttyBird
    Another Victim of NatWest's Insecure Banking Security Systems
    • #1
    • 9th Nov 18, 6:44 PM
    My Mother has been a victim of fraud to the sum of £19850 being stolen from her NatWest Bank Account. It looks like NatWest will not be making any attempt to get this money back into her Account, even though this is completely the fault of the bank due to their grossly negligent failure of the branch staff to recognise that a Fraud was in motion at the time and to take prompt action to stop it before the funds left the account.

    Looking at my mother’s bank statements it is also evident that the money was still in her account when she went into the bank to express her concerns about the fraud that was in action at the time.

    The events are as follows:

    My mother received 2 missed calls from the same number that appears on the back of her bank cards. The following day she answered the call, and the caller introduced themselves as the Fraud Team at NatWest. The caller clearly already had access to her bank account as they were able to list a couple of very recent transactions to try and build trust. To allow my mother to check the validity of the phone number and better verify, she asked to be called back later on her Landline Number, which she didn’t give them, but they obviously had it.

    Overnight ‐ From Bank Statements it can be seen that 5 transfers between Deposit accounts and the linked Current account take place, totalling £15,752, via the compromised online banking system. My mother went into the local branch, expressed concern that she had been contacted by the Fraud Team and wanted to check her card was working. She withdrew £35 as shown on the statement. The additional £15,752 was still in the account at this time totalling over £21,000.

    The fact that my mother went into the branch, and spoke to a cashier about the fact that she had been contacted by the Fraud Team should have raised alarm bells with the cashier and a further investigation should have taken place. But no – this did not happen and unfortunately my 69 year old mother has now lost £20,000.

    Today she received a letter from their (can you believe) Customer Care Team! Saying that they fully sympathise that you have been the victim of a scam and such a large sum of money lost is life changing and extremely distressing, but as a bank – the NatWest are confident that they have not made any errors and they have done all they can to assist in the retrieval of her money. The letter also says “You don’t need to take any further action now” REALLY!! And “I hope it won’t be necessary, but you have the right to refer your complaint to the Financial Ombudsman Service.”

    We feel the NatWest is negligent in its Duty of care and we are strongly considering legal action.

    Any advice greatly appreciated
    Thanks
    Nutty Bird

    £1 per day 2013
    Build a savings pot
    • antrobus
    • By antrobus 9th Nov 18, 7:05 PM
    • 16,213 Posts
    • 23,080 Thanks
    antrobus
    • #2
    • 9th Nov 18, 7:05 PM
    ... And “I hope it won’t be necessary, but you have the right to refer your complaint to the Financial Ombudsman Service.

    We feel the NatWest is negligent in its Duty of care and we are strongly considering legal action.

    Any advice greatly appreciated
    Thanks
    Originally posted by NuttyBird
    You refer your complaint to the FOS. If that fails, then by all means contact a solicitor in order to take legal action.
    • eskbanker
    • By eskbanker 9th Nov 18, 7:07 PM
    • 8,416 Posts
    • 9,527 Thanks
    eskbanker
    • #3
    • 9th Nov 18, 7:07 PM
    You mention 'the compromised online banking system' but have you (or NatWest) established if and/or how online banking was actually compromised? The fact that they're washing their hands of this suggests (to me) that they believe that the security credentials were disclosed by the account holder....

    I do get your point that (with hindsight) intervention after her branch visit may have prevented the large transfer, but with the dialogue between account holder and cashier being face to face rather than a routinely-recorded phone call it'll be tricky to establish exactly who said what though.
    • masonic
    • By masonic 9th Nov 18, 7:13 PM
    • 10,116 Posts
    • 7,399 Thanks
    masonic
    • #4
    • 9th Nov 18, 7:13 PM
    First of all, you should make use of the Financial Ombudsman Service before considering taking legal action. You can do this straight away based on what the bank has told you.

    My understanding is that NatWest uses card readers to verify outgoing payments to new destinations. So one question it would be useful to find the answer to is how were these payments made. Access to online banking and full details of login password/PIN should not have been enough. Perhaps while on the phone to the fraudsters she was asked to pop her card into the reader and type in some numbers, then read back the response to check her card was working?

    It does seem as though more should have been done when she visited the branch. This is probably the main thrust of your argument for compensation. Though you would be best to word your complaint a little less emotively than you have done here.
    • Heng Leng
    • By Heng Leng 9th Nov 18, 9:12 PM
    • 4,637 Posts
    • 1,485 Thanks
    Heng Leng
    • #5
    • 9th Nov 18, 9:12 PM
    The title is somewhat misleading - it wasn't NatWest's Insecure Banking Security Systems but your mother's actions that enabled the fraudulent transaction.
    • NuttyBird
    • By NuttyBird 9th Nov 18, 9:23 PM
    • 51 Posts
    • 16 Thanks
    NuttyBird
    • #6
    • 9th Nov 18, 9:23 PM
    The title is somewhat misleading - it wasn't NatWest's Insecure Banking Security Systems but your mother's actions that enabled the fraudulent transaction.
    Originally posted by Heng Leng
    The callers already had my Mother's details - so no, their systems were clearly insecure, as prior to any contact with my Mum they already had online access to her account, as they were able to register a new phone number on the account and quote her most recent transactions to gain her trust, and she only ever used online banking on her iPhone, so low risk of a computer being compromised. A lot of news recently about various banks' mobile banking apps being offline, so you have to wonder if that's because they've been hacked and are leaking people's passwords.
    Last edited by NuttyBird; 09-11-2018 at 9:33 PM.
    Nutty Bird

    £1 per day 2013
    Build a savings pot
    • antrobus
    • By antrobus 9th Nov 18, 9:48 PM
    • 16,213 Posts
    • 23,080 Thanks
    antrobus
    • #7
    • 9th Nov 18, 9:48 PM
    The callers already had my Mother's details - so no, their systems were clearly insecure, as prior to any contact with my Mum they already had online access to her account, as they were able to register a new phone number on the account and quote her most recent transactions to gain her trust, and she only ever used online banking on her iPhone, so low risk of a computer being compromised. A lot of news recently about various banks' mobile banking apps being offline, so you have to wonder if that's because they've been hacked and are leaking people's passwords.
    Originally posted by NuttyBird
    I'd say it was most likely that your mother divulged the necessary passwords.

    Think about it logically for a minute; if the fraudsters "already had online access to her account" why would they need to contact her at all? They would already possess the capability to empty her account, and any subsequent contact would run the risk of warning the target.

    That part of the story doesn't make sense, and “If it doesn't make sense, it's usually not true,” as the great Sheindlin puts it.
    • masonic
    • By masonic 9th Nov 18, 9:50 PM
    • 10,116 Posts
    • 7,399 Thanks
    masonic
    • #8
    • 9th Nov 18, 9:50 PM
    The callers already had my Mother's details - so no, their systems were clearly insecure
    Originally posted by NuttyBird
    There are a number of possible explanations as to how the fraudsters obtained enough of your mother's details to gain her trust, each with a different likelihood and responsible party. The bank clearly has taken a different view than your own. It would be prudent to consider why that might be.

    Regardless of how the details were obtained, possession of those details was not sufficient for the fraudsters to empty the account. Otherwise they would not have needed to phone your mother - to do so unnecessarily would have been plain stupid. So, they called her to obtain things they didn't have. Based on what happened next, it would appear they got what they needed.
    • antrobus
    • By antrobus 9th Nov 18, 10:03 PM
    • 16,213 Posts
    • 23,080 Thanks
    antrobus
    • #9
    • 9th Nov 18, 10:03 PM
    ....
    My understanding is that NatWest uses card readers to verify outgoing payments to new destinations. So one question it would be useful to find the answer to is how were these payments made. Access to online banking and full details of login password/PIN should not have been enough....
    Originally posted by masonic
    The fraudsters would need the PIN in order to be able to generate the necessary code on a card reader. I suppose it's possible, if you have full details of login/password, to request a PIN reminder, but that is by snail mail and takes days, and would require either a change of address or intercept.
    • Thrugelmir
    • By Thrugelmir 9th Nov 18, 11:05 PM
    • 61,024 Posts
    • 54,224 Thanks
    Thrugelmir
    To allow my mother to check the validity of the phone number and better verify, she asked to be called back later on her Landline Number, which she didn’t give them, but they obviously had it.
    Originally posted by NuttyBird
    Simply call directory enquiries to obtain the number. The bank didn't divulge it.

    How did they obtain her mobile number?
    Financial disasters happen when the last person who can remember what went wrong last time has left the building.
    • londoninvestor
    • By londoninvestor 9th Nov 18, 11:38 PM
    • 419 Posts
    • 343 Thanks
    londoninvestor
    OP, you may well get somewhere with the ombudsman, as their view is that banks should refund unless the customer has been "grossly" negligent (details here in MSE news story).

    "But it's not fair to automatically call a customer grossly negligent simply because they've fallen for a scam. That's especially true in light of the sophisticated way criminals exploit banks' security systems – and convince customers that their money is at risk."
    by Financial Ombudsman Service as reported by MSE
    You and your mum will need to be upfront about what information was disclosed to the fraudsters when they phoned, though. Your case won't necessarily be harmed (see the quote above) by having given some information away; it will be harmed if there are parts of the story that don't add up.
    • londoninvestor
    • By londoninvestor 9th Nov 18, 11:43 PM
    • 419 Posts
    • 343 Thanks
    londoninvestor
    so no their systems were clearly insecure as prior to any contact with my Mum they already had online access to her account, as they were able to register a new phone number on the account
    Originally posted by NuttyBird
    Do you mind expanding on this point about registering a new phone number on the account?
    • Heng Leng
    • By Heng Leng 10th Nov 18, 3:23 AM
    • 4,637 Posts
    • 1,485 Thanks
    Heng Leng
    There are a number of possible explanations as to how the fraudsters obtained enough of your mother's details to gain her trust, each with a different likelihood and responsible party. The bank clearly has taken a different view than your own. It would be prudent to consider why that might be.

    Regardless of how the details were obtained, possession of those details was not sufficient for the fraudsters to empty the account. Otherwise they would not have needed to phone your mother - to do so unnecessarily would have been plain stupid. So, they called her to obtain things they didn't have. Based on what happened next, it would appear they got what they needed.
    Originally posted by masonic
    RBS / NatWest would have required both a card (debit/authorisation) and valid pin to send to any new payee.

    Unless they re-ordered (or intercepted) both then the OP's mother provided them with the code - plain and simple.
    • masonic
    • By masonic 10th Nov 18, 7:51 AM
    • 10,116 Posts
    • 7,399 Thanks
    masonic
    The fraudsters would need the PIN in order to be able to generate the necessary code on a card reader. I suppose it's possible, if you have full details of login/password, to request a PIN reminder, but that is by snail mail and takes days, and would require either a change of address or intercept.
    Originally posted by antrobus
    ...and they'd need the card (or to have cloned the chip on the existing card) to generate a code from the card reader. I was referring to the online banking PIN in my post above but it's a good point to raise.

    Getting a replacement card would presumably deactivate the OP's mother's card. We know this didn't happen because she visited a branch and withdrew cash using her card after the money started disappearing.

    The only likely explanation is the OP's mother 'authorised' the transactions using her card reader over the phone to the fraudsters. So the classic vishing scam, for which we know customers generally don't get refunded.

    The only difference in this case is the customer visited a branch and might have said something that ought to have alerted the bank that this was happening in time to stop some of the money being taken. That seems to be the strongest argument for taking the complaint further depending on exactly what occurred at the bank branch.
    • jonnygee2
    • By jonnygee2 10th Nov 18, 12:40 PM
    • 444 Posts
    • 444 Thanks
    jonnygee2
    The additional £15,752 was still in the account at this time totalling over £21,000.
    You haven't actually said when or how the actual fraud took place, e.g. when did the money leave her account? What happened at that point?

    My mother went into the local branch, expressed concern that she had been contacted by the Fraud Team and wanting to check her card was working.
    The cashier probably should have clocked what was going on, but I don't think this is going to shift the overall liability to the bank. She didn't report a fraud. She also didn't make the transfer from the branch. Had either of those two things happened it would have been different, but as it is I think it's just a conversation and a cash withdrawal of £35.

    so you have to wonder if that's because they've been hacked and are leaking people's passwords.
    The bank's systems have not been hacked. If the bank's systems were hacked they wouldn't bother messing around phoning people etc, they'd just be clearing millions out of ledger accounts. This fraud clearly fits into the pattern of social engineering fraud. At some point the fraudsters will have gained initial access to your mum's account, for example with a phishing scam etc. Or the security details may even have been guessable or reused somewhere else. Banks' systems are very secure but other websites are not, and a lot of people repeat their passwords all over the place.

    Anyway, the point is, somewhere somehow your mother disclosed her personal details. It's worth raising to FOS because it's free to do so, but I think the chance is unlikely. FOS will most likely rule that although this is tragic, the fault lies with the fraudsters not the bank. Don't waste your money on a court case.

    You can read the outcomes of some similar cases on the FOS website. The most relevant upheld complaint I can think of is DRN3406759

    Everyone agrees it's terrible that these things happen. I understand how upsetting it must be, but it's probably time to accept this money is gone.
    • tacpot12
    • By tacpot12 10th Nov 18, 1:19 PM
    • 1,491 Posts
    • 1,274 Thanks
    tacpot12
    I'm curious as to what evidence you have that the fraudsters were able to register another phone to her account.
    • NuttyBird
    • By NuttyBird 10th Nov 18, 2:31 PM
    • 51 Posts
    • 16 Thanks
    NuttyBird
    This is the most concerning thing. My mother is not a frail 90 year old bewildered by technology, but an Internet savvy, and highly suspicious 68 year old, so despite what the masses may think here, she has neither been duped into revealing log in details to her on line banking or previously ‘leaked’ them.

    The sequence of events suggests that the fraudsters had already gained access to her online banking. At this point they called her, spoofing the caller ID to appear to be calling from the number on the back of the bank card. Her first mistake was not to hang up and then call back to the number on the back of the card. They then built her trust by saying that they suspected a fraud was taking place, furthering the pretence by quoting recent transactions on her account that were too recent to be on paper and intercepted in the post. How would they know these without being in the account? Whilst talking to her reassuringly, a message came through on her mobile (the only number registered on the account), saying that ‘a new number had been registered to receive notifications on the account - if this wasn’t you then please contact the bank on the number on the back of your card’. Because she was now confident she was talking to the bank, and they already had the matter in hand, that was her second mistake. But clearly, a new number can only be added to the account via access to the online banking.
    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.

    Once a new number has been successfully logged on the account then authorisation codes can be easily intercepted.

    Yes, during the process my mother put her card into the online banking card reader and authorised the setting up of a new payee, but not having a photographic memory for sort codes, and going only by the fact it appeared to be in her name and was the ‘safe account’, as the fraudsters commonly call it, she was still confident it was the bank she was dealing with.
    Last edited by NuttyBird; 10-11-2018 at 2:38 PM.
    Nutty Bird

    £1 per day 2013
    Build a savings pot
    • masonic
    • By masonic 10th Nov 18, 2:38 PM
    • 10,116 Posts
    • 7,399 Thanks
    masonic
    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.
    Originally posted by NuttyBird
    So if they got everything they needed from "hacking", why did they phone her at all?
    • msallen
    • By msallen 10th Nov 18, 2:39 PM
    • 906 Posts
    • 1,051 Thanks
    msallen
    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.
    Originally posted by NuttyBird
    No, you obviously don't want to hear it, but then the truth hurts sometimes. The only sane conclusion is that your mother has indeed "been duped into revealing log in details to her on line banking or previously ‘leaked’ them. "

    If the bank had really been hacked (and thus the criminals had access to the bank's servers) they wouldn't fart around ringing individual customers for the sake of a few tens of thousands. They obviously just had access to your mother's account, not the entire bank.
    • Rosemary7391
    • By Rosemary7391 10th Nov 18, 2:44 PM
    • 2,417 Posts
    • 4,076 Thanks
    Rosemary7391
    It sounds like they maybe got her online banking password somehow (keylogger, reused on a breached site, lucky guess/brute forced), and then did the social engineering fraud bit to convince her not to report the new number notification to the actual bank. Those texts are the security against this kind of thing - i.e. even if your online banking is compromised they cannot set up new payees, phone numbers etc without notifying you. I'm not sure how much clearer the bank can be with the "please call the number on the back of your card" bit. Sorry that your mum has lost out, but I can't see that the bank were at fault here.



    Guess the take home message is to always contact the bank yourself no matter how convincing the person on the other end of the phone is...
    Slinkies 2018 Challenge - 0/80lb lost
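
The sequence the thread describes (a new notification number, a new payee, savings swept into the current account, then one large payment out) can be written as a correlation rule on the bank's side. This is an added example, not part of any post and not NatWest's logic; the event names, thresholds and window are assumptions, and the log is constructed (amounts follow the thread, timestamps and ordering are made up).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)   # assumed look-back window before a payment
CONSOLIDATION_MIN = 3          # assumed: this many sweeps into the current account is unusual
LARGE_PAYMENT = 5_000          # assumed threshold in GBP


def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed event log for one customer.
EVENTS = [
    {"ts": T("2018-01-01 10:05"), "type": "notify_number_added"},
    {"ts": T("2018-01-01 10:20"), "type": "payee_added", "payee": "P1"},
    {"ts": T("2018-01-02 01:10"), "type": "internal_transfer", "amount": 3000},
    {"ts": T("2018-01-02 01:12"), "type": "internal_transfer", "amount": 3000},
    {"ts": T("2018-01-02 01:14"), "type": "internal_transfer", "amount": 3000},
    {"ts": T("2018-01-02 01:16"), "type": "internal_transfer", "amount": 3000},
    {"ts": T("2018-01-02 01:18"), "type": "internal_transfer", "amount": 3752},
    {"ts": T("2018-01-02 11:00"), "type": "cash_withdrawal", "amount": 35},
    {"ts": T("2018-01-02 15:30"), "type": "outbound_payment", "payee": "P1",
     "amount": 19850},
]


def review_payment(events, payment, window=WINDOW):
    """Return the account-takeover signals seen in the window before `payment`."""
    start = payment["ts"] - window
    recent = [e for e in events if start <= e["ts"] < payment["ts"]]
    signals = []
    # A newly registered notification number means the customer's own phone
    # may no longer receive the alerts that protect the account.
    if any(e["type"] == "notify_number_added" for e in recent):
        signals.append("new_notification_number")
    # The payment goes to a payee created inside the window.
    if any(e["type"] == "payee_added" and e.get("payee") == payment.get("payee")
           for e in recent):
        signals.append("payee_is_new")
    # Several deposit-to-current sweeps gather the balance in one place.
    sweeps = [e for e in recent if e["type"] == "internal_transfer"]
    if len(sweeps) >= CONSOLIDATION_MIN:
        signals.append("savings_consolidated")
    if payment["amount"] >= LARGE_PAYMENT:
        signals.append("large_amount")
    return signals


def decide(events, payment):
    """Hold a large payment to a new payee when a third signal backs it up."""
    signals = review_payment(events, payment)
    # A large payment to a new payee alone is common (a car, a deposit),
    # so one further signal is required before holding.
    hold = {"payee_is_new", "large_amount"} <= set(signals) and len(signals) >= 3
    return ("hold_for_callback" if hold else "release"), signals
```

A held payment would be released only after the bank itself reaches the customer on a number that was registered before the window began.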