  • FIRST POST
    • NuttyBird
    • By NuttyBird 9th Nov 18, 6:44 PM
    • 51Posts
    • 16Thanks
    NuttyBird
    Another Victim of NatWest's Insecure Banking Security Systems
    My mother has been a victim of fraud, with the sum of £19850 being stolen from her NatWest bank account. It looks like NatWest will not be making any attempt to get this money back into her account, even though this is completely the fault of the bank due to the grossly negligent failure of its branch staff to recognise that a fraud was in motion at the time and to take prompt action to stop it before the funds left the account.

    Looking at my mother’s bank statements it is also evident that the money was still in her account when she went into the bank to express her concerns about the fraud that was in action at the time.

    The events are as follows:

    My mother received 2 missed calls from the same number that appears on the back of her bank cards. The following day she answered the call; the caller introduced themselves as the Fraud Team at NatWest. The caller clearly already had access to her bank account as they were able to list a couple of very recent transactions to try and build trust. To allow my mother to check the validity of the phone number and better verify, she asked to be called back later on her landline number, which she didn’t give them, but they obviously had it.

    Overnight ‐ From bank statements it can be seen that 5 transfers between deposit accounts and the linked current account took place, totalling £15,752, via the compromised online banking system. My mother went into the local branch, expressed concern that she had been contacted by the Fraud Team and wanted to check her card was working. She withdrew £35 as shown on the statement. The additional £15,752 was still in the account at this time, totalling over £21,000.

    The fact that my mother went into the branch and spoke to a cashier about the fact that she had been contacted by the Fraud Team should have raised alarm bells with the cashier, and a further investigation should have taken place. But no – this did not happen and unfortunately my 69 year old mother has now lost £20,000.

    Today she received a letter from their (can you believe) Customer Care Team! Saying that they fully sympathise that you have been the victim of a scam and such a large sum of money lost is life changing and extremely distressing, but as a bank – the NatWest are confident that they have not made any errors and they have done all they can to assist in the retrieval of her money. The letter also says “You don’t need to take any further action now” REALLY!! And “I hope it won’t be necessary, but you have the right to refer your complaint to the Financial Ombudsman Service.”

    We feel the NatWest is negligent in its Duty of care and we are strongly considering legal action.

    Any advice greatly appreciated
    Thanks
    Nutty Bird

    £1 per day 2013
    Build a savings pot
    • jonnygee2
    • By jonnygee2 10th Nov 18, 2:47 PM
    • 505 Posts
    • 506 Thanks
    jonnygee2
    she has neither been duped into revealing log in details to her on line banking or previously ‘leaked’ them
    Her details have been leaked somewhere. It could be someone has backdoor entrance to her computer. It could be she used the same details on other sites to which they have access. Or they were guessable / based on personal information. Or they duped her into entering them into a mirror site somewhere.

    Ultimately she was duped by a phone call so it's obviously conceivable she was duped by an email or other form of phishing attack. The phone call was the second part of the attack; the first part came earlier, it could have been several months ago.

    Therefore the only sane conclusion is that the fraudsters have already hacked the system and are able to access online accounts.
    I don't doubt they had access. But the only way to gain access is to use the security details, which they knew somehow. You can't 'hack' into bank accounts any other way.
    • NuttyBird
    • By NuttyBird 10th Nov 18, 3:07 PM
    • 51 Posts
    • 16 Thanks
    NuttyBird
    Well they obviously need to phone you to social engineer you into not being concerned about the text messages you’re getting, but the fact remains banking systems have been compromised in the past and will again in the future, and yet the banking industry continues to wash its hands of the issues.
    Nutty Bird

    £1 per day 2013
    Build a savings pot
    • londoninvestor
    • By londoninvestor 10th Nov 18, 3:15 PM
    • 488 Posts
    • 405 Thanks
    londoninvestor
    Well they obviously need to phone you to social engineer you into not being concerned about the text messages you’re getting, but the fact remains banking systems have been compromised in the past and will again in the future, and yet the banking industry continues to wash its hands of the issues.
    Originally posted by NuttyBird
    Not sure that's entirely true - I'm thinking of those Barclays TV ads over the summer warning specifically about calls claiming to be from the bank. And if I set up a payment to a new payee for my Santander account online, I get more than one warning about push payment scams, and the screen suggests I might like to set the payment for tomorrow rather than today, so I can change my mind.

    There's also the IT work ongoing to provide "confirmation of payee name" and warn you if the payee's account name doesn't match what you think it is. Sadly that wasn't there in time for your mum.

    In your shoes, I'd still go to the ombudsman, give a frank account of what happened, and hope they'll regard it in the same light as the case of "Brian" here, who did get his money back: https://www.bbc.co.uk/news/business-45265609

    One customer called Brian contacted the Ombudsman service after his bank refused to refund him £7,000 in a text message scam.

    Brian received a message he thought was from his bank and unwittingly gave out his security details and passcodes.

    As a result, the bank said he had been grossly negligent and refused to refund the money.

    After reviewing the details, the Ombudsman decided it was a sophisticated fraud, and that the fraudsters had gained Brian's trust and therefore his actions were reasonable.

    They forced the bank to reimburse Brian's £7,000.
    by BBC
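
How a payee-name check of the kind londoninvestor describes could flag the "safe account" in this thread, as an added example that is not part of the original posts or any bank's code. The matching rules, result labels and all names are assumptions constructed for illustration.

```python
import re
import unicodedata

TITLES = {"mr", "mrs", "ms", "miss", "dr"}  # honorifics ignored when comparing


def normalise(name):
    """Lower-case, strip accents, punctuation and honorifics; return name tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z]+", text.lower())
    return [t for t in tokens if t not in TITLES]


def edit_distance(a, b):
    """Levenshtein distance, used to tolerate a single typo in the surname."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_payee(entered_name, account_holder_name):
    """Compare the name the payer typed with the name on the receiving account."""
    entered, held = normalise(entered_name), normalise(account_holder_name)
    if not entered or not held:
        return "NO_MATCH"
    if entered == held:
        return "MATCH"
    # Assumed rule: surname within one edit and forenames sharing an initial.
    surname_ok = edit_distance(entered[-1], held[-1]) <= 1
    if surname_ok and len(entered) > 1 and len(held) > 1:
        if entered[0][0] == held[0][0]:
            return "CLOSE_MATCH"
    return "NO_MATCH"


def new_payee_decision(entered_name, account_holder_name):
    """Turn the comparison into the message shown before a new payee is saved."""
    result = check_payee(entered_name, account_holder_name)
    if result == "MATCH":
        return result, "Name matches the account. Continue."
    if result == "CLOSE_MATCH":
        return result, (f"The account is held by '{account_holder_name}'. "
                        "Check this is who you intend to pay.")
    # The holder's name is not revealed on a complete mismatch.
    return result, ("Name does not match the account holder. Do not pay until "
                    "you have verified the details independently.")


if __name__ == "__main__":
    # Constructed scenario: the payer is told the 'safe account' is in her own
    # name, but the receiving account is held by someone else.
    cases = [("Mrs Jane Smith", "JANE SMITH"), ("J Smith", "Jane Smith"),
             ("Jane Smith", "R Taylor")]
    for entered, holder in cases:
        print(entered, "->", new_payee_decision(entered, holder))
```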
    • colsten
    • By colsten 10th Nov 18, 3:25 PM
    • 9,433 Posts
    • 8,389 Thanks
    colsten
    ................ Her first mistake was not to hang up and then call back to the number on the back of the card.
    Originally posted by NuttyBird


    she was now confident she was talking to the bank, and they already had the matter in hand, then that was her second mistake.
    Originally posted by NuttyBird

    Yes during the process my mother put her card into the online banking card reader and authorised the setting up of a new payee,
    Originally posted by NuttyBird
    That was her third mistake. It is very likely that your mother had previously made one or more additional mistakes, which resulted in the fraudsters having access to her account in the first instance. I am afraid, there is nothing in what you have reported that sounds as if NatWest have been negligent but the FOS will be in a better position than us strangers on the internet who don't have access to the full details of this case.
    • jonnygee2
    • By jonnygee2 10th Nov 18, 3:27 PM
    • 505 Posts
    • 506 Thanks
    jonnygee2
    In your shoes, I'd still go to the ombudsman, give a frank account of what happened, and hope they'll regard it in the same light as the case of "Brian" here, who did get his money back:
    Firstly, this relies on the assumption that the mother didn't actually authorise the transaction. The poster hasn't made this assertion yet, they haven't actually said how the money was transferred.

    If the transaction was actually unauthorised by the mother, then it is a bit different. But it's very unlikely, because the bank's response was that 'but as a bank – the NatWest are confident that they have not made any errors' which indicates they were not dealing with an unauthorised transaction (in which case they would have to carefully state why they felt it was grossly negligent).

    In fact, even if it was unauthorised I think the bank would have enough to show gross negligence - for example ignoring the second number set up on the account and not taking action after realising that money had been transferred between her accounts.

    But as a case with FOS it would still stand a lot more chance than if the transaction was actually authorised by the mother.

    IMPORTANT EDIT; Sorry, I just saw the post where the OP says that the mother indeed did authorise the transaction with the card reader. So this is NOT a case of an unauthorised transaction. This makes it completely different to the 'Brian' case mentioned in the BBC. Where a transaction is unauthorised the banks must PROVE gross negligence. Where the account holder authorised the transaction, to have any chance of success they need to prove the bank was grossly negligent.
    Last edited by jonnygee2; 10-11-2018 at 3:32 PM.
    • londoninvestor
    • By londoninvestor 10th Nov 18, 3:27 PM
    • 488 Posts
    • 405 Thanks
    londoninvestor
    Also, NatWest do say:

    We will never ask you to use your card-reader to log in to Online Banking, and we will never phone you to ask for your card-reader details.
    I'm not sure if they print that on the card reader itself - they probably should. Nationwide do, for example.
    • londoninvestor
    • By londoninvestor 10th Nov 18, 3:30 PM
    • 488 Posts
    • 405 Thanks
    londoninvestor
    Firstly, this relies on the assumption that the mother didn't actually authorise the transaction. The poster hasn't made this assertion yet, they haven't actually said how the money was transferred.
    Originally posted by jonnygee2
    Fair point.

    (Edit - although, the spirit of the FOS's position there seems to focus more on how "sophisticated" and plausible the fraudsters sounded, rather than the specific actions they conned Brian into.)
    Last edited by londoninvestor; 10-11-2018 at 3:36 PM.
    • masonic
    • By masonic 10th Nov 18, 3:32 PM
    • 10,277 Posts
    • 7,629 Thanks
    masonic
    Yes during the process my mother put her card into the online banking card reader and authorised the setting up of a new payee, but not having a photographic memory for sort codes, and going only by the fact it appeared to be in her name and was the ‘safe account’ the fraudsters commonly call it, she was still confident it was the bank she was dealing with.
    Originally posted by NuttyBird
    Thanks for editing this in to your post. That clarifies the situation. Next step: refer your complaint to the FOS, part 1 - details of why your mother believed she was on the phone with the genuine Natwest fraud department, part 2 - the missed opportunity to stop the fraud in branch.
    • londoninvestor
    • By londoninvestor 10th Nov 18, 3:46 PM
    • 488 Posts
    • 405 Thanks
    londoninvestor
    not having a photographic memory for sort codes, and going only by the fact it appeared to be in her name and was the ‘safe account’ the fraudsters commonly call it, she was still confident it was the bank she was dealing with.
    Originally posted by NuttyBird
    A couple of questions on this:
    1. Do you know if the recipient account was NatWest?
    2. If it wasn't, does NatWest online banking show which bank a sort code belongs to? No bank has the full "verification of payee" yet, but some (e.g. Santander) will at least show you which bank a sort code belongs to when you set up a payment to it, which is a partial line of defence against this kind of attack. If NatWest online banking doesn't show you that, I'd suggest that's worth mentioning to the FOS.
    • BooJewels
    • By BooJewels 10th Nov 18, 3:57 PM
    • 351 Posts
    • 255 Thanks
    BooJewels
    I must admit, in reading through this, I'm struggling to fathom how this could have been perpetrated without your mother unfortunately doing something that she perhaps shouldn't have done - probably inadvertently and maybe some time ago. I've always had the suspicion that they gather this material over a decent interval, snippets at a time. We've had a real task with one elderly relative in trying to train them not to give their life story when a scammer rings. "Hello Mrs x, we're just ringing from your bank Santander" "Ooh, I think you've got the wrong person, I bank with TSB". etc etc.

    I don't bank with NatWest, but the banks I do use now flash up a screen when you set up a new payee warning to be sure that you know the payee you're sending to, to double check if the recipient has just told you that they've changed banks and that the bank fraud department will never ask you to transfer money into another account and that the bank do not operate "safe accounts".

    To me, the one place the bank missed an opportunity and may be considered wanting was when your Mum told counter staff about it, that maybe should have warranted a bit more of a detailed conversation with staff. I would hope that if one of my older relatives had raised the same concerns they'd be given more appropriate assistance.
    • antrobus
    • By antrobus 10th Nov 18, 4:08 PM
    • 16,325 Posts
    • 23,194 Thanks
    antrobus
    This is the most concerning thing. My mother is not a frail 90 year old bewildered by technology, but an Internet savvy, and highly suspicious 68 year old, so despite what the masses may think here, she has neither been duped into revealing log in details to her on line banking or previously ‘leaked’ them. ...
    Originally posted by NuttyBird
    Mmm, well, actually if your mother does refer her complaint to the FOS, claiming that she is a frail OAP bewildered by technology might be more likely to result in a successful outcome.

    Someone who is "Internet savvy" and "highly suspicious" really should have known that getting a text message on their mobile saying that a new number had been registered which they hadn't requested themselves meant that their account had been compromised. And putting your debit card into a card reader and authorising the setting up of a new payee at the instigation of some third party over the phone, is just plain stupid. I don't mean to cause offence, but it really is.

    I think you should stop being angry with NatWest. It's not their fault. Your mother has fallen for a fairly standard scam. She is not as internet savvy as you think. It may well be that in her particular circumstances, the NatWest could have done more, and that might persuade the FOS to rule in her favour.

    But stick to the facts and outlining the sequence of events when complaining to the FOS. Don't make silly assertions about systems being hacked.
    • 18cc
    • By 18cc 10th Nov 18, 5:15 PM
    • 897 Posts
    • 604 Thanks
    18cc
    There is one more thing you might want to try when you complain to the regulator.

    NatWest systems are highly insecure in that when you log onto internet banking you can choose either your customer number (which presumably is secret to you) or - and this is quite unusual - your card number.

    This is of course known to anybody who has ever had the card in their possession.

    Thus one bit of information needed to log on is basically public, i.e. your username, which is your card number. Other banks - for example Nationwide and Lloyds - require your unique username, which you can keep secret.

    To me this is completely unacceptable and is one reason why NatWest systems are insecure.

    Obviously they will need the password as well to log on. I don't know how the fraudsters got that; perhaps we will never know.
    • EachPenny
    • By EachPenny 10th Nov 18, 6:14 PM
    • 8,604 Posts
    • 23,306 Thanks
    EachPenny
    ...thus one bit of information needed to logon is basically public i.e. your username which is your card number. Other banks - for example nationwide and lloyds - require your unique username which you can keep secret
    Originally posted by 18cc
    Barclays also allow the long card number to be used in place of a username.

    And in a scam situation it is debatable whether a username is more secure than a long card number... if you set your username up as "18ccNatWest" (as some people inevitably would) it might not take too many guesses to figure it out if other online accounts have already been compromised.

    My NatWest long card number is known only to me and NatWest.
    "In the future, everyone will be rich for 15 minutes"
    • Tallaght
    • By Tallaght 10th Nov 18, 6:30 PM
    • 793 Posts
    • 621 Thanks
    Tallaght
    https://personal.natwest.com/personal/security-centre/vishing.html?intcam=N_PC_HPTO_0_WTBWU_SyC_SC_Vish2018_Link_a2
    • Uxb
    • By Uxb 10th Nov 18, 6:33 PM
    • 1,267 Posts
    • 1,413 Thanks
    Uxb
    obviously they will need the password as well to log on I don't know how the fraudsters got that perhaps we will never know
    Originally posted by 18cc
    In the case of NatWest, selected digits from an online login PIN first and then secondly further selected digits from your online password.
    • Chino
    • By Chino 10th Nov 18, 6:46 PM
    • 609 Posts
    • 330 Thanks
    Chino
    My NatWest long card number is known only to me and NatWest.
    Originally posted by EachPenny
    Presumably you have never made a purchase using your NatWest card.
    • jonnygee2
    • By jonnygee2 10th Nov 18, 6:55 PM
    • 505 Posts
    • 506 Thanks
    jonnygee2
    And in a scam situation it is debatable whether a username is more secure than a long card number... if you set your username up as "18ccNatWest" (as some people inevitably would) it might not take too many guesses to figure it out if other online accounts have already been compromised.
    You are right, having a unique username doesn't really help. The password should be unguessable and unknowable. If it is neither then the same is probably true of the username. If you want to add more security, it doesn't really help to add more of the same thing.

    Barclays real line of security is its card reader system. I don't know Natwest but by the sounds of it this works in a similar way. This system is effectively a three step security system which needs a physical card + reader + pin number + online banking details to break, making it pretty much impenetrable.

    Pretty much always it's the users themselves who are the source of the vulnerability, and people are still, by and large, very poorly educated about how to keep their online presence secure.
    • colsten
    • By colsten 10th Nov 18, 7:58 PM
    • 9,433 Posts
    • 8,389 Thanks
    colsten
    Barclays real line of security is its card reader system. I don't know Natwest but by the sounds of it this works in a similar way. This system is effectively a three step security system which needs a physical card + reader + pin number + online banking details to break, making it pretty much impenetrable.
    Originally posted by jonnygee2
    Barclays allow you to log in without the card reader. Actually, all those using card readers or number generator gadgets allow you to log in with or without them. If you logged in without them, you'll need the card reader etc for certain transactions, e.g. for setting up a new payee.
    • 18cc
    • By 18cc 10th Nov 18, 8:01 PM
    • 897 Posts
    • 604 Thanks
    18cc
    Well I suppose the equivalent would be sticking a label on my Nationwide debit card saying my internet banking user ID is 169842751 and leaving it there for anyone to see
    • masonic
    • By masonic 10th Nov 18, 8:37 PM
    • 10,277 Posts
    • 7,629 Thanks
    masonic
    Well I suppose the equivalent would be sticking a label on my Nationwide debit card saying my internet banking user ID is 169842751 and leaving it there for anyone to see
    Originally posted by 18cc
    I don't think using a debit card number as an alternative to entering a username is particularly convenient, and nobody has mentioned Natwest's policy of using your DOB as the first 6 digits of the actual username, with only 4 digits that could ostensibly be kept secret. These practices are quite clearly not ideal.

    However, there's nothing wrong with having a public username and all of the security loaded into the password etc. Allowing short passwords is a far worse crime. So a solution for those who are forced to use a username they can't keep secret is to pick a secret username and prepend or append that to your password.

    The username for my email account is known to everyone I have ever emailed, but I have a 20-character* password and 2-factor authentication (using TOTP), so don't consider this a security risk - email is often the gateway to other accounts being compromised, so I'd consider it as precious as an online banking account.

    * approximately
    Last edited by masonic; 10-11-2018 at 8:41 PM.