Welcome to the MSE Forums
  • FIRST POST
    • NuttyBird
    • By NuttyBird 9th Nov 18, 6:44 PM
    • 51 Posts
    • 16 Thanks
    NuttyBird
    Another Victim of NatWest's Insecure Banking Security Systems
    My Mother has been a victim of fraud to the sum of £19850 being stolen from her NatWest Bank Account. It looks like NatWest will not be making any attempt to get this money back into her Account, even though this is completely the fault of the bank due to the grossly negligent failure of the branch staff to recognise that a Fraud was in motion at the time and to take prompt action to stop it before the funds left the account.

    Looking at my mother’s bank statements it is also evident that the money was still in her account when she went into the bank to express her concerns about the fraud that was in action at the time.

    The events are as follows:

    My mother received 2 missed calls from the same number that appears on the back of her bank cards. The following day she answered the call from someone who introduced themselves as the Fraud Team at NatWest. The caller clearly already had access to her bank account as they were able to list a couple of very recent transactions to try and build trust. To allow my mother to check the validity of the phone number and better verify, she asked to be called back later on her Landline Number, which she didn’t give them, but they obviously had it.

    Overnight ‐ From Bank Statements it can be seen that 5 transfers between Deposit accounts and the linked Current account take place, totalling £15,752, via the compromised online banking system. My mother went into the local branch, expressed concern that she had been contacted by the Fraud Team and wanted to check her card was working. She withdrew £35 as shown on the statement. The additional £15,752 was still in the account at this time, totalling over £21,000.

    The fact that my mother went into the branch, and spoke to a cashier about the fact that she had been contacted by the Fraud Team, should have raised alarm bells with the cashier and a further investigation should have taken place. But no – this did not happen and unfortunately my 69-year-old mother has now lost £20,000.

    Today she received a letter from their (can you believe) Customer Care Team! Saying that they fully sympathise that you have been the victim of a scam and such a large sum of money lost is life changing and extremely distressing, but as a bank – the NatWest are confident that they have not made any errors and they have done all they can to assist in the retrieval of her money. The letter also says “You don’t need to take any further action now” REALLY!! And “I hope it won’t be necessary, but you have the right to refer your complaint to the Financial Ombudsman Service.”

    We feel the NatWest is negligent in its Duty of care and we are strongly considering legal action.

    Any advice greatly appreciated
    Thanks
    Nutty Bird

    £1 per day 2013
    Build a savings pot
    • EachPenny
    • By EachPenny 10th Nov 18, 8:42 PM
    • 7,917 Posts
    • 21,351 Thanks
    EachPenny
    Presumably you have never made a purchase using your NatWest card.
    Originally posted by Chino
    Precisely.

    But that is because my security strategy includes never using cards for accounts with any substantial sums in them (or that could give access to large sums). All my day to day spending is on a credit card or one debit card with only a small amount of money available on it.

    The point being that your long card number doesn't have to be 'public' information.
    "In the future, everyone will be rich for 15 minutes"
    • EachPenny
    • By EachPenny 10th Nov 18, 8:51 PM
    • 7,917 Posts
    • 21,351 Thanks
    EachPenny
    Barclays' real line of security is its card reader system. I don't know Natwest but by the sounds of it this works in a similar way. This system is effectively a three step security system which needs a physical card + reader + pin number + online banking details to break, making it pretty much impenetrable.
    Originally posted by jonnygee2
    Physical card and PIN would be enough.

    That gives you the surname (1st step) and card number (2nd step) (either that or account number works in lieu of membership number).

    Then last 4 digits of the card number (again) and the PINSentry code. (3rd step and bingo!)

    Any PINSentry device will work, so you only need to steal/obtain the physical card and PIN.
    "In the future, everyone will be rich for 15 minutes"
    • societys child
    • By societys child 10th Nov 18, 9:08 PM
    • 5,519 Posts
    • 6,158 Thanks
    societys child
    There is one more thing you might want to try when you complain to the regulator.

    NatWest systems are highly insecure in that when you log onto internet banking you can choose either your customer number (which presumably is secret to you) or - and this is quite unusual - your card number.

    This is of course known to anybody who has ever had the card in their possession.

    Thus one bit of information needed to log on is basically public, i.e. your username which is your card number. Other banks - for example Nationwide and Lloyds - require your unique username which you can keep secret.

    To me this is completely unacceptable and is one reason why NatWest systems are insecure.

    Obviously they will need the password as well to log on. I don't know how the fraudsters got that; perhaps we will never know.
    Originally posted by 18cc
    This is wrong.
    The first time I logged in, yes it asked for customer number or card number.

    Then 3 digits from my online Pin + 3 characters from my password. (In random order)

    Subsequent logins no longer ask for the customer or card number, but require 3 digits from my online Pin + 3 characters from my password. It's actually more secure than certain other bank websites.

    Your suggested complaint to the regulator would be pointless and wrong.
    Last edited by societys child; 10-11-2018 at 9:13 PM.
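    The login sequence societys child describes (a random 3 of the online PIN's digits plus 3 of the password's characters) as an added example of how a server generates and checks such a partial-secret challenge; this is illustrative code written for this thread, not NatWest's implementation, and it assumes a constructed PIN and password and a hypothetical login session that holds the challenge. One caveat a practitioner should know: because the server must check individual characters, this scheme cannot store a single one-way hash of the whole password, which is the main trade-off of partial-password logins.

```python
import hmac
import secrets

# Constructed sample credentials for a fictitious customer (not real account data).
ONLINE_PIN = "482913"       # 6-digit online PIN chosen by the customer
PASSWORD = "correcthorse"   # online banking password
CHALLENGE_SIZE = 3          # positions asked from each secret, as in the post


def make_challenge(pin_len, pw_len, k=CHALLENGE_SIZE, rng=None):
    """Pick k distinct 1-based positions from the PIN and k from the password,
    each set in random order. The server keeps the result in the login session
    so the client cannot choose which positions it will be asked for."""
    rng = rng or secrets.SystemRandom()
    if pin_len < k or pw_len < k:
        raise ValueError("secret shorter than the %d positions requested" % k)
    return {
        "pin_positions": rng.sample(range(1, pin_len + 1), k),
        "password_positions": rng.sample(range(1, pw_len + 1), k),
    }


def expected_answer(challenge, pin, password):
    """The characters a customer holding the real secrets would type."""
    pin_part = "".join(pin[i - 1] for i in challenge["pin_positions"])
    pw_part = "".join(password[i - 1] for i in challenge["password_positions"])
    return pin_part + pw_part


def verify(challenge, answer, pin=ONLINE_PIN, password=PASSWORD):
    """Server-side check of an answer against the challenge held in the session.
    The verifier has to read individual characters of the stored secrets, so a
    partial-password scheme cannot keep one salted hash of the whole password."""
    if not isinstance(answer, str):
        return False
    expected = expected_answer(challenge, pin, password)
    # Constant-time comparison so response timing does not reveal which position failed.
    return hmac.compare_digest(answer.encode(), expected.encode())


if __name__ == "__main__":
    c = make_challenge(len(ONLINE_PIN), len(PASSWORD))
    print("Enter PIN digits", c["pin_positions"],
          "and password characters", c["password_positions"])
    print("accepted:", verify(c, expected_answer(c, ONLINE_PIN, PASSWORD)))
```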

    • 18cc
    • By 18cc 10th Nov 18, 9:51 PM
    • 850 Posts
    • 572 Thanks
    18cc
    Well I think from memory of when I had a NatWest account, as long as you had the debit card details and things like customer name, DOB then you can reset your internet banking logon without knowing a username.

    This allows you to get instantly a new PIN and password and logon using the card number as username.
    • A Nice Englishman
    • By A Nice Englishman 10th Nov 18, 9:52 PM
    • 2,135 Posts
    • 1,194 Thanks
    A Nice Englishman
    The OPs mother may or may not have been a victim of 'NatWest's Insecure Banking Security Systems' but she has been a victim of crime. Has it been reported to the police?
    • antrobus
    • By antrobus 10th Nov 18, 10:09 PM
    • 16,207 Posts
    • 23,070 Thanks
    antrobus
    The OPs mother may or may not have been a victim of 'NatWest's Insecure Banking Security Systems' but she has been a victim of crime. Has it been reported to the police?
    Originally posted by A Nice Englishman
    Gordon Bennett, you're right. Someone (including me) should have thunk of that.

    https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime
    • BooJewels
    • By BooJewels 10th Nov 18, 10:25 PM
    • 337 Posts
    • 239 Thanks
    BooJewels
    I did think about it and actually assumed that would have already have been dealt with by the family, long before discussing it with strangers on a forum. At least I hope.
    • jonnygee2
    • By jonnygee2 11th Nov 18, 12:51 AM
    • 444 Posts
    • 444 Thanks
    jonnygee2
    Barclays allow you to log in without the card reader. Actually, all those using card readers or number generator gadgets allow you to log in with or without them. If you logged in without them, you'll need the card reader etc for certain transactions, e.g. for setting up a new payee.
    Yes you are right of course. But this is where you have to differentiate between privacy and security. While logged in you can see someone's bank account info, maybe their salary and a load of confidential information. But that doesn't actually jeopardise the money itself.

    Barclays, Natwest etc then have this really funny, but perhaps sensible, split where they allow you to send money to known payees using only the login details. I guess this is a kind of 'known risk'. They know these details are not perfectly secure, but also the risk of sending to known payees is very low.

    So they only put in the real security steps for transfers to new payees. Personally, I don't like this split between known/new payees at all and the first time I understood it I thought it was kind of doomed.

    But actually, I will admit that it does seem to prevent the vast majority of fraud and I've come round to see the logic in it. I don't think it's as frictionless as it could be for the user and I think the 'accepted risk' of letting people transfer money to known payees with just the login information is not necessary. There has been an (admittedly incredibly rare) version of fraud that exploits this known vulnerability. But by and large, it does seem to prevent a lot. Imagine in the OP's scenario, for example - they wouldn't have even needed to phone her, and the fact they needed to go through all the rigmarole of phoning her and getting her to authorise the transaction for them shows how secure they think the system is, even after they've gained access to her online banking.

    If you are with these systems my best recommendation would be to delete all saved payees. This causes a lot of friction to the user (you!) but it does make your account far more secure.
    • masonic
    • By masonic 11th Nov 18, 7:20 AM
    • 10,108 Posts
    • 7,392 Thanks
    masonic
    Well I think from memory of when I had a NatWest account, as long as you had the debit card details and things like customer name, DOB then you can reset your internet banking logon without knowing a username.

    This allows you to get instantly a new PIN and password and logon using the card number as username.
    Originally posted by 18cc
    I checked this and it is now necessary to "re-register for internet banking". I didn't proceed any further but it didn't seem like something that could be done quickly and probably involves things being sent by post as the initial process of registering for internet banking does.

    TSB still allows you to reset details online using the above information, which might have helped some of the frauds occurring after their upgrade, but the Natwest process appears to be more robust.

    Edit: It also doesn't fit what happened in this instance as the OP's mother was still able to log in via mobile banking, which wouldn't have been the case if the PIN and password had been reset.
    Last edited by masonic; 11-11-2018 at 7:26 AM.
    • 18cc
    • By 18cc 11th Nov 18, 8:10 AM
    • 850 Posts
    • 572 Thanks
    18cc
    I don't have a Natwest account any more, but I did look at re-register for internet banking. There appears to be 2 ways - 'without your debit card details' in which case stuff is sent by post and 'with your debit card details' which allows you to do it there and then. You do need to input name and DOB first, but not sure what details they require off your debit card though.

    It does imply that armed with your name, DOB and debit card details anyone can reset your IB logon details!!

    Agreed this appears to not be what happened here as she could still logon.
    • masonic
    • By masonic 11th Nov 18, 8:25 AM
    • 10,108 Posts
    • 7,392 Thanks
    masonic
    I don't have a Natwest account any more, but I did look at re-register for internet banking. There appears to be 2 ways - 'without your debit card details' in which case stuff is sent by post and 'with your debit card details' which allows you to do it there and then. You do need to input name and DOB first, but not sure what details they require off your debit card though.

    It does imply that armed with your name, DOB and debit card details anyone can reset your IB logon details!!
    Originally posted by 18cc
    I set up a new Natwest current account earlier this year for a switching bonus, and discovered I needed to re-register for internet banking as they had remembered me from >10 years earlier when I had an ISA with them. I retained the correspondence relating to this, which says:

    [by email] "Here is your Customer Number. Please keep this number handy as you'll need this every time you log in. It's easy to remember as the first six digits are your date of birth.

    What Next?
    We'll send you an activation code separately - if we have your mobile number we'll send it by text within 48 hours, if not you'll receive a letter within 7-10 days..."


    As suggested above, they sent me a text with an activation code. So, like other banks, the above is vulnerable to a SIM swap attack. I agree this is a convenience-security trade off that is not worth it.

    Agreed this appears to not be what happened here as she could still logon.
    • 18cc
    • By 18cc 11th Nov 18, 8:44 AM
    • 850 Posts
    • 572 Thanks
    18cc
    Yes, I think that is true: when you register for the first time you need an activation code, but once you have registered, if you just 'forget' your details (i.e. a fraudster wants to get them) you can reset your details with your debit card. That is highly insecure, I think.
    • masonic
    • By masonic 11th Nov 18, 8:58 AM
    • 10,108 Posts
    • 7,392 Thanks
    masonic
    Yes, I think that is true: when you register for the first time you need an activation code, but once you have registered, if you just 'forget' your details (i.e. a fraudster wants to get them) you can reset your details with your debit card. That is highly insecure, I think.
    Originally posted by 18cc
    It seems you are correct. I was able to go through most of the process (without confirming in the final step). The information required was...

    First name (on card)
    Middle name(s) (not on card, but middle initial was there)
    Last name (on card)
    DOB
    Postcode
    Sort code (on card)
    Account number (not on card)
    Debit card number and CVV

    After providing those details I was asked to choose a new PIN and password. This is poor compared with other banks who at least send a code by SMS.

    None of the details asked for that were not on the card are things that can reasonably be kept secret.

    Edit: Just received an SMS and email confirming I'd re-registered even though I didn't go through with it and can still log in with my old details <sigh>
    Last edited by masonic; 11-11-2018 at 9:04 AM.
    • 18cc
    • By 18cc 11th Nov 18, 5:18 PM
    • 850 Posts
    • 572 Thanks
    18cc
    Well done for trying the process, not sure I'd have been brave enough with a live account!

    When you say debit card number do you mean the debit card PIN or the long number?

    I know Barclays are similar - if you have someone's debit card number and PIN (and name/DOB etc) you can reset the Internet Banking logon details. This might be convenient but NOT what I want. If I genuinely forget my logon details I want a secure way to find them - i.e. delivered to my home address by an armed guard courier, and not just reset using an insecure debit card.
    • Rosemary7391
    • By Rosemary7391 11th Nov 18, 5:51 PM
    • 2,413 Posts
    • 4,074 Thanks
    Rosemary7391
    Precisely.

    But that is because my security strategy includes never using cards for accounts with any substantial sums in them (or that could give access to large sums). All my day to day spending is on a credit card or one debit card with only a small amount of money available on it.

    The point being that your long card number doesn't have to be 'public' information.
    Originally posted by EachPenny

    Whilst I admire your commitment to security, I don't think this is a reasonable step to expect of the majority... I know it's hard for us to believe but some people struggle with maintaining just one account, never mind several, or having credit cards etc.



    It's all well and good to talk about making the system secure as can be, but it also has to be accessible and usable by the customer and that will always present a point of weakness - even more so when we make allowances for human nature, ie losing things, forgetting stuff, talking too much... no easy answers
    Last edited by Rosemary7391; 11-11-2018 at 5:52 PM. Reason: Can't do English today...
    Slinkies 2018 Challenge - 0/80lb lost
    • masonic
    • By masonic 11th Nov 18, 6:09 PM
    • 10,108 Posts
    • 7,392 Thanks
    masonic
    Well done for trying the process, not sure I'd have been brave enough with a live account!
    Originally posted by 18cc
    It's an account I opened for cashback; I don't use it and will probably use it as a donor account when the next opportunity presents.

    When you say debit card number do you mean the debit card PIN or the long number?
    The 16 digit card number. I would never, ever, input a card PIN into a website or mobile app. It should only ever be used on a card reading device to unlock the chip.

    I know Barclays are similar - if you have someone's debit card number and PIN (and name/DOB etc) you can reset the Internet Banking logon details. This might be convenient but NOT what I want. If I genuinely forget my logon details I want a secure way to find them - i.e. delivered to my home address by an armed guard courier, and not just reset using an insecure debit card.
    That's pretty poor. After all, if you have the physical debit card and PIN, then you can authorise the reset using their card reader system - if such a facility were in place. The same can be said of Natwest.

    The phone-based 2FA used by Lloyds group and TSB has its limitations, but at least it is used during these resets IIRC.
    • jonnygee2
    • By jonnygee2 11th Nov 18, 8:27 PM
    • 444 Posts
    • 444 Thanks
    jonnygee2
    Whilst I admire your commitment to security, I don't think this is a reasonable step to expect of the majority... I know it's hard for us to believe but some people struggle with maintaining just one account, never mind several, or having credit cards etc.



    It's all well and good to talk about making the system secure as can be, but it also has to be accessible and usable by the customer and that will always present a point of weakness - even more so when we make allowances for human nature, ie losing things, forgetting stuff, talking too much... no easy answers
    You are right, there is no easy way and the more complex it is, the more vulnerable it is. For example if you force passwords to be too complex you need.

    But, I am a big fan of the security system used by Starling and Monzo. You can lock the app itself with biometric security on your phone, to login on a new phone you'd need access to your email account, and any transfers need the PIN number. It causes very little friction but is incredibly hard to break, particularly if you have a secure email account with proper 2FA set up (not based on SMS!!!). They eschew all the complexity of login details by simply not having any at all :-). This is one of the main reasons these are my only two main accounts. You can also keep money aside in 'pots' keeping the usable balance low, if you want to.

    In terms of securing your card PAN, don't bother, it's impossible. Also unnecessary because banks refund debit card transactions quickly and painlessly where no PIN was used.
    • Uxb
    • By Uxb 11th Nov 18, 8:38 PM
    • 1,239 Posts
    • 1,356 Thanks
    Uxb
    I've often said that your email account should be one of the most secure in terms of password complexity.
    This is because so much can be done in terms of password resets with access to an email account.

    Although providers such as Gmail offer 2FA, Google revealed in early 2018 that less than 10% of actively used Gmail accounts had 2FA set up by the user.
    • pmduk
    • By pmduk 11th Nov 18, 8:48 PM
    • 9,359 Posts
    • 7,028 Thanks
    pmduk
    I know Barclays are similar - if you have someone's debit card number and PIN (and name/DOB etc) you can reset the Internet Banking logon details. This might be convenient but NOT what I want.
    Originally posted by 18cc
    IIRC don't you need to generate a code using the debit card and card reader, so you would need to have the card in your possession?
    • 18cc
    • By 18cc 12th Nov 18, 7:28 AM
    • 850 Posts
    • 572 Thanks
    18cc
    Yes you are right - to log on to your Barclays internet banking all I need is your debit card and PIN - the username is the long card number, i.e. not secret.

    To reset your logon details and logon that way I think you do it a different way just using debit card details like Natwest does but perhaps someone can try it and see the procedure.

    In any case, watch out for your debit card as if someone shoulder surfs you and gets to know your PIN and steals your card they can do a lot more damage than just getting money out of an ATM.

    Nationwide have an extra layer of security in that you still generate the codes in the same way using the debit card but you also need a username which the fraudster does not have. For Barclays and NatWest the username is emblazoned on the front of the debit card!
    Last edited by 18cc; 12-11-2018 at 7:33 AM.