back to article NatWest tightens online banking security after hacks' 'hack' exposé

NatWest is tightening up its internet banking systems after security shortcomings were exposed by journalists. BBC hacks were able to hijack a colleague's NatWest online bank account and transfer money without knowing her password. The UK bank's parent, Royal Bank of Scotland (RBS) Group, is also shoring up its security. …

  1. Ken Moorhouse Silver badge

    communicating with them using ALL of their registered methods

    Who reads emails that purportedly come from the bank?

    Who listens to automated messages on their phone that supposedly come from the bank? I've inadvertently deleted credit card fraud prevention messages because they start off in spammy ways.

    This could be a good USP for the Royal Mail. People are more likely to trust a communication that comes through the post, more than anything else. It is also in writing, so carries legal weight. Whenever the bank rings me for marketing purposes I tell them to write to me. The problem with that of course, is the delay involved.

    Even the post has its problems. Crims can divert your post, or in some cases arrange to be there when the postman arrives. There is no one size fits all. The customer going into the branch is the ideal way, but flagging that up to the customer is not so easy.

    1. Anonymous Coward
      Anonymous Coward

      Re: communicating with them using ALL of their registered methods

      Well if they'd just digitally sign their email ...

    2. Rich 11 Silver badge

      Re: communicating with them using ALL of their registered methods

      The customer going into the branch is the ideal way

      Although they might have to rein back on their branch closure programme to make that a feasible option for a lot of us.

      1. Fatman Silver badge
        Joke

        Re: communicating with them using ALL of their registered methods

        <quote>Although they might have to rein back on their branch closure executive bonus pool programme to make that a feasible option for a lot of us.</quote>

        FTFY!!!

    3. aidanstevens

      Re: communicating with them using ALL of their registered methods

      The authenticity of phishing e-mails tends to be so pathetically bad that spotting a genuine e-mail from my bank is extremely quick and easy.

      1. NotWorkAdmin

        Re: communicating with them using ALL of their registered methods

        @aidanstevens I doubt we're talking about weirdos such as you and I. Virtually every "normal" person I know has fallen for this kind of thing and a lot of them do it regularly. That's friends, family and worst of all people I work with.

        The most troubling thing in the article for me is the premise that an attacker can gain access to my phone number without my knowledge.

    4. Doctor Syntax Silver badge

      Re: communicating with them using ALL of their registered methods

      "Who reads emails that purportedly come from the bank?"

      There's another side to that - by sending out spam the banks are training their customers to respond to phishing emails.

      Much as I'd like to suggest firing the guilty in the marketing departments (that's probably entire departments) there are ways in which things could be improved.

      My own solution to the bank email problem is to have my own domain and use that to give the banks etc their own email aliases to address any emails to me. Unless some bank employee has my email address on his BYOD - which he shouldn't - and loses it then I can reasonably rely on any email that claims to come from my bank actually having done so*.

      I appreciate that not everyone wants to run their own domain. A simpler solution would be that email hosters provide each customer with a subdomain within which the customer can set up their own aliases so instead of NatWest sending emails to fred.bloggs@example.com they send to nw.2016@fredbloggs.example.com or even better 55de6ff8-e541-11e5-b6b8-78acc0c6193c@fredbloggs.example.com.**

      The other technical improvement would be to make PGP a core part of an extended SMTP so that if I get an email which purports to come from my bank it would be signed and my email provider's server would verify the signature with the bank's public key before accepting it.*** For good measure I might have a copy of the bank's expected key on my email client, just in case the email were to come from someone@my-bannk.com.

      Today's email standards and practices are rapidly becoming inadequate and need to be improved.

      *In fact, this may not be correct. I have had words with more than one financial institution about their having employed digital marketing companies spammers to send out valuable marketing communications spam. If that were to happen under my current system I'd then have to change the alias and complain bitterly about the hassle. The alias might well be changed by changing bank. Maybe fire the marketing departments just to be on the safe side.

      **This does, of course, rely on email providers not having their database popped by teenage skiddies using exploits older than themselves. Come to that, so does my existing arrangement but I think that, unlike other internet companies I've left behind, they're prepared to keep their security up-to-date.

      ***The keys would either be served from the bank's email server or the bank's DNS records would include an alternative address. And, yes, I do know that PGP can be enabled on my email client today; do you know it's not a rhism of use without most other correspondents also using it? It needs to become universal to be of use and the only way for that to happen is for it to become adopted into the standard so that non-use can be deprecated.

  2. Ole Juul

    one in 10,000

    Our records show that of all the people who enroll in online banking and forget their details, only 0.01 per cent are fraudulent.

    How many bank robbers is an acceptable number?

    1. Richard Jones 1
      WTF?

      Re: one in 10,000

      So that would appear to be the ones worth robbing since the subsequent reports on R4 suggested average thefts of > £ 10,000 a time. Nice business if you can get it and they did.

  3. Anonymous Coward
    Anonymous Coward

    I once tried to ring NatWest to report a Bad Thing that was going on around NatWest online, it was a bit trixy

    After about an hour I was passed through to someone who thought they knew what email was

    I gave up

    1. All names Taken
      Paris Hilton

      Reply like ...

      Just saying like but

      After about an hour I was passed through to someone who thought they knew what email was

      Might be a good thing as the bank might be (but not in your case) talking to someone with criminal intent?

      Jus sayin like thats all

  4. The Quiet One

    Been there, done that, got the paperwork!

    My Wife's Natwest account got hacked about two weeks ago, probably using this method. She went to logon and was asked for 10th and 11th characters of a password she thought was only 10.... She was not notified in any way that the password had been changed.

    Meanwhile the erstwhile crims had moved over £4k in £900 lumps (probably because that's below a threshold that sets of alarms bells in the fraud team) to her current account, set up a new payee and tried to pay off a Barclay's Credit Card Bill with it.

    In fairness to Natwest, it was swiftly and painlessly dealt with and we were refunded in about 5 days, but it should not be this easy to do, surely?

    A mandatory notification of any change to account details via multiple communication channels is a good start, I suppose.

    Personally I would like to see the perpetrators caught, flayed over a gun carriage in Parliament Square and hung by their you-know-what's from London Bridge! (other cities and landmarks are available)

    1. Anonymous Coward
      Anonymous Coward

      Re: Been there, done that, got the paperwork!

      That's appalling and I am pleased that it was sorted out in the end. But it could have left the pair of you in dire straits during the five days which, of course, would have been worrying times.

      I'm with NatWest and I haven't installed the banking app on my phone (only because I don't think that phones and banking should mix) and this is another reason why I won't.

      As I say, I am pleased it was sorted in the end but, firstly, it shouldn't have taken so long to sort out and, secondly, it shouldn't have happened in the first place. May I ask how you got NatWest to accept that there was a problem at all?

      AC because I am also a customer.

      1. The Quiet One

        Re: Been there, done that, got the paperwork!

        She received a call about suspicious activity when they tried to pay the credit card bill, she tried to login to check it out and when she couldn't Natwest took over and sorted it all out.

        It would have been much more stressful had it been more money than it was, and the turnaround time was OK as I could support us from my own accounts. She had to wait for a letter with a new activation for the On-line Banking and a new debit card which delayed sorting it out completely. So the money was probably back pretty quickly but she couldn't access it for 5 days.

        I also steer well clear of banking on my mobile. I feel there are some things I just don't trust Android with, the same reason my Play Store account has no permanent payment details. I use gift cards if I want to buy something from their ,which is super rare.

        1. David Roberts Silver badge

          Re: Been there, done that, got the paperwork!

          I note that a new debit card was also issued.

          As per other comments, you should need to validate that you hold a card linked to your account before you can set up a new payee.

          So was the first criminal act to steal or clone the debit card, followed by an attempt to use it to transfer money?

    2. Anonymous Coward
      Anonymous Coward

      Re: Been there, done that, got the paperwork!

      I had this very thing happen to me last year. i.e. someone try to pay a Barclaycard debt using money from my account. NatWest refunded the money the same day (within the hour actually). No password change and I don't have their app installed on my phone. Well, how could I when said phone is a Nokia 6310????

      no 'stranger' online access to my account either.

      The silly thing is that by paying a BarclayCard, you know who is getting the money. Perhaps it is an attempy to blacken the BC oenwers name?

      It might have been a error in a payment setup. All it takes is one digit on the account number? I don't know but I got the money back without question.

      YMMV (and probably will)

      1. Anonymous Coward
        Anonymous Coward

        Re: Been there, done that, got the paperwork!

        AC for obv reason.

        Similar Natwest ness happened to wife who has no phone banking & if she has online banking has never used it in my presence, various uses of the account to pay someone's debts (in this case power utilities).

        So either a physical card skim / clone of some style or maybe she was allocated online banking & either internal leak of data or it was brute forceable.

        On plus side Natwest fraud team did sort it out over phone the day we spotted it & new card sent.

        1. Anonymous Coward
          Anonymous Coward

          Re: Been there, done that, got the paperwork!

          Both my HSBC accounts (Business and personal) have 2fa.

          In fact, you have to use the 2fa to generate a code to verify a payment to a new payee as well, although it doesn't ask for this if they're already on the list (or on the list of government and utility providers - so there's a bit of hole there).

          1. Anonymous Coward
            Anonymous Coward

            Re: Been there, done that, got the paperwork!

            My Natwest accounts have 2fa with the card reader. Strangely, I used my colleagues Barclay's card reader one day at work and it works exactly the same on my accounts, so it works regardless of how the device is branded or what bank issues it.

            Not sure if that is good or bad.

            1. Super Fast Jellyfish

              2fa card readers

              Yes they all work the same way - just as all PDQ machines do when they check your chip during purchases at a shop.

          2. Warm Braw Silver badge

            Re: Been there, done that, got the paperwork!

            In the BBC case, the personal account also had 2FA. However, if you tell the mobile app you don't have access to your 2FA device, it simply sends you a text to your phone with an OTP - effectively turning your phone into a 1FA device...

  5. Richard Jones 1
    FAIL

    No NatWest Branches But Don't Use The Post Office

    NatWest closed branches so opened up a facility whereby you can deposit a cheque in the Post Office Counter, (or clown-ter?). A couple of times this worked OK and the cheque was credited within 24~48 hours. Most recently I deposited one in their special envelope and after 7 days it had gone without trace. Contact with the bank produced concern but with post office counters it was a total bust. The 'receipt' the PO gave was totally worthless as the apparatchik who rang me back could not have cared less. They told me they do not care and do nothing except pass complaints straight to the bank.

    Two weeks later the cheque magically appeared to have been processed.

    1. Mystic Megabyte Silver badge

      Re: No NatWest Branches But Don't Use The Post Office @Richard Jones

      Because I live remotely I use the P.O. paying-in envelope system all the time. It usually takes between 5 and 10 days for the cheques to clear. *Always* write your sort code and account number on the back of the cheque so after they've dropped it on the floor they'll be able to match it up with the other slip.

      1. Doctor Syntax Silver badge

        Re: No NatWest Branches But Don't Use The Post Office @Richard Jones

        " *Always* write your sort code and account number on the back of the cheque"

        You mean so they can match it up with the one on the front?

        1. Super Fast Jellyfish
          Facepalm

          Re: No NatWest Branches But Don't Use The Post Office @Richard Jones

          @Dr Syntax - the ones on the front of the cheque will be those of the person / company who wrote it, not the person paying it in.

  6. Neil Barnes Silver badge

    Are Barclays...

    the only bank that use a card reader in the customer's hands to allow any interaction with the account? Any reader works, but you need a card for one of your accounts plus your PIN to get a one-time code to allow web access.

    1. JimmyPage Silver badge

      Re: Are Barclays...

      No. Nationwide do too. In fact I thought it was standard in UK online banking.

      If it isn't I suggest folks move to banks where it is, and apply some market forces.

      With 2FA, even if you physically managed to take control of my session, you'd be scuppered as any transaction out of my accounts requires me to re-validate it with the reader.

      1. Captain Badmouth
        Pint

        As regards Nationwide

        They've upped their online game. A few weeks ago their website was given an "F" rating by the ssl labs online scanner, today it's improved to a "B". Not marvelous but better.

        Award yourselves a "half" nationwide.

        https://www.ssllabs.com/ssltest/analyze.html?d=onlinebanking.nationwide.co.uk

    2. romanempire
      Happy

      Re: Are Barclays...

      Yep AFAIK. But one can also use the Pinsentry function on the mobile app which is handy as it saves having to carry the calculator-sized Pinsentry device around. I get the impression that they are steering customers to the mobile app as they charge for extra Pinsentrys.

      HSBC had an RSA-type key fob.

      P.

    3. Matthew Shaw

      Re: Are Barclays...

      Natwest have a card reader as well, you have to use it in order to set up new payees. So I don't know how the reporter was able to take £1.50 out of the account without having to set up a new payee. Unless the payee already existed.

      1. Ben 47

        Re: Are Barclays...

        That's not actually true any more. They changed the app recently to make it possible to pay up to £250 per day via the Mobile app without the reader. For some reason.

        http://personal.natwest.com/personal/ways-to-bank-with-us/mobile-payments.html

      2. Afernie

        Re: Are Barclays...

        "Natwest have a card reader as well, you have to use it in order to set up new payees. So I don't know how the reporter was able to take £1.50 out of the account without having to set up a new payee. Unless the payee already existed."

        Yeah, RBS too. To be honest the whole story sounds pretty dubious. Not because I believe RBS and Natwest have great security and everything's tickety boo, but more because the whole setup for the 'hack' feels skewed, presumably to ensure success and create a nice sensationalistic story.

        1. Anonymous Coward
          Anonymous Coward

          Re: Are Barclays...

          No it wasn't. It was based on customer complaints and the bank claiming that the victim must have given their passcodes to someone else or stored them insecurely.

          Therefore the 'hack' was simple. Once you have control of the victim's phone number (by using online chat to report a stolen phone) - the journalist was just given the other phone then there was nothing else needed as the options for lost passwords and for setting up a new payee if you don't have a pinsentry were just to send an authentication code by sms.

          So from that point the online account was taken over and new payees set up just from SMS authentication codes. The £1.50 taken was just proof of concept and they could have taken much more. There was also no claim by the bank that what they had done was not possible and it had clearly been done to many other people.

    4. mhaldix

      Re: Are Barclays...

      NatWest use this system !!

      Though not often enough, obviously. If the customer sets up a new payment out of their account it has to be confirmed using the card reader device. At least that's how it's always worked for me. That said it's difficult to see how the scam as detailed by the BBC could work as the criminals would need access to one of the customer's cards as well as their phone.

      I do not use banking apps or phone banking, both of which I consider insecure. Banks appear the believe the public phone system is a secure way of communicating! That is definitely not the case.

      1. Anonymous Coward
        Anonymous Coward

        @mhaldix

        You can get an authentication code via sms instead of using the card reader, hence once they have control of your phone number they could run amok.

    5. Doctor Syntax Silver badge

      Re: Are Barclays...

      "the only bank that use a card reader in the customer's hands to allow any interaction with the account?"

      No, but the only time I needed to use mine it didn't work. I think it's because these things are time based and the bank is running several years slow.

  7. Pascal Monett Silver badge
    Facepalm

    So giving them your phone number makes you less secure ?

    Brilliant. They introduce the phone as a 2FA security measure, then they proceed to hand over your entire bank account to any moderately enterprising criminal.

    Or should I say business partner ?

    1. Adze

      Re: So giving them your phone number makes you less secure ?

      If the phone gives full access, or at least access sufficient to steal money from the account, then it's 2FA in name only and '1FA' in practice.

  8. Anonymous Coward
    Anonymous Coward

    Why?

    I still don't understand why NatWest can't make their banking app activate on simless tablets at the same time as a mobile phone. After all, I can already do much more with my bank account from my Windows PC & laptop - devices that are way more vulnerable to malware than the typical android tablet.

    I found that if I activated the app on my tablet, it wouldn't work on my phone and vice versa. Admittedly this was a while ago, but with all the hassle of reactivating it again, I haven't tried again since. And I doubt anything's changed on this front as I haven't seen any mention in their app "change logs".

    And then there's the infamous crash on start that's been plauging the app for at least 4-5 years now...

    Amazing how unsophisticated a multi £Bn company can be

    1. JimmyPage Silver badge
      Thumb Up

      Re: Amazing how cheap a multi £Bn company can be

      FTFY

    2. Bultark

      Re: Why?

      This has changed, apparently you can now run it on multiple devices (have yet the test it) got a 'what's new' message within the app a few months back

    3. Ben 47

      Re: Why?

      Yes, you can now have the app on multiple devices. I've got it on my phone and WiFi only tablet.

  9. Snivelling Wretch
    Headmaster

    > "do ping us an email."

    No, no and no!

  10. Doctor Syntax Silver badge

    Why did it take a Beeb news item to get them to move?

  11. Valerion

    Better than Barclays

    We tried to change the phone number on my wife's Natwest account the other day, but it won't let you without a card-reader.

    Compare this to Barclays, who allow it to be changed at will. This happened to my daughter a couple of months ago. Account hacked, £3000 taken. Barclay's were hopelessly incompetent at sorting it out. No communication and they never gave us any details on how it happened. They tried to blame her of course saying we must have a virus on the computer. We all use Macs with AV installed. I ran multiple Malware scans - nothing. No phishing either.

    Because they changed the phone number, she got no alerts. And after reporting it and giving them the correct number, the fraud team kept trying to reach her on the number belonging to the thieving scum! Beggars belief...

    Eventually she got it back, but she's leaving Barclay's obviously...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019