NatWest tightens online banking security after hacks' 'hack' exposé

Step 1. Simply take over a victim's mobile phone number

NatWest is tightening up its internet banking systems after security shortcomings were exposed by journalists.

BBC hacks were able to hijack a colleague's NatWest online bank account and transfer money without knowing her password. The UK bank's parent, Royal Bank of Scotland (RBS) Group, is also shoring up its security.

Radio 4's You and Yours revealed the security flaw after investigating complaints from the victims of SIM swap fraudsters. The SIM swap scam involves redirecting text messages from someone's mobe to another phone. El Reg covered the swindle three years ago.

This is how it typically goes down: using some social engineering, the crook reports a victim's handset as lost or stolen to their mobile network, and asks for the victim's phone number to be swapped over to the crim's SIM. Alternatively, the crook just nicks the phone.

Either way, the thief receives texts sent to the victim's number. As the You and Yours team found, the crim can then call NatWest and claim they've forgotten their customer ID number, password, PIN, and everything else needed to log into their online bank account. The bank will then text a code to the victim's number, which can be entered by the crook online to reset and change the password and PIN, and gain control of the bank account.

This allowed a BBC reporter to siphon off £1.50 from a producer's account.

On the one hand, an attacker must somehow gain control of a victim's phone number, which isn't straightforward. In the Beeb's case, the reporter was handed the producer's mobile and told to do her worst. It's not exactly Kevin Mitnick.

On the other hand, simply having control of a person's phone number shouldn't immediately throw open the doors to all their money. So minus 10 points to NatWest.

In response to the investigation, a community manager on NatWest's official forum stated that the "specific example put to us by You and Yours required them to know multiple pieces of personal information to generate the activation code and have control of the customer mobile phone," while admitting that its security needs improving and outlining forthcoming changes:

We're implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google. We are also introducing a 'cooling off period' of three days, which prevents payments being made via the mobile app when a reactivation has taken place.

NatWest reckons that all manner of extra information would be needed to make a transaction, specifically the customer number, partial PIN and partial password. Crucially, though, the You and Yours team was able to set new passwords and PINs after claiming they had forgotten those login details, so the "extra information" was whatever they had just chosen. There was no email confirming a password change, a shortcoming RBS and NatWest have since addressed.
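To make the difference between the old and announced behaviour concrete, here is a toy model of the "forgotten details" reactivation flow and the two controls NatWest described (alerting every registered contact method, and a three-day cooling-off period on app payments after a reactivation). This is an added example written for this page, not NatWest or RBS code, and it knows nothing about the bank's real systems; the account, phone number, email address, balance and timestamps are constructed, and function names such as `reactivate` and `run_sim_swap` are the example's own. The attacker in the simulation holds the victim's SIM, so sees SMS, but cannot read the victim's mailbox.

```python
"""Toy model of an SMS-code account reactivation, weak policy beside the hardened one.

Added illustration, not NatWest/RBS code. All names, addresses and amounts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

COOLING_OFF = timedelta(days=3)  # the window NatWest said it was introducing for app payments


@dataclass
class Account:
    phone: str
    email: str
    balance_pence: int
    reactivated_at: Optional[datetime] = None
    # (channel, address, message) for every notification the bank sent
    notices: List[Tuple[str, str, str]] = field(default_factory=list)


def notify_all(acct: Account, message: str) -> None:
    """Alert every registered contact method, not only the phone number."""
    for channel, address in (("sms", acct.phone), ("email", acct.email)):
        acct.notices.append((channel, address, message))


def reactivate(acct: Account, sms_code_ok: bool, now: datetime, hardened: bool) -> bool:
    """'Forgotten everything' flow. In both versions the SMS code is the only proof of
    identity; the hardened version only changes what happens once it is accepted."""
    if not sms_code_ok:
        return False
    if hardened:
        acct.reactivated_at = now                      # starts the cooling-off clock
        notify_all(acct, "your online banking details were reset")
    else:
        # Old behaviour: the only alert goes to the very number the attacker controls.
        acct.notices.append(("sms", acct.phone, "your online banking details were reset"))
    return True


def change_contact_details(acct: Account, new_phone: str, new_email: str, hardened: bool) -> None:
    """Hardened policy: tell the OLD addresses before they are replaced, so the victim
    learns of the change on a channel the attacker has not yet taken over."""
    if hardened:
        notify_all(acct, "contact details changed")
    acct.phone, acct.email = new_phone, new_email


def app_payment(acct: Account, amount_pence: int, now: datetime, hardened: bool) -> bool:
    """Mobile-app payment; blocked during the cooling-off period under the hardened policy."""
    if hardened and acct.reactivated_at is not None and now - acct.reactivated_at < COOLING_OFF:
        return False
    if amount_pence > acct.balance_pence:
        return False
    acct.balance_pence -= amount_pence
    return True


def run_sim_swap(hardened: bool, days_later: int = 0) -> dict:
    """Attacker with the victim's SIM resets the credentials, then tries to move 150p
    (the £1.50 of the BBC demo) via the app `days_later` days after the reset."""
    acct = Account(phone="+447700900123", email="victim@example.com", balance_pence=10_000)  # constructed
    t0 = datetime(2016, 3, 1, 9, 0)                                                           # constructed
    reactivate(acct, sms_code_ok=True, now=t0, hardened=hardened)  # attacker reads the SMS code
    paid = app_payment(acct, 150, t0 + timedelta(days=days_later), hardened)
    # Did the victim hear about the reset on a channel the attacker does not hold?
    alerted_out_of_band = any(channel == "email" for channel, _, _ in acct.notices)
    return {"paid": paid, "victim_alerted_out_of_band": alerted_out_of_band,
            "balance_pence": acct.balance_pence}


if __name__ == "__main__":
    print("weak policy:    ", run_sim_swap(hardened=False))
    print("hardened, day 0:", run_sim_swap(hardened=True))
    print("hardened, day 3:", run_sim_swap(hardened=True, days_later=3))
```

Two things worth noticing in the model. The hardened path does not make the reset any harder to perform: SMS is still the sole authenticator, and anyone holding the SIM still gets in. What it buys is containment (the attacker cannot pay from the app for three days) and detection (the victim gets an email the attacker cannot intercept, and is told before their contact details are overwritten). The statement on the page limits the cooling-off period to payments via the mobile app, so the model does the same; whether other payment channels are covered is not something the article says.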

The BBC team did not go through a step-by-step process of how the hack was carried out, due to an understandable concern to not give fraudsters fresh ideas.

The community manager made a much better fist of explaining the bank's position than the hapless spokesperson fielded on BBC Radio 4's You and Yours, Chris Popple, managing director of digital at RBS/NatWest, who didn't get much past banalities about taking customer security seriously and repeatedly described the BBC's research as "helpful."

In response to queries from El Reg, NatWest supplied a statement partly reiterating what its community manager had said:

SIM swap fraud is an emerging issue across the industry, and we're working closely with Financial Fraud Action UK and mobile phone providers to enhance our customer authentication processes as fraudsters become more sophisticated.

Our records show that of all the people who enroll in online banking and forget their details, only 0.01 per cent are fraudulent.

We encourage all of our customers to protect their phone using a passcode or Touch ID, keep details of their PIN and online banking details secure, and to get in touch with us as soon as possible if they believe they have been a victim of fraud. As stated in our Digital Promise, if a customer does fall victim to fraud in this way, we will refund them.

If you spot any security problems with your mobile or online banking, do ping us an email. ®


Biting the hand that feeds IT © 1998–2022