
NatWest tightens online banking security after hacks' 'hack' exposé

Step 1. Simply take over a victim's mobile phone number

NatWest is tightening up its internet banking systems after security shortcomings were exposed by journalists.

BBC hacks were able to hijack a colleague's NatWest online bank account and transfer money without knowing her password. The UK bank's parent, Royal Bank of Scotland (RBS) Group, is also shoring up its security.

Radio 4's You and Yours revealed the security flaw after investigating complaints from the victims of SIM swap fraudsters. The SIM swap scam involves redirecting text messages from someone's mobe to another phone. El Reg covered the swindle three years ago.

This is how it typically goes down: using some social engineering, the crook reports a victim's handset as lost or stolen to their mobile network, and asks for the victim's phone number to be swapped over to the crim's SIM. Alternatively, the crook just nicks the phone.

Either way, the thief receives texts sent to the victim's number. As the You and Yours team found, the crim can then call NatWest and claim they've forgotten their customer ID number, password, PIN, and everything else needed to log into their online bank account. The bank will then text a code to the victim's number, which can be entered by the crook online to reset and change the password and PIN, and gain control of the bank account.

This allowed a BBC reporter to siphon off £1.50 from a producer's account.

On the one hand, an attacker must somehow gain control of a victim's phone number, which isn't straightforward. In the Beeb's case, the reporter was handed the producer's mobile and told to do her worst. It's not exactly Kevin Mitnick.

On the other hand, simply having control of a person's phone number shouldn't immediately throw open the doors to all their money. So minus 10 points to NatWest.

In response to the investigation, a community manager on NatWest's official forum stated that the "specific example put to us by You and Yours required them to know multiple pieces of personal information to generate the activation code and have control of the customer mobile phone," while admitting that its security needs improving and outlining forthcoming changes:

We're implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google. We are also introducing a 'cooling off period' of three days, which prevents payments being made via the mobile app when a reactivation has taken place.

NatWest reckons that all manner of extra information would be needed to make a transaction, specifically the customer number, partial PIN and partial password. Crucially, though, the You and Yours team was able to set new passwords and PINs after claiming they had forgotten those login details. There was no email confirming a password change, a shortcoming RBS and NatWest have since addressed.
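To make the announced controls concrete, here is an added model (not NatWest's code, and with constructed sample data) of the two measures the bank describes: alerting every registered contact method whenever login details are reset or contact details change, and a three-day cooling-off period that blocks mobile-app payments after a reactivation. Function and field names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Three-day cooling-off on mobile-app payments after a reactivation, as in
# the NatWest statement quoted above.
COOLING_OFF = timedelta(days=3)

@dataclass
class Account:
    contacts: dict  # registered channels, e.g. {"sms": "+44...", "email": "..."}
    reactivated_at: Optional[datetime] = None
    notifications: list = field(default_factory=list)  # (channel, address, message)

def notify_all(acct: Account, message: str) -> int:
    """Alert every registered contact method, not just the one that asked."""
    for channel, address in acct.contacts.items():
        acct.notifications.append((channel, address, message))
    return len(acct.contacts)

def reactivate(acct: Account, now: datetime) -> None:
    """'Forgotten details' reset: stamp the time so payments can be held back,
    and tell the customer on every channel so a victim hears of a hijack."""
    acct.reactivated_at = now
    notify_all(acct, "Your online banking login details were reset")

def change_contact(acct: Account, channel: str, new_address: str) -> None:
    """Notify BEFORE applying the change, so the address being replaced
    (e.g. the real owner's e-mail or phone) learns it is being swapped out."""
    notify_all(acct, f"Change requested to your registered {channel}")
    acct.contacts[channel] = new_address

def mobile_app_payment_allowed(acct: Account, now: datetime) -> bool:
    """Refuse mobile-app payments until the cooling-off period has elapsed."""
    if acct.reactivated_at is None:
        return True
    return now - acct.reactivated_at >= COOLING_OFF

def demo() -> dict:
    """Run the hijack scenario against the controls (constructed sample data)."""
    acct = Account({"sms": "+44 7700 900123", "email": "producer@example.com"})
    t0 = datetime(2016, 1, 4, 9, 0)
    reactivate(acct, t0)  # attacker holding the SIM completes the SMS reset
    day1 = mobile_app_payment_allowed(acct, t0 + timedelta(days=1))
    day3 = mobile_app_payment_allowed(acct, t0 + COOLING_OFF)
    change_contact(acct, "sms", "+44 7700 900999")  # attempt to move the number
    return {"pay_day1": day1, "pay_day3": day3, "alerts": len(acct.notifications),
            "owner_email_alerted": any(a == "producer@example.com"
                                       for _, a, _ in acct.notifications)}
```

The point the model makes is that the legitimate owner's e-mail is alerted both when the login is reset and when someone tries to replace the registered number, and that a same-day transfer through the app is refused even though the reset itself succeeded.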

The BBC team did not go through a step-by-step account of how the hack was carried out, out of an understandable concern not to give fraudsters fresh ideas.

The community manager made a much better fist of explaining the bank's position than the hapless spokesperson fielded on BBC Radio 4's You and Yours, Chris Popple, managing director of digital at RBS/NatWest, who didn't get much past banalities about taking customer security seriously and repeatedly described the BBC's research as "helpful."

In response to queries from El Reg, NatWest supplied a statement partly reiterating what its community manager had said:

SIM swap fraud is an emerging issue across the industry, and we're working closely with Financial Fraud Action UK and mobile phone providers to enhance our customer authentication processes as fraudsters become more sophisticated.

Our records show that of all the people who enroll in online banking and forget their details, only 0.01 per cent are fraudulent.

We encourage all of our customers to protect their phone using a passcode or Touch ID, keep details of their PIN and online banking details secure, and to get in touch with us as soon as possible if they believe they have been a victim of fraud. As stated in our Digital Promise, if a customer does fall victim of fraud in this way, we will refund them.

If you spot any security problems with your mobile or online banking, do ping us an email. ®
