Natwest and the flawed security concept
On Friday I went to pay a supplier via online banking and found that I couldn’t: “please phone us”, it said. So I phoned the number it gave on the screen and the chap I spoke to didn’t seem to have a clue. I’m assured that he wasn’t in an Indian call centre, but he seemed to have difficulty understanding me and I couldn’t quite grasp what he was saying. Eventually he put me through to telephone banking, where they were able to make the payment for me.
So I tried to contact my Natwest personal shopper relationship manager, but she wasn’t available. I spoke to her boss who told me that she’d get back to me within 48 business hours. So I spoke to the online banking helpdesk, determined to find out why I could no longer make online payments.
“We have suspended the ability to make online payments due to fraud, we are sending out card readers, when you get your card reader you will be able to make payments again”.
Now I know for a fact that I’ve had my card reader for my personal account for almost 6 months, and I’m sure that one of my mates has had a card reader for his personal account for about a year. Yet they haven’t managed to roll one out to the business (where we pay to use that service).
“it’s because you haven’t been using online banking for very long” - rubbish, it’s about 8 years
“it’s because you don’t make many payments online” - rubbish, far more than from my personal account
“we’re rolling them out in a random order” - seems far more plausible
Is there any way to jump the queue? “it’s technically impossible for anybody within Natwest to prioritise your request, you will just have to wait for your company to be randomly chosen” - anybody? against policy maybe, technically impossible, nah.
So, has there been a sudden increase in fraud?
“No, fraud hasn’t increased at all, but we’ve noticed that of the customers that have already received their card readers, there hasn’t been a single instance of fraud” - err, so speed up the rollout?
In the meantime, how am I meant to pay my suppliers and staff?
“Telephone banking” - seems somewhat more time consuming and prone to errors?
“Phone your business manager” - she claims this isn’t possible, and besides she’s never there!
“Go into your branch” - are you having a laugh?
Ok, so I’m left with telephone banking… which I might add I’ve never set up, it just seems to have been enabled on our account. Thing is, telephone banking strikes me as far more prone to fraud.
Firstly, telephone calls aren’t secure, whereas SSL web connections are; it’s even legitimate to record telephone calls under certain circumstances. Secondly, anyone within earshot can hear what I’m requesting, including any passwords I get asked to read out. Thirdly, telephone banking seems to require less in the way of security details than online banking. So the argument that it’s all for security reasons seems crazy.
When I tried to complain about their ill-thought-out policy I was told that I wasn’t being singled out and that they treat all of their customers like this (I didn’t at any point suggest I was being singled out). I was given nothing in the way of apology and very little in the way of suggestion (a mild hint that I should choose a different bank, but she refused to tell me that in so many words).
As somebody who often gets asked for advice on what business bank to choose, my advice from now on will be “Do NOT choose Natwest whatever you do”. I think it’s time I started the long-winded process of moving my various companies’ bank accounts away from Natwest. Anyone got any suggestions?
July 1st, 2008 at 11:13 am
re: Telephone banking and fraud
Point 1. I’m quite convinced that fraud on accounts is not due to people “snooping on the line” - there wouldn’t be any online fraud if this was the case, as SSL would see to that.
Point 2. Mass installs of keyloggers versus people sat around you hearing a few letters from your password (or indeed wiretaps on your line). Hmm. I think keyloggers win. Unless organised criminals are now putting people into buildings around the country in order to get banking passwords. (Are the digits from your PIN entered into the phone via DTMF or read aloud?)
Point 3. As it’s been over 8 years since I did telephone banking, what details do they have for online banking that they don’t use for telephone banking?
Of course another source of fraud (other than keylogging) is phishing sites, again organised crime. Now, it is conceivable that criminals in far-flung countries will, rather than use a botnet of computers to log into accounts and transfer money, individually phone up the online banking services one by one and transfer money to their accounts. But doing it using online banking is a much safer bet for the criminal and probably the way most of it is done.
Now, I know that *you* check for keyloggers every time you use online banking (or su on a server for that matter) and that you’re not going to fall for a phishing site - thus making *your* online banking as safe as it could be, but as for telephone banking being less secure than online banking for the general population - I’m less convinced.
I’d be interested to see statistics for bank fraud via different banking instruction methods. I’d imagine in the current climate that online banking would be at the top of the list, which you are now protected from, like it or not!
It is however crazy that they can’t roll out a magic box to you - or just tell the computer that they have even if they haven’t and let you use your personal magic box…
July 1st, 2008 at 11:36 am
SSL prevents snooping and does a great job of it, so fraudsters choose a different approach. What I’m saying is that moving to a mechanism that doesn’t prevent it seems like a backwards step.
Clearly keyloggers win, but I do know of people who have worked with (eg: inadvertently employed) fraudsters. I know it’s not a suitable approach for organised crime, but it’s clearly still something to take into account.
Telephone banking seems to just require a customer number and 2 digits from a PIN. So once you’ve got the customer number it seems you’ve got a 1 in 100 chance of guessing the PIN number, scary really. Online banking requires 3 digits of password (alphanumeric) and 3 digits of PIN, which is in excess of 1 in 238 million.
Keyloggers are less important with Natwest (still quite important) as you would have to see multiple login attempts in order to get all of the digits of the PIN and password.
I’m sure that online banking is a major source of fraud, I just don’t think that their method of tackling it has been very well thought out.
In further news, Natwest did today suggest that we consider switching to a different bank. That was after phoning me from a withheld number, announcing themselves as being from “the bank” and asking for my password.
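The arithmetic in the comment above, worked through as an added example (not code from the post or its commenters): the single-guess odds for each challenge style, and the expected number of observed logins a keylogger needs before it has seen every position of a secret that is only ever asked for in part. The 4-digit PIN and 8-character password lengths and the 62-character case-sensitive alphabet are assumptions, not Natwest’s actual scheme.

```python
# Added example, not code from the post or its commenters: the guess-probability and
# "multiple login attempts" arithmetic from the comment above, made explicit.
# Secret lengths in the demo (4-digit PIN, 8-character password) are constructed
# assumptions, as is the 62-character case-sensitive alphanumeric alphabet.
from fractions import Fraction
from itertools import product
from math import comb


def single_guess_probability(pin_digits_asked, password_chars_asked=0, alphabet_size=62):
    """Chance that one blind guess satisfies a challenge asking for a fixed number of
    PIN digits and password characters, once the customer number is already known."""
    return Fraction(1, 10 ** pin_digits_asked * alphabet_size ** password_chars_asked)


def expected_sessions_to_recover(*secrets):
    """Expected number of observed logins (e.g. by a keylogger) before every position of
    every secret has been requested at least once. Each secret is a (length, positions_asked)
    pair; each login asks for a uniformly random subset of that many positions, independently
    per secret. Exact, via inclusion-exclusion over sets of positions not yet asked
    (a coupon-collector variant), so the result is a Fraction rather than a simulation."""
    for n, k in secrets:
        if not 1 <= k <= n:
            raise ValueError("positions asked must be between 1 and the secret length")
    total = Fraction(0)
    for js in product(*(range(n + 1) for n, _ in secrets)):
        if not any(js):
            continue  # the empty set contributes the constant that cancels out
        weight = 1            # ways to choose j_i positions from each secret
        q_miss = Fraction(1)  # P(one session asks for none of those chosen positions)
        for (n, k), j in zip(secrets, js):
            weight *= comb(n, j)
            q_miss *= Fraction(comb(n - j, k), comb(n, k))
        # geometric wait until one of the chosen positions is asked, signed by inclusion-exclusion
        total += (-1) ** (sum(js) + 1) * weight / (1 - q_miss)
    return total


if __name__ == "__main__":
    print("telephone: 2 PIN digits ->", single_guess_probability(2))
    print("online: 3 password chars + 3 PIN digits ->", single_guess_probability(3, 3))
    print("keylogged logins to learn a 4-digit PIN asked 3 at a time:",
          expected_sessions_to_recover((4, 3)))
    print("...and an 8-char password asked 3 at a time as well:",
          expected_sessions_to_recover((4, 3), (8, 3)))
```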