Blog article
See all stories »

Where NatWest got it wrong

I had an interesting discussion with Bob Howard (BBC Money Box) this morning concerning the current situation with GetCash service by NatWest. At the end, I felt that it would be important to draw a clear line between "mobile payments are not safe" and "badly implemented mobile payments are not safe". 

Mobile-related frauds are now getting close media attention, and not without a reason. NatWest have been offering cardless cash withdrawals for years. If any fraud did occur with that service, it was of little interest to media.

Enter the mobile payments and things shifted into a different universe. Every mobile phone with GetCash app is a lucrative fraud target - find a hole in the app (for example, via malware) and get an instant reward in cash.

What did NatWest do wrong, in my opinion?

Every banking card issued by NatWest conforms to the EMV ("chip and PIN") standards. Those standards (not without some issues, though) were collectively thought-through, developed, tested and implemented by a consortium, not by a single company. The underlying architecture is sound, there is "secure element" involved, EMV protocols represent "good practice" etc - in a nutshell, EMV works, and it works well.

Why do banks, when it comes to a mobile-based version of that same card, re-invent the wheel? Why do banks think their IT departments are filled with "mobile payments" Da Vincis who can outsmart EMV? Why do banks, well familiar with the advantages of "chip", deploy mobile solutions using the equivalent of a magnetic stripe? 

Is it greed? As in "why pay mobile operators or another party for access to secure element if we can simply keep fingers crossed". Or arrogance? As in "we know better" (than Google, for example). Or ignorance? As in "we are using world-class fraud management tools that cannot be beaten even by well-funded and extremely well-organised fraudsters". What do the banks gain by going it all alone?..

Incidents like GetCash fraud are damaging to the mobile payments industry as a whole. How many times would a consumer need to be stung by a mobile-related fraud to stop even think about using a mobile phone for payments and banking?..

We need to get media on board to help us educate the consumer that it's badly implemented mobile payments that are not safe.

If it's not secure, it's not safe. And there is no "secure" without "secure element" (ask Visa or MasterCard why they don't allow PIN entry via mobile). As simple as that. Anyone doubting that will pay the price.


Comments: (11)

A Finextra member
A Finextra member 10 October, 2012, 07:00Be the first to give this comment the thumbs up 0 likes To paraphrase the saying, if it's not broken, why fix ("enhance") it?..
A Finextra member
A Finextra member 10 October, 2012, 08:40Be the first to give this comment the thumbs up 0 likes

What can you do if someone has phished your bank details, and personal ID details?  Helplines dont ask for your PIN, ever.  GetCash on the mobile phone should at least have allowed the helpline to text the getcash code to a known customer phone, not a random one.   Its procedure and implementation that is wrong.

A Finextra member
A Finextra member 10 October, 2012, 10:12Be the first to give this comment the thumbs up 0 likes

Let me give you a hint: over 10bn (!) times a day, mobile phones worldwide are being reliably and securely authenticated, without any PIN.

Pat Carroll
Pat Carroll - ValidSoft - London 10 October, 2012, 11:50Be the first to give this comment the thumbs up 0 likes

@ Alexander. I agree with you. The decision by Natwest to suspend its Get Cash app, whilst being a wise one, has cast an unwarranted bad light on mobile based transacting. Since this first came to light there has been speculation as to the cause of the fraud losses, ranging from mobile operating systems, mobile hacking and zero-day exploits. The truth, I suspect, is rather more mundane. The fraudsters were able to download the app and register it with the victim’s debit card details because there was no strong authentication at the point of registration, simply knowledge based information which we all know can be gleaned by fraudsters in a number of ways, such as phishing.

Ironically, the customers who had actually downloaded and registered the app were safe from the fraud; it was those that hadn’t who were at risk. This episode therefore had nothing to do with the medium being a smart-phone but everything to do with the process employed in deploying and activating the app. There is no real difference between this and Internet banking losses through the reliance on PINs and Passwords alone.

In this and other instances that will surely follow, we need to look at the end-to-end process rather than casting a shadow over mobile banking.


Note: my comment is also posted under the NatWest report at

A Finextra member
A Finextra member 10 October, 2012, 20:50Be the first to give this comment the thumbs up 0 likes


Interesting article but it was a case of simple phishing and nothing more.  The only advantage to the fraudster of using GetCash was that the service allowed 'instant money laundering'.  It is nearly impossible for him to be traced versus him transfering money to another account.  The limits of GetCash are so low, and the code needs to be used within 3 hours that the service isn't that unsecure.  I can think of plenty worse implementations.

A Finextra member
A Finextra member 11 October, 2012, 09:19Be the first to give this comment the thumbs up 0 likes

@Pat and @Michael

Thank you for your comments. I agree that, perhaps, the current problem with GetCash is phishing-related.

However, there is no evidence that it cannot be exploited on the platform level: at some point the GetCash code is shown "in the clear" on the phone's screen. Get malware to intercept that stage, display a bogus code, forward the real one, get cash.

The key factor here is critical: once the code has been generated by the app, NatWest has no control over who, how and when will be using it. It's ironic that, from that perspective, the name of the service sounds more like an invitation to fraudsters...

Peter Bove
Peter Bove - Aviso - London 11 October, 2012, 10:14Be the first to give this comment the thumbs up 0 likes

It is the normal cycle, banks issue a product, fraudsters find holes in it, banks react with different technology.

If everyone waited until there were well developed standards for everything, then we would have zero innovation and we'd still be transacting with cheques. I attended a Visa vendor forum last year where Visa stated that they would have mobile payment standards in place by 2015.... it's just too long.

Will fraud destroy mobile commerce? It certainly didn't destroy card commerce, despite the massive fraud levels, if the customer proposition is strong then it will survive.

The fact is, we need innovation to move things forward, the fraud prevention and security side will catch up later. In this case, it does seem that obvious flaws existed, which wasn't too smart.

A Finextra member
A Finextra member 11 October, 2012, 10:25Be the first to give this comment the thumbs up 0 likes


I agree with your viewpoint. The last paragraph summed it up well - was GetCash based on the best possible solution (irrespective of standards)? In my opinion - no. It was a commercial decision in their case, not a "technological" one.


Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 12 October, 2012, 17:04Be the first to give this comment the thumbs up 0 likes

Transaction-level frauds and account hijacking frauds are common. But this episode exposes another type of fraud where the victim / genuine customer neither put through a transaction nor even signed up for the said channel (GetCash). For the want of any standard name that I'm aware of, let me call this "Enrolment Fraud". No amount of transaction-level security will help prevent this fraud. Only a more secure enrolment process can reduce / eliminate it. It seems to me that some amount of friction - e.g. application signed in wet ink, branch visit to prove identity - and a corresponding drop in adoption rate will be an inevitable part of such a process. I don't envy banks their position of having to walk a tightrope between security and convenience on this one!

A Finextra member
A Finextra member 12 October, 2012, 17:24Be the first to give this comment the thumbs up 0 likes

@ Ketharaman

I thought you'd call it "Get cash!" fraud :)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 13 October, 2012, 19:31Be the first to give this comment the thumbs up 0 likes

@AlexanderP: At the time GetCash was launched, you and I had concluded that this app would permit non-customers to receive money. I bet neither of us had thought that the term "non-customers" would go this far!

Member since




More from member

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

See all

Now hiring