Journalists expose NatWest mobile security flaws

NatWest and RBS are to upgrade mobile security procedures after BBC journalists broke into an online bank account and removed money.

BBC Radio 4's You and Yours conducted their investigation after being contacted by a number of people who had been targeted by 'SIM swap' fraud.

In a SIM swap, the fraudster persuades the mobile operator to move the customer's phone number onto a SIM in a handset the fraudster controls. From that moment every call and text message for that number, including any one-time code a bank sends, is delivered to the fraudster rather than the customer.

As some banks send activation and authentication codes by text message and allow customers to make payments from the mobile app, a successful SIM swap can be enough on its own to give a criminal access to an online bank account.

The customer's own phone goes dead once the swap has been made, which is often the first sign that anything is wrong.

The You and Yours team ran the investigation with producer Natalie Donovan’s NatWest bank account, and were successful in transferring £1.50 without any knowledge of her PIN, passwords, or security question answers.

Having taken control of the producer's SIM, reporter Shari Vahl was able to reset her PIN and password and lock her out of her own account.

As a result of the investigation, NatWest will be introducing a "cooling off period" of three days, "which prevents payments being made via the mobile app when a re-activation has taken place".

The changes were outlined on the NatWest community platform, with the bank also stating, "SIM swap fraud is an emerging issue across the industry and we're working closely with Financial Fraud Action UK and mobile phone providers to combat the issue and reduce instances of SIM Swap fraud. We’re also working on implementation of a number of controls that will help detect SIM swap fraud before the activation code is sent via text message."
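The two controls NatWest describes, refusing mobile-app payments for three days after a re-activation and detecting a SIM swap before the activation code is texted, come down to simple time-based policy checks. The following is an added example, not NatWest's code: it assumes the bank can obtain the date the number was last moved to a new SIM (a hypothetical carrier lookup, stored here as `sim_last_changed_at`) and uses an assumed seven-day window for "recently swapped"; only the three-day cooling-off period is taken from the article. The timeline replayed at the end is constructed to mirror the You and Yours attack.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Policy thresholds. The three-day cooling-off period is the figure NatWest
# quoted; the seven-day "recent SIM change" window is an assumed value for
# the second control, which the bank described only in outline.
COOLING_OFF = timedelta(days=3)
RECENT_SIM_CHANGE = timedelta(days=7)


@dataclass
class Account:
    customer_id: str
    app_reactivated_at: Optional[datetime]   # when the mobile app was last (re)activated
    sim_last_changed_at: Optional[datetime]  # assumed to come from a carrier SIM-change lookup


def may_send_sms_activation_code(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Control 1: decide whether an activation code may go out by SMS at all.

    A number that was recently moved to a new SIM is exactly the case in which
    the text would reach a fraudster rather than the customer, so the code is
    withheld and the customer must be verified another way. An unknown SIM
    age is treated as a failure, not as a pass.
    """
    if acct.sim_last_changed_at is None:
        return False, "sim-change age unknown; verify out of band"
    if now - acct.sim_last_changed_at < RECENT_SIM_CHANGE:
        return False, "sim changed recently; verify out of band"
    return True, "ok"


def may_pay_from_app(acct: Account, now: datetime) -> Tuple[bool, str]:
    """Control 2: the cooling-off period after an app re-activation.

    Even if an attacker obtained the activation code and re-registered the
    app, payments are refused until COOLING_OFF has elapsed, which gives the
    customer (whose phone has gone dead) time to notice and report it.
    """
    if acct.app_reactivated_at is not None:
        since = now - acct.app_reactivated_at
        if since < COOLING_OFF:
            hours_left = int((COOLING_OFF - since).total_seconds() // 3600)
            return False, f"cooling-off: app payments blocked for {hours_left} more hours"
    return True, "ok"


def replay_attack_timeline() -> list:
    """Constructed timeline of the fraud in the article, run through both controls."""
    t0 = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc)  # number moved to attacker's SIM
    acct = Account("cust-1", app_reactivated_at=None, sim_last_changed_at=t0)
    log = []

    # One hour later the attacker asks the bank to activate the app on their handset.
    ok, why = may_send_sms_activation_code(acct, t0 + timedelta(hours=1))
    log.append(("send_code", ok, why))

    # Suppose control 1 was not yet deployed and the app was re-activated anyway.
    acct.app_reactivated_at = t0 + timedelta(hours=2)
    ok, why = may_pay_from_app(acct, t0 + timedelta(hours=3))
    log.append(("pay_1h_after_reactivation", ok, why))

    # After the cooling-off period the account is usable again.
    ok, why = may_pay_from_app(acct, t0 + timedelta(days=3, hours=3))
    log.append(("pay_after_cooling_off", ok, why))
    return log


if __name__ == "__main__":
    for event, allowed, reason in replay_attack_timeline():
        print(f"{event:28} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of treating an unknown SIM age as a refusal is that the carrier lookup is the only signal the bank has at the moment the code is requested; if it is unavailable, sending the text anyway recreates the original weakness.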

Response to the investigation was wholly positive online.

Comments: (2)

Andy Hunter - Perficiam Ltd - London, 04 March 2016, 21:09

RBS/NatWest used to have one of the strongest online security regimes in the industry. By insisting on authenticating new payees using a chip card in an offline reader, users were protected from almost all types of fraud attempt. The decision to drop this requirement for payments under £250 made from the mobile app was an attempt to improve utility and the compromise will have been recognised. RBS/NatWest must, however, take responsibility and treat all claims for fraud quickly and sympathetically. Unless the bank can show gross negligence, funds must be restored quickly whenever a customer claims fraud has taken place.

Robert Burch - Independent Consultant - Cotswolds, 07 March 2016, 08:39

The mobile phone companies need to improve their procedures too. My wife recently asked for a new SIM in a Vodafone store. She was asked for her name and phone number. No identity checks were done. They did not even check that the phone she brought to the store had the number she quoted.