Step 1. Simply take over a victim’s mobile phone number. NatWest is tightening up its internet banking systems after security shortcomings were exposed by journalists.
BBC hacks were able to hijack a colleague’s NatWest online bank account and transfer money without knowing her password. The UK bank’s parent, Royal Bank of Scotland (RBS) Group, is also shoring up its security.
Radio 4’s You and Yours revealed the security flaw after investigating complaints from the victims of SIM swap fraudsters. The SIM swap scam involves redirecting text messages from someone’s mobe to another phone. El Reg covered the swindle three years ago.
This is how it typically goes down: using some social engineering, the crook reports a victim’s handset as lost or stolen to their mobile network, and asks for the victim’s phone number to be swapped over to the crim’s SIM. Alternatively, the crook just nicks the phone.
Either way, the thief receives texts sent to the victim’s number. As the You and Yours team found, the crim can then call NatWest and claim they’ve forgotten their customer ID number, password, PIN, and everything else needed to log into their online bank account. The bank will then text a code to the victim’s number, which can be entered by the crook online to reset and change the password and PIN, and gain control of the bank account.
This allowed a BBC reporter to siphon off £1.50 from a producer’s account.
On the one hand, an attacker must somehow gain control of a victim’s phone number, which isn’t straightforward. In the Beeb’s case, the reporter was handed the producer’s mobile and told to do her worst. It’s not exactly Kevin Mitnick.
On the other hand, simply having control of a person’s phone number shouldn’t immediately throw open the doors to all their money. So minus 10 points to NatWest.
In response to the investigation, a community manager on NatWest’s official forum stated that the “specific example put to us by You and Yours required them to know multiple pieces of personal information to generate the activation code and have control of the customer mobile phone,” while admitting that its security needs improving and outlining forthcoming changes:
We’re implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google. We are also introducing a ‘cooling off period’ of three days, which prevents payments being made via the mobile app when a reactivation has taken place.
NatWest reckons that all manner of extra information would be needed to make a transaction, specifically the customer number, partial PIN and partial password. Crucially, though, the You and Yours team was able to set new passwords and PINs after claiming they had forgotten those login details. There was no email confirming a password change, a shortcoming RBS and NatWest have since addressed.
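To make the gap concrete, here is an added illustration (not the bank’s code, and a hypothetical model) of the recovery flow described above: an SMS code alone resets the credentials, and the two controls NatWest says it is adding, alerts on every registered contact channel and a three-day cooling-off period blocking app payments after a reactivation, are what stop a hijacked phone number from turning straight into a transfer.

```python
from datetime import datetime, timedelta

# Hypothetical model of the reactivation controls described in the article
# (constructed for illustration; not NatWest's or RBS's own code).
COOLING_OFF = timedelta(days=3)   # 'cooling off period' of three days
DAY = timedelta(days=1)
SAMPLE_T0 = datetime(2016, 1, 1, 9, 0)   # constructed timestamp for the demo


class Account:
    def __init__(self, customer_id: str, email: str, mobile: str):
        self.customer_id = customer_id
        self.contacts = {"email": email, "text": mobile}  # all registered channels
        self.reactivated_at = None   # set when credentials are reset via recovery
        self.notifications = []      # (channel, address, message) "sent" so far


def notify_all(account: Account, message: str) -> None:
    # Alert on every registered channel, not only the one the crook controls.
    for channel, address in account.contacts.items():
        account.notifications.append((channel, address, message))


def reactivate(account: Account, now: datetime, sms_code_ok: bool) -> bool:
    # Recovery flow: a valid SMS code lets the caller set new credentials.
    # Added controls: the reset is announced everywhere and starts cooling-off.
    if not sms_code_ok:
        return False
    account.reactivated_at = now
    notify_all(account, "Your online banking login details were reset")
    return True


def change_contact(account: Account, channel: str, new_address: str) -> None:
    # Contact changes are announced to the *old* addresses before taking effect.
    notify_all(account, f"Your {channel} contact detail is being changed")
    account.contacts[channel] = new_address


def mobile_payment_allowed(account: Account, now: datetime) -> bool:
    # Deny app payments until the cooling-off window after reactivation elapses.
    if account.reactivated_at is None:
        return True
    return now - account.reactivated_at >= COOLING_OFF


def demo() -> dict:
    # Constructed scenario: crook with the victim's number resets the login.
    acct = Account("12345678", "victim@example.com", "+447700900123")
    reset_ok = reactivate(acct, SAMPLE_T0, sms_code_ok=True)
    change_contact(acct, "text", "+447700900999")   # crook tries to move the number
    return {"reset_ok": reset_ok,
            "pay_day1": mobile_payment_allowed(acct, SAMPLE_T0 + DAY),
            "pay_day3": mobile_payment_allowed(acct, SAMPLE_T0 + 3 * DAY),
            "old_number_warned": any(c == "text" and a == "+447700900123"
                                     for c, a, _ in acct.notifications)}
```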
The BBC team did not go through a step-by-step process of how the hack was carried out, due to an understandable concern to not give fraudsters fresh ideas.
The community manager made a much better fist of explaining the bank’s position than the hapless spokesperson fielded on BBC Radio 4’s You and Yours, Chris Popple, managing director of digital at RBS/NatWest, who didn’t get much past banalities about taking customer security seriously and repeatedly described the BBC’s research as “helpful.”
In response to queries from El Reg, NatWest supplied a statement partly reiterating what its community manager had said:
SIM swap fraud is an emerging issue across the industry, and we’re working closely with Financial Fraud Action UK and mobile phone providers to enhance our customer authentication processes as fraudsters become more sophisticated.
Our records show that of all the people who enroll in online banking and forget their details, only 0.01 per cent are fraudulent.
We encourage all of our customers to protect their phone using a passcode or Touch ID, keep details of their PIN and online banking details secure, and to get in touch with us as soon as possible if they believe they have been a victim of fraud. As stated in our Digital Promise, if a customer does fall victim of fraud in this way, we will refund them.