A 6-digit PIN gives 'emergency' cash to anyone who types it in
What could go wrong?
Natwest has pulled a feature on its banking app that lets users get cash without a bank card. The removal of "Get Cash" from the app comes two days after reports that a fraudster used the feature to "get cash" - from another person's account. The BBC reported that a Natwest customer had been diddled out of £900 through a thief …
This is what I would worry about: the chances of guessing are 999,999 to 1, but if enough people use it then there is a fair chance that at some stage someone will guess one correctly.
Why not enter your account number or some other reference number instead (maybe your DOB even)?
"maybe your DOB even" - really?
You think that offers MORE security than a random 1-in-a-million chance?
Assuming I don't even know you, I can already narrow your DOB down to about 1 in 30,000.
More realistically, I can assume you'll be in a certain age range (i.e. probably of working age) which improves my chances no end.
If I know you, I have your money.
What was your first pet's name, just out of curiosity?
I think he meant 'as well as' not "instead of"
So it'd be something like
Insert DoB dd/mm/yy
Insert the 6 digit pin.
or perhaps a couple of different security things. Most of these accounts have passwords now (I have no idea what mine is) so it could ask you for the generated pin and a random bit of info: password, DoB, mother's maiden name, the usual bollocks.
Well, the mobile app generated a pin number once you told it how much you wanted to withdraw. You then went to one of the ATMs that supported the feature, pressed the "Enter" key, typed in the pin, typed in the pin again, and then you had to type in the amount that the pin was generated for. So, assuming said ATM didn't tell you that it was an invalid pin after the first input, you then would have to correctly guess from £10 to £100 on top for each combination, multiplying the odds of a correct guess considerably. Also, the pin generated becomes invalid after a couple of hours.
I have used it and thought it could be very handy for letting someone else get money out in an emergency. It would be interesting to find out the exact details of what happened, as it seems a telephone call was mentioned and I never had to make said call, it was just one of the options available and was something you could do even without the mobile app.
I wonder if they implement rate limiting?
If not, you could theoretically get a gang of 10,000 criminals to try 100 PINs each, all over the country.
Assuming there's more than one user of the app, several of those PINs will be valid over a 2-hour period.
And trying 50 an hour sounds feasible to me.
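The mechanism described above (a six-digit code tied to an amount, valid for a couple of hours, single use) and the rate-limiting question can both be modelled. The following is an added example, not NatWest's code or anything from the thread: a minimal Python verification service in which the code is bound to the amount and an expiry, is consumed on first successful use, and each terminal is capped on failed attempts per window. The `blind_guess_success` and `attempt_budget` helpers turn the "gang of 10,000 trying 100 each" thought experiment into numbers; the amount steps (£10 to £100 in £10 increments) and the failure cap are assumptions for illustration.

```python
"""Model of a one-time 'get cash' code check (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
import secrets

CODE_SPACE = 10**6                      # six decimal digits
AMOUNTS = list(range(10, 101, 10))      # assumed: £10..£100 in £10 steps
VALIDITY_SECONDS = 2 * 60 * 60          # assumed: code lives for two hours


@dataclass
class CashCode:
    amount: int
    expires_at: int
    used: bool = False


@dataclass
class CashCodeService:
    max_failures_per_window: int = 5    # assumed per-terminal cap
    window_seconds: int = 3600
    codes: dict = field(default_factory=dict)     # int code -> CashCode
    failures: dict = field(default_factory=dict)  # terminal -> failure timestamps

    def issue(self, amount, now, code=None):
        """Issue a code for `amount`. `code` may be fixed only for testing."""
        if amount not in AMOUNTS:
            raise ValueError("amount not offered")
        if code is None:
            code = secrets.randbelow(CODE_SPACE)      # unpredictable, not random.random
            while code in self.codes:                 # avoid two live codes colliding
                code = secrets.randbelow(CODE_SPACE)
        self.codes[code] = CashCode(amount, now + VALIDITY_SECONDS)
        return f"{code:06d}"

    def redeem(self, terminal, code_str, amount, now):
        """Return 'dispensed', 'rejected' or 'locked'. Wrong code and wrong
        amount get the same answer so the terminal leaks nothing per field."""
        recent = [t for t in self.failures.get(terminal, [])
                  if now - t < self.window_seconds]
        self.failures[terminal] = recent
        if len(recent) >= self.max_failures_per_window:
            return "locked"
        entry = None
        if code_str.isdigit() and len(code_str) == 6:
            entry = self.codes.get(int(code_str))
        ok = (entry is not None and not entry.used
              and now < entry.expires_at and entry.amount == amount)
        if not ok:
            recent.append(now)
            return "rejected"
        entry.used = True                             # single use
        return "dispensed"


def blind_guess_success(outstanding_codes, attempts):
    """P(at least one of `attempts` uniform (code, amount) guesses hits a live code)."""
    p_single = outstanding_codes / (CODE_SPACE * len(AMOUNTS))
    return 1 - (1 - p_single) ** attempts


def attempt_budget(terminals, hours, max_failures, window_seconds=3600):
    """Guesses an attacker can make across `terminals` before lockouts bite."""
    return terminals * max_failures * (hours * 3600 // window_seconds)


if __name__ == "__main__":
    svc = CashCodeService()
    code = svc.issue(50, now=0)
    print(svc.redeem("atm-1", code, 50, now=30))      # dispensed
    print(svc.redeem("atm-1", code, 50, now=60))      # rejected (already used)
    budget = attempt_budget(10_000, 2, svc.max_failures_per_window)
    print(budget, blind_guess_success(1_000, budget))
```

With 1,000 live codes in the system the per-guess odds are 1 in 10,000, so an uncapped million guesses would almost certainly hit something; the lockout reduces the budget to what the terminals can absorb, and binding the code to the amount multiplies the search space by the number of amount choices.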
I'm not totally familiar with this app, but I think that you have to put in your internet banking personal ID number, I also seem to recall that you need to nominate the ATM you're going to use, but that may be the general emergency cash option that RBS/NatWest have offered for a long time with no problem.
It's a one-time-use 6 digit PIN that can only be used on cash machines within a certain area. To get that 6 digit pin for emergency cash you'd first need my smartphone (since the mobile banking account is tied to that specific app on that specific phone) and then you'd also need another 6 digit PIN to get into the app in the first place.
Seems reasonably secure to me.
As to the *like a card* comment, it's for emergency cash - you know, like when you lose your wallet or get robbed...
Which makes me ponder the 9 times thing, my bank go ape if I try to do things mildly odd (and on occasion completely normal like getting my groceries) so requesting emergency cash 9 times would have my account locked faster than you can phone up 3 times...
"According to a Natwest spokesperson it was likely that the fraud victim interviewed on the BBC's Moneybox programme had given out his details to phishers which is how his account got hijacked."
The fraud victim denied this, and Nat West put forward no evidence to support their allegation. I have no evidence that Nat West's security precautions are unbreakable...
But at the same time whenever you do this kind of thing they ask you for your name, dob, first line of address / postcode and some kind of password.
The victim can deny it all they want, but odds are, they got caught out somewhere. Flat out denying it is impossible; I'm sure my details are probably floating about somewhere, I'd hope not, but in all likelihood they are.
name, dob, first line of address / postcode and some kind of password.
And thanks to people on Facebook we know all this now.
Hell, you don't even have to use it to get done by it.
"Hey, it's Fred Smith's 25th on Thursday, do you know if he's planned anything?"
Well, thanks for the DoB and full name, halfway there.
I also know many of my friends' mothers' maiden names and pet names, all thanks to the wonderful world of social media (that I hardly use).
"The victim can deny it all they want, but odds are, they got caught out somewhere. Flat out denying it is impossible; I'm sure my details are probably floating about somewhere, I'd hope not, but in all likelihood they are."
But in at least one of the cases mentioned over the weekend the victim had signed up for electronic banking and not for mobile banking, which is needed to generate the PINs. He should have received a letter from the bank confirming that it had been set up but had not (and the bank didn't seem to be able to state that a letter had been sent, other than saying that as mobile banking was used someone must have set it up so a letter would have been sent to him).
There was another case where someone had had a bank card stolen overseas - the victim noticed within minutes that he'd lost his wallet and immediately phoned the bank to cancel the card ... but during the 20 mins he waited "on hold" somehow several £1000 were removed from his account via ATMs and purchases - the bank then refused to refund him as they said he must have had his PIN number written down, as all transactions came through as validated - though the victim denied this as he has never used his PIN number (and the bank confirmed this).
And in all these cases the banks are taking the line of "our security procedures are now robust so you must have done something to enable these transactions to occur ... and we can't give you any more details on these transactions as that might compromise our security procedures"
@AC - I don't know about you, but I often dump letters from my bank into the bin (for later shredding) because I do Internet banking and anything they have to tell me gets done through that.
Now in this particular case, I think it's more likely than not that this has happened along with the customer's PC being compromised or the customer banking from someone else's compromised PC, which would let the bad guys get access to the customer's customer number and pin.
As for the other case that you cite - The customer must have given away their PIN in one way or another, probably by skimming. For several years now, though, the banks have had to - by law - refund this sort of fraud.
If other people can guess my password good on them, even with the poxy clue I still used to forget the blasted thing, time and time again (I've remembered now though.)
Not that my bank seem to use it for anything anymore... now they send me codes to my phone whenever I try and do anything *shrugs*
More than likely they were infected by one of those recent strains of mobile banking trojan; perhaps even something specifically targeting the Get Cash app, but that's pure speculation with no basis in fact.
I wouldn't trust anyone who can get owned that badly to have a reliable opinion on how it happened, to be honest with you.
If this was planned, then surely we would have a date for the return of the service sooner and more specific than "next week at the earliest". I have seen this advertised so I would be surprised if they were planning to just pull it and leave it unavailable for any significant length of time.
I don't really care about this service as I have never used it, but after the recent mess made by the last disaster they suffered, you would think they would have learnt to be honest with their customers, and that, for me, is the issue here - I don't think they are being honest.
Capping this emergency withdrawal to £100 should have worked to limit the damage. If I'd been robbed of a hundred quid like this I'd be a bit miffed, but as long as the bank sorted it out I'd probably be happy overall that I had this facility at my disposal. If however I found out that they had allowed NINE separate "emergency" withdrawals without challenging it and nine hundred of my hard-earneds were burning a hole in some chav's pocket, I would lose the plot.
Also - It's a bloody phone app FFS - why wasn't it locked down to the registered mobile number of the account holder?
The reports said that the customer was not registered for mobile banking yet the facility was supposed to be based on the mobile banking service to which he was NOT subscribed.
I guess NitWit bank thought (in so far as they can think) "Oh look no number registered they must all be OK". Incompetent does not even scratch the surface of their failures.
Not a Natwest customer, are you?
When you register for Internet Banking with Natwest those same details also work for phone banking (When I signed up it clearly stated I would get access to both using the same security details).
Also, fail: Natwest should never have allowed someone to use the function 2 times, let alone 9 times in a few days.
I've used this a couple of times for scambaiting.
1) Lad sends an email promising you an ATM card preloaded with x million dollars.
2) Ask lad for a scan of the ATM card to prove he's genuine.
3) Tell lad you've withdrawn $5000 using the app and "card" details, and thank him.
AC because scambaiters are shy retiring people.
Years ago (1980s) I used my cashcard at an ATM and was presented with someone else's account. Being a broke student, I withdrew the maximum £50 (I think) and never heard anything about it, or had it happen again.
Maybe there was a bit of dirt on the magstripe or something that screwed it up, as it only happened the once and putting the card back into the same ATM a few minutes later showed my account as normal.
So ATMs are not 100% reliable and secure (or weren't 25 years ago) as banks make out.
Sounds about right.
My uncle fixes cash machines and refused to use them until about 15 years ago, before that he fixed them but withdrew his money from the counter.
Security at that time was a joke, so much so that the emergency legislation - to block reporting of issues - was used (twice I think?) in the 80s for cash machine security issues. From memory, once it was for the 'everyone has the same default pin' issue and the other for being able to access any account if you created a card with the mag strip set a certain way.
Security now is much, much better, but banks are still bastards.
The last time I had money stolen (£600 of Ryanair flights appearing from nowhere) they tried to say that since the card was chip and pin they wouldn't refund it. I laughed down the phone and said I would send them articles on how to get around chip and pin, and they relented straight away and refunded me. My worry is how many people just take them at face value and don't get refunded, for what is in reality the bank's liability.
I was told, after about 50+ SOs on my business account over a year, that they "could not decline setting up a standing order if one was sent through" .... despite the fact they did not have my signature on and the accounts were all linked to cc topup accounts (I found out not Natwest, who were less than interested).
Their attitude to fraud was comical and bordered on the criminal so I wouldn't trust them if they told me the sky was blue.
is that with NatWest it works and the SecureKey is just crap that is good for generating random numbers for use in games of chance.
I'll have to take the SecureKey to Grosvenor Victoria Casino or Crockfords and see if it works there.
.. by revealing personal details possibly through a phishing attack, a claim that is impossible to prove or refute.
They did this in an attempt to deny liability for accepting a mobile banking transaction made on behalf of an account holder that had not signed up for mobile banking. Something they simply should not have done, and rendering all other discussions of the security of their systems moot. Those security systems should never even have been tested in this case.
Kettle calling pot... colour check please ?
This has a long history; the following link shows the problem in 2005 and before.
http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
It's no wonder I don't trust the banks, don't get me started on the "Verified by VISA" crap which forces you to give up your rights!
I know people who loved this app and are gutted the option is withdrawn.
They use it instead of giving their kids access to their bank cards. Little Timmy wants 20 to get leathered on white cider at the local park with his friends... just request a 20 cash withdrawal from the ATM next to the park... write the six digit number down for little Timmy and he can take the cash out himself on the way there.
showed that they were able to read the screen text of a Mobe from 60 metres away (that's nearly 200 feet) using high resolution CCTV and a good-guessing algorithm. Assuming this 6 digit text is displayed on the mobile screen of the victim, then you just have to check if there are any high resolution CCTV cameras within the 122 thousand square foot zone centered around the victim... hmmm, which country has one or two CCTVs lying around?
Another way is to illegally host your own 3G/GSM/GPRS base station using either a (hacked) nanoBTS (HomeNodeB) or an open-source OpenBTS/Asterisk/GNUradio/IMSIcatcher. The resultant Man-in-the-Middle attack on Mobile Data could scoop lots of credentials/secrets/App-comms. This has been tried allegedly in several places around the world, tho' I think the crims are currently going for millions of $$$ rather than £900 with this tech.
Don't PANIC!
Most new ATMs have a small camera in them, pointing at the user.
Do RBS group take a photo of the withdrawer of money via the EasyCash system?
Might be useful in case the transaction is disputed. However, if the withdrawer is known to the account, it would then come down to she-said-he-said.