back to article NatWest customer services: We're aware of security glitch

Brit retail bank NatWest is backtracking on previous claims that it was aware of a security glitch at the log-in stage that requested customers to enter more digits of their password than existed. A little over a week ago, a potential security issue emerged when this writer was asked to enter the 11th digit of a password to an …

  1. Doctor Syntax Silver badge

    “in order to more thoroughly investigate"

    OK, a split infinitive isn't actually reckoned to be ungramatical. Throwing in an adjective as well is just plain ugly.

    OTOH I take it that "exceeding authority" is PR-speak for telling the truth.

  2. ukgnome

    A bank that can't count?

    I think I wan't to withdraw!

    1. Jane Fae

      I understand that bankers generally consider withdrawal an unnecessary procedure...

    2. Alister

      I think I wan't to withdraw!

      Congratulations, that must be one of the most obscure greengrocer's apostrophes I've ever seen.

      1. CrazyOldCatMan Silver badge

        obscure greengrocer's apostrophes

        Not so much feral, more 'reverted to wild and slaughtered all the humans within easy reach'..

    3. IsJustabloke
      Thumb Up

      re Bank that cant't count

      A very long time ago I had an account with Lloyds. being a callow youth I ahd to pay for my car insurance in installments but the company concerned used to require 3 post dated cheques (I said it was a long time ago!)

      I can't remember exactly why but I chose to close my account with Llyods, genuinely forgetting that i had written the cheques. The last of the cheques was presented after I had closed the account. For reasons best known to themselves it was cleared and paid. They duely sent me a letter saying I was overdrawn and I should do something about it, I wrote back saying, I don't have an account with you and went on my merry way.

      Every two or three months I'd receive a statement indicating i was £55 overdrawn and I'd ignore it. This went on for a while and then suddenly a statement arrived that indicated a positive balance.

      I wandered into the branch and asked the cashier if the statement was correct, he said yes so I withdrew it and closed the account (again!)

      It was like real life monopoly :D

      1. I ain't Spartacus Gold badge
        Devil

        Re: re Bank that cant't count

        Did you win second prize in a beauty contest the next day?

        Winner, Donald Trump...

  3. Dan 55 Silver badge

    Next time, screenshot it and post it on Twitter with a link to the story

    You'll be amazed at how they change their tune.

    "We can't be arsed to do our job properly unless you hang out your dirty laundry in public on Twitter" approach to customer service really gets on my tits.

    1. Doctor Syntax Silver badge

      Re: Next time, screenshot it and post it on Twitter with a link to the story

      "We can't be arsed to do our job properly unless you hang out your dirty laundry in public on Twitter" approach to customer service

      AFAICS customer service was doing its job - it even escalated the problem, a step which seems to be unknown to many these days. The tech side -trying without success.. It's PR that needs to be hung out to dry.

      1. Anonymous Coward
        Anonymous Coward

        Re: Next time, screenshot it and post it on Twitter with a link to the story

        "The tech side -trying without success."

        The "tech side" in this case are probably an outsourced bunch of 1st line response subcontinent morons, not the people who actually wrote the code. Having said that, how hard can it be to find the section of code that generates PIN digit numbers on the login web page? I would suggest not very.

        1. Ryan 7

          Re: "how hard can it be..."

          Given that the login is already obfuscated by accepting random characters in place of the full string, I can fully imagine this being a separate locked-down system that just passes an authenticated pass/fail flag back to the 'main' server.

          Agree that PR need stringing out for such a blatant attempt for a cover-up.

          "I saw the problem myself"

          "No you didn't"

      2. Dan 55 Silver badge

        Re: Next time, screenshot it and post it on Twitter with a link to the story

        I bet it'd get allocated more time and a higher priority if PR so ordained because things were getting embarasskng on Twitter.

      3. CrazyOldCatMan Silver badge

        Re: Next time, screenshot it and post it on Twitter with a link to the story

        It's PR that needs to be hung out to dry

        Well - you do have to remember that PR is the slightly-backward ugly cousin of HR (HR exists to protect the company from the employees, PR exists to protect the company from the public).

        It's where the people who fail the HR empathy tests[1] go.

        [1] Which, in most HR departments I've seen, consists of filtering out anyone that has, or seems to have, any shred of empathy.

    2. Anonymous Coward
      Anonymous Coward

      Re: Next time, screenshot it and post it on Twitter with a link to the story

      Have El reg seen a screen shot they can trust or reasonably expect to be of the problem?

      Can El Reg advise the person to carry out a subject access request for their notes...and call recordings...this should include contact with technical...any refusal on security grounds or excessive redacting is usually a give away?

      1. iron

        Re: Next time, screenshot it and post it on Twitter with a link to the story

        "Have El reg seen a screen shot they can trust or reasonably expect to be of the problem?"

        Try reading the second paragraph. I'm guessing El Reg trust their authors.

        1. Jane Fae

          Re: Next time, screenshot it and post it on Twitter with a link to the story

          LOL!

          I even scanned in the letter from customer services together with their "interesting" admissions.

          The most joyous bit was discussing this letter with their Press Office, during which convo one could almost literally hear the gears grinding as official spokesperson attempted to explain how their customer services bod had just gone off piste and made this up wholesale without actually saying they'd done that...

  4. Anonymous Coward
    FAIL

    Had simi9lar issues

    Trying to op[en a new account with them 2 months ago; it didnt matter how many times they reset the password for us, it kept saying we were entering the wrong password.

    In the end this, and their total inability to understand that someone born in China might actually be a UK citizen, made us go elsewhere.

    Still waiting for that Norman Muntz icon.

    1. Anonymous Coward
      Anonymous Coward

      Re: Had simi9lar issues

      You may need a new keyboard judging by your

      1. Kane
        Mushroom

        Re: Had simi9lar issues

        "You may need a new keyboard judging by your"

        By your what? BY YOUR WHAT??!?

        1. CrazyOldCatMan Silver badge

          Re: Had simi9lar issues

          "You may need a new keyboard judging by your"

          By your what? BY YOUR WHAT??!?

          By the look of it, sudden bursts of silen

    2. Flywheel

      Re: Had simi9lar issues

      Hmmm, so is your 11th digit a "9" by any chance? C'mon, we have to know...

      1. Jane Fae

        Re: Had simi9lar issues

        No. My 9th digit is an 11!

        1. VinceH
          Coat

          Re: Had simi9lar issues

          "No. My 9th digit is an 11!"

          So that would be 'B' (or 'b') then?

          I think I'll be needing my coat again.

    3. Jane Fae

      Re: Had simi9lar issues

      OK...do drop me a line if you're interested. We weren't 100% convinced by the explanation and if loads of people have had similar we might revisit...

      1. chas49

        Re: Had simi9lar issues

        I have had to reset password several times on a new Ulster Bank (part of same group) account. Seems to be OK now but I'm sure I wasn't getting the password characters wrong....

    4. Ogi

      Re: Had simi9lar issues

      > Trying to op[en a new account with them 2 months ago; it didnt matter how many times they reset the password for us, it kept saying we were entering the wrong password.

      That is interesting, because for the last few months I have had the exact same problem. I have been banking with Natwest for years, always with the same credentials, when a few months ago, without warning, no matter how many times I would type it in, it would say I was entering the wrong password. After 3 attempts it would lock me out and I would have to re-register for online banking.

      So I have to register again, then it would work (because you can click "continue to online banking" straight from the registration confirmed page, so it doesn't prompt you for credentials), until I logout, then when I try to log in again I get exactly the same error.

      It came to be that every time I wanted to log in to online banking, I had to re-register. After doing this 4-5 times, I kind of gave up, and just moved my account across to a competitor, along with all my Direct Debits and savings, thereby ridding myself of this problem (not to mention that my faith in their ability to actually keep my account secure is in doubt, if they can't do something as simple as count the number of characters in my password, I dread to think how the rest of their system is coded).

      1. UriGagarin

        Re: Had simi9lar issues

        Your title might actually be the answer

        - If you have that god awful IBM Trust software installed (Nat West really really pushes to have it installed) there is a setting that converts some l3tt3rs into numb3rs.

        Can't remember what it is precisely, but it caused my wife's work business account no end of problems due to it. Took ages to find that out. Of course there's nothing on the Nat West site to check it.

  5. A K Stiles
    Joke

    If you just tell them what your password is

    then they'll be able to replicate the fault in a test system and determine where the issue is coming from.

  6. Mike 125

    password specifications..

    " this writer was asked to enter the 11th digit of a password to an online account that only contained nine characters."

    This probably stems from another frequent failure in password specification. They always specify n_charsmin, but very rarely n_charsmax. Isn't it time there was a standard for this stuff?

    1. Doctor Syntax Silver badge

      Re: password specifications..

      "Isn't it time there was a standard for this stuff?"

      A standard? There are lots of standards. Just pick one.

      1. CrazyOldCatMan Silver badge

        Re: password specifications..

        A standard? There are lots of standards. Just pick one.

        No, no, no. *Far* more fun to generate another one. After all, even if it only becomes the standard in your organisation, it'll be your standard and they can never sack you..

        Especially if you make it as internally-consistent as Windows.

    2. jmch Silver badge

      Re: password specifications..

      I really hate this "Enter the 1st, 3rd, 10th characters of your password" BS.

      a) As a user, if you know the password, it's much easier to just type the whole password than faff about with identifying the nth characters

      b) From a security POV, it means that the server somewhere has access to the plaintext password so it can compare nth characters, instead of hashing the passowrd when it is set, storing the hash and forgetting the password. So it's less secure than using the whole password

      1. TitterYeNot

        Re: password specifications..

        "From a security POV, it means that the server somewhere has access to the plaintext password so it can compare nth characters, instead of hashing the passowrd when it is set, storing the hash and forgetting the password. So it's less secure than using the whole password"

        While you make a good point about using using a password hash rather than the password, the servers handling authentication are much less likely to have been compromised with malware due to little Johnny browsing soapytitwank.com (or similar delights) than your browser / PC / phone i.e. in real life making users type in their whole password on a personal device is probably less secure.

        1. Doctor Syntax Silver badge

          Re: password specifications..

          "the servers handling authentication are much less likely to have been compromised with malware"

          OTOH if your device is compromised you lose control over your own passwords and, frankly, the bank isn't going to care about that. If the authentication server is compromised they lose control over everyone's passwords and. of course, the bank ... Yes, you can see why they're choosing such an insecure option.

          Seriously, there are two aspects to risk. One is the probability that something will go wrong, the other is the scale of going wrong.

      2. MonkeyBob

        Re: password specifications..

        Would it not be possible to hash each character in your password, add a slat to it as well to make it a bit harder to brute force if the DB bacame compromised.

        1. really_adf

          Re: password specifications..

          Would it not be possible to hash each character in your password, add a slat to it as well to make it a bit harder to brute force if the DB bacame compromised.

          Unfortunately, that's barely better then storing the password in the clear, since there aren't many different characters (OK, including all of Unicode takes it to ~10^6), and you'd be able to find the password character by character - in parallel if you want.

          The interface for a system to store passwords, issue challenges for certain characters, and validate the response seems fairly simple, which should make it much easier to develop a secure, isolated system for this purpose.

          In other words, in this case, making sure those passwords won't leak seems achievable, with reasonable care.

          However, the implementation also seems like it should be fairly simple, which ought to preclude the sort of issue in this story...

  7. BeakUpBottom

    So has your account been compromised?

    Because that's pretty much the only conclusion if they are denying a simple system bug is the cause ?!

    1. Anonymous Coward
      Anonymous Coward

      Re: So has your account been compromised?

      Are you seriously suggesting the PR dept. who WILL be in "oh sh*t! damage limitation mode" are significantly more credible that a supervisor who has spoken to technical and and put sh*t in writing?

      Was it asking for some pre-encryption hash character? Is there an error in handling certain characters...I can think of one major financial co that allows % but not * in passwords.

  8. Forget It
    Facepalm

    Obscurity through Security

    perhaps

  9. Lee D Silver badge

    I abandoned NatWest in the 1990's when they were still insisting you needed to use IE with ActiveX controls to access online banking as other browsers "weren't secure".

    To be honest, working in IT back then, I was hardly the front-runner of new technology in everyday life anyway, but I just moved to a bank that had a vague understanding of what SSL actually did.

    1. Roj Blake Silver badge

      Re: I abandoned NatWest in the 1990's

      I abandoned NatWest in the 1990s when they refused to send out my new card because I'd moved and not told them about it. However, I hadn't moved and was still receiving statements etc.

      This was the second time this had happened.

  10. Roopee Silver badge
    FAIL

    PayPal Fail

    PayPal recently allowed me to set a password that was longer than their maximum, then kept refusing my login, presumably because it was truncating my input before comparing hashes, so I had to jump through the hoops to reset it. I figured out the problem by trial and error.

    On a related issue, the practice of the UI not telling you the password requirements until after you've typed one that doesn't meet them, is still rife, and still wasting people's time.

    1. Andrew Moore

      Re: PayPal Fail

      Ha, had exactly that same problem setting up a new router yesterday. Eventually I realised that the password (passphrase) I was using was longer than it expected. A quick factory reset and a shorter password later...

      1. Richard Parkin

        Re: PayPal Fail

        Yes, I wondered if that was what happened here and that the 11th character was recorded somewhere. It’s happened to me, allowing more characters entered and seem accepted, on several sites. If you use a password manager you are confident you have entered the right password and so it’s worth finding out what the max number is and truncating your password.

    2. VinceH

      Re: PayPal Fail

      Ryanair have in the past similarly had a password set up that doesn't validate the password according to the rules they declare: Second half (ish) of this.

      1. Angry IT Monkey
        Joke

        Re: PayPal Fail

        > Ryanair have in the past similarly had a password set up that doesn't validate the password according to the rules they declare: Second half (ish) of this.

        I imagine that costs extra.

        I'll get my coat...

    3. jmch Silver badge
      Mushroom

      Re: PayPal Fail

      " the UI not telling you the password requirements until after you've typed one that doesn't meet them"

      GRRRRR!!

      >>

  11. Outer mongolian custard monster from outer space (honest)

    I wonder if chars 9,10 and 11 are %0a ;)

  12. tiggity Silver badge

    9

    Did NatWest at some point impose a max 9 char password?

    If I was risk averse enough to do online banking I would want to create a (complex) password a lot longer than 9 chars

    1. phuzz Silver badge
      Facepalm

      Re: 9

      It's worse than that, they'll ask you to select the (eg) 3rd, 5th and 2nd characters of your password. So, not only does your password have to be somewhat memorable (no copy/pasting, dropdowns only), but presumably to do such a thing, they must be storing your password with reversible encryption.

  13. Anonymous Coward
    Anonymous Coward

    IT support are clearly using the Spinal Tap version of the website.

  14. Huw D

    I've seen this - not on my current account, but on my Credit Card.

  15. nigeb

    Yes! I've had this happen, twice, but not recently - probably over a year ago.

    When I queried Natwest they suggested that I might have mis-keyed the customer number and thereby attempted to log into another customer's account - one with a longer password than mine.

    I guess this is possible so since then I've been very careful to get it right. If it happens again I'll know it's their fault.

    1. Jane Fae

      This story happened to me and eventually they said the same thing. Must have entered the account number wrong.

      Though I am pretty sure a) I did not and b) in my initial convo with customer services they acknowledged an attempt to log on to my account

  16. GreggS

    some member of their customer services team had exceeded their authority

    By telling the truth.

  17. Susan Vash
    Paris Hilton

    So just to be clear. The bank ask for the nth digit of your password and compare it to what?

    Doesn't this method of security (asking for 3 out of n digits/characters of your password) require that the password is itself stored in plain text or did I miss the bleeding obvious (yes, yes, I guess you could encrypt the password, but do you decrypt it into secure memory? and do you keep the encryption key safe?).

    Paris as the dumb-blonde look may yet come back to haunt me :D

    1. Anonymous Coward
      Anonymous Coward

      Re: Comparing password characters

      The password will be stored in a database, encrypted by a key. The key will be held in an HSM. The 3 characters and their positions will be passed to the HSM (it's a standard function call for HSMs) where the encrypted password will be decrypted, the characters matched and a yes/no answer returned. All of this will happen within the HSM - so the password is never exposed.

      1. Anonymous Coward
        Anonymous Coward

        Re: Comparing password characters

        > The password will be stored in a database, encrypted by a key.

        You can believe that all you want but I know for certain that a major non-banking player in the UK held plain text passwords because I manipulated them into telling me what my password was.

        1. Angry IT Monkey

          Re: Comparing password characters

          > You can believe that all you want but I know for certain that a major non-banking player in the UK held plain text passwords because I manipulated them into telling me what my password was.

          The password could be stored using reversible encryption, PCI compliance allows this for card numbers which don't change often if at all.

          Of course the "encryption" could just be strrev() or Igpay Atinlay and nothing excuses giving out passwords. Bad major non-banking player!

  18. ValleyBoy

    I love the NatWest

    I once had a standing order set up, transferring money from my Sister's account to my savings account.

    I got a letter one day, stating something to the effect of "There is not enough money in your account, to transfer from your sisters account to yours. We have charged you £25"

    I went into the bank and asked them to explain. They read it, then re-read it a few times with a confused expression, then said it was clearly a mistake and they'd sort it out.

    A few days later, my Sister got a letter: "There is not enough money in your Brother's account, to transfer from your account to your Brother's account. £25 - ker-ching"

    Mind you, I still bank with them...

  19. Anonymous Coward
    Thumb Up

    NatWest online...

    ...press for action!

  20. EnviableOne
    Facepalm

    RBS group IT issues Again

    I just dont see why they dont tear the lot down and start again.

  21. ShortLegs

    Ha, Nat West.

    Back in 1991 (long story short) I wanted to close my account with them. They wanted to photocopy my Forces ID card, and refused to allow me access to my funds unless I did so. I refused to leave the bank, so they threatened to call the police. I was only too glad to oblige, knowing Plod would call the RMP, and when Plod arrived, they duly did.

    RMP listened for about thirty seconds before calling in SIB

    Cue the bank manager trying to explain why he had over 700 photocopied ID cards as he was led away in handcuffs, charged under the Offical Secrets Act.

    Still gives me a little giggle.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like