"The bank last week reported profits of £3.1bn for 2019 (PDF), nearly double the £1.6bn of the year before."
Might want to check that out too.
British customers of High Street banking brand Natwest are being advised not to use the domain natwest.co.uk – by none other than Natwest itself. Reg reader Dan Mygind, while doing some routine online banking, spotted a rather alarming certificate error while trying to visit natwest.co.uk. That error – a common name mismatch …
RBS announced that they were no longer going to divest the retail banking of the English RBS branches to a revitalized Williams and Glynn (which had been their plan) several years ago.
Instead, in order to shed some branches (which had been mandated by the European rules about government bail-outs after the 2008 financial crisis), they just shut the majority of RBS branches in England. My nearest branch is now about 45 miles away from my home (excluding the Cardiff branch, which I would have to fly to).
Fortunately, when they closed the RBS branches, they were allowed to effectively merge the retail banking for both RBS and Nat West, so RBS customers can now use a Nat West for their physical banking. This actually makes it easier for me, which is unusual in the banking world in this day and age.
My NaffWest small business account was a remote office somewhere daan saaaaf with no contacts so when they decided to get rid of our pesky accounts instead of hiving off Williams & Glyn, they did a deal with a handful of banks to take on those accounts, including Starling, whose £1000 no-strings bribe won my affection.
A pretty amateur mistake though (if it's a simple cert renewal or similar)? I bet somebody is extremely red-faced and never working in banking I.T. again.
As the article says, even the perception of security problems is horrifically damaging.
It's on a par with clocking off and leaving the door unlocked on the cock-up scale.
They don't do themselves any favours. I don't know why banks don't just operate all functions from the one well-known, friendly domain name; instead the sites branch off and use horrific-looking alternative top-level domains, whilst at the same time telling people not to follow dodgy links.
I found a webpage once where a guy had parodied this, cited all the current banks' examples and set up similar domains to illustrate the stupidity of it.
I wish I could find that again.
Barclays (try to) insist you submit the "know your customer" information via a third party form-filling website and refused to offer any other route when challenged. Apparently they can't offer me financial products if I fail to submit the data, so basically a win-win in their case.
It's not even summer yet and it looks like the interns are running the site(s).
Aside from the cert-mismatch:
- http://natwest.co.uk has a 301 to http://www.natwest.com/default.aspx. Rule: DO NOT include the name of the default file.
- Redirect from HTTP to HTTP instead of HTTPS.
- Second redirect from HTTP goes to HTTPS (subdomain personal.natwest.com), again pointing to default.aspx.
- Chrome is reporting a lot of cross-site resources over HTTP with an incorrectly set attribute - and the promise that a future version of Chrome will block those.
- Chrome is also complaining about deprecated JS functions on the site, along with helpful hints like "deprecated because of its detrimental effects to the end user's experience".
- 4.4 MB (that is MEGABYTES) just to load the "not found" page...
- Their mortgage tracker does not resolve my mortgage application currently in progress (I called them up and they said it's a technical problem and to try again later)
- Their online complaints page doesn't recognise any UK address as a valid UK address, and even if you use the "International address" option to type in your address directly, the submit form has an error (so you can't submit any complaints)
- Emails to them (marked delivered) seem to vanish in the bowels of their system, forcing someone to go hunting around for them, if they even find them.
- If you call them, they can usually pull up needed information, but do apologise as "their system is having some problems"
- Both me and other people I know have been victims of fraud on their NatWest card in the last 2 months. In one case, their new NatWest card came pre-defrauded (before they even used the new card the first time, there was a fraudulent transaction from Holland for Netflix on it). I had never been the victim of fraud until 2 months ago.
Quite a mess really. Something is going on in the bowels of that bank.
'Their online complaints page doesn't recognise any UK address as a valid UK address, and even if you use the "International address" option to type in your address directly, the submit form has an error (so you can't submit any complaints)'
Pretty sure that's intentional.
Compared to their first attempt at a web banking service about 20 years ago, that isn't actually too bad.
Back then, the entire thing was written in Java. It caused Netscape to crash. It loaded in a pop-up window with no title bar "for security reasons".
The emails every so often letting me know my latest paperless statement is available (so the vast majority of emails I've had from them) say in bold caps that they will never require the card reader to log in. The latest T&C leaflet says they might. This conditions customers to either accept security risks or lose service, and could even strand people abroad.
Come to think of it, https://www.natwest.com is the exact length of the shortened URLs, which makes https://natwest.com shorter than the shortened URLs.
I'm not going to bother to look, but I suppose they were either login, support, or announcement pages. Still, it would be so easy to launch a phishing campaign with shortened URLs for this incident. Why condition customers to think that such a practice is normal?
Does anyone want to try to convince me that the use of URL shorteners
No, they've long been classed as a risk because they: leak information; allow tracking; are a good way to insert malware here.
But numpties who try and use Twitter for customer service deserve all the shit they get!
Heh, had to look... Whether or not that's really the bank that threw up the temporary server issuing the 404, it gets B's and C's for weak TLS settings (no TLS 1.2 but does do TLS 1.0, etc.), in addition to the name mismatch, not that there's anything worth securing there. I guess it was more important to get that out there quickly than well. But it shows what happens when you don't keep up with your renewals?
(To be fair, the other destinations came up A+ though.)
Ah yes, had a good chuckle recently at banks now charging 40% for pre-arranged overdraft.
Mortgage rates 4% (comparison sites will show lower because they all use an introductory period figure).
Savings? Go for five year deposit with a bank you've never heard of before and you might hit 2%. Much more likely 1.5%, anything with on-demand withdrawal will be 0.5% or less.
Personal banking is a side-show for most of these companies. People have to have it, so they can charge what they like.
Coventry has a regular saver paying 2.5%, max monthly deposit is £500, withdrawals permitted subject to 30 days loss of interest on the amount withdrawn, so near-enough an instant access account in practice.
Virgin Money has a regular saver paying 2%, max monthly deposit is £250, withdrawals permitted without penalty.
But, yes, the savings rates on offer from larger banks and building societies are mediocre at present. It's almost as if the whole system is about to collapse: I read an article recently (which I now can't find again) about how home-buying/mortgaging for people under 45 has dropped vastly because of inflated costs and the size of deposits needed. If the banks can't lend to people (who are unable to borrow) then they'll make no money on any savings lent out (and, yes, I am aware that most of the lending is actually pretend, rather than actual, money, but still...)
There are probably not so many people who have such large sums of cash hanging around, however, compared with those who just want to save what's left in their bank account at the end of the month.
And for those that do have a lot to save, they'd be better investing in an investment fund, possibly a more cautious one with rather more bonds and fewer equities, to try to get a better return than cash savings.
I gave up on Natwest many years ago when they told me that I couldn't use any other browser as I had to use Internet Explorer (4?) as it was "more secure". When in reality their online banking consisted of an ActiveX plugin putting a fake padlock icon into a frame that was really just an insecure site.
I mean, it wasn't quite the dark ages of the Internet, but even they should have known that that was a really bad way of doing things, and I knew enough to complain.
I moved my accounts as soon as I realised they were serious and wouldn't be changing any time soon.
I can't imagine their IT has come on any better since then, to be honest.
I've slowly worked my way through all the major high-street banks for similar things: everything from literally laughing in my face when I applied for a mortgage (so I went to the place next door and got one basically the same day, for exactly what I was asking for), deliberately holding onto cheques for the maximum clearance period despite 10 years of paying them in (because on that ONE occasion delaying it would take me overdrawn for a fraction of a second before the next payment cleared), and don't even get me started on the 2FA device that I "had to" change to a smartphone app, but couldn't without first receiving... a 2FA device in the post that I literally used once to put the code into the app and then threw away.
I've ended up on Monzo, but I'm sure that won't be the last move. At least they do seem to have some semblance of understanding of a secure interface, however.
Banks and mortgages. Rant time.
Rant, rant. Called my then-bank, Lloyds, to ask if they did a particular type of mortgage.
"You'll have to go to a branch to discuss that"
So make an appointment, arrange for my wife to come up to Canary Wharf.
Person comes out some 5 minutes after appointment time, pleasantries are exchanged.
"So, this is the type of mortgage we're looking for"
"Sorry, we don't do that".
End of meeting. Seething. Could have told me that on the fsck'ing phone.
They push you to mortgage brokers, don't they? But why, in this day & age?
"mortgage brokers are another bunch of parasites whose entire industry should have been replaced by a database by now."
Sort of. Many tens of companies existed in the UK in 2008 employing rooms full of Mortgage Advisors whose job was to extract maximum profit from the client by pretending to have access to secret deals with the actual mortgage providers. They could swiftly get you a 125% mortgage no questions asked that would sit like a yoke around your neck for the rest of your life. Those companies don't exist any more.
Every mortgage I've started (2) and every mortgage transfer I have done after the fixed period (3) has been done online off the back of my own research (quick look on a couple of comparison sites). That method has saved me a lot of money over speaking to an advisor. That said, my mother, my sister, my 25yo niece for flip's sake would feel extremely vulnerable making that decision without the Lloyds or HSBC advisor walking them through it in branch. They will accept the 3% interest rather than the 2% I pay for 'peace of mind'.
Lloyds stopped paying sales commission to their mortgage advisors a few years ago and offer no other incentive to sell, beyond not getting shouted at by managers. So Lloyds mortgage advisors aren't parasites, they are just marginally costly human Valium for technophobes.
Better than ours: about 10 years ago we were told we had to go into a branch and meet with a mortgage specialist. When we did, they opened up the same page on the bank site we had, then called the public mortgage centre number and handed me the phone.
To this day I have no idea why we were asked to go in, it was a waste of 3 hours out of work.
I entered https://www.natwest.co.uk and got a security error.
Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for www.natwest.co.uk. The certificate is only valid for the following names: www.natwest.com, corporate.natwest.com, natwest.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
They fixed http://natwest.co.uk, which now redirects to https://personal.natwest.com. But they haven't fixed any of these:
https://natwest.co.uk still has the dodgy certificate and doesn't redirect anywhere else.
https://www.natwest.co.uk is the same.
http://www.natwest.co.uk redirects to https://www.natwest.co.uk, which has the dodgy certificate.
They clearly must own all of these names; I can't understand why they haven't fixed all of them. They're not even getting rid of 15% of their workforce.
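As an added example (not code from the thread or from the bank), this is the check Firefox performed when it raised SSL_ERROR_BAD_CERT_DOMAIN above, plus the redirect-chain review from the earlier "Aside from the cert-mismatch" comment, written so a site owner can audit their own names. The SAN list is constructed to mirror the names quoted in the Firefox error, the redirect hops are a constructed sample modelled on the chain that comment describes, and `fetch_san_names` is an optional live lookup using only stdlib `ssl`/`socket` calls.

```python
"""Hostname-vs-certificate and redirect-chain checks.

Added example; not from the forum thread or the bank. Sample data below is
constructed to mirror what the comments report, for offline demonstration.
"""
import socket
import ssl
from urllib.parse import urlsplit


def hostname_matches(hostname, san_names):
    """True if hostname is covered by a DNS name in the certificate's
    subjectAltName: exact (case-insensitive) match, or a wildcard that
    stands in for exactly one leftmost label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.example.com" -> ".example.com"
            # Same label count guarantees the wildcard replaced one label only,
            # so "b.a.example.com" is not matched by "*.example.com".
            if host.endswith(suffix) and host.count(".") == pattern.count("."):
                return True
    return False


def explain_mismatch(hostname, san_names):
    """None when the name is covered; otherwise a browser-style explanation
    listing the names the certificate is actually valid for."""
    if hostname_matches(hostname, san_names):
        return None
    return (f"certificate is not valid for {hostname}; "
            f"valid names: {', '.join(san_names)}")


def fetch_san_names(hostname, port=443, timeout=5):
    """Live lookup (needs network). Chain validation stays on; only the
    built-in name check is disabled so the SAN list can be read and then
    judged with hostname_matches() above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by hostname_matches()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert = ssock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def audit_redirect_chain(hops):
    """hops: ordered list of (requested_url, Location header or None).
    Flags plaintext-to-plaintext redirects, default file names leaked in
    the Location, and a final landing page that is not HTTPS."""
    findings = []
    for url, location in hops:
        if location is None:
            if urlsplit(url).scheme != "https":
                findings.append(f"{url}: final destination is not HTTPS")
            continue
        src, dst = urlsplit(url), urlsplit(location)
        if src.scheme == "http" and dst.scheme == "http":
            findings.append(f"{url} -> {location}: HTTP redirected to HTTP, not HTTPS")
        if dst.path.lower().endswith(("default.aspx", "index.html", "index.php")):
            findings.append(f"{url} -> {location}: default file name exposed in Location")
    return findings


# Constructed SAN list mirroring the names quoted in the Firefox error.
SAMPLE_SAN = ["www.natwest.com", "corporate.natwest.com", "natwest.com"]

# Constructed redirect hops modelled on the chain described in the thread.
SAMPLE_HOPS = [
    ("http://natwest.co.uk/", "http://www.natwest.com/default.aspx"),
    ("http://www.natwest.com/default.aspx", "https://personal.natwest.com/default.aspx"),
    ("https://personal.natwest.com/default.aspx", None),
]

if __name__ == "__main__":
    print(explain_mismatch("www.natwest.co.uk", SAMPLE_SAN))
    for finding in audit_redirect_chain(SAMPLE_HOPS):
        print(finding)
```

Run it as-is for the offline demonstration; `fetch_san_names("example.invalid")` style calls are the only part that touches the network, and they should be pointed only at hosts you are responsible for.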
A few years back, RBS made you go to a completely different site while some merger was going on. However if you went directly to that site, it wouldn't let you log in. It was actually 3 separate steps to get to the correct site.
Then the merger collapsed and the whole débâcle started once again.
After that mess (along with extortionate overdraft fees), I left.
It was actually a de-merger. The idea was that all of the retail RBS customers in England and Nat West customers in Scotland would become customers of a new bank which RBS first tried to set up as a separate entity, and then tried to sell off, leaving the remainder of RBS/Nat West to concentrate on commercial banking. This new bank was going to be a revitalized Williams and Glyn, a bank that had been taken over by Nat West last century.
The move you talked about was to aid them separating the IT systems, but I think that the eventual cost was regarded as prohibitive, and no other bank was interested in buying the new bank out.
The goal was to reduce the number of branches in each institution to a level that the European rules on government bail-outs required. Instead, what they've done is just shut down the RBS branches in England.
I don't see why Natwest and the Coop shouldn't be both placed on the naughty step.
1) Natwest seems to be having trouble with keeping their certificates in order. Thereby posing security problems for their customers.
2) The Coop or at least their Britannia subsidiary have been having problems with their "automated services" since Monday with no sign of a fix. Which means in my sister's case the inability to access her ESA and PIP payments. The DWP have paid the money in and the Britannia have confirmed that the money is in her account it's just that the bloody system refuses to let her get hold of it.
Why on earth are we paying these idiots so much to look after our money?
NW brought in a new feature last year: EVERY time I log in they send me a "one time code" via SMS, yes EVERY SINGLE TIME no matter what browser I use on my home PC. They claim this is to improve security for customers.
Of course readers here will know that this is considered a very weak way to do it, quite easily spoofed. But it is their latest security improvement.
Why do so many large companies insist on 2FA via SMS only?
It's almost as though they don't listen when so many of us tell them that we don't get a mobile phone signal!
It is the digital dark ages when you are no longer able to perform basic banking etc. because the charlatans operating the phone networks will not provide basic coverage to many parts of the UK. The phone signal coverage maps are pure lies in some areas (such as mine where I should get 4G, but don't get anything unless I walk to the bottom of my garden, where I can sometimes get 3G.) At least smart meters don't work!
Everyone else is backpedalling away from SMS as a form of MFA due to the prevalence of SIM-swap fraud and the fact it brings every mobile phone retailer into your security scope.
But not the banks nooo, they are all running screaming towards it because it's feckin cheap for them.
I'm pointing the finger of shame at you Nationwide.
Lloyds bank tell me that soon I will get an SMS message every time I use my visa card online, and I will have to enter that code to authorise the payment.
I have tried explaining to them that I don't have a cellphone (and I don't want one). Their response was that in that case I will no longer be able to make online purchases. I told them that is really poor service and they said that all of the other banks are doing it too.
"I have tried explaining to them that I don't have a cellphone (and I don't want one). Their response was that in that case I will no longer be able to make online purchases."
HSBC are taking a similar line. It might be interesting to see the response if invoking the Equality Act...
Halifax Bank are taking the exact same approach. No cellphone? No online banking for you!
At least, that was the case until I sent them a nastygram citing the disability discrimination act (I'm deaf so can't use phones, therefore don't have a phone, of any kind). I then got sent a document to sign absolving them of any liability should my account be hacked as a result of not having a cellphone to send an SMS code to.
Personally, I feel it to be safer anyway, with the rise in SIM swap fraud.
One of the banks I'm with will apparently be providing the option to use a land-line. I suppose this is better than nothing.
They do all seem to be moving to a curious combination of insecure and inconvenient though, when the classical choice has been one or the other (and the best choice is neither, as inconvenient often eventually leads to insecure and vice-versa). Why has my card reader widget, which is perfectly good 2FA that I've been using for years, now being replaced with SIM 2FA, which depends on an insecure system, a physical device that is at pretty high risk of being stolen, network coverage and having one in the first place?
"But not the banks nooo, they are all running screaming towards it because it's feckin cheap for them."
Yup. The new Payment Services Directive requires "strong customer authentication", and they're picking the cheapest option, and deploying 1-2 years after a large-scale hack was perpetrated in Germany using said method (and against Metro Bank last year). Sounds about right. *facepalm*
"...they send me a "one time code" via SMS,",
Aye, they threatened to do that to me as well, until I told them that I do not have a mobile 'phone nor had I any intention of getting one. In the end I had to go to the branch and have a somewhat heated argument with a manager about their proposal and how it was not going to work in my case. In the end we compromised: they would hold off on the SMS malarkey and I agreed to let them know if I was intending any foreign travel or wanted to make an expensive purchase.
This creeping assumption that everybody has a mobile 'phone and thus arranging their business around said assumption is something that really puts my back up. Luddite? Maybe, but there is a bit of rebellion stirring in me and I will not let them dictate how and where I choose to do business with such companies.
"This creeping assumption that everybody has a mobile 'phone and thus arranging their business around said assumption is something that really puts my back up. "
More than 10% of the UK *adult* population does not own a mobile phone. The assumption/requirement for one by companies is tedious.
"More than 10% of the UK *adult* population does not own a mobile phone. "
I'm in that 10% too. Not because I don't want one, but because from when they became financially viable for businesses to hand them out to those employees with a need for them, I've always been in a job where I get a free one. There's no reason for me to pay out for a personal one since I don't use it much for personal use anyway.
I think the number of people who do online purchases *and* don't have a mobile phone is probably very much lower than 10%.
However, in that group are both my wife and my father, who both have mobile phones, but leave them turned off because the only reason they have them is for emergency use. They both still use land-lines for telephony.
But the banks are very short sighted. I just overheard a conversation between my father and Nat West where he was trying to report a misplaced card, and they asked him to confirm when either his mortgage or rent payment went out, and when his TV license was paid. My father has owned his house outright for over 20 years, and is over 75 so (currently) does not pay for a TV license. He volunteered the date and amount of his council tax, but was told that was not unique enough.
Fortunately, they did accept it when he said what the energy company he pays regularly, even though he could not remember either the date or what the current amount was. But I get the feeling that if he had had another agent on the phone, he might not have been allowed to report his card missing.
The assumptions about information people have to hand that will be accepted as some form of identity are ridiculous, and I've had problems with my youngest son, who left education without a bank account, my mother-in-law and now my father trying to provide enough information that satisfied the banks.
And I echo the frustration about 2FA using SMS, as where I work the provider of the number that the bank has does not get signal, and I'm not going to switch phone company just for the bank. It may mean that I will no longer be able to make on-line purchases while I am at work.
I failed a telephone banking security check when I answered every question correctly, including the address of the bank my account was with, when and where I had opened my account and the exact amount in one of my accounts. I complained and received compensation in the form of a bottle of champagne. They reviewed the recording of my call. The result of the investigation was that the employee concerned had left, that their records did not go back to when I opened my account so my answers to some questions appeared incorrect but it was actually their records that were wrong, and they just didn't understand why he had rejected some of the correct answers.
As it happened it was not a disaster so I was happy, but if you can fail when all answers are correct I can imagine that there are quite a few cases where people cannot access their own accounts.
Probably not. It's more likely just the Dunning Kruger effect - ignorance cannot identify itself.
In engineering terms (and probably in terms of general forethought) the common standard of expertise is infinitesimally above zero, and as was found at Equifax, there's typically no strategy except making (taking) money and negligible oversight of operations.
A less significant (but revealing) instance has been the last six months or so at the Startpage search engine home page. There's supposed to be a visible box round the search term entry box so you can see where to type it in. However this box disappears for days at a time, sometimes only re-appearing once you've clicked on it (helpful, as you obviously already know where it is by then). Sometimes it's present when the page loads but disappears after a couple of searches, not to be seen again for a week. It's obvious that someone suffering from the Dunning Kruger effect is being allowed to continuously tinker with the interface. Probably the same applies at the bank.
An information lawyer of my acquaintance once told me "the banks don't have better security than you - they have better PR".
Everyone should be aware that nothing banks do is for anyone's good, apart from themselves. They aren't interested in security, unless it affects their bottom line.
Case in point 1: lloyds bank tries to load a flash plugin when you go to the login page. Whether or not it's a real security risk, people know flash is unsafe, so why not just get rid of it. A perceived threat can be harmful too.
Case in point 2: Banks had agreed to do more checking when making online payments. Their own code of conduct was to cross-check the payee you specify when making a payment against the actual owner of the account. And yes they did this. Except they didn't. There are two methods of making payments to other accounts within the UK: BACS and 'Faster Payments'. Most personal and small business accounts default to using FP, and don't give you a choice as to how payments are made. Payments are instant. I can send money to anybody with a UK bank account and the money will be instantly transferred. The older, lesser used BACS is more sedate, taking 3 days or so to wend its way to the recipient. BACS has been around for decades. FP only in the last few years. However, the important point here is that the extra checking that the banks decided to implement is ONLY checked for BGC payments, i.e. the type of payment that most personal payments are not.
I actually think it was a buy-out. Nat West got themselves into an awful mess and nearly went down in the late '90s, and were vulnerable to a hostile buy-out, and that is what RBS did.
I never understood how a smaller bank was able to buy a bigger one, even if the bigger one was in trouble, but such is commerce.
When RBS bought Nat West I was a NatWest customer. It was a massive step backwards in terms of their electronic banking capability. RBS were at least ten years behind NatWest in technology and their customer service was awful. It would probably have been OK if RBS moved to use NatWest systems but they did it the other way around. It was deeply frustrating 5 years later when you still couldn't do things that used to be easy before RBS purchased NatWest.
I think the reason RBS purchased NatWest was that RBS were reckless and willing to borrow a lot of money. Natwest were a bit stodgy and sensible.
ISTR NatWest’s forays into investment banking played a part in their downfall.
"In 1997, NatWest Markets, the corporate and investment banking arm formed in 1992, revealed that a £50m loss had been discovered, revised to £90.5m after further investigations."
Wikipedia also reminded me that they’d tried to do a merger with Legal & General, which went down like a lead balloon, and seems to have been the final straw.
All worked out well for RBS, in the end, eh? ;-).
Surprisingly, NatWest is actually one of the (slightly) better banks when it comes to online banking. Unlike Santander and many others, they offer a free card reader. As it requires you to have your card and to know your PIN it's a lot more secure than the predictable telephone questions where the answers are often widely known and/or shared, e.g. postcode, email address, DoB, mother's maiden name etc.
I fell out with NatWest a good few years ago when I had an "Advantage Private" current account which cost me a pretty penny in yearly charges. One day I ended up going overdrawn by about £4 for literally a few hours and they still decided to charge me a £40 fee for doing so. I asked my personal manager to refund it, and she basically said "computer says no." Hardly a personal service then, was it?
Later that week I took my custom across the road to Nationwide where I've been ever since. They have also had their moments of being shit mind you, but at least they didn't try and charge me £££ a year for the privilege.
Biting the hand that feeds IT © 1998–2020