Don't use for online banking, Natwest bank tells baffled customer

British customers of High Street banking brand Natwest are being advised not to use the domain – by none other than Natwest itself. Reg reader Dan Mygind, while doing some routine online banking, spotted a rather alarming certificate error while trying to visit That error – a common name mismatch …

  1. Anonymous Coward

    "The bank last week reported profits of £3.1bn for 2019 (PDF), nearly double the £1.6bn of the year before."

    Might want to check that out too.

  2. Anonymous Coward

    Maybe related to RBS announcing recently that they are changing their name to NatWest ?

    1. MyffyW Silver badge

      In other news returns NXDOMAIN

      (gets coat, the cactus green one with beige trim)

      1. Anonymous Coward

        Williams and Glynn - Old news

        RBS announced that they were no longer going to divest the retail banking of the English RBS branches to a revitalized Williams and Glynn (which had been their plan) several years ago.

        Instead, in order to shed some branches (which had been mandated by the European rules about government bail-outs after the 2008 financial crisis), they just shut the majority of RBS branches in England. My nearest branch is now about 45 miles away from my home (excluding the Cardiff branch, which I would have to fly to).

        Fortunately, when they closed the RBS branches, they were allowed to effectively merge the retail banking for both RBS and Nat West, so RBS customers can now use a Nat West for their physical banking. This actually makes it easier for me, which is unusual in the banking world in this day and age.

        1. ElectricPics

          Re: Williams and Glynn - Old news

          My NaffWest small business account was a remote office somewhere daan saaaaf with no contacts so when they decided to get rid of our pesky accounts instead of hiving off Williams & Glyn, they did a deal with a handful of banks to take on those accounts, including Starling, whose £1000 no-strings bribe won my affection.

  3. FireBurn

    Oh dear, who mucked up renewing the certs? Will that be an extra form added to all future cert renewals from now on?

    1. robidy

      Did they organise it via Microsoft Teams last week?

    2. batfink

      That'll be either the work experience kids, or do I smell the heady aroma of something being outsourced to a low-cost supplier somewhere?

      1. Anonymous Coward

        It's probably more along the lines of IT has been telling them for weeks but IT doesn't have access to the account to renew or the requisition process takes ages.

        That's usually the problems I have that cause certs to not be renewed.

    3. Prst. V.Jeltz Silver badge

      A pretty amateur mistake though (if it's a simple cert renewal or similar)? I bet somebody is extremely red-faced and never working in the banking I.T. again.

      As the article says, even the perception of security problems is horrifically damaging.

      It's on a par with clocking off and leaving the door unlocked on the cockup scale.

  4. PacketPusher

    Scotland & Brexit?

    Perhaps they think that Scotland may exit the UK after Brexit and want to avoid the .UK TLD.

    1. Fred Dibnah

      Re: Scotland & Brexit?

      Hence also the rename from RBS to NatWest.

      1. Anonymous Coward

        Re: Scotland & Brexit?

        To eventually be renamed ScotNatWest?

        1. BrownishMonstr

          Re: Scotland & Brexit?

          Seems easier just to call it ScatWest

      2. Peter Gathercole Silver badge

        Re: Scotland & Brexit?

        It is the holding company at the top of the pyramid that they've renamed. Everything else is the same.

        While this may indicate that they could be dropping the Scottish identity completely, that is not the case yet.

      3. Anonymous Coward

        Re: Scotland & Brexit?

        They could keep the RBS acronym though.

        Renamed Bank for Sweaties.

  5. Peter X

    So not then?

    I have bookmarked? Despite it obviously being the shitest domain they could've used.

    1. Doctor Syntax Silver badge

      Re: So not then?

      "Despite it obviously being the shitest domain they could've used."

      You think that's shittier than a URL shortening service?

    2. Jess--

      Re: So not then?

      Glad I'm not the only one using directly rather than following links from /

      I must spend too much time moving money though as pressing "N" in my address bar gives me as the first option and as the second.

    3. Prst. V.Jeltz Silver badge

      Re: So not then?

      They don't do themselves any favours. I don't know why banks don't just operate all functions from the one well-known, friendly domain name; instead the sites branch off and use horrific-looking alternative top level domains, whilst at the same time telling people not to follow dodgy links.

      I found a webpage once where a guy had parodied this, cited all the current banks' examples and set up similar domains to illustrate the stupidity of it.

      I wish I could find that again.

      1. Warm Braw

        Re: So not then?

        Barclays (try to) insist you submit the "know your customer" information via a third party form-filling website and refused to offer any other route when challenged. Apparently they can't offer me financial products if I fail to submit the data, so basically a win-win in their case.

    4. Captain Scarlet

      Re: So not then?

      Yup and one that ended up in OpenDNS's Phishtank many times.

      1. Captain Scarlet

        Re: So not then?

        Hi Downvoter, just to confirm: when I used Phishtank and was someone who checked it, I can confirm that on multiple occasions Phishtank listed the website as a phishing site.

  6. wolfetone Silver badge

    This bank costs real money.

  7. cream wobbly

    In context of a domain mismatch...

    "I'll use a URL shortener - that's sure to clear things up!"

    1. tiggity Silver badge

      Re: In context of a domain mismatch...

      To be fair that could well have been the social media service used mangling the URLs into a "shortened" form, the likes of Twitter don't like raw URLs

  8. Drew Scriver

    The interns are early this year

    It's not even summer yet and it looks like the interns are running the site(s).

    Aside from the cert-mismatch:

    - has a 301 to Rule: DO NOT include the name of the default file.

    - Redirect from HTTP to HTTP instead of HTTPS.

    - Second redirect from HTTP goes to HTTPS (subdomain, again pointing to default.aspx.

    - Chrome is reporting a lot of cross-site resources over HTTP with an incorrectly set attribute - and the promise that a future version of Chrome will block those.

    - Chrome is also complaining about deprecated JS functions on the site, along with helpful hints like "deprecated because of its detrimental effects to the end user's experience".

    - 4.4 MB (that is MEGABYTES) just to load the "not found" page...

    1. Ogi

      Re: The interns are early this year

      In addition:

      - Their mortgage tracker does not resolve my mortgage application currently in progress (I called them up and they said it's a technical problem and to try again later)

      - Their online complaints page doesn't recognise any UK address as a valid UK address, and even if you use the "International address" option to type in your address directly, the submit form has an error (so you can't submit any complaints)

      - Emails to them (marked delivered) seem to vanish in the bowels of their system, forcing someone to go hunting around for them, if they even find them.

      - If you call them, they can usually pull up needed information, but do apologise as "their system is having some problems"

      - Both me and other people I know have been victims of fraud on their Natwest card in the last 2 months. In one case, their new Natwest card came pre-defrauded (before they even used the new card the first time, there was a fraudulent transaction from Holland for Netflix on it). I had never been the victim of fraud until 2 months ago.

      Quite a mess really. Something is going on in the bowels of that bank.

      1. GreyWolf

        Re: The interns are early this year

        There's a lot of shit in the bowels of that bank.

        1. Ogi

          Re: The interns are early this year

          I can accept there being shit in the bowels, that is what they are there for (up to a point).

          It is when it starts overflowing everywhere that it becomes a problem. I think we are seeing that happen now.

      2. Anonymous Coward

        Re: The interns are early this year

        'Their online complaints page doesn't recognise any UK address as a valid UK address, and even if you use the "International address" option to type in your address directly, the submit form has an error (so you can't submit any complaints)'

        Pretty sure that's intentional.

      3. Test Man

        Re: The interns are early this year

        "In one case, their new natwest card came pre-defrauded (before they even used the new card the first time, there was a fraudulent transaction from Holland for Netflix on it)."

        What the f....?!?!?!

    2. katrinab Silver badge

      Re: The interns are early this year

      Compared to their first attempt at a web banking service about 20 years ago, that isn't actually too bad.

      Back then, the entire thing was written in Java. It caused Netscape to crash. It loaded in a pop-up window with no title bar "for security reasons".

      1. Boufin

        Re: The interns are early this year

        The one before that was Internet Explorer only, and used some port that my employer would not allow. Mind you in those days they had branches, so it was not such a huge problem.

  9. Anonymous Coward

    They similarly fucked up with the card readers

    The emails every so often letting me know my latest paperless statement is available- so the vast majority of emails I've had from them- say in bold caps that they will never require the card reader to log in. The latest T&C leaflet says they might. This conditions customers to either accept security risks or lose service, and could even strand people abroad.

  10. GnuTzu

    URL Shortener

    "The correct address is :"

    Does anyone want to try to convince me that the use of URL shorteners in a security discussion is a good practice or good example for the general public?

    1. A.P. Veening Silver badge

      Re: URL Shortener

      It is a perfect example for the "Don't" list.

      1. GnuTzu

        Re: URL Shortener

        Come to think of it, is the exact length of the shortened URL's--which makes shorter than the shortened URL's.

        I'm not going to bother to look, but I suppose they were either login, support, or announcement pages. Still, it would be so easy to launch a phishing campaign with shortened URL's for this incident. Why condition customers to think that such a practice is normal?

        1. GnuTzu

          Re: URL Shortener

          BTW, I know there are shortened-URL resolvers out there. Anyone know of a browser addon that resolves a shortened URL in a pop or such? Or, is this just a fantasy?

        2. Doctor Syntax Silver badge

          Re: URL Shortener

          "Why condition customers to think that such a practice is normal?"

          For banks and building societies it's SOP to condition customers to think any dodgy practice is normal.

          1. Anonymous Coward

            Re: URL Shortener

            Followed by passing all costs for fraud onto customers and forcing them to fight for any compensation.

            Bonus points for selling "fraud protection insurance" AND being denied compensation due to following the banks SOP...

      2. Evil Harry

        Re: URL Shortener

        "It is a perfect example for the "Don't" list."

        To be fair, so is any URL with the word "NatWest" in it. I've had far too many bad experiences with them and promised myself I'd never knowingly use them again.

        1. 's water music

          Re: URL Shortener

          I've had far too many bad experiences with them and promised myself I'd never knowingly use them again

          You are the demographic they are chasing with their URL shorteners

    2. Charlie Clark Silver badge

      Re: URL Shortener

      Does anyone want to try to convince me that the use of URL shorteners

      No, they've long been classed as a risk because they: leak information; allow tracking; are a good way to insert malware here.

      But numpties who try and use Twitter for customer service deserve all the shit they get!

  11. GnuTzu

    Qualys Results on the 404

    Heh, had to look... Whether or not that's really the bank that threw up the temporary server issuing the 404, it gets B's and C's for weak TLS settings (no TLS 1.2 but does do TLS 1.0, etc.)--in addition to the name mismatch--not that there's anything worth securing there. I guess it was more important to get that out there quickly than well. But, it shows what happens when you don't keep up with your renewals?

    (To be fair, the other destinations came up A+ though.)

  12. cb7

    Of course profits are up. They cut the miserly interest they were paying on savings accounts to a whole 0.1%.

    Maybe I need to become a SAS (Savings Account Slut) and regularly move my money to whichever bank pays the highest interest.

    1. Richard 12 Silver badge

      Moving savings is trivial, no reason not to

      1. Mike Pellatt

        Yeah, but good luck with finding a rate that's >50% of the inflation rate (esp for instant access).

        Or even >25%.

        Investments - risk of losing money.

        Cash savings - guarantee of losing money.

        1. ibmalone

          Ah yes, had a good chuckle recently at banks now charging 40% for pre-arranged overdraft.

          Mortgage rates 4% (comparison sites will show lower because they all use an introductory period figure).

          Savings? Go for five year deposit with a bank you've never heard of before and you might hit 2%. Much more likely 1.5%, anything with on-demand withdrawal will be 0.5% or less.

          Personal banking is a side-show for most of these companies. People have to have it, so they can charge what they like.

          1. Prst. V.Jeltz Silver badge

            soooo buy-to-let then?

          2. Anonymous Coward

            Savings interest rates

            Coventry has a regular saver paying 2.5%, max monthly deposit is £500, withdrawals permitted subject to 30 days loss of interest on the amount withdrawn, so near-enough an instant access account in practice.

            Virgin Money has a regular saver paying 2%, max monthly deposit is £250, withdrawals permitted without penalty.

            But, yes, the savings rates on offer from larger banks and building societies are mediocre at present. It's almost as if the whole system is about to collapse: I read an article recently (which I now can't find again) about how home-buying/mortgaging for people under 45 has dropped vastly because of inflated costs and the size of deposits needed. If the banks can't lend to people (who are unable to borrow) then they'll make no money on any savings lent out (and, yes, I am aware that most of the lending is actually pretend, rather than actual, money, but still...)

            1. Anonymous Coward

              Re: Savings interest rates

              5% on naff all is naff all. People with "savings" looking for a return are saving more than £6000 in one go, let alone £500 a month, at just 2.5%

              1. Anonymous Coward

                Re: Savings interest rates

                There are probably not so many people who have such large sums of cash hanging around, however, compared with those who just want to save what's left in their bank account at the end of the month.

                And for those that do have a lot to save, they'd be better investing in an investment fund, possibly a more cautious one with rather more bonds and fewer equities, to try to get a better return than cash savings.

        2. commonsense

          Marcus is about 1.2% at the moment. Santander 1-2-3 is 1.5% up to 20k. Inflation is 1.76% according to Google.

          Quite easy to find really.

          1. Anonymous Coward

            Santander 1-2-3 is 1.5% up to 20k

            But it is about to drop to 1%. Plus there's a £5/month fee, which further drops the effective rate to 0.7% even if you have the full £20K invested.

          2. Mike Pellatt

            Still losing money in real terms, though.

    2. FrogsAndChips Silver badge

      If you're thinking of moving your money, you should also consider the switching incentives (we'll give you £xxx if you switch to us), that can pay much more than a better interest rate.

  13. Lee D Silver badge

    I gave up on Natwest many years ago when they told me that I couldn't use any other browser as I had to use Internet Explorer (4?) as it was "more secure". When in reality their online banking consisted of an ActiveX plugin putting a fake padlock icon into a frame that was really just an insecure site.

    I mean, it wasn't quite the dark ages of the Internet, but even they should have known that that was a really bad way of doing things, and I knew enough to complain.

    I moved my accounts as soon as I realised they were serious and wouldn't be changing any time soon.

    I can't imagine their IT has come on any better since then, to be honest.

    I've slowly worked my way through all the major highstreet banks for similar things - everything from literally laughing in my face when I applied to a mortgage (so I went to the place next door and got one basically the same day, for exactly what I was asking to), deliberately holding onto cheques for the maximum clearance period despite 10 years of paying them in (because on that ONE occasion delaying it would take me overdrawn for a fraction of a second before the next payment cleared) and don't even get me started on the 2FA device that I "had to" change to a smartphone app, but couldn't without first receiving... a 2FA device in the post that I literally used once to put the code into the app and then threw away.

    I've ended up on Monzo, but I'm sure that won't be the last move. At least they do seem to have some semblance of understanding of a secure interface, however.

    1. Anonymous Coward

      Banks and mortgages. Rant time.

      Rant, rant. Called my then-bank, Lloyds, to ask if they did a particular type of mortgage.

      "You'll have to go to a branch to discuss that"

      So make an appointment, arrange for my wife to come up to Canary Wharf.

      Person comes out some 5 minutes after appointment time, pleasantries are exchanged.

      "So, this is the type of mortgage we're looking for"

      "Sorry, we don't do that".

      End of meeting. Seething. Could have told me that on the fsck'ing phone.

      They push you to mortgage brokers, don't they? But why, in this day & age?

      1. Prst. V.Jeltz Silver badge

        Mortgage brokers are another bunch of parasites whose entire industry should have been replaced by a database by now.

        1. Bendacious

          "mortgage brokers are another bunch of parasites whose entire industry should have been replaced by a database by now."

          Sort of. Many 10's of companies existed in the UK in 2008 employing rooms full of Mortgage Advisors whose job was to extract maximum profit from the client by pretending to have access to secret deals with the actual mortgage providers. They could swiftly get you a 125% mortgage no questions asked that would sit like a yoke around your neck for the rest of your life. Those companies don't exist any more.

          Every mortgage I've started (2) and every mortgage transfer I have done after the fixed period (3) has been done online off the back of my own research (quick look on a couple of comparison sites). That method has saved me a lot of money over speaking to an advisor. That said, my mother, my sister, my 25yo niece for flips sake would feel extremely vulnerable making that decision without the Lloyds or HSBC advisor walking them through it in branch. They will accept the 3% interest rather than the 2% I pay for 'peace of mind'.

          Lloyds stopped paying sales commission to their mortgage advisors a few years ago and offer no other incentive to sell, beyond not getting shouted at by managers. So Lloyds mortgage advisors aren't parasites, they are just marginally costly human Valium for technophobes.

      2. Halfmad

        Better than ours, about 10 years ago we were told we had to go into a branch and meet with a mortgage specialist. When we did they opened up the same page on the bank site we had, they then called the public mortgage centre number and handed me the phone.

        To this day I have no idea why we were asked to go in, it was a waste of 3 hours out of work.

  14. mollcons

    I just entered and was automatically re-directed to So that appears to work correctly.

    1. diodesign (Written by Reg staff) Silver badge

      They've fixed it, then, it seems. It was throwing certificate errors earlier.


      1. Andrew 99

        I entered and got a security error.

        Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for The certificate is only valid for the following names:,,

        Error code: SSL_ERROR_BAD_CERT_DOMAIN

      2. Dale 3

        They fixed, which now redirects to But they haven't fixed any of these: still has the dodgy certificate and doesn't redirect anywhere else. is the same. redirects to, which has the dodgy certificate.

        They clearly must own all of these names; I can't understand why they haven't fixed all of them. They're not even getting rid of 15% of their workforce.
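
The name mismatch quoted in this thread (SSL_ERROR_BAD_CERT_DOMAIN) and the redirect problems listed further up can be checked mechanically. The following is an added example, not part of the original discussion: it audits a recorded redirect chain against the names each certificate covers. All hostnames, certificate names and finding codes are constructed placeholders under the reserved `.example` TLD.

```python
from urllib.parse import urlsplit

# Default-document names a redirect should not expose (default.aspx is the
# one named in the thread; the others are common equivalents).
DEFAULT_DOCS = {"default.aspx", "index.html", "index.htm", "index.php"}


def hostname_matches(host, pattern):
    """RFC 6125-style comparison of a hostname with one certificate dNSName.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.bank.example' covers 'www.bank.example' but
    neither 'bank.example' nor 'a.b.bank.example'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False  # wildcard somewhere other than the whole first label
    if len(p_labels) < 3:
        return False  # refuse over-broad patterns such as '*.example'
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(host, sans):
    """True if any subjectAltName dNSName in the certificate covers host."""
    return any(hostname_matches(host, san) for san in sans)


def audit_chain(chain, certs):
    """Audit a redirect chain.

    chain: URLs in the order the client was sent to them.
    certs: host -> list of dNSNames in the certificate served at that host.
    Returns a list of (url, finding_code) tuples.
    """
    findings = []
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        prev_scheme = urlsplit(chain[i - 1]).scheme if i > 0 else None
        if parts.scheme == "http" and prev_scheme == "http":
            # A cleartext hop that leads to another cleartext hop.
            findings.append((url, "HTTP_TO_HTTP"))
        elif parts.scheme == "http" and prev_scheme == "https":
            findings.append((url, "HTTPS_TO_HTTP"))
        elif parts.scheme == "https":
            if not cert_covers(parts.hostname, certs.get(parts.hostname, [])):
                # What the browser reports as a common-name / domain mismatch.
                findings.append((url, "CERT_NAME_MISMATCH"))
        if i > 0 and parts.path.lower().rsplit("/", 1)[-1] in DEFAULT_DOCS:
            findings.append((url, "DEFAULT_DOC"))
    return findings


# Constructed sample: a bare domain whose certificate only names the www host
# and a wildcard for a deeper subdomain, reached via two cleartext hops.
CHAIN = [
    "http://bank.example/",
    "http://www.bank.example/default.aspx",
    "https://bank.example/default.aspx",
]
CERTS = {
    "bank.example": ["www.bank.example", "*.online.bank.example"],
}

if __name__ == "__main__":
    for url, code in audit_chain(CHAIN, CERTS):
        print(f"{code:20} {url}")
```
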

  15. IGotOut Silver badge

    This is nothing

    A few years back, RBS made you go to a completely different site while some merger was going on. However if you went directly to that site, it wouldn't let you log in. It was actually 3 separate steps to get to the correct site.

    Then the merger collapsed and the whole débâcle started once again.

    After that mess (along with extortionate overdraft fees), I left.

    1. Peter Gathercole Silver badge

      Re: This is nothing

      It was actually a de-merger. The idea was that all of the retail RBS customers in England and Nat West customers in Scotland would become customers of a new bank which RBS first tried to set up as a separate entity, and then tried to sell off, leaving the remainder of RBS/Nat West to concentrate on commercial banking. This new bank was going to be a revitalized Williams and Glyn, a bank that had been taken over by Nat West last century.

      The move you talked about was to aid them separating the IT systems, but I think that the eventual cost was regarded as prohibitive, and no other bank was interested in buying the new bank out.

      The goal was to reduce the number of branches in each institution to a level that the European rules on government bail-outs required. Instead, what they've done is just shut down the RBS branches in England.

  16. philmck

    The URL is still throwing an error for me (not redirecting to a secure URL).

  17. macjules

    Slight objection

    May I request that you do not show the Co-operative in the same frame as NatWest. One is a household name brand and banking operation with a disgraced former CEO famous for destroying its assets and reputation. The other had Paul Flowers as its CEO.

    1. nematoad

      Re: Slight objection

      I don't see why Natwest and the Coop shouldn't be both placed on the naughty step.

      1) Natwest seems to be having trouble with keeping their certificates in order. Thereby posing security problems for their customers.

      2) The Coop or at least their Britannia subsidiary have been having problems with their "automated services" since Monday with no sign of a fix. Which means in my sister's case the inability to access her ESA and PIP payments. The DWP have paid the money in and the Britannia have confirmed that the money is in her account it's just that the bloody system refuses to let her get hold of it.

      Why on earth are we paying these idiots so much to look after our money?

  18. Maverick

    NW brought in new feature last year - EVERY time I log in they send me a "one time code" via SMS, yes EVERY SINGLE TIME no matter what browser I use on my home PC. They claim this is to improve security for customers.

    Of course readers here will know that this is considered a very weak way to do it, quite easily spoofed. But it is their latest security improvement.

    1. Caver_Dave Silver badge


      Why do so many large companies insist on 2FA via SMS only?

      It's almost as though they don't listen when so many of us tell them that we don't get a mobile phone signal!

      It is the digital dark ages when you are no longer able to perform basic banking etc. because the charlatans operating the phone networks will not provide basic coverage to many parts of the UK. The phone sign coverage maps are pure lies in some areas (such as mine where I should get 4G, but don't get anything unless I walk to the bottom of my garden, where I can sometimes get 3G.) At least smart meters don't work!

      1. Vin

        Re: 2FA

        Check if your phone supports Wi-fi calling.

        It’s been a real life saver for me.

        1. 0laf

          Re: 2FA

          Everyone else is backpedalling away from sms as a form of MFA due to the prevalence of sim-swap-fraud and the fact it brings every mobile phone retailer into your security scope.

          But not the banks nooo, they are all running screaming towards it because it's feckin cheap for them.

          I'm pointing the finger of shame at you Nationwide.

          1. Anonymous Coward

            Re: 2FA

            Lloyds bank tell me that soon I will get an SMS message every time I use my visa card online, and I will have to enter that code to authorise the payment.

            I have tried explaining to them that I don't have a cellphone (and I don't want one). Their response was that in that case I will no longer be able to make online purchases. I told them that is really poor service and they said that all of the other banks are doing it too.

            1. ibmalone

              Re: 2FA

              Did you ask them what they'd do if all the other banks jumped off a bridge?*


            2. Anonymous Coward

              Re: 2FA

              "I have tried explaining to them that I don't have a cellphone (and I don't want one). Their response was that in that case I will no longer be able to make online purchases."

              HSBC are taking a similar line. It might be interesting to see the response if invoking the Equality Act...

              1. Allan 1

                Re: 2FA

                Halifax Bank are taking the exact same approach. No cellphone? No online banking for you!

                At least, that was the case until I sent them a nastygram citing the disability discrimination act (I'm deaf so can't use phones, therefore don't have a phone, of any kind). I then got sent a document to sign absolving them of any liability should my account be hacked as a result of not having a cellphone to send an SMS code to.

                Personally, I feel it to be safer anyway, with the rise in SIM swap fraud.

              2. ibmalone

                Re: 2FA

                One of the banks I'm with will apparently be providing the option to use a land-line. I suppose this is better than nothing.

                They do all seem to be moving to a curious combination of insecure and inconvenient though, when the classical choice has been one or the other (and the best choice is neither, as inconvenient often eventually leads to insecure and vice-versa). Why is my card reader widget, which is perfectly good 2FA that I've been using for years, now being replaced with SIM 2FA, which depends on an insecure system, a physical device that is at pretty high risk of being stolen, network coverage and having one in the first place?

          2. Anonymous Coward

            Re: 2FA

            "But not the banks nooo, they are all running screaming towards it because it's feckin cheap for them."

            Yup. The new Payment Services Directive requires "strong customer authentication", and they're picking the cheapest option, and deploying 1-2 years after a large-scale hack was perpetrated in Germany using said method (and against Metro Bank last year). Sounds about right. *facepalm*

    2. nematoad

      "...they send me a "one time code" via SMS,",

      Aye, they threatened to do that to me as well, until I told them that I do not have a mobile 'phone nor had I any intention of getting one. In the end I had to go to the branch and have a somewhat heated argument with a manager about their proposal and how it was not going to work in my case. In the end we compromised, they would hold off on the SMS malarky and I agreed to let them know if I was intending any foreign travel or wanted to make an expensive purchase.

      This creeping assumption that everybody has a mobile 'phone and thus arranging their business around said assumption is something that really puts my back up. Luddite? Maybe, but there is a bit of rebellion stirring in me and I will not let them dictate how and where I choose to do business with such companies.

      1. Anonymous Coward

        "This creeping assumption that everybody has a mobile 'phone and thus arranging their business around said assumption is something that really puts my back up. "

        More than 10% of the UK *adult* population does not own a mobile phone. The assumption/requirement for one by companies is tedious.

        1. John Brown (no body) Silver badge

          "More than 10% of the UK *adult* population does not own a mobile phone. "

          I'm in that 10% too. Not because I don't want one, but because from when they became financially viable for businesses to hand them out to those employees with a need for them, I've always been in a job where I get a free one. There's no reason for me to pay out for a personal one since I don't use it much for personal use anyway.

        2. Peter Gathercole Silver badge

          But is it a fair assumption?

          I think the number of people who do online purchases *and* don't have a mobile phone is probably very much lower than 10%.

          However, in that group are both my wife and my father, who both have mobile phones, but leave them turned off because the only reason they have them is for emergency use. They both still use land-lines for telephony.

          But the banks are very short sighted. I just overheard a conversation between my father and Nat West where he was trying to report a misplaced card, and they asked him to confirm when either his mortgage or rent payment went out, and when his TV license was paid. My father has owned his house outright for over 20 years, and is over 75 so (currently) does not pay for a TV license. He volunteered the date and amount of his council tax, but was told that was not unique enough.

          Fortunately, they did accept it when he said what the energy company he pays regularly was, even though he could not remember either the date or what the current amount was. But I get the feeling that if he had had another agent on the phone, he might not have been allowed to report his card missing.

          The assumptions about information people have to hand that will be accepted as some form of identity are ridiculous, and I've had problems with my youngest son, who left education without a bank account, my mother-in-law and now my father trying to provide enough information that satisfied the banks.

          And I echo the frustration about 2FA using SMS, as where I work the provider of the number that the bank has does not get signal, and I'm not going to switch phone company just for the bank. It may mean that I will no longer be able to make on-line purchases while I am at work.

          1. Alan Johnson

            Re: But is it a fair assumption?

            I failed a telephone banking security check when I answered every question correctly including the address of the bank my account was with, when and where I had opened my account and the exact amount in one of my accounts. I complained and received compensation in the form of a bottle of champagne. They reviewed the recording of my call. The result of the investigation was that the employee concerned had left, that their records did not go back to when I opened my account so my answers to some questions appeared incorrect but it was actually their records that were wrong and they just didn't understand why he had rejected some of the correct answers.

            As it happened it was not a disaster so I was happy but if you can fail when all answers are correct I can imagine that there are quite a few cases where people cannot access their own accounts.

          2. ibmalone

            Re: But is it a fair assumption?

            I think the number of people who do online purchases *and* don't have a mobile phone is probably very much lower than 10%.

            Maybe. But you also need it simply to access your account online. I now need to enter a code just to see my statements.

    3. John Brown (no body) Silver badge

      "EVERY time I log in they send me a "one time code" via SMS, yes EVERY SINGLE TIME"

      Well, it's a one time code innit, so obviously you use it once and next time you need a new one :-)

  19. legless82

    Thanks a bunch El Reg

    I managed to escape Stoke on Trent 20 years ago, but that picture of the Hanley branch of Natwest has brought the PTSD flooding back.

  20. Drat


    When banks subject their customers to shenanigans like this it is no wonder so many will later get tricked so easily.

    1. Adam Trickett

      Re: Great

      Even when they don't screw up, they train their customers to do unsafe things and then say it's the user's fault when they get scammed...!

      Makes you wonder if it's cheaper to blame the customer than actually do things properly...?

      1. Mike 137 Silver badge

        "Makes you wonder if it's cheaper to blame the customer than actually do things properly...?"

        Probably not. It's more likely just the Dunning Kruger effect - ignorance cannot identify itself.

        In engineering terms (and probably in terms of general forethought) the common standard of expertise is infinitesimally above zero, and as was found at Equifax, there's typically no strategy except making (taking) money and negligible oversight of operations.

        A less significant (but revealing) instance has been the last six months or so at the Startpage search engine home page. There's supposed to be a visible box round the search term entry box so you can see where to type it in. However this box disappears for days at a time, sometimes only re-appearing once you've clicked on it (helpful, as you obviously already know where it is by then). Sometimes it's present when the page loads but disappears after a couple of searches, not to be seen again for a week. It's obvious that someone suffering from the Dunning Kruger effect is being allowed to continuously tinker with the interface. Probably the same applies at the bank.

        An information lawyer of my acquaintance once told me "the banks don't have better security than you - they have better PR".

  21. Anonymous Coward
    Anonymous Coward

    I use It has a valid cert so it's fine.

    Obviously not... But how many regular computer users understand the *huge* difference between and

  22. tomban

    The correct address

    >> The correct address is:

    That's easy to remember! M -Y - L - O - y - T - e - h - Z ----------- v

  23. anthonyhegedus Silver badge

    typical bank snafu

    Everyone should be aware that nothing banks do is for anyone's good, apart from themselves. They aren't interested in security, unless it affects their bottom line.

    Case in point 1: Lloyds Bank tries to load a Flash plugin when you go to the login page. Whether or not it's a real security risk, people know Flash is unsafe, so why not just get rid of it? A perceived threat can be harmful too.

    Case in point 2: Banks had agreed to do more checking when making online payments. Their own code of conduct was to cross-check the payee you specify when making a payment against the actual owner of the account. And yes they did this. Except they didn't. There are two methods of making payments to other accounts within the UK: BACS and 'Faster Payments'. Most personal and small business accounts default to using FP, and don't give you a choice as to how payments are made. Payments are instant. I can send money to anybody with a UK bank account and the money will be instantly transferred. The older, lesser used BACS is more sedate, taking 3 days or so to wend its way to the recipient. BACS has been around for decades. FP only in the last few years. However, the important point here is that the extra checking that the banks decided to implement is ONLY checked for BGC payments, i.e. the type of payment that most personal payments are not.

  24. Anonymous Coward
    Anonymous Coward

    We have asked further questions of Natwest and will update this article if the bank, these days a wholly owned subsidiary of Royal Bank of Scotland, responds.

    One of the biggest mistakes Natwest made was to get in bed with RBS.

    1. Peter Gathercole Silver badge

      I actually think it was a buy-out. Nat West got themselves into an awful mess and nearly went down in the late '90s, and were vulnerable to a hostile buy-out, and that is what RBS did.

      I never understood how a smaller bank was able to buy a bigger one, even if the bigger one was in trouble, but such is commerce.

      1. Richard 12 Silver badge


        Turns out they could get a really good deal from their bank manager.

      2. Anonymous Coward
        Anonymous Coward

        RBS purchase of Natwest

        When RBS bought Nat West I was a Natwest customer. It was a massive step backwards in terms of their electronic banking capability. RBS were at least ten years behind Natwest in technology and their customer service was awful. It would probably have been OK if RBS moved to use Natwest systems but they did it the other way around. It was deeply frustrating 5 years later when you still couldn't do things that used to be easy before RBS purchased NatWest.

        I think the reason RBS purchased NatWest was that RBS were reckless and willing to borrow a lot of money. Natwest were a bit stodgy and sensible.

      3. James R Grinter

        ISTR NatWest’s forays into investment banking played a part in their downfall.

        “in 1997, NatWest Markets, the corporate and investment banking arm formed in 1992, revealed that a £50m loss had been discovered, revised to £90.5m after further investigations.”

        Wikipedia also reminded me that they’d tried to do a merger with Legal & General, which went down like a lead balloon, and seems to have been the final straw.

        All worked out well for RBS, in the end, eh? ;-).

  25. Gerry 3

    Not quite as bad as Santander et al

    Surprisingly, NatWest is actually one of the (slightly) better banks when it comes to online banking. Unlike Santander and many others, they offer a free card reader. As it requires you to have your card and to know your PIN it's a lot more secure than the predictable telephone questions where the answers are often widely known and/or shared, e.g. postcode, email address, DoB, mother's maiden name etc.

    GCHQ have warned the banks that SMS verification is insecure, but most have ignored their advice. This guy found out the hard way.

  26. Wilseus


    I fell out with NatWest a good few years ago when I had an "Advantage Private" current account which cost me a pretty penny in yearly charges. One day I ended up going overdrawn by about £4 for literally a few hours and they still decided to charge me a £40 fee for doing so. I asked my personal manager to refund it, and she basically said "computer says no." Hardly a personal service then, was it?

    Later that week I took my custom across the road to Nationwide where I've been ever since. They have also had their moments of being shit mind you, but at least they didn't try and charge me £££ a year for the privilege.
