If NatWest texts you about online banking fraud, don't click the link

British customers of the NatWest bank should be on their guard against a particularly convincing SMS-based phishing scam, Action Fraud warns. The spoofed texts being sent out by fraudsters “could catch you out if it appears in an existing message thread,” the UK's national fraud & cyber reporting centre advised on Wednesday. …

  1. Colin Miller

    phishing

    Is he sure it's not a spoofed sender, and a scatter-gunned SMS?

  2. Steve Davies 3 Silver badge

    Spoofing Numbers

    is that the so-called 'Microsoft Support Centres' called John use all the time

    so do the PPI Claims scammers

    etc

    etc

    etc

    There seems nothing that Ofcom (them again) will do about it.

    The telcos (not only BT I might add) won't do anything because they get paid (possibly) to let the shitbags get access to the UK PSTN.

    OFCOM are a bunch of toothless numpties IMHO.

    1. Mark 85

      Re: Spoofing Numbers

      No one in States touches that group either. I keep hoping a drone mission will be ordered. A couple of Hellfires ought to solve the problem quickly. Then again, maybe not.... <sigh>

  3. Tim Warren

    This might be on the rise.

    I've recently received phishing text of similar guise claiming to be PayPal. Correctly addressed me by name in the text too so not just blanket spam but rather a targeted and well executed exercise.

    1. veti Silver badge

      Re: This might be on the rise.

      As more and more people take to shifting their money about online - yes, it's become much more professional these days.

      What grinds my gears is how much harder it's making life, if you really do want to shift your money about online. I tried to move some (of my own) money from Blighty to New Zealand a couple of months ago. It took weeks. It would literally have been quicker to get on a plane, stuff my trousers full of banknotes, and flown back - that's how convenient "internet banking" is now, if you want to do something international.

      All because the banks assume I'm laundering my money, and want proofs of identity that, frankly, are not easy to provide from 11,000 miles away.

      Technology is supposed to make this kind of thing easier. I can tell you first-hand, it's got noticeably harder in the last 10 years.

      1. Ashley_Pomeroy

        Re: This might be on the rise.

        "stuff my trousers full of banknotes" - on the other hand there's less chance of a full body cavity search if you transfer money online.

      2. Coen Dijkgraaf

        Re: This might be on the rise.

        "stuff my trousers full of banknotes, and flown back"

        Make sure you declare if you are carrying NZ$10,000 or more in cash, or the foreign equivalent, otherwise they will catch you with the money-sniffing dogs.

        http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11348609

  4. Simon Harris

    What's worrying...

    Is that we've managed to create a phone system where messages can be convincingly enough spoofed that one caller ID can appear to come from a different number.

    Is there no way that telephone systems can detect a discrepancy between where a message or call actually comes from and where it says it comes from?

    1. georgied

      Re: What's worrying...

      Number spoofing is illegal in the UK but many of these come in from services outside the UK and there are no checks to validate the source. Although you'd think they would be able to validate UK numbers.

      RCS may be the way forward and it's slowly replacing SMS in some parts.

      https://en.wikipedia.org/wiki/Rich_Communication_Services

    2. RFC822

      Re: What's worrying...

      Not in these VoIP days, when spoofing CLIP is as easy as spoofing a MAC address, IP address or any other such "identifier".

      (Which doesn't stop the legislators from foolishly thinking that you can trivially easily tie an IP address to a human being. Sigh.)

    3. Crazy Operations Guy

      Re: What's worrying...

      Far too trivial to spoof... I've been getting phone calls from impossible numbers recently, such as all 9's, my own phone number, or just '7'. Of course this is a drop in the bucket compared to the ones I keep getting from malware-riddled phones.

  5. Fred Dibnah

    Every time I contact my bank's call centre about something, they remind me that they don't have my mobile number in their records. Here's why.

    1. Anonymous Coward

      But they probably do have your POTS number (if you have one - I don't) which is pretty much equal in susceptibility to anyone who tries

    2. Just Enough

      Used to be the same for email

      I managed 12 years of internet banking without giving the bank my email address, for exactly the same reasons. It meant constant "reminders" when logging in, but I could then sit back and scoff at all the phishing emails.

      Unfortunately it came to the point where it was literally impossible to do anything without filling in the compulsory email field. I fear my mobile number may be prised out of my hands the same way.

  6. Kubla Cant

    OT: NatWest again

    Yesterday I heard a story about NatWest on BBC news.

    It seems that they send out password-reset SMS messages for online banking. But it's perfectly possible to persuade the mobile network to redirect messages to another phone. The BBC reporter did this with a colleague's mobile number, whereupon she was able to log in to the account, change the security credentials, and transfer money to her own account. Apparently it's happened to a number of NatWest customers in real life.

    When they devised the password-reset scheme, didn't anyone think to ask whether sending to a mobile phone really guarantees the identity of the recipient? Let's hope NatWest don't start running piss-ups in breweries.

    1. just another employee

      Re: OT: NatWest again

      Get your facts right.

      The BBC report DOES NOT say money was paid away - only that someone accessed an account of a colleague.

      Paying away means setting up new payee - which requires a Chip'n'Pin verification phase.

      So - if I have access to your mobile phone and can convince someone at the bank to change the log-on credentials... I have access to the same information as if I intercepted your printed statements.

      Please - there is a weak spot in the ID reset procedure, but nothing here indicates a flaw in paying away. Unless you have additional information?

      Thanks

      1. Anonymous Coward

        Re: OT: NatWest again

        And that the first payment to a new payee can't be done from their mobile App.

        Better than at least one other UK Bank that I have an account with.

        Anon because, just in case.

      2. John McCallum

        Re: OT: NatWest again

        I suggest that you listen to the programme You and Yours on the Radio Four website to hear it all.

        1. Anonymous Coward

          Re: OT: NatWest again

          Here's the link, the banks have rapidly changed their procedures so clearly there was a risk:

          http://www.bbc.co.uk/news/business-35716872

      3. Random Handle

        Re: OT: NatWest again

        >Get your facts right.

        >The BBC report DOES NOT say money was paid away - only that someone accessed an account of a colleague.

        Your facts are wrong. I heard this go out - she added a new payee and made a payment to her account (she just needed to click 'I've lost my card reader' and the new payee process was reset by SMS). The other journo checked her account and the payment was received a few seconds later.

        Natwest have made changes in response but there have already been several other cases with much larger sums being lost - the piece was a response to this as Natwest had told other victims that they were at fault since the system was secure.

  7. Thomas Martin

    They are hitting Yahoo mail in the US as well.

    1. 080

      What, both of them?

  8. Yet Another Anonymous coward Silver badge

    Easy to spot a fake message from the bank

    Unless they charged you 20 quid for the text message - it isn't really from the bank

  9. Camilla Smythe

    Action Fraud... Shite.

    That is all.

  10. VinceH

    "NatWest’s own advice"

    I regularly have to log in to NatWest Bankline.

    On logging out, there is currently a warning about 'vishing' - to see which, you need to have Flash installed.

    I commented about it on Twitter, asking if NatWest were trying to be ironic.

  11. Anonymous Coward

    Seriously? Using SMS for banking purposes?

    1. This post has been deleted by its author

  12. Cynic_999

    Quite a few VoIP providers allow you to specify whatever caller ID you want, including invalid numbers. Having a different caller ID to the number you are calling from has legitimate uses, the most common being the display of your company switchboard number in place of the number of the line you are actually calling from.

  13. Anonymous Coward

    Need online-banking controls! But how, using online-banking??? (now that branches are closing)

    Look at the JPMorgan hacks, deep system intrusion is coming to a bank near you soon! So, I'd like a means to place limits on external transfers, and cap payouts (even to utilities). But if this can only be done using online banking itself and / or 2FA, or spoofable telephone banking, then we're screwed! In the banks' haste to close branches they didn't restrict online-banking features, only support. WTF???

  14. Really Anonymous Coward

    They've not spoofed a number, just using the caller ID string "NatWest" which is the same as the bank uses for official texts, and means the message comes up in existing threads on most phones.

    The message is

    "We have identified some unusual activity on your Online Banking. Log In via the secure link http://95.141.35.213/default.aspx to avoid account suspension."

    Of course anyone with sense then logs in using the normal website not a non-secure link.

    Page looks like a reasonable copy of the normal login page, asks for the normal subset of password/number. On entering a customer number of 11111111, then comes the switch - to avoid suspension please enter all your bank account numbers to unlock access.

    So all in all it's quite sophisticated.
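The message described in the comment above carries three signals a mail or SMS gateway can score mechanically: a bank-branded alphanumeric sender ID, a link whose host is a raw IP address rather than the bank's domain, and urgency wording about account suspension. The following triage function is an added example and is not code from the article, from NatWest or from Action Fraud; the allow-listed domain `bank.example`, the sender IDs and the sample messages are constructed placeholders (192.0.2.10 is a documentation address, not the address quoted in the comment).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-list: hostnames the (hypothetical) bank really links to.
TRUSTED_BANK_DOMAINS = ("bank.example",)
# Brand strings a fraudster might put in the alphanumeric sender ID (constructed).
BANK_BRAND_SENDERS = {"bank", "bankplc"}
# Urgency phrases typical of credential-phishing texts.
URGENCY_PHRASES = ("unusual activity", "suspension", "suspended",
                   "unlock", "verify your", "within 24 hours")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _is_ip_literal(host: str) -> bool:
    """True if the URL host is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_is_trusted(host: str) -> bool:
    """Exact or subdomain match against the bank's known domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_BANK_DOMAINS)


def analyse_sms(sender: str, body: str):
    """Return (score, reasons) for one inbound text message."""
    reasons = []
    score = 0
    links = URL_RE.findall(body)
    for link in links:
        parsed = urlparse(link)
        host = parsed.hostname or ""
        if _is_ip_literal(host):
            reasons.append(f"link uses a raw IP address: {host}")
            score += 3
        if parsed.scheme.lower() != "https":
            reasons.append(f"link is not HTTPS: {link}")
            score += 1
        if not _host_is_trusted(host):
            reasons.append(f"link host is not a known bank domain: {host}")
            score += 2
            # The comment's key point: the sender ID says "bank", the link does not.
            if sender.lower().replace(" ", "") in BANK_BRAND_SENDERS:
                reasons.append("bank-branded sender ID with a link off the bank's domain")
                score += 2
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits and links:
        reasons.append("urgency wording next to a link: " + ", ".join(hits))
        score += len(hits)
    return score, reasons


def verdict(score: int) -> str:
    if score >= 5:
        return "likely phishing"
    if score >= 2:
        return "suspicious"
    return "no indicators"


# Constructed sample traffic: one lure shaped like the comment's message,
# one genuine one-time code, one genuine statement notice.
SAMPLE_MESSAGES = [
    ("BANK", "We have identified some unusual activity on your Online Banking. "
             "Log In via the secure link http://192.0.2.10/default.aspx "
             "to avoid account suspension."),
    ("BANK", "Your one-time code is 123456. Never share this code."),
    ("+447700900123", "Your new statement is available at "
                      "https://online.bank.example/statements"),
]


def triage_samples():
    """Score every sample and return [(sender, verdict)]."""
    return [(sender, verdict(analyse_sms(sender, body)[0]))
            for sender, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        score, reasons = analyse_sms(sender, body)
        print(f"{sender!r}: {verdict(score)} (score {score})")
        for r in reasons:
            print("   -", r)
```

The raw-IP check is weighted highest because a bank's gateway never needs to hand customers an address literal; the sender-ID rule only fires together with an off-domain link, so a genuine branded text with no link (the one-time code above) scores zero. Thresholds are arbitrary and would be tuned against real traffic.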

  15. Anonymous Coward

    Sender names

    A text message sender name can be set to anything, it's a trivial thing to do; particularly fun is to set the sender name as someone's legitimate number. Other countries have more stringent rules on this, the UK not so much.

  16. Anonymous Coward

    Spoofed Email

    Maybe I'm missing something, but how does a spoofed message lead to a phone handset being cloned and then dropped off the telco network - this was what happened to the guy who initially reported the NatWest Banking App vulnerability in the You and Yours piece.

    Isn't this advice just smoke and mirrors to mask the more fundamental issue - i.e. that customer phone numbers were being used as trusted digital signatures?

  17. F0rdPrefect

    Click a link in a text?

    Surely a text message is just that.

    Text.

    Don't think I've ever seen a link in a text.
