NatWest Steps Up Online Banking Security Following Scam

NatWest is tightening its online security precautions after it emerged criminals were able to get access to accounts and transfer money without using any login details

The bank is being blamed for lax security protection that put users at risk of having their account details bypassed after criminals were able to take control of a victim’s phone number to redirect SMS messages and gain access to personal information.

Scammed

The flaw was first uncovered by BBC Radio 4’s You and Yours program, which was investigating the issue following a number of complaints from victims of similar schemes.

Criminals are able to carry out the scam by first reporting a victim’s handset as lost or stolen to their mobile network, before requesting that the victim’s phone number be swapped over to one of their own SIM cards, allowing them to be able to receive SMS messages sent to the victim’s number.

The criminals can then call NatWest and claim they’ve forgotten their online login details, such as customer ID number, password, or PIN.

NatWest is not able to give this out straight away, but instead, following its Two-Factor Authentication policy, sends a code via text to the victim’s number, which can then be used by the criminals on its site to reset and change the password and PIN, and gain control of the bank account.

Moving forward

NatWest, whose parent company Royal Bank of Scotland (RBS) Group says it will also step up its security following the investigation, has admitted that its security needs improving, and says it is set to release a number of new regulations to do so.

“We’re implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google,” a a community manager on NatWest’s official forum stated.

“We are also introducing a ‘cooling off period’ of three days, which prevents payments being made via the mobile app when a reactivation has taken place.”

Are you a security pro? Try our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago