Tightening of NatWest security follows investigation into ‘SMS swapping’ campaign
NatWest is tightening its online security precautions after it emerged criminals were able to get access to accounts and transfer money without using any login details
The bank is being blamed for lax security protection that put users at risk of having their account details bypassed after criminals were able to take control of a victim’s phone number to redirect SMS messages and gain access to personal information.
The flaw was first uncovered by BBC Radio 4’s You and Yours program, which was investigating the issue following a number of complaints from victims of similar schemes.
Criminals are able to carry out the scam by first reporting a victim’s handset as lost or stolen to their mobile network, before requesting that the victim’s phone number be swapped over to one of their own SIM cards, allowing them to be able to receive SMS messages sent to the victim’s number.
The criminals can then call NatWest and claim they’ve forgotten their online login details, such as customer ID number, password, or PIN.
NatWest is not able to give this out straight away, but instead, following its Two-Factor Authentication policy, sends a code via text to the victim’s number, which can then be used by the criminals on its site to reset and change the password and PIN, and gain control of the bank account.
NatWest, whose parent company Royal Bank of Scotland (RBS) Group says it will also step up its security following the investigation, has admitted that its security needs improving, and says it is set to release a number of new regulations to do so.
“We’re implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google,” a a community manager on NatWest’s official forum stated.
“We are also introducing a ‘cooling off period’ of three days, which prevents payments being made via the mobile app when a reactivation has taken place.”
Are you a security pro? Try our quiz!