UK high street bank NatWest has admitted that a serious flaw in its online banking system is enabling criminals to hack into accounts and drain them in two different ways – either by accessing the accounts using stolen smartphones, or by impersonating victims to get their phone calls and SMS text messages forwarded to another SIM card.
Journalists from BBC Radio 4's You and Yours consumer radio programme were contacted by a number of people who had money stolen from their bank accounts. One of the victims, Robert from East Anglia, said that he lost £3,000 ($4,240) and that NatWest tried to blame him for the theft, even though £500 of the money was spent on an online betting website at the exact same time that he was sitting in a NatWest branch speaking to a bank employee in an attempt to solve the problem.
The journalists tested the scam on a BBC radio producer's NatWest account and found that they were able to steal £1.50 from her online banking account without needing to know her PIN, online banking account password or security question answers.
BBC Radio 4's fraud reporter Shari Vahl, said: "It was really easy. I took our producer's mobile phone and so I was receiving all her texts and phone calls. I then contacted the bank and pretended that I had lost all of the login details, the pin and passwords."
SIM swap fraud
As BBC Radio 4 illustrated, one method to hack into someone's bank account is to simply pick up their phone when they're not looking and ask the bank for a new unique code. However, if a criminal is willing to put in some effort, there's also another way – and they don't even need to know you.
According to the National Fraud Intelligence Bureau, part of the City of London Police, SIM-swap fraud (also known as "SIM splitting") is possible if criminals are able to access a victim's bank statement or other information about the victim on the internet. The criminal obtains a blank SIM card through an insider at a mobile operator or by purchasing one over the internet, and then calls up the mobile operator pretending to be the victim and complaining that their phone has been stolen, using the details gained about the victim to get past the security check.
Following their usual anti-theft procedures, the mobile operator immediately cancels the SIM card in the "stolen" phone so that the supposed thief can't make calls on it, and instead activates the SIM card belonging to the criminal, which makes the victim's actual phone stop working.
Some UK banks include two-factor authentication as one of their security measures, which involves sending users a unique code to their mobile phone every time they want to log in to their online banking account.
So after the criminal has an activated SIM card, all the victim's text messages and phone calls are routed to the new SIM card, where the criminal can access the unique code and use it to log into the victim's online banking account to transfer funds to another account.
In South Africa, First National Bank (FNB) and MTN have been implicated in a SIM-swap scam that saw hackers steal hundreds of thousands of rands from customers, who are now looking to form a class action lawsuit against the banks as they have not been reimbursed for the thefts.
NatWest's response to online banking flaw
When faced with the evidence, NatWest admitted to Radio 4 that its systems are "not good enough", and since then the bank has placed a new warning about SIM-swap fraud on its website, as well as instituting a new three-day cooling-off period to prevent payments from being made using the mobile banking app after a SIM has been reactivated.
"We take the safety and security of our customers extremely seriously and we thank You & Yours for bringing this important matter to our attention.
"We are working closely with Financial Fraud Action UK and mobile phone providers to enhance our customer authentication processes as fraudsters become more sophisticated. We are implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email, text and phone, to alert them to changes that have been made to their contact details.
"We are also introducing a cooling off period of three days to prevent payments being made via the mobile app when a re-activation has taken place.
"The specific example put to us by You & Yours requires multiple pieces of personal information, some of which are not publicly available, and control of the customer mobile phone. Our records show that of all the people who enrol in online banking and forget their details, only 0.01 per cent are fraudulent.
"We encourage all of our customers to protect their phone using a passcode or Touch ID, keep details of their PIN and online banking details secure and to get in touch with us as soon as possible if they believe they have been a victim of fraud.
"As stated in our Digital Promise, if a customer does fall victim to fraud in this way, we will refund them."
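The two controls NatWest describes above (a three-day cooling-off period on mobile-app payments after a SIM reactivation, and alerting the customer on every registered contact method when something changes) can be expressed as a small payment-authorisation policy. The code below is an added illustration written for this article, not NatWest's own system or code. It assumes a hypothetical feed in which the mobile operator tells the bank when a number has been moved to a new SIM, channel names such as "mobile_app", and a stand-in notification function that returns the alerts it would send instead of dispatching them; the customer details and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Length of the cooling-off window during which mobile-app payments are refused
# after the customer's number has been moved to a new SIM (three days, as in the article).
COOLING_OFF = timedelta(days=3)


@dataclass
class Customer:
    customer_id: str
    mobile: str
    email: str
    # Most recent SIM reactivation for this number. Assumption: the bank receives this
    # from the mobile operator through a hypothetical event feed.
    sim_reactivated_at: Optional[datetime] = None


@dataclass
class PaymentRequest:
    customer_id: str
    amount_gbp: float
    channel: str            # "mobile_app", "web" or "branch" (hypothetical channel names)
    requested_at: datetime


def notify_all_channels(customer: Customer, message: str) -> List[Tuple[str, str, str]]:
    """Return one (method, destination, message) tuple per registered contact method.

    Stand-in for real dispatch. Alerting every registered method matters because an
    attacker who has swapped the SIM now receives the SMS; the email or voice call is
    the customer's chance to notice the change.
    """
    return [
        ("email", customer.email, message),
        ("sms", customer.mobile, message),
        ("phone", customer.mobile, message),
    ]


def record_sim_reactivation(customer: Customer, when: datetime) -> List[Tuple[str, str, str]]:
    """Start the cooling-off clock and alert the customer on every channel."""
    customer.sim_reactivated_at = when
    return notify_all_channels(
        customer,
        "Your mobile number was moved to a new SIM. Mobile-app payments are paused "
        "for three days. Contact us if you did not request this.",
    )


def authorise_payment(customer: Customer, req: PaymentRequest) -> Tuple[str, str]:
    """Return ("allowed", "") or ("blocked", reason) for a payment request."""
    if req.customer_id != customer.customer_id:
        return ("blocked", "customer mismatch")
    # The article's rule covers the mobile app only; other channels pass this check.
    if req.channel == "mobile_app" and customer.sim_reactivated_at is not None:
        elapsed = req.requested_at - customer.sim_reactivated_at
        if elapsed < COOLING_OFF:
            remaining = COOLING_OFF - elapsed
            return ("blocked", f"SIM reactivated {elapsed} ago; cooling-off ends in {remaining}")
    return ("allowed", "")


def run_scenario() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str]]]:
    """Constructed walk-through: SIM reactivated at t0, then three mobile-app payment attempts."""
    t0 = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)
    # Constructed sample customer (the number is in the UK range reserved for fiction).
    victim = Customer("C-1001", "+44 7700 900123", "victim@example.com")
    alerts = record_sim_reactivation(victim, t0)
    attempts = [
        PaymentRequest("C-1001", 500.0, "mobile_app", t0 + timedelta(hours=2)),            # same day
        PaymentRequest("C-1001", 500.0, "mobile_app", t0 + timedelta(days=2, hours=23)),   # still inside window
        PaymentRequest("C-1001", 50.0, "mobile_app", t0 + timedelta(days=3, minutes=1)),   # window has ended
    ]
    decisions = [authorise_payment(victim, a) for a in attempts]
    return alerts, decisions


if __name__ == "__main__":
    alerts, decisions = run_scenario()
    for method, destination, _ in alerts:
        print(f"alert via {method} to {destination}")
    for (outcome, reason) in decisions:
        print(outcome, reason)
```

The check mirrors the scope NatWest states: only mobile-app payments are held, and the hold is measured from the reactivation event rather than from the customer's next login, so a fraudster who waits does not reset the clock. Whether to extend the same hold to web or telephone banking is a policy choice the article does not address.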