Natwest Bank Accounts Raided through Stolen Phones

By ISBuzz Team
Writer, Information Security Buzz | Mar 07, 2016 05:00 pm PST

Cybercriminals have been able to snatch thousands of pounds from Natwest bank accounts using stolen mobile phones. Natwest has admitted that a serious flaw in its online banking system has allowed criminals to raid accounts. Security experts from Tripwire, ESET and Proofpoint provide advice for users.

Lamar Bailey, Sr. Director, Security R&D at Tripwire:

“The popularity of mobile banking has made it easier for people to keep up with their finances and get alerts in almost real time when abnormalities occur but it has also had an adverse effect on security. Many mobile banking users have reduced the complexness of their password because 14 digits with Caps, special characters and numbers is just a pain to type in on a mobile device. Many banking systems use the same passwords for both mobile and online banking so changing the password can greatly reduce the security of the account accessible via phone or the internet.”

Mark James, Security Specialist at ESET:

“The problem with any type of activity on your mobile phone is understanding exactly what it’s capable of. Nowadays we do so much on our smartphones and sometimes fail to consider the security implications of such practices; mobile banking is one of those things. The ability to check our balance on the move or pay someone for services without having to trek to the bank or have all your paperwork in front of you seems like a great idea but remember if you can, then technically so can someone else. I know that could be said about your desktop machine but how often do you leave your PC on the train or lose it while commuting?

Now, sadly you cannot control how secure your banking organisation is apart from picking and choosing which one to use, but you can make things very hard for anyone getting hold of your phone and gaining access to its contents. Ensuring you have some kind of lock protection and preferably if a PIN code is used then longer than 4 digits will help to keep your phone safe. Also consider whether you actually need mobile banking, are you going to use it? Do you NEED to use it? Also if possible speak to your bank and ask them how they verify you are who you say you are. You may be able to put some of your own protection in place like using your own code words whenever certain tasks are requested like password or mobile number changes. We often think “data protection” is there to cause us misery especially when you want to do a simple thing like change your spouse’s details but when someone tries to masquerade as that person to get your details you will be happy when they follow the rules and make sure it’s really you.”

Ryan Kalember, SVP Cybersecurity Strategy at Proofpoint:

“These issues highlight just how critical mobile devices have become. For most people, they hold more sensitive, personal information than any other device, including not just banking credentials, but the means of accessing nearly every aspect of our digital and, increasingly, our real world lives. Given this concentration of risk, both users and organisations must be very cautious in how they use mobile devices and mobile apps, so that a missing or stolen device is an inconvenience rather than a catastrophe.”