October 9th, 2012 at 08:20 UTC by Dan Cvrcek
It has been four or five months since NatWest launched a new function in its mobile phone app – GetCash. The goal was to allow customers to withdraw cash from NatWest’s ATMs without a debit or credit card. The app receives a six-digit code that customers can type into an ATM to get as much as £100 at a time. I am not sure how useful it is, as I personally forget my mobile phone more often than my wallet, but it appears that some crooks found it very useful indeed.
News that the service had been suspended broke on 6th October, and it was covered on BBC Breakfast today. I have several thoughts related to this incident.
- A point made by the BBC was that if you use the app you are safe, but all of you who are NatWest customers and do not use mobile phones or GetCash should check your statements. It means that as a customer I did not want to use any service, I did not authorise the bank to allow access to my money through a mobile phone (I may not even have one), but I should make sure that I do not use it.
- NatWest stated that it is returning money to customers as a gesture of goodwill. I am not an expert in T&Cs, but it occurs to me that the bank’s responsibility is much larger than usual, especially if customers’ losses were incurred because of misuse of their date of birth and address – something that can hardly be kept secret.
- NatWest set a transaction limit but no additional overall limit per account. It has been reported that some customers lost as much as £1,000 before they noticed suspicious activity on their account.
- I discussed a problem related to mobile banking apps’ authorisations a few months back. The core of my argument was two-fold. Firstly, banks increase the “value” of information that can be changed fairly easily. Secondly, there is the problem of notifying customers of the activation of a new service – especially as we are used to dropping by a branch when we want to make any changes to our bank account.
- My experience is that it is not very difficult to change my mobile phone number over the phone (you need someone’s date of birth, address, and account number), but there was not much value in it for crooks to exploit. That is no longer the case. The value of a mobile phone number associated with a bank account has increased dramatically. An unregistered PAYG number linked to a bank account of the crook’s choice may be worth much more than thought – £1,000 in the case of GetCash.
- There is no hint, as yet, of the GetCash app itself having been hacked. It means that there are easier ways to get money from bank customers who may never have heard of mobile banking – ways that are related to the overall system architecture rather than to bugs in software. Common Criteria uses the term “Target of Evaluation” to define the boundary of a security system, and software bugs form only a small part of security evaluations. Mobile banking invalidates a lot of assumptions, and security analysis of the overall system architecture becomes more important than penetration testing – you can read a bit more about this in another post.
I hope we learn more details about this incident. It is important for everyone who has a bank account, as it took crooks only a few months to take the “GetCash” phrase literally.
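The following Python sketch is an added example, not NatWest's code or anything from the post, illustrating the third and fifth points above: a per-code cap on its own lets a freshly re-pointed mobile number draw the full £1,000 in ten requests, while an assumed hold after a mobile-number change and an assumed rolling per-account cap bound the loss. Everything except the £100-per-code figure (the 48-hour hold, the £300 daily cap, the timestamps) is a constructed assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Figure from the post: £100 per GetCash code (losses reached £1,000 per account).
PER_CODE_LIMIT = 100
# Assumed extra controls for the hardened policy (not NatWest's actual settings).
DAILY_ACCOUNT_LIMIT = 300
MOBILE_CHANGE_HOLD = timedelta(hours=48)

@dataclass
class Account:
    mobile_changed_at: Optional[datetime] = None
    issued: List[Tuple[datetime, int]] = field(default_factory=list)  # codes issued

def issue_code_naive(acct: Account, amount: int, now: datetime) -> Tuple[bool, str]:
    """The control described in the post: a per-transaction cap only."""
    if amount > PER_CODE_LIMIT:
        return False, "over per-code limit"
    acct.issued.append((now, amount))
    return True, "ok"

def issue_code_hardened(acct: Account, amount: int, now: datetime) -> Tuple[bool, str]:
    """Per-code cap plus a hold after a mobile-number change and a rolling 24h account cap."""
    if amount > PER_CODE_LIMIT:
        return False, "over per-code limit"
    if acct.mobile_changed_at is not None and now - acct.mobile_changed_at < MOBILE_CHANGE_HOLD:
        return False, "mobile number changed within hold period"
    window_start = now - timedelta(hours=24)
    spent = sum(a for t, a in acct.issued if t > window_start)
    if spent + amount > DAILY_ACCOUNT_LIMIT:
        return False, "over rolling 24h account limit"
    acct.issued.append((now, amount))
    return True, "ok"

def exposure(policy, delay_hours: int = 0, n_codes: int = 10) -> int:
    """Cash that n_codes requests, a minute apart and starting delay_hours after the
    account's mobile number was re-pointed, can draw under the given policy."""
    changed = datetime(2012, 10, 1, 9, 0)  # constructed timestamp of the number change
    acct = Account(mobile_changed_at=changed)
    total = 0
    for i in range(n_codes):
        now = changed + timedelta(hours=delay_hours, minutes=i)
        ok, _ = policy(acct, PER_CODE_LIMIT, now)
        if ok:
            total += PER_CODE_LIMIT
    return total
```

With the naive policy `exposure` returns the £1,000 reported in the post; the hardened policy returns 0 during the hold and £300 per day afterwards.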