It has been four or five months since NatWest launched a new function in its mobile phone app – GetCash. The goal was to allow customers to withdraw cash from NatWest’s ATMs without a debit or credit card. The app receives a six-digit code that the customer types into an ATM to get as much as £100 at a time. I am not sure how useful it is, as I personally forget my mobile phone more often than my wallet, but it appears that some crooks found it very useful indeed.
News that the service had been suspended broke on the 6th of October, and BBC Breakfast covered it today. I have several thoughts related to this incident.
- A point made by BBC was that if you use the app you are safe, but all of you who are NatWest customers and do not use mobile phones or GetCash should check your statements. In other words, as a customer I did not ask for any new service and did not authorise the bank to allow access to my money through a mobile phone (I may not even have one), yet I am the one who has to make sure that nobody is using it against my account.
- NatWest stated that it returns money to customers as a gesture of good-will. I am not an expert in T&Cs, but it occurs to me that the bank’s responsibility is much larger than usual. Especially so if customers’ losses were incurred because of misuse of their date of birth and address – something that can hardly be kept secret.
- NatWest set a transaction limit but no additional overall limit per account. It has been reported that some customers lost as much as £1,000 before they noticed suspicious activity on their account.
- I discussed a problem related to mobile banking apps’ authorisations a few months back. The core of my argument was two-fold. Firstly, banks increase the “value” of information that can be changed fairly easily. Secondly, there is the problem of notifying customers when a new service is activated – especially as we are used to dropping by a branch when we want to make any changes to our bank account.
- My experience is that it is not very difficult to change my mobile phone number over the phone (you need someone’s date of birth, address, and account number), but until now there was not much value in it for crooks to exploit. That is no longer the case. The value of a mobile phone number associated with a bank account has increased dramatically. An unregistered PAYG number linked to a bank account of a crook’s choice may be worth much more than one might think – £1,000 in the case of GetCash.
- There is no hint, as yet, of the GetCash app itself being hacked. It means that there are easier ways to get money from bank customers who may never have heard about mobile banking: ways that are related to the overall system architecture rather than to bugs in software. The Common Criteria use the term “Target of Evaluation” to define the boundary of a security system, and software bugs form only a small part of a security evaluation. Mobile banking invalidates a lot of assumptions, and security analysis of the overall system architecture becomes more important than penetration testing – you can read a bit more about this in another post.
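The two architectural weaknesses listed above (a per-transaction cap with no overall per-account limit, and a mobile number that can be changed with easily obtained details and is then trusted immediately) are easy to see in a small policy model. The example below is added here and is not NatWest’s code or anything from the original post. It keeps the £100 per-withdrawal cap the post describes and compares it with a hardened authorisation rule that adds a rolling 24-hour per-account cap and a cooling-off period after a phone-number change; the values of the daily cap and the cooling-off window, and the start time used in the scenarios, are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy values. The post states the £100 per-withdrawal cap and
# that no overall per-account limit existed; the daily cap and the cooling-off
# period after a phone-number change are assumptions made for this example.
PER_WITHDRAWAL_LIMIT = 100
DAILY_ACCOUNT_LIMIT = 200                       # assumed
PHONE_CHANGE_COOLING_OFF = timedelta(hours=48)  # assumed


@dataclass
class Account:
    """Minimal model: when the mobile number was (re)registered, plus past payouts."""
    phone_registered_at: datetime
    withdrawals: list = field(default_factory=list)   # (timestamp, amount) pairs


def authorise_weak(acct, amount, now):
    """Per-transaction cap only: the policy the post describes."""
    if amount > PER_WITHDRAWAL_LIMIT:
        return False, "per-withdrawal limit"
    return True, "ok"


def authorise_hardened(acct, amount, now):
    """Adds a rolling 24h per-account cap and a hold after a phone-number change."""
    if amount > PER_WITHDRAWAL_LIMIT:
        return False, "per-withdrawal limit"
    # A freshly registered number is the highest-risk state for this channel,
    # so withdrawals are held until the customer has had time to receive a
    # change notice through an existing channel and query it.
    if now - acct.phone_registered_at < PHONE_CHANGE_COOLING_OFF:
        return False, "phone number changed recently"
    window_start = now - timedelta(hours=24)
    spent = sum(a for t, a in acct.withdrawals if t >= window_start)
    if spent + amount > DAILY_ACCOUNT_LIMIT:
        return False, "daily account limit"
    return True, "ok"


def simulate(policy, acct, amounts, start):
    """Attempt withdrawals one minute apart; return the total actually paid out."""
    paid = 0
    now = start
    for amount in amounts:
        ok, _reason = policy(acct, amount, now)
        if ok:
            acct.withdrawals.append((now, amount))
            paid += amount
        now += timedelta(minutes=1)
    return paid


def run_scenario(policy, hours_since_phone_change, amounts):
    """Run one burst of withdrawal attempts against a fresh account under a policy."""
    t0 = datetime(2012, 10, 6, 9, 0)   # constructed start time for the scenario
    acct = Account(phone_registered_at=t0 - timedelta(hours=hours_since_phone_change))
    return simulate(policy, acct, amounts, t0)


if __name__ == "__main__":
    burst = [100] * 10   # ten maximum-size withdrawals, one minute apart
    # Weak policy, number changed an hour ago: the whole £1,000 goes out.
    print(run_scenario(authorise_weak, 1, burst))
    # Hardened policy, number changed an hour ago: nothing goes out.
    print(run_scenario(authorise_hardened, 1, burst))
    # Hardened policy, long-standing number: stops at the daily cap.
    print(run_scenario(authorise_hardened, 24 * 30, burst))
```

The point of the model is not the particular numbers but where the controls sit: the per-withdrawal cap is a property of a single ATM request, whereas the daily cap and the cooling-off period are properties of the account and of the channel-registration event, which is exactly the part of the system that a transaction-level review would leave out of scope.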
I hope we learn more details about this incident. It is important for everyone who has a bank account as it took crooks only a few months to take the “GetCash” phrase literally.
NatWest have also recently written to customers telling them that paper statements will be provided quarterly rather than monthly from early 2013, making it even harder to keep on top of frauds such as this one.
Analysis of system architecture is ALWAYS more important than penetration testing. Testing shows what flaws the testers happened to find; analysis shows where there are flaws to be found. Given serious incentives (generally present in financial applications), it can be assumed that any flaws that exist will eventually be found, and not necessarily by friendlies.
@Richard I. Polis:
” … analysis shows where there are flaws to be found.”
This assumes that:
a) the architecture being analysed is an adequately realistic replica of reality; and
b) the system is simple enough that analysis can, in principle, discover the flaws.
I agree that analysis is a necessary ingredient, and usually the most cost-effective approach. But it is rarely adequate by itself. There are plenty of theoretically secure systems which in reality have yawning holes that you don’t notice until you start actually poking around: the firedoor propped open for the smokers; the password that scores high on a password meter but can be guessed by anyone who sits at his desk for 5 minutes; the Ardennes Forest.
I wouldn’t mind betting that GetCash scored high and dry on a static architecture that assumed that mobile phone security was the phone companies’ problem: “out of scope” for the bank. Thus blinded to a whole line of approach, they didn’t notice that GetCash can be defeated with mobile phone shenanigans that don’t involve violating the phone companies’ security policies.