Where NatWest got it wrong

To paraphrase the saying, if it's not broken, why fix ("enhance") it?.. http://www.theregister.co.uk/2012/10/09/natwest_get_cash_removed/

What can you do if someone has phished your bank details, and personal ID details?  Helplines dont ask for your PIN, ever.  GetCash on the mobile phone should at least have allowed the helpline to text the getcash code to a known customer phone, not a random one.   Its procedure and implementation that is wrong.

Let me give you a hint: over 10bn (!) times a day, mobile phones worldwide are being reliably and securely authenticated, without any PIN.

@ Alexander. I agree with you. The decision by Natwest to suspend its Get Cash app, whilst being a wise one, has cast an unwarranted bad light on mobile based transacting. Since this first came to light there has been speculation as to the cause of the fraud losses, ranging from mobile operating systems, mobile hacking and zero-day exploits. The truth, I suspect, is rather more mundane. The fraudsters were able to download the app and register it with the victim’s debit card details because there was no strong authentication at the point of registration, simply knowledge based information which we all know can be gleaned by fraudsters in a number of ways, such as phishing.

Ironically, the customers who had actually downloaded and registered the app were safe from the fraud; it was those that hadn’t who were at risk. This episode therefore had nothing to do with the medium being a smart-phone but everything to do with the process employed in deploying and activating the app. There is no real difference between this and Internet banking losses through the reliance on PINs and Passwords alone.

In this and other instances that will surely follow, we need to look at the end-to-end process rather than casting a shadow over mobile banking.

Note: my comment is also posted under the NatWest report at https://www.finextra.com/news/fullstory.aspx?newsitemid=24147

@Alexander

Interesting article but it was a case of simple phishing and nothing more.  The only advantage to the fraudster of using GetCash was that the service allowed 'instant money laundering'.  It is nearly impossible for him to be traced versus him transfering money to another account.  The limits of GetCash are so low, and the code needs to be used within 3 hours that the service isn't that unsecure.  I can think of plenty worse implementations.

@Pat and @Michael

Thank you for your comments. I agree that, perhaps, the current problem with GetCash is phishing-related.

However, there is no evidence that it cannot be exploited on the platform level: at some point the GetCash code is shown "in the clear" on the phone's screen. Get malware to intercept that stage, display a bogus code, forward the real one, get cash.

The key factor here is critical: once the code has been generated by the app, NatWest has no control over who, how and when will be using it. It's ironic that, from that perspective, the name of the service sounds more like an invitation to fraudsters...

It is the normal cycle, banks issue a product, fraudsters find holes in it, banks react with different technology.

If everyone waited until there were well developed standards for everything, then we would have zero innovation and we'd still be transacting with cheques. I attended a Visa vendor forum last year where Visa stated that they would have mobile payment standards in place by 2015.... it's just too long.

Will fraud destroy mobile commerce? It certainly didn't destroy card commerce, despite the massive fraud levels, if the customer proposition is strong then it will survive.

The fact is, we need innovation to move things forward, the fraud prevention and security side will catch up later. In this case, it does seem that obvious flaws existed, which wasn't too smart.

@Peter

I agree with your viewpoint. The last paragraph summed it up well - was GetCash based on the best possible solution (irrespective of standards)? In my opinion - no. It was a commercial decision in their case, not a "technological" one.

Transaction-level frauds and account hijacking frauds are common. But this episode exposes another type of fraud where the victim / genuine customer neither put through a transaction nor even signed up for the said channel (GetCash). For the want of any standard name that I'm aware of, let me call this "Enrolment Fraud". No amount of transaction-level security will help prevent this fraud. Only a more secure enrolment process can reduce / eliminate it. It seems to me that some amount of friction - e.g. application signed in wet ink, branch visit to prove identity - and a corresponding drop in adoption rate will be an inevitable part of such a process. I don't envy banks their position of having to walk a tightrope between security and convenience on this one!

@ Ketharaman

I thought you'd call it "Get cash!" fraud :)

@AlexanderP: At the time GetCash was launched, you and I had concluded that this app would permit non-customers to receive money. I bet neither of us had thought that the term "non-customers" would go this far!