NatWest customer services: We're aware of security glitch

Silver badge

“in order to more thoroughly investigate"

OK, a split infinitive isn't actually reckoned to be ungrammatical. Throwing in an adjective as well is just plain ugly.

OTOH I take it that "exceeding authority" is PR-speak for telling the truth.

9
9
Silver badge

A bank that can't count?

I think I wan't to withdraw!

7
1

I understand that bankers generally consider withdrawal an unnecessary procedure...

6
0
Silver badge

I think I wan't to withdraw!

Congratulations, that must be one of the most obscure greengrocer's apostrophes I've ever seen.

49
0
Silver badge
Thumb Up

re Bank that cant't count

A very long time ago I had an account with Lloyds. Being a callow youth I had to pay for my car insurance in installments, but the company concerned used to require 3 post-dated cheques (I said it was a long time ago!)

I can't remember exactly why but I chose to close my account with Lloyds, genuinely forgetting that I had written the cheques. The last of the cheques was presented after I had closed the account. For reasons best known to themselves it was cleared and paid. They duly sent me a letter saying I was overdrawn and I should do something about it. I wrote back saying I don't have an account with you and went on my merry way.

Every two or three months I'd receive a statement indicating I was £55 overdrawn and I'd ignore it. This went on for a while and then suddenly a statement arrived that indicated a positive balance.

I wandered into the branch and asked the cashier if the statement was correct, he said yes so I withdrew it and closed the account (again!)

It was like real life monopoly :D

29
1
Gold badge
Devil

Re: re Bank that cant't count

Did you win second prize in a beauty contest the next day?

Winner, Donald Trump...

7
0
Silver badge

obscure greengrocer's apostrophes

Not so much feral, more 'reverted to wild and slaughtered all the humans within easy reach'..

0
0
Silver badge

Next time, screenshot it and post it on Twitter with a link to the story

You'll be amazed at how they change their tune.

"We can't be arsed to do our job properly unless you hang out your dirty laundry in public on Twitter" approach to customer service really gets on my tits.

37
0
Silver badge

Re: Next time, screenshot it and post it on Twitter with a link to the story

"We can't be arsed to do our job properly unless you hang out your dirty laundry in public on Twitter" approach to customer service

AFAICS customer service was doing its job - it even escalated the problem, a step which seems to be unknown to many these days. The tech side -trying without success.. It's PR that needs to be hung out to dry.

23
0
Silver badge

Re: Next time, screenshot it and post it on Twitter with a link to the story

"The tech side -trying without success."

The "tech side" in this case are probably an outsourced bunch of 1st line response subcontinent morons, not the people who actually wrote the code. Having said that, how hard can it be to find the section of code that generates PIN digit numbers on the login web page? I would suggest not very.

7
4
Anonymous Coward

Re: Next time, screenshot it and post it on Twitter with a link to the story

Have El Reg seen a screenshot they can trust or reasonably expect to be of the problem?

Can El Reg advise the person to carry out a subject access request for their notes...and call recordings...this should include contact with technical...any refusal on security grounds or excessive redacting is usually a give away?

1
1

Re: "how hard can it be..."

Given that the login is already obfuscated by accepting random characters in place of the full string, I can fully imagine this being a separate locked-down system that just passes an authenticated pass/fail flag back to the 'main' server.

Agree that PR need stringing out for such a blatant attempt for a cover-up.

"I saw the problem myself"

"No you didn't"

6
0
Silver badge

Re: Next time, screenshot it and post it on Twitter with a link to the story

"Have El reg seen a screen shot they can trust or reasonably expect to be of the problem?"

Try reading the second paragraph. I'm guessing El Reg trust their authors.

6
0
Silver badge

Re: Next time, screenshot it and post it on Twitter with a link to the story

I bet it'd get allocated more time and a higher priority if PR so ordained because things were getting embarrassing on Twitter.

0
0
Silver badge

Re: Next time, screenshot it and post it on Twitter with a link to the story

It's PR that needs to be hung out to dry

Well - you do have to remember that PR is the slightly-backward ugly cousin of HR (HR exists to protect the company from the employees, PR exists to protect the company from the public).

It's where the people who fail the HR empathy tests[1] go.

[1] Which, in most HR departments I've seen, consists of filtering out anyone that has, or seems to have, any shred of empathy.

0
0

Re: Next time, screenshot it and post it on Twitter with a link to the story

LOL!

I even scanned in the letter from customer services together with their "interesting" admissions.

The most joyous bit was discussing this letter with their Press Office, during which convo one could almost literally hear the gears grinding as official spokesperson attempted to explain how their customer services bod had just gone off piste and made this up wholesale without actually saying they'd done that...

0
0
Silver badge
FAIL

Had simi9lar issues

Trying to op[en a new account with them 2 months ago; it didn't matter how many times they reset the password for us, it kept saying we were entering the wrong password.

In the end this, and their total inability to understand that someone born in China might actually be a UK citizen, made us go elsewhere.

Still waiting for that Norman Muntz icon.

5
0
Anonymous Coward

Re: Had simi9lar issues

You may need a new keyboard judging by your

6
0
Bronze badge

Re: Had simi9lar issues

Hmmm, so is your 11th digit a "9" by any chance? C'mon, we have to know...

3
0

Re: Had simi9lar issues

OK...do drop me a line if you're interested. We weren't 100% convinced by the explanation and if loads of people have had similar we might revisit...

1
0

Re: Had simi9lar issues

No. My 9th digit is an 11!

14
0
Silver badge
Coat

Re: Had simi9lar issues

"No. My 9th digit is an 11!"

So that would be 'B' (or 'b') then?

I think I'll be needing my coat again.

1
0
Ogi

Re: Had simi9lar issues

> Trying to op[en a new account with them 2 months ago; it didnt matter how many times they reset the password for us, it kept saying we were entering the wrong password.

That is interesting, because for the last few months I have had the exact same problem. I have been banking with Natwest for years, always with the same credentials, when a few months ago, without warning, no matter how many times I would type it in, it would say I was entering the wrong password. After 3 attempts it would lock me out and I would have to re-register for online banking.

So I have to register again, then it would work (because you can click "continue to online banking" straight from the registration confirmed page, so it doesn't prompt you for credentials), until I logout, then when I try to log in again I get exactly the same error.

It came to be that every time I wanted to log in to online banking, I had to re-register. After doing this 4-5 times, I kind of gave up, and just moved my account across to a competitor, along with all my Direct Debits and savings, thereby ridding myself of this problem (not to mention that my faith in their ability to actually keep my account secure is in doubt, if they can't do something as simple as count the number of characters in my password, I dread to think how the rest of their system is coded).

3
0

Re: Had simi9lar issues

Your title might actually be the answer

- If you have that god awful IBM Trust software installed (Nat West really really pushes to have it installed) there is a setting that converts some l3tt3rs into numb3rs.

Can't remember what it is precisely, but it caused my wife's work business account no end of problems due to it. Took ages to find that out. Of course there's nothing on the Nat West site to check it.

0
0
Silver badge
Mushroom

Re: Had simi9lar issues

"You may need a new keyboard judging by your"

By your what? BY YOUR WHAT??!?

1
0

Re: Had simi9lar issues

I have had to reset password several times on a new Ulster Bank (part of same group) account. Seems to be OK now but I'm sure I wasn't getting the password characters wrong....

1
0
Silver badge

Re: Had simi9lar issues

"You may need a new keyboard judging by your"

By your what? BY YOUR WHAT??!?

By the look of it, sudden bursts of silen

3
0
Silver badge
Joke

If you just tell them what your password is

then they'll be able to replicate the fault in a test system and determine where the issue is coming from.

1
0

password specifications..

" this writer was asked to enter the 11th digit of a password to an online account that only contained nine characters."

This probably stems from another frequent failure in password specification. They always specify n_charsmin, but very rarely n_charsmax. Isn't it time there was a standard for this stuff?

0
1
Silver badge

Re: password specifications..

"Isn't it time there was a standard for this stuff?"

A standard? There are lots of standards. Just pick one.

14
0
Silver badge

Re: password specifications..

I really hate this "Enter the 1st, 3rd, 10th characters of your password" BS.

a) As a user, if you know the password, it's much easier to just type the whole password than faff about with identifying the nth characters

b) From a security POV, it means that the server somewhere has access to the plaintext password so it can compare nth characters, instead of hashing the password when it is set, storing the hash and forgetting the password. So it's less secure than using the whole password

9
0

Re: password specifications..

"From a security POV, it means that the server somewhere has access to the plaintext password so it can compare nth characters, instead of hashing the password when it is set, storing the hash and forgetting the password. So it's less secure than using the whole password"

While you make a good point about using a password hash rather than the password, the servers handling authentication are much less likely to have been compromised with malware due to little Johnny browsing soapytitwank.com (or similar delights) than your browser / PC / phone, i.e. in real life making users type in their whole password on a personal device is probably less secure.

2
0

Re: password specifications..

Would it not be possible to hash each character in your password, and add a salt to it as well to make it a bit harder to brute force if the DB became compromised?

0
0

Re: password specifications..

Would it not be possible to hash each character in your password, and add a salt to it as well to make it a bit harder to brute force if the DB became compromised?

Unfortunately, that's barely better than storing the password in the clear, since there aren't many different characters (OK, including all of Unicode takes it to ~10^6), and you'd be able to find the password character by character - in parallel if you want.

The interface for a system to store passwords, issue challenges for certain characters, and validate the response seems fairly simple, which should make it much easier to develop a secure, isolated system for this purpose.

In other words, in this case, making sure those passwords won't leak seems achievable, with reasonable care.

However, the implementation also seems like it should be fairly simple, which ought to preclude the sort of issue in this story...

1
0
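As an added illustration of the two schemes discussed in this sub-thread (constructed example code, not part of the thread and not NatWest's system; every name in it is hypothetical), the Python below shows why a salted hash per character collapses the search to one character at a time, and sketches the small isolated verifier the reply describes, including the bound on challenge positions whose absence would explain being asked for the 11th digit of a nine-character password:

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed, hypothetical code for illustration: not NatWest's system.

# ---- Scheme 1: a salted hash per character (the weak idea) ------------------

def per_character_hashes(password):
    """Store one (salt, SHA-256(salt || char)) pair per position."""
    table = []
    for ch in password:
        salt = os.urandom(8)
        table.append((salt, hashlib.sha256(salt + ch.encode()).digest()))
    return table


def guesses_to_recover(table, alphabet=string.printable):
    """Recover each character independently and count hash evaluations.
    Work is about len(table) * len(alphabet), not len(alphabet) ** len(table)."""
    recovered, guesses = [], 0
    for salt, digest in table:
        for cand in alphabet:
            guesses += 1
            if hashlib.sha256(salt + cand.encode()).digest() == digest:
                recovered.append(cand)
                break
    return "".join(recovered), guesses


def whole_password_search_space(length, alphabet=string.printable):
    """What a whole-password hash would cost to search by brute force."""
    return len(alphabet) ** length


# ---- Scheme 2: an isolated verifier that holds the secret -------------------

class PartialPasswordVerifier:
    """Hypothetical isolated service: keeps the secret, returns pass/fail only.
    Encryption of the stored secret at rest is assumed and not shown."""

    def __init__(self, positions_per_challenge=3):
        self._secrets = {}
        self.k = positions_per_challenge

    def register(self, user, password):
        if not 8 <= len(password) <= 64:
            raise ValueError("password must be 8 to 64 characters")
        self._secrets[user] = password

    def challenge(self, user):
        # Positions are 1-based and drawn from the real stored length, so a
        # nine-character password can never be asked for its 11th character.
        n = len(self._secrets[user])
        return sorted(secrets.SystemRandom().sample(range(1, n + 1), self.k))

    def verify(self, user, positions, answers):
        pw = self._secrets.get(user, "")
        if len(positions) != self.k or len(answers) != self.k:
            return False
        if any(not 1 <= p <= len(pw) for p in positions):
            return False  # out-of-range position: reject, never index past the end
        expected = "".join(pw[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), "".join(answers).encode())


def buggy_challenge(assumed_max_len=11, k=3):
    """Constructed bug: draws positions from a fixed maximum instead of the
    user's real password length, one way to be asked for the 11th digit of a
    nine-character password."""
    return sorted(secrets.SystemRandom().sample(range(1, assumed_max_len + 1), k))


def positions_out_of_range(positions, real_length):
    """Positions a challenge asked for that the stored password does not have."""
    return [p for p in positions if p > real_length]


if __name__ == "__main__":
    pw = "Tr0ub4dor"  # constructed sample password
    recovered, guesses = guesses_to_recover(per_character_hashes(pw))
    print(recovered, guesses, "guesses vs", whole_password_search_space(len(pw)))
    v = PartialPasswordVerifier()
    v.register("alice", pw)
    pos = v.challenge("alice")
    print(pos, v.verify("alice", pos, [pw[p - 1] for p in pos]))
    print("asked for missing positions:", positions_out_of_range(buggy_challenge(), len(pw)))
```

The per-character table is recovered in a few hundred SHA-256 calls for a nine-character password, against 100^9 for a single whole-password hash over the same alphabet. The verifier only ever returns a boolean, compares in constant time, and refuses any position beyond the stored length rather than indexing past the end of the string.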
Silver badge

Re: password specifications..

"the servers handling authentication are much less likely to have been compromised with malware"

OTOH if your device is compromised you lose control over your own passwords and, frankly, the bank isn't going to care about that. If the authentication server is compromised they lose control over everyone's passwords and, of course, the bank ... Yes, you can see why they're choosing such an insecure option.

Seriously, there are two aspects to risk. One is the probability that something will go wrong, the other is the scale of going wrong.

2
0
Silver badge

Re: password specifications..

A standard? There are lots of standards. Just pick one.

No, no, no. *Far* more fun to generate another one. After all, even if it only becomes the standard in your organisation, it'll be your standard and they can never sack you..

Especially if you make it as internally-consistent as Windows.

0
0

So has your account been compromised?

Because that's pretty much the only conclusion if they are denying a simple system bug is the cause ?!

2
0
Anonymous Coward

Re: So has your account been compromised?

Are you seriously suggesting the PR dept. who WILL be in "oh sh*t! damage limitation mode" are significantly more credible than a supervisor who has spoken to technical and put sh*t in writing?

Was it asking for some pre-encryption hash character? Is there an error in handling certain characters...I can think of one major financial co that allows % but not * in passwords.

0
0
Facepalm

Obscurity through Security

perhaps

4
0
Silver badge

I abandoned NatWest in the 1990's when they were still insisting you needed to use IE with ActiveX controls to access online banking as other browsers "weren't secure".

To be honest, working in IT back then, I was hardly the front-runner of new technology in everyday life anyway, but I just moved to a bank that had a vague understanding of what SSL actually did.

3
0
Silver badge

Re: I abandoned NatWest in the 1990's

I abandoned NatWest in the 1990s when they refused to send out my new card because I'd moved and not told them about it. However, I hadn't moved and was still receiving statements etc.

This was the second time this had happened.

2
0
FAIL

PayPal Fail

PayPal recently allowed me to set a password that was longer than their maximum, then kept refusing my login, presumably because it was truncating my input before comparing hashes, so I had to jump through the hoops to reset it. I figured out the problem by trial and error.

On a related issue, the practice of the UI not telling you the password requirements until after you've typed one that doesn't meet them, is still rife, and still wasting people's time.

15
0
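As an added illustration of the failure described in this post (constructed Python, not PayPal's or any vendor's code; MAX_LEN, the account classes and the policy rules are hypothetical), the buggy account hashes the full password when it is set but truncates the input at login, so no input can ever match; the fixed account applies the same limit on both paths and reports every unmet rule before the password is accepted:

```python
import hashlib
import hmac
import os

# Constructed, hypothetical code: not PayPal's, not a router vendor's.

MAX_LEN = 20          # hypothetical site maximum (constructed)
MIN_LEN = 8
ITERATIONS = 50_000   # PBKDF2 work factor, kept modest for the demo


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class BuggyAccount:
    """Reproduces the post's failure: set_password hashes the whole input,
    but login silently truncates to MAX_LEN before hashing."""

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)   # no length check here

    def login(self, attempt):
        attempt = attempt[:MAX_LEN]                         # truncation only here
        return hmac.compare_digest(hash_password(attempt, self.salt), self.digest)


def policy_violations(password):
    """Return every rule the candidate breaks, so the UI can state them up front
    rather than after a failed submission."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"at least {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"at most {MAX_LEN} characters")
    if not any(c.isdigit() for c in password):
        problems.append("at least one digit")
    return problems


class FixedAccount:
    """Same limit applied identically on both paths: an over-long password is
    rejected at set time with the rules stated, never silently shortened."""

    def set_password(self, password):
        problems = policy_violations(password)
        if problems:
            raise ValueError("password needs: " + ", ".join(problems))
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)

    def login(self, attempt):
        if len(attempt) > MAX_LEN:      # cannot match anything we ever stored
            return False
        return hmac.compare_digest(hash_password(attempt, self.salt), self.digest)


if __name__ == "__main__":
    long_pw = "correct-horse-battery-staple-9"   # 30 characters, constructed
    b = BuggyAccount()
    b.set_password(long_pw)                        # accepted without complaint
    print("buggy login with the same password:", b.login(long_pw))
    print("buggy login with the first 20 chars:", b.login(long_pw[:MAX_LEN]))
    f = FixedAccount()
    print("rules broken:", policy_violations(long_pw))
```

With the buggy account neither the full password nor its first 20 characters logs in, because the stored digest covers all 30 characters while every login attempt is hashed after truncation; the only way out is the reset the post describes. The fixed version makes the limit visible at set time and never changes the input between the two paths.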
Silver badge

Re: PayPal Fail

Ha, had exactly that same problem setting up a new router yesterday. Eventually I realised that the password (passphrase) I was using was longer than it expected. A quick factory reset and a shorter password later...

2
0
Silver badge

Re: PayPal Fail

Ryanair have in the past similarly had a password set up that doesn't validate the password according to the rules they declare: Second half (ish) of this.

0
0
Silver badge
Mushroom

Re: PayPal Fail

" the UI not telling you the password requirements until after you've typed one that doesn't meet them"

GRRRRR!!

>>

2
0

Re: PayPal Fail

Yes, I wondered if that was what happened here and that the 11th character was recorded somewhere. It’s happened to me, allowing more characters entered and seem accepted, on several sites. If you use a password manager you are confident you have entered the right password and so it’s worth finding out what the max number is and truncating your password.

0
0
Joke

Re: PayPal Fail

> Ryanair have in the past similarly had a password set up that doesn't validate the password according to the rules they declare: Second half (ish) of this.

I imagine that costs extra.

I'll get my coat...

1
0

I wonder if chars 9,10 and 11 are %0a ;)

3
0
Silver badge

9

Did NatWest at some point impose a max 9 char password?

If I was risk averse enough to do online banking I would want to create a (complex) password a lot longer than 9 chars

1
1
Silver badge
Facepalm

Re: 9

It's worse than that, they'll ask you to select the (eg) 3rd, 5th and 2nd characters of your password. So, not only does your password have to be somewhat memorable (no copy/pasting, dropdowns only), but presumably to do such a thing, they must be storing your password with reversible encryption.

2
0
