How secure are cardless cash machine withdrawals?
Are the systems that let customers withdraw money from cash machines without their cards as secure as they could be?
NatWest recently launched two new systems, Emergency Cash and Get Cash, which generate a security code allowing customers to withdraw money from cash machines. But one NatWest customer lost more than £900 when fraudsters stole his money via this new platform.
The NatWest advertisement publicising the cash machine security code system suggests if you have lost your card, you have no need to worry, and uses the slogan "helpful banking."
But Tim from London had a very different response from NatWest after he found that fraudsters had taken £950 from his account in August using a security code downloaded via a NatWest app.
The money disappeared in 11 cash machine withdrawals in just three days, each one not exceeding the £100 limit NatWest imposes per cardless cash machine withdrawal.
Tim had never heard of the Emergency Cash or Get Cash systems, and banks rarely discuss with customers how a fraud has been carried out, so when Tim phoned to report the fraud, NatWest refused to tell him what had happened.
But his bank statement had "emergency cash" next to each transaction and in another call to the bank, Tim got some clarity: "She began to read my file aloud. She said you've been defrauded by an iPhone application for emergency cash. None of this I knew."
Tim was registered for online banking, but not mobile banking, so he could not have used the app which was used to make the withdrawals.
And making 11 cash machine withdrawals in three days - six of which were in just one day - was not Tim's normal spending pattern.
NatWest quickly accepted he had not made the withdrawals, and Tim thought a refund would be straightforward.
But NatWest then accused him in a letter of giving his personal details to a fraudster via a phishing email: "Customers are required to keep their card details and Pin secure at all times. After taking the circumstances of the fraud into account, I am not in a position to refund the disputed transactions."
But although Tim has received such emails, he has never sent his banking details to anyone.
After Money Box contacted NatWest, it said it would refund Tim the £950 as a gesture of goodwill.
But Tim says he still wants to know how a fraudster managed to sign up for mobile banking on his account, download the app, and carry out 11 cash machine withdrawals: "It's a huge liability which you don't actually know about. I had to find out what Emergency Cash was. I don't want it as a facility."
NatWest said it had strong security measures in place for its Emergency Cash and Get Cash withdrawal systems but admitted fraudsters had in some instances been able to withdraw money using both systems: "We are fully committed to the prevention of fraud and have stringent security procedures in place in this regard. The Get Cash app is only available through the mobile banking App, not as a standalone application.
"Enrolment for the app requires the customer to first register for online banking, then mobile banking and can then proceed to download the app for their mobile."
It said applicants for mobile banking needed to supply a combination of card and personal details, and their online banking number.
A letter is then sent to the customer's home address alerting them to the fact that mobile banking has been activated.
Tim still does not know how fraudsters were able to obtain these details and NatWest will not tell him.
Dr Steven Murdoch, from Cambridge University's Computer Lab, believes any criminal who finds a way round the security - like the man who defrauded Tim - would be amply rewarded: "I'm sure a lot of fraudsters are thinking about using this application because it's now relatively easy for banks to identify fraudulent transactions and reverse them, even several days after they've happened.
"They can use it to get cash - that's what's going to make it a priority for them."