As much as banks make lots of money out of the money that goes through my account, they still all tempt me with account features and offers, and yesterday I received an update from Natwest Bank about the features on my account. I was very pleased to hear that I had Green Flag breakdown recovery, I must say, but then another feature screamed out at me with my ever-so security-conscious hacker hat on.
I now have a feature called "Emergency Cash" which works by allowing me, should I lose my card or have it stolen, to withdraw cash (£300) from any Royal Bank of Scotland linked ATM without using a card. This morning, with that in mind, I did a little research to find out how it works. It goes like this.
Call the Lost and Stolen card line and report the card lost or stolen. You are then offered "Emergency Cash". You have to answer three security questions, for example your mother's maiden name, the value of a direct debit, the first and fifth letters of your password, that sort of thing. You are then issued with a PIN that is valid for three hours and for one use only. Find an RBS linked ATM, press any of the six blank (numberless) keys on the keypad and you are presented with an "Emergency Cash" screen.
Now, I'm not going to lie and say this is not a cool feature for a bank to offer, but on the flipside, is this not a massive security risk that the bank is taking on? Let's assume they generate the PINs with a properly seeded cryptographic random number generator; even so, the weak link is the bank's own system. The three-hour window, the single use and the £300 cap bound what each PIN is worth, but nothing at the ATM can tell a legitimately issued PIN from one minted by whoever controls the issuing system, so the issuance step, and the phone security questions that gate it, carry the whole weight. Take control of the bank's system - not easy, I know, but not impossible - and you could generate vast swathes of PINs and start having a withdrawal fest.
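To make the argument concrete, here is a toy model of the flow above written for this post; it is not the bank's code and nothing in it describes how RBS actually implements the feature. The three-hour validity and the £300 figure come from the description above; the six-digit PIN length, the three-attempt lockout, binding the PIN to the account, storing only a hash of it, and the audit log are all my assumptions about what a sensible design would include.

```python
"""Toy model of a card-less 'emergency cash' one-time PIN scheme.

Added illustration, not the bank's code. A PIN is issued over the phone
after security questions, then redeemed once at an ATM without a card.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TTL_SECONDS = 3 * 60 * 60   # "valid for three hours" (from the post)
MAX_AMOUNT_GBP = 300        # "£300" (from the post)
PIN_DIGITS = 6              # assumption
MAX_ATTEMPTS = 3            # assumption: lockout against guessing at the ATM


def _hash_pin(account: str, pin: str) -> bytes:
    # Bind the PIN to the account so a token cannot be replayed elsewhere,
    # and never store the PIN itself on the back end.
    return hashlib.sha256(f"{account}:{pin}".encode()).digest()


@dataclass
class Token:
    account: str
    pin_hash: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


class EmergencyCashService:
    """Issuer (phone line / back end) and verifier (ATM) in one object."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}
        # Issuance log: the only place a fraudulent issuance leaves a trace,
        # because the ATM cannot distinguish it from a genuine one.
        self.audit: List[Tuple[str, str, float]] = []

    def issue(self, account: str, answers_correct: bool,
              now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        if not answers_correct:
            self.audit.append(("issue_denied", account, now))
            return None
        live = self._tokens.get(account)
        if live and not live.used and now - live.issued_at < TTL_SECONDS:
            self.audit.append(("issue_refused_live_token", account, now))
            return None
        # secrets, not random: PIN must be unpredictable to an outsider.
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._tokens[account] = Token(account, _hash_pin(account, pin), now)
        self.audit.append(("issue", account, now))
        return pin

    def redeem(self, account: str, pin: str, amount_gbp: int,
               now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        tok = self._tokens.get(account)
        if tok is None:
            return False, "no token"
        if tok.used:
            return False, "already used"
        if now - tok.issued_at >= TTL_SECONDS:
            return False, "expired"
        if amount_gbp > MAX_AMOUNT_GBP:
            return False, "over limit"
        if tok.attempts >= MAX_ATTEMPTS:
            return False, "locked"
        tok.attempts += 1
        if not hmac.compare_digest(tok.pin_hash, _hash_pin(account, pin)):
            return False, "wrong pin"
        tok.used = True
        self.audit.append(("redeem", account, now))
        return True, "ok"


if __name__ == "__main__":
    svc = EmergencyCashService()
    pin = svc.issue("acct-1", answers_correct=True, now=0.0)
    print(svc.redeem("acct-1", pin, 300, now=60.0))    # (True, 'ok')
    print(svc.redeem("acct-1", pin, 300, now=61.0))    # (False, 'already used')
```

The model makes the post's point visible: `redeem` checks expiry, single use, the cash cap and a guess limit, but it has no way to know whether `issue` was called because a customer answered three questions or because someone with control of the back end passed `answers_correct=True`. Every PIN minted that way redeems cleanly, and only the issuance log records it, which is why rate limits and reconciliation on the issuing side matter more than the randomness of the PIN.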
Next time I go to a Natwest machine or another RBS one I'm definitely going to have a look at getting the mysterious hidden Easter-egg features of the machine to display... I am a nerdy geek after all.