Tuesday, April 29, 2008

Emergency Cash?

As much as banks make lots of money out of the money that goes through my account, they still all tempt me with account features and offers, and yesterday I received an update from Natwest Bank about the features on my account. I was very pleased to hear that I had Green Flag breakdown recovery, I must say, but then another feature screamed out at me with my ever-so hacker security-conscious hat on.

I now have a feature called "Emergency Cash" which works by allowing me to, should I lose or have my card stolen, withdraw cash (£300) out of any one of Royal Bank of Scotland linked ATMs without the use of a card. This morning, with that in mind, I have done a little research to find out how this works and it goes like this.

Call the Lost and Stolen card line. Report card lost or stolen. Then you are offered "Emergency Cash". You then have to answer three security questions, i.e. mother's maiden name, the value of a direct debit, first and fifth letter of password, that sort of thing. You will then be issued with a PIN that is valid for three hours and one use only. Find an RBS linked ATM, press any of the six blank (numberless) keys on the pad and you are presented with an "Emergency Cash" screen.

Now, I'm not going to lie and say this is not a cool feature for a bank to offer, but on the flipside is this not a massive security risk that the bank is taking on? Let's assume that they're using a really good entropy type algorithm to generate the PINs, and still we have the weak link of a system in the bank. Take control of the bank's system - not easy I know, but not impossible - and you could generate vast swathes of PINs and start having a withdrawal fest.
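As an added illustration (not part of the original post, and not NatWest or RBS code), here is a sketch of how an issuer could enforce the properties described above: a randomly generated PIN, valid for three hours, one use only. The four-digit length, the binding to an account identifier, the three-attempt lockout and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 3 * 60 * 60  # "valid for three hours" (from the post)
MAX_ATTEMPTS = 3               # assumption: the post states no attempt limit


class EmergencyPinStore:
    """Hypothetical issuer-side store for one-time emergency PINs."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # account -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, pin):
        # Salted hash so the store never holds the PIN in clear. A 4-digit
        # space is still searchable offline, so the store itself needs protecting.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, account):
        # secrets uses the OS CSPRNG; randbelow avoids modulo bias.
        pin = f"{secrets.randbelow(10_000):04d}"
        salt = secrets.token_bytes(16)
        self._records[account] = [salt, self._digest(salt, pin),
                                  self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin  # handed to the caller once, never stored

    def redeem(self, account, pin):
        rec = self._records.get(account)
        if rec is None:
            return "no-pin"
        salt, digest, expires_at, _ = rec
        if self._clock() >= expires_at:
            del self._records[account]
            return "expired"
        if hmac.compare_digest(self._digest(salt, pin), digest):
            del self._records[account]  # one use only
            return "ok"
        rec[3] -= 1
        if rec[3] == 0:
            del self._records[account]  # locked: a new PIN must be requested
            return "locked"
        return "wrong"
```

With an attempt cap of k on a four-digit PIN, a guesser who already knows a live account succeeds with probability at most k/10,000 per issued PIN, which is what makes the short PIN tolerable.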

Next time I go to a Natwest machine or other RBS one I'm definitely going to have a look at getting the mysterious Easter Egg hidden features of the machine to display... I am a nerdy geek after all.

9 comments:

Anonymous said...

If someone strikes lucky and guesses a valid pin how can you prove that it wasn't you who took the dosh out?

In theory someone down on his heels could keep stabbing numbers into the RBS ATM until it pays out. Rather like a fruit machine, except you don't have to put any money in.

Anonymous said...

I wonder if I could (ahem) borrow one of those machines that randomly press buttons on mobile phones to test the durability of the keypad.

Attach to cash machine, sit back and wait.

Old BE said...

Tell me your PIN and I will go and test it for you. I will only charge £300 for this service.

Anonymous said...

May need to try this. My card was cancelled because of fraud 3 weeks ago. New one hasn't arrived. I have no cash!

Might give it a go - will tell you if it works.

Pete Chown said...

Presumably you have to enter your account number, as well as the PIN? So to defraud the system, you'd have to know (i) someone's account number, and (ii) that they had requested an emergency PIN but not used it yet.

That doesn't sound too bad; you can't just go up to an ATM and start pressing buttons. If you do find out this information, your average payoff for each guessed PIN is £0.03 (£300 payoff divided by 10,000 possible PINs.) That doesn't sound worthwhile for an attacker.

That reminds me of something I've always wondered about PINs. Banks have millions of customers, so if they choose PINs randomly, some people will end up with things like 1234 or 0000. Many customers who are allocated numbers like that will ring up and say that the system has gone wrong (probably telling the bank staff their PIN number in the process). So do banks actually screen out numbers like that, to avoid this problem, even though in some sense it makes the system less secure because there are fewer numbers to choose from?

Not a sheep said...

What Easter Egg feature, I am intrigued... Love that sort of thing, still have a PC with Excel 97 so I can play...

Anonymous said...

If 10,000 people lose their cards at the same time, then every pin will work. Bonanza!

Alex said...

I have actually been a victim of fraud using this system last week - someone removed £60 from my account and left me without a working debit card.
