The GetCash system involves calling an operator and receiving a special code that can be entered at the ATM to facilitate a cash withdrawal. But reports emerged last week that fraudsters were using the system to steal money from victims’ accounts. In one instance noted by the BBC, victim ‘Tim from London’ “found that fraudsters had taken £950 from his account in August using a security code downloaded using a NatWest app.” Tim was registered for online banking, but not mobile banking – and didn’t have the the GetCash app. Nevertheless a fraudster had used GetCash to steal his money with repeated withdrawals over a short period of time.
This raises several issues. Firstly, who is responsible for account fraud? Although the bank is refunding the money as a gesture of goodwill, this came after the publicity from the BBC and following a letter that initially told Tim, “Customers are required to keep their card details and Pin secure at all times. After taking the circumstances of the fraud into account, I am not in a position to refund the disputed transactions.” The intuitive feeling is that the bank is clearly responsible for the fraud; but this can only ultimately be confirmed by the courts. In the meantime, this particular bank is maintaining the traditional position of blaming the customer and denying liability.
Dan Cvrcek has commented in the Cambridge University Computer Laboratory blog, “NatWest stated that it returns money to customers as a gesture of good-will. I am not an expert in T&Cs but it occurs to me that bank’s responsibility is much larger than usual. Especially if customers’ losses were incurred because of misuse of their date of birth and address – something that can be hardly kept secret.”
The second issue, however, is that there is as yet no suggestion that the GetCash app has been hacked. “It means that there are easier ways to get money from bank customers who may have never heard about mobile banking. Ways that are related to overall system architectures rather than bugs in software.” As society becomes more dependent upon computerized systems it is likely to come across more examples of the business process rather than the business software being hacked.
But it was easily prevented, says Pat Carroll, CEO of ValidSoft. “The problem can be solved by turning the customer’s mobile phone into a two-factor authentication device and the technology exists today to enable this capability. It is now possible for any bank to protect an App from fraudsters by making it compulsory for customers to register the App to their mobile phone - the technology exists to ensure that the bank can rely on the fact that the genuine customer is using a genuine phone.”
Meanwhile, Nat West has suspended the service for a ‘planned update.’ “We're currently updating the Get Cash application. The service will be back on our mobile app soon.”