Exploiting Natwest and RBS online banking systems for profit

Ben Smyth & Chris Smith (2010) Exploiting Natwest and RBS online banking systems for profit. School of Computer Science Technical Report CSR-10-11, University of Birmingham.

Abstract

The Natwest and Royal Bank of Scotland (RBS) online banking systems are vulnerable to a remote attack which allows an adversary to steal money from a customer's account. The vulnerability has arisen as a result of poor software engineering practice which neglected security. More precisely, the authentication mechanisms used by Natwest and RBS are dependent on six pieces of customer data, namely: name, date of birth, sixteen digit card number, three digit card security code (the number on the reverse of the card), sort code and account number. This information is publicly available and hence it can also be used by an adversary. Natwest and RBS have therefore failed in their duty to protect customers from financial fraud.

Video demonstration

A video demonstrating this attack is available on YouTube.

Bibtex Entry

@TechReport{2010-attacking-Natwest-online-banking,
	author = "Ben Smyth and Chris Smith",
	title = "{Exploiting Natwest and RBS online banking systems for profit}",
	year = "2010",
	number = "CSR-10-11",
	institution = "School of Computer Science",
	address = "University of Birmingham",
}