grandeduc - Fotolia

BBC reporter demonstrates mobile phone hack to steal from producer's bank account

A reporter on the BBC Radio Four You and Yours programme has managed to hack a NatWest online bank account and extract cash

NatWest Bank has been forced to make an emergency change to its online security following the broadcast of a major loophole.

Yesterday the BBC 4’s You and Yours programme revealed how it accessed the bank account of the show’s producer, by informing the producer’s mobile provider it wished to swap similar cards. This effectively changed the registered mobile number associated with the bank account.

Banks often use mobile phones for two-factor authentication, where a user receives a text message code they need to enter into their online bank account to reset login details.But given online security is a contstant battle, some financial institutes are begging to use biometrics to secure online accounts.

While mobile-based password resets can be extremely convenient for the user, You & Yours demonstrated a major flaw in the way it works in practice

A reporter at the show wrote on the BBC news site: “We decided to investigate You and Yours producer Natalie Donovan. I was able to break to her account without knowing her banking customer number, PIN or any passwords.”

Without knowledge of the bank account holder’s secret questions and answers normally used as a secondary security measure to unlock an account – such as the user's mother's maiden name, pet's name or first school – the reporter changed PIN and password to access the account.

Read more about banking security

“That allowed me to transfer £1.50 to my own bank account, all because I had control of Natalie's mobile phone,” the reporter wrote.

The bank issued a notice to online customers which said: “We take the security of your money seriously. The best way to protect yourself from fraud is to be in the know SIM swap is a genuine service which allows you to keep your existing phone number and change between different SIM sizes or phone providers.

"This technique is becoming increasingly common for use by fraudsters and third parties. The ability to utilise your mobile phone number to receive and make calls, receive and send text messages as well as use any provisioned data allowance can be motivation for illicit SIM swap.”

The bank recommend mobile phone users watch out for the tell tale signs of SIM card fraud – such as not being able to make or receive calls or text messages on their handsets.

In February 2016 HSBC UK announced plans to roll out voice biometric security technology, with more than 15 million customers in line for voice and fingerprint authentication services.

Read more on Security policy and user awareness