NatWest’s online banking has been pretty awful since I first used it. While they have overcome some of their early problems by now (like refusing most Mac browsers for no apparent reason, even though their site worked when faking the User-Agent), their whole login system remains ridiculous, as it requires you to enter three out of four digits of your PIN and three out of N characters of your password.
The alleged ‘security’ advantage of that is that you never need to enter your complete credentials, meaning that a one-time snooper will only have a one-in-four-times-some-number-depending-on-the-length-of-your-password probability of being able to log in with what they snooped. Downsides of this are, usability-wise, that it’s extremely hard to enter three digits of your PIN as you cannot use your muscle memory for that (and why the fuck do they also alter the order of the digits at times?) and that, particularly with longer passwords, it can be hard to figure out which is the seventh letter in there. You may be tempted to write the password down to figure that out which, in turn, would be rather insecure.
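To put numbers on that ‘one-in-four-times-some-number’ claim, here is an added example (not code from the original post or from the bank): it assumes, as described above, that a login asks for 3 of the 4 PIN digits and 3 of the N password characters, and further assumes the asked positions are drawn uniformly at random and a password length of 8 for the sample run.

```python
# Added example (not from the original post): quantifying the partial-credential
# login scheme described above. Assumptions: 3 of 4 PIN digits and 3 of N
# password characters are asked, positions chosen uniformly at random.
from fractions import Fraction
from math import comb
import random


def replay_probability(secret_length: int, asked: int = 3) -> Fraction:
    """Chance that a single observed challenge answers a fresh random one.

    The observer knows `asked` positions; a fresh challenge is answerable
    only if it asks for exactly that subset, so the odds are 1 / C(N, asked).
    """
    return Fraction(1, comb(secret_length, asked))


def combined_replay_probability(pin_length: int = 4, password_length: int = 8,
                                asked: int = 3) -> Fraction:
    """Both the PIN and the password challenge must repeat for one snooped
    login to be replayable: 1/4 times 1/C(N, 3) for the scheme in the post."""
    return (replay_probability(pin_length, asked)
            * replay_probability(password_length, asked))


def answerable_fraction(known_positions: set, secret_length: int,
                        asked: int = 3) -> Fraction:
    """Fraction of all possible challenges that can be answered once the
    characters at `known_positions` have been seen (any `asked`-subset of
    the known positions is answerable)."""
    if len(known_positions) < asked:
        return Fraction(0)
    return Fraction(comb(len(known_positions), asked), comb(secret_length, asked))


def mean_logins_to_full_exposure(secret_length: int, asked: int = 3,
                                 trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of how many observed logins reveal every
    character: the real limit of the protection against an observer who
    sees more than one login, which is what the scheme is meant to resist."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen: set = set()
        while len(seen) < secret_length:
            seen.update(rng.sample(range(secret_length), asked))
            total += 1
    return total / trials


if __name__ == "__main__":
    print("one snooped login replays a fresh challenge with probability",
          combined_replay_probability(4, 8))            # 1/224 for 8 characters
    print("mean logins until the whole 4-digit PIN is exposed:",
          round(mean_logins_to_full_exposure(4), 2))     # about 2.33
```

The exact expectation for the PIN is 7/3 logins (one to learn three digits, then a 3/4 chance per login of seeing the fourth), which the simulation approximates.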
Of course the huge security flaw of this system is that the bank has to store your PIN and password in clear text, something which, presumably, good practice says should not be done.
Another issue I noticed was that when using their online banking website they still use the ridiculous URL nwolb.com rather than the human-readable natwest.co.uk. They also use an encryption certificate presumably belonging to The Royal Bank of Scotland Group Plc. Of course one could assume that in the recent financial market shenanigans one of those banks bought/swallowed/whatevered the other and thus things are changing over. But should I need to care? Shouldn’t I expect that the name of the web-site, the URL and the certificate owner are reasonably similar? If not, what is all that ‘information’ worth? Why would it be given to me? If people in such an obscenely rich ‘industry’ can’t get it right, how can one expect anybody else to? Have people already been told that falling for some phishing attack was ‘their own fault’ because they didn’t keep an eye on the URL and credentials of the site? Shouldn’t such statements be immediately revoked when seeing this?