[Video] 3 Major Issues in Nationwide, Including (Potentially) a Major Data Breach
Video download link | md5sum 41588754d32c7c1fb9291cffb1f2d70c
Nationwide Security Blunder or More?
Creative Commons Attribution-No Derivative Works 4.0
BANKING "online" or 'electronic-bank' security has become the joke of the town. Many "modern" banks use inadequate systems and there are new reports this week regarding famous banks cautioning customers about advanced phishing scams (see Daily Links), as usual blaming buzzwords and straw men like "AI" (chatbots or "HEY HI", which doesn't accurately describe LLMs).
In our case, it seems plausible or likely to be much worse than phishing. It looks like Nationwide has suffered a data breach, because a highly sophisticated scam, not a "HEY HI" chatbot, apparently uses people's names and postcodes to seem legitimate. If those messages are in fact legitimate, that's worrying for a number of other reasons.
So I phoned them up. And they refuse to take a report about this. Or rather, they make it unnecessarily hard. This has become rather typical, as businesses are good at taking money but rather reluctant to take complaints.
In my case, to make matters worse, the complaints number gets through to a person who deals with mortgages! No kidding, I even double-checked while on the line. She tried to blame this on me, but I assured her I phoned the correct number, so it seems like an IT issue (again). Lines crossed?
As they do not let customers talk to IT or to managers (but put them on hold and speak to some unspecified party), maybe they are contracting all this stuff (and staff) outwards.
Towards the end of the call we were comparing the link in her legitimate E-mail to mine, as it does not go to the same domain at our end (unless there's a misunderstanding). Suffice it to say, a bank linking to some dodgy third-party domain with extensive tracking in the URL is a terrible security practice, which in itself constitutes a reportable issue. Whoever is responsible should/can/might be sacked on the spot if this was a deliberate design decision. But who knows... they try to not even talk about this issue and refuse to let you speak to the most suitable person. "Nobody else has this problem" would likely be the go-to excuse. "You're only a customer... who are you to care about our IT systems failing...?" (Like Sainsbury's [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]). I recorded the call (didn't plan to publish it; it's crude), so nobody can say I take it out of context. It's totally unedited, so there are some bits there that could be cropped out (albeit it would require further processing).
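The comparison described above (does the link in the E-mail go to a domain the bank actually owns, and is the URL loaded with tracking parameters?) can be done mechanically. The script below is an added example, not code from the original post or from Nationwide: the allowlisted domains, the tracking-parameter list and the sample message are constructed assumptions, not the bank's real domains or the actual E-mail. It extracts every link from an HTML message, reduces the host to its registrable domain, and flags links that leave the bank's domains, carry tracking parameters, use plain http, or whose visible text names a different host than the one they point at (the classic phishing tell).

```python
"""Audit the links in a bank e-mail: third-party domains, tracking
parameters, non-https links, and display text that disagrees with the
href. Added example; the domains and the message are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: registrable domains the bank is known to own. Hypothetical
# names; substitute the domains printed on your card or statements.
OWN_DOMAINS = {"bank.example", "bank-online.example"}

# Query keys commonly used for click tracking (utm_* plus a few
# vendor-specific ones). Not exhaustive.
TRACKING_PARAMS = {"mc_eid", "mkt_tok", "fbclid", "gclid"}


def registrable_domain(host):
    """Naive eTLD+1: last two labels, or three for forms like co.uk or
    com.au. Use the Public Suffix List for anything beyond a demo."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in ("co", "com", "org", "ac", "gov", "net")):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def visible_host(text):
    """If the anchor text looks like a URL or hostname, return its host."""
    if "." not in text or " " in text:
        return None
    return urlsplit(text if "://" in text else "https://" + text).hostname


def classify_link(href, text):
    parts = urlsplit(href)
    host = parts.hostname or ""
    domain = registrable_domain(host) if host else ""
    tracking = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                      if k in TRACKING_PARAMS or k.startswith("utm_"))
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if domain not in OWN_DOMAINS:
        findings.append(f"third-party domain {domain or '?'}")
    if tracking:
        findings.append("tracking params: " + ",".join(tracking))
    shown = visible_host(text)
    if shown and registrable_domain(shown) != domain:
        findings.append(f"visible text says {shown}")
    return {"href": href, "host": host, "domain": domain, "findings": findings}


def audit_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return [classify_link(h, t) for h, t in parser.links]


# Constructed sample message, not a real bank e-mail.
SAMPLE = """
<p>Dear Customer,</p>
<p><a href="https://secure.bank.example/login">Log in</a> to review your statement.</p>
<p><a href="https://click.mailtrack.example/r?id=abc123&utm_source=newsletter&utm_campaign=q3&mc_eid=9f2">secure.bank.example</a></p>
<p><a href="http://bank.example.evil.example/verify">Verify your details</a></p>
"""

if __name__ == "__main__":
    for r in audit_email(SAMPLE):
        print(r["href"], "->", "; ".join(r["findings"]) or "OK")
```

Only the first link passes; the second is exactly the pattern complained about (a redirector on a third-party domain, stuffed with tracking keys, shown to the reader as the bank's own hostname), and the third is a lookalike subdomain on an unrelated registrable domain. The domain check is deliberately strict: a bank redirecting through a mailing vendor is indistinguishable, to the customer, from a scam doing the same thing.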
In the name of "cost-savings" (high profits, temporarily, so some managers bag bonuses) many banks nowadays want to reduce themselves to (just/at most) some overseas AWS ("clown computing") account. Instead of branches they want to herd customers into Skinner boxes with "apps" (or Web sites). This is a worrying trend, akin to some scenes from I, Daniel Blake. █