NAB Ignores own Security Advice

Sat 26 December 2015 | tags: NAB, Security, Best Practices

A bank that ignores their own security advice? Yep, that appears to be what NAB is doing.

A typical email or SMS scam goes something like this:

Your Internet Banking Account has been disabled due to suspicious activity. Please call this number XXXX-XXXX to restore access. Thanks Bank X Security Team

Sometimes it asks you to call a number, sometimes to click a link. It can arrive by email or SMS, or even as a cold call saying your account has been disabled until you verify some personal details.

The recommended way to deal with these: don't click links; go to the main website by manually typing the address you know, not the address in the email/SMS. Always call the bank's main number, a number taken from the website, or the number on the back of your card, never the number in the email/SMS. Why is this the advice? Because anyone can set up a fake call centre with an automated answering service, and anyone can set up a fake website that looks like your internet banking login page. It's called phishing.

Now, NAB is aware of these scams, and so they offer great advice to their customers: http://www.nab.com.au/personal/banking/nab-internet-banking/security/online-fraud-update/fraud-warnings-for-all-nab-customers.

What they also do is train their customers to ignore the advice.

Here is the SMS I got early on Boxing Day:

+61457521049 - 12:51 AM Hi there, we've noticed some suspicious activity on your NAB Visa Debit and we're worried it wasn't you. As a precaution we've placed a temporary block on the card. Please call us on our 24hr line, 1300 622 372 - Option 1 (+61 3 8436 7200). Thanks - NAB

Hold on, did NAB just ask me to call a number in the SMS? They sure did. A quick Google of the number it was sent from turns up nothing. A Google of the numbers they want me to call does help, slightly. The first hit is a Facebook post. Sorry, but Facebook is not the official source of NAB phone numbers; the NAB website is supposed to be. Eventually I find the 1300 number on a form, yes, an obscure PDF form, that lists the NAB Fraud team's contact details. I do also find it on social media sites, Twitter etc. But when trying to verify a bank's phone number, you want it to be listed on the WEBSITE of the bank!

So yes, those numbers in that SMS are really the NAB Fraud Team's numbers. And yes, the NAB Fraud Team recommends you don't respond to those suspicious SMSs, and even confirmed that you shouldn't respond when I called them. So why ask your customers to call a number that is stupidly hard to verify, and encourage your users to do the very thing you told them not to?

NAB, you need to sort out your website to list those numbers, and change your SMS to advise customers to call the number on the card, or the number on the main website, and not to list numbers in the SMS. I'm glad I took the 30 minutes out of my day to try and verify the number, as my card had been suspended. But I almost ignored the SMS totally because it is so typical of a phishing scam.

And for anyone who thinks they should send the number because you might be overseas with no internet, etc.: best practice says that when you are overseas you should take all those emergency contact details with you, and keep a couple of copies so that if your wallet gets stolen you still have those details. If everything you have has been stolen, even those details, the last thing you need to be worrying about is calling the number in an SMS to unblock your card. It's blocked, as you want, because it's stolen. If it's not stolen, you should already have the fraud team's details with you because you are travelling.
