Recurring |
one_organization, multiple_organization |
(a) The security failure in mobile banking recurred at NatWest, which is part of RBS: a serious flaw in the bank's online banking system allowed criminals to raid accounts by exploiting vulnerabilities in its mobile banking service [42146].
(b) The article also notes reports of similar problems at other banks, so the weakness is not unique to NatWest and may have affected several organizations offering comparable mobile banking services [42146]. |
Phase (Design/Operation) |
design, operation |
(a) The design-phase failure is evident in the article. A serious flaw in the security of NatWest's online banking system let fraudsters take control of online accounts and steal thousands of pounds using stolen mobile phones: the system relied on a code texted to the customer's registered mobile number, so whoever held the handset (or its number) could pass that check. This design weakness allowed unauthorized access and fraudulent transfers to occur [42146].
(b) The operation-phase failure is also highlighted. Customers reported money disappearing from their accounts without explanation and, when they sought help, the bank often blamed them for not keeping their bank details secure. Customer reports were not acted on, and the security controls in operation did not prevent unauthorized access or the fraudulent transfers [42146]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The failure reported in the article lies mainly within the system. A serious flaw in NatWest's online banking system let criminals raid accounts by exploiting weaknesses in the bank's mobile and internet banking services [42146]. NatWest's security controls were inadequate: fraudsters could take control of online accounts and transfer money without holding all of the log-in details and passwords, which exposed weaknesses in the authentication and verification processes implemented within the bank's online banking system.
(b) outside_system: Contributing factors also originated outside the system. Criminals hijacked victims' mobile phone numbers by convincing mobile phone companies to transfer them to different handsets (a SIM swap), and then used the hijacked number to receive the codes the bank texted [42146]. This external weakness in the mobile network was central to bypassing the security measures within NatWest's online banking system. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
- The article reports a serious flaw in the online banking system of NatWest that allowed criminals to raid accounts, indicating a failure in the security systems of the bank [42146].
- Criminals were able to take control of online accounts and snatch money through stolen mobile phones, highlighting a vulnerability in the system that was exploited [42146].
- Thieves were able to take data from stolen mobile phones to drain funds from accounts, indicating a flaw in the system's security measures [42146].
(b) The software failure incident occurring due to human actions:
- The investigation revealed that it was possible to hack into an account using a stolen mobile phone, suggesting a potential oversight in the design or implementation of the security measures by the bank [42146].
- The article mentions that criminals were able to convince a mobile phone company to transfer a victim's number to a different handset, which was then used to run the fraud, indicating a social engineering aspect to the attack [42146].
- The fraud reporter was able to access a colleague's online bank account by pretending to have lost all login details and convincing the bank to send an activation code to the stolen phone, highlighting a vulnerability in the bank's verification process [42146]. |
Dimension (Hardware/Software) |
hardware, software |
(a) The hardware dimension of the incident:
- The attack depended on physical possession of the victim's handset: criminals raided accounts through stolen mobile phones, because the bank's security codes were delivered to that device [42146].
- Alternatively, criminals convinced a mobile phone company to transfer the victim's number to a different handset (a new SIM), which was then used to run the fraud [42146].
(b) The software failure incident related to software:
- NatWest's security systems were found to have a serious failure that allowed fraudsters to take control of online accounts and snatch money [42146].
- Researchers showed that it is possible to raid someone else's bank account without having any of the log-in details and passwords [42146].
- The bank's system sent a unique authorization code to the customer's mobile phone by text to approve new payees and transfers; a criminal holding the phone, or its number, received that code and could set up new payees and move money [42146].
- The incident highlighted vulnerabilities in the mobile banking services run by NatWest, a software-related security issue [42146]. |
Objective (Malicious/Non-malicious) |
malicious, non-malicious |
(a) The software failure incident reported in Article 42146 is malicious in nature. Criminals were able to exploit a serious flaw in NatWest's online banking system to raid accounts, allowing them to take control of online accounts and snatch thousands of pounds through stolen mobile phones. The fraudsters were able to manipulate the system to transfer money and gamble with stolen funds, indicating a deliberate intent to harm the system and its users [42146].
(b) Additionally, the incident involved non-malicious factors such as vulnerabilities in the security systems of NatWest's mobile banking services. These vulnerabilities allowed for unauthorized access and fraudulent activities to take place, highlighting failures in the system's design and implementation that were not intentionally introduced to harm the system but nonetheless led to security breaches and financial losses [42146]. |
Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The poor_decisions aspect is evident in the NatWest online banking system. Criminals raided accounts by exploiting a serious flaw in the security systems of the bank's online banking. The bank's decision to rely on a unique authorization code texted to the customer's mobile phone for setting up new payees and transferring money proved vulnerable once the phone, or its number, was in a criminal's hands [42146]. This decision contributed to the security breach that let fraudsters take control of online accounts and snatch thousands of pounds.
(b) The accidental_decisions aspect is seen in the oversight and unintended consequences of the security measures NatWest implemented. The investigation revealed that criminals could use stolen mobile phones to access accounts without the login details and passwords. Sending activation codes to mobile phones for account access had the unintended consequence of making the phone itself the key to the account, which led to unauthorized access and fraudulent activity [42146]. The incident shows how unintended decisions in the design and implementation of security measures can leave significant vulnerabilities in a system. |
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) Development incompetence is evident in the article, which highlights a serious flaw in the security systems of NatWest's online banking that allowed criminals to raid accounts. The bank admitted that the incident occurred because its security systems failed, indicating a lack of professional competence in ensuring robust security measures [42146].
(b) Accidental factors are also apparent. The criminals who convinced a mobile phone company to transfer a victim's number to a different handset, which was then used to run the fraud, exploited a weakness the bank had not anticipated: the operator's willingness to move a number to a new handset [42146]. |
Duration |
temporary |
The incident can be categorized as a temporary failure: the contributing factors were present only under particular circumstances (a stolen handset, or a number moved to a new SIM), not in every use of the system. The failure was a serious flaw in the security systems of NatWest's online banking that let criminals raid accounts by exploiting weaknesses in the mobile banking services [42146]. The bank acknowledged the failure and took immediate steps to strengthen security, such as a three-day cooling-off period for online banking transactions and improved customer authentication, to prevent similar incidents. |
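The attack chain described in the Nature and Dimension sections (claim lost log-in details, have the activation code texted to a phone the thief holds, add a payee, transfer) and the remediation noted above (a cooling-off period and stronger authentication) are easier to reason about side by side in code. The following is an added example, not code from the article, NatWest or RBS: a toy model of an SMS-only recovery and payment flow next to a hardened one. The mobile-network stand-in, the card-reader second factor, the three-day cooling-off value, the number, names and balances are all assumptions made for the example.

```python
import secrets
from datetime import datetime, timedelta

class MobileNetwork:
    """Constructed phone network: a text reaches whoever holds the number now,
    which is what a stolen handset or a number moved to a new SIM exploits."""
    def __init__(self):
        self.holder_of, self.inbox = {}, {}

    def assign(self, number, holder):   # also models an operator moving the number
        self.holder_of[number] = holder

    def send(self, number, text):
        self.inbox.setdefault(self.holder_of[number], []).append(text)

class SmsOnlyBank:
    """Weak design: credential recovery and new-payee authorisation both rest
    on a code texted to the registered number."""
    def __init__(self, network, number, balance):
        self.network, self.number, self.balance = network, number, balance
        self.payees = {}      # payee -> datetime added
        self.sessions = {}    # session token -> who is reading the texts

    def _sms_challenge(self, reader):
        code = secrets.token_hex(3)
        self.network.send(self.number, code)
        return self.network.inbox.get(reader, [None])[-1] == code

    def recover(self, reader, card_reader_response=None):
        # "I've lost all my log-in details": a code is texted and nothing else checked.
        if not self._sms_challenge(reader):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = reader
        return token

    def add_payee(self, token, payee, now):
        reader = self.sessions.get(token)
        if reader is None or not self._sms_challenge(reader):
            return False
        self.payees[payee] = now
        return True

    def pay(self, token, payee, amount, now):
        if token not in self.sessions or payee not in self.payees:
            return False
        self.balance -= amount
        return True

class HardenedBank(SmsOnlyBank):
    """Assumed remediation: recovery needs a factor that is not on the phone
    (a card-reader response here), and a new payee cannot be paid until a
    cooling-off period has passed, giving the owner time to notice."""
    COOLING_OFF = timedelta(days=3)

    def __init__(self, network, number, balance, card_reader_secret):
        super().__init__(network, number, balance)
        self.card_reader_secret = card_reader_secret

    def recover(self, reader, card_reader_response=None):
        if card_reader_response != self.card_reader_secret:
            return None   # holding the number alone is no longer enough
        return super().recover(reader)

    def pay(self, token, payee, amount, now):
        added = self.payees.get(payee)
        if added is None or now - added < self.COOLING_OFF:
            return False  # payee still inside the cooling-off period
        return super().pay(token, payee, amount, now)

NUMBER = "+447700900123"   # fictitious UK test-range number (assumption)
T0 = datetime(2024, 1, 1, 9, 0)

def run_theft(hardened, number_ported=False):
    """Constructed scenario: a thief holds Alice's stolen handset, or has had
    her number moved to his own SIM, and tries to empty the account."""
    net = MobileNetwork()
    reader = "thief" if number_ported else "alice"   # whose inbox the thief reads
    net.assign(NUMBER, reader)
    bank = (HardenedBank(net, NUMBER, 500_000, "CR-7731") if hardened
            else SmsOnlyBank(net, NUMBER, 500_000))
    token = bank.recover(reader)                     # the thief has no card reader
    if token is None:
        return {"recovered": False, "paid": False, "balance": bank.balance}
    bank.add_payee(token, "mule", T0)
    paid = bank.pay(token, "mule", 300_000, T0 + timedelta(minutes=5))
    return {"recovered": True, "paid": paid, "balance": bank.balance}

def run_owner():
    """The real owner on the hardened flow: the card reader gets her in, but the
    new payee can only be paid once the cooling-off period has elapsed."""
    net = MobileNetwork()
    net.assign(NUMBER, "alice")
    bank = HardenedBank(net, NUMBER, 500_000, "CR-7731")
    token = bank.recover("alice", card_reader_response="CR-7731")
    bank.add_payee(token, "plumber", T0)
    immediate = bank.pay(token, "plumber", 300_000, T0 + timedelta(hours=1))
    later = bank.pay(token, "plumber", 300_000, T0 + timedelta(days=3))
    return {"immediate": immediate, "after_cooling_off": later, "balance": bank.balance}
```

Against `SmsOnlyBank`, `run_theft(False)` and `run_theft(False, number_ported=True)` both succeed, because the stolen handset and the ported number are the same thing from the bank's side: the text arrives where the thief can read it. Against `HardenedBank` recovery fails without the card reader, and even a legitimately recovered session cannot pay a freshly added payee until the cooling-off period has elapsed, which is the window in which the owner notices money moving.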
Behaviour |
crash, omission, value, other |
(a) crash: The crash classification rests on the system losing control of the account rather than losing internal state: because of a serious flaw in NatWest's online banking system, criminals could take control of online accounts and snatch thousands of pounds through stolen mobile phones, so the system no longer performed its intended function of keeping the account under the customer's control [42146].
(b) omission: The incident can also be linked to an omission behavior where the system omits to perform its intended functions at an instance(s). This is highlighted by the fact that fraudsters were able to raid accounts without having any of the log-in details and passwords, indicating a failure in the system to properly authenticate and authorize transactions [42146].
(c) timing: The timing behavior is not explicitly mentioned in the articles as a specific type of failure related to the software incident.
(d) value: The incident can be associated with a value behavior where the system performs its intended functions incorrectly. This is demonstrated by the fact that criminals were able to transfer money and set up new payees on existing accounts using stolen mobile phone data, leading to unauthorized transactions and financial losses for customers [42146].
(e) byzantine: The byzantine behavior, characterized by inconsistent responses and interactions, is not directly mentioned in the articles as a specific type of failure related to the software incident.
(f) other: The other behavior observed is an authentication and authorization bypass: criminals exploited the system's reliance on codes sent to the customer's mobile phone, gaining unauthorized access to accounts and making fraudulent transactions, including after hijacking the victim's mobile phone number [42146]. |
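The sequence behind the bypass described here (an activation code issued for a recovered account, a new payee added, an immediate payment to it, sometimes preceded by the number being moved to a new SIM) is also what a bank's fraud or security operations team can look for. The following detection rule is an added example, not taken from the article or from any bank's real monitoring: the pipe-separated event format, the event names, the window lengths and the sample lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event lines (not real bank logs): time|customer|event|key=value;...
SAMPLE_LOG = """\
2024-01-01T08:40:00|cust-1001|number_port|operator=telco-A
2024-01-01T09:02:00|cust-1001|recovery_sms_issued|channel=sms
2024-01-01T09:05:00|cust-1001|payee_added|payee=mule-77
2024-01-01T09:09:00|cust-1001|payment|payee=mule-77;amount=300000
2024-01-01T10:00:00|cust-2002|payee_added|payee=plumber
2024-01-05T10:00:00|cust-2002|payment|payee=plumber;amount=15000
2024-01-02T12:00:00|cust-3003|recovery_sms_issued|channel=sms
2024-01-02T12:30:00|cust-3003|payee_added|payee=friend
2024-01-02T12:45:00|cust-3003|payment|payee=friend;amount=5000
"""

def parse(log):
    """Parse the constructed format into dicts sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, customer, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append({"ts": datetime.fromisoformat(ts), "customer": customer,
                       "kind": kind, **fields})
    return sorted(events, key=lambda e: e["ts"])

def _within(earlier, later, window):
    return timedelta(0) <= later["ts"] - earlier["ts"] <= window

def detect(events, takeover_window=timedelta(hours=24), port_window=timedelta(days=7)):
    """Flag a payment to a payee that was added, after an SMS credential
    recovery, inside `takeover_window`; escalate to high severity if the
    customer's number was moved to a new SIM within `port_window` before the
    payment. Both window lengths are assumptions for the example."""
    by_customer = defaultdict(list)
    for e in events:
        by_customer[e["customer"]].append(e)
    alerts = []
    for customer, evs in by_customer.items():
        for pay in (e for e in evs if e["kind"] == "payment"):
            added = [e for e in evs if e["kind"] == "payee_added"
                     and e.get("payee") == pay.get("payee")
                     and _within(e, pay, takeover_window)]
            recovered = [e for e in evs if e["kind"] == "recovery_sms_issued"
                         and any(_within(e, a, takeover_window) for a in added)]
            if not (added and recovered):
                continue
            reasons = ["payment to a payee added within %s of an SMS credential recovery"
                       % takeover_window]
            ported = [e for e in evs if e["kind"] == "number_port"
                      and _within(e, pay, port_window)]
            if ported:
                reasons.append("number moved to a new SIM %s before the payment"
                               % (pay["ts"] - ported[-1]["ts"]))
            alerts.append({"customer": customer, "payee": pay["payee"],
                           "amount": int(pay["amount"]),
                           "severity": "high" if ported else "medium",
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert["severity"], alert["customer"], alert["payee"],
              alert["amount"], "; ".join(alert["reasons"]))
```

On the sample, cust-1001 (number ported, recovery, new payee and a large payment within half an hour) is raised as high severity with two reasons, cust-3003 (same chain without the port) as medium, and cust-2002, whose new payee was paid four days later with no recovery event, is not flagged. The rule is deliberately narrow; in practice the payee-age check alone is the cheap signal, and the port event is what a bank would obtain from the operator or from a SIM-change lookup service.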