Yesterday on BBC Radio 4’s You and Yours programme, a reporter showed how easily he could get into the bank account of the show’s producer by telling her mobile provider that he wanted to move her number onto a new SIM card. With that one request, the reporter effectively took control of the mobile number registered against the bank account, and from there he was able to get into his producer’s online banking portal.

Banks often use the mobile phone as a second factor: to reset login details, the customer receives a text message containing a code that must be entered into the online banking site. But that code is delivered to whichever SIM the number currently routes to, and a simple social-engineering call to the mobile provider is enough to move the number onto a SIM the attacker holds. Mobile-based password resets are convenient for the user, but You and Yours demonstrated a major flaw in how they work in practice.

A reporter on the show wrote on the BBC news site: “We decided to investigate You and Yours producer Natalie Donovan. I was able to break into her account without knowing her banking customer number, PIN or any passwords.”

The reporter did not need the secret questions and answers normally used as a secondary check to unlock an account, such as the customer’s mother’s maiden name, pet’s name or first school. Having intercepted the text message, he changed the PIN and password and accessed the account. The bank in question, NatWest, has reworked its online security following the BBC’s report.
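To make the failure mode concrete, the following is an added simulation, not code from the BBC report or from any bank. The carrier, the bank and the customer records are in-memory stand-ins, the phone number is a constructed one from the UK drama range, and the mitigation shown (refusing to rely on SMS when the SIM behind the number changed in the last seven days, and requiring an existing PIN on top of the texted code) is an assumed policy chosen for illustration, not NatWest’s actual fix.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SIM_CHANGE_COOLDOWN = timedelta(days=7)  # assumed policy value, not from the article


def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Sim:
    iccid: str
    inbox: list[str] = field(default_factory=list)  # SMS delivered to this physical SIM


class Carrier:
    """Stand-in mobile network: which SIM a number routes to, and when that last changed."""

    def __init__(self) -> None:
        self._routing: dict[str, tuple[Sim, datetime]] = {}

    def provision(self, msisdn: str, sim: Sim, when: datetime) -> None:
        self._routing[msisdn] = (sim, when)

    def swap_sim(self, msisdn: str, new_sim: Sim, when: datetime) -> None:
        # The social-engineering step: support was talked into moving the number
        # onto a SIM the caller holds. Nothing here verifies who asked.
        self._routing[msisdn] = (new_sim, when)

    def send_sms(self, msisdn: str, text: str) -> None:
        self._routing[msisdn][0].inbox.append(text)

    def last_sim_change(self, msisdn: str) -> datetime:
        return self._routing[msisdn][1]


@dataclass
class Customer:
    msisdn: str
    pin_salt: bytes
    pin_hash: bytes
    password: str


class Bank:
    def __init__(self, carrier: Carrier, hardened: bool, now: datetime) -> None:
        self.carrier, self.hardened, self.now = carrier, hardened, now
        self.customers: dict[str, Customer] = {}
        self._pending: dict[str, str] = {}  # customer id -> outstanding reset code

    def enrol(self, cid: str, msisdn: str, pin: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.customers[cid] = Customer(msisdn, salt, kdf(pin, salt), password)

    def start_reset(self, cid: str) -> str:
        """'sms' if a code was texted; 'manual' if the hardened flow refused to
        trust SMS because the SIM behind the number changed too recently."""
        c = self.customers[cid]
        if self.hardened and self.now - self.carrier.last_sim_change(c.msisdn) < SIM_CHANGE_COOLDOWN:
            return "manual"
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[cid] = code
        self.carrier.send_sms(c.msisdn, f"Your reset code is {code}")
        return "sms"

    def finish_reset(self, cid: str, code: str, new_password: str, pin: str | None = None) -> bool:
        c = self.customers[cid]
        expected = self._pending.pop(cid, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        # Hardened flow: holding the SMS is not enough; the caller must also prove a
        # knowledge factor (the existing PIN) that a SIM swap does not hand over.
        if self.hardened and (pin is None or not hmac.compare_digest(kdf(pin, c.pin_salt), c.pin_hash)):
            return False
        c.password = new_password
        return True


MSISDN = "+447700900123"  # constructed number in the UK drama range


def _setup(hardened: bool) -> tuple[Carrier, Bank, Sim, datetime]:
    now = datetime(2024, 1, 1, 12, 0)
    carrier, victim_sim = Carrier(), Sim("8944000000000000001")
    carrier.provision(MSISDN, victim_sim, now - timedelta(days=400))
    bank = Bank(carrier, hardened, now)
    bank.enrol("cust-1", MSISDN, pin="4821", password="correct horse")
    return carrier, bank, victim_sim, now


def run_sim_swap(hardened: bool, swap_age_days: float = 0.0) -> bool:
    """Play out the attack; True means the attacker now controls the account."""
    carrier, bank, _, now = _setup(hardened)
    attacker_sim = Sim("8944000000000000002")
    carrier.swap_sim(MSISDN, attacker_sim, now - timedelta(days=swap_age_days))
    if bank.start_reset("cust-1") != "sms":
        return False  # bank fell back to out-of-band verification
    code = attacker_sim.inbox[-1].split()[-1]  # the text went to the attacker's SIM
    return bank.finish_reset("cust-1", code, "pwned", pin="0000")  # attacker guesses the PIN


def legitimate_reset(hardened: bool) -> bool:
    """The real customer, on her own long-standing SIM, resets her password."""
    _, bank, victim_sim, _ = _setup(hardened)
    if bank.start_reset("cust-1") != "sms":
        return False
    code = victim_sim.inbox[-1].split()[-1]
    return bank.finish_reset("cust-1", code, "new password", pin="4821")
```

In the unhardened flow the attacker wins outright, because the only thing the bank checks is possession of whatever SIM the number currently routes to. The hardened flow blocks the same attack twice over: a fresh SIM change sends the reset to manual verification, and even an attacker who waits out the cooldown still lacks the PIN. The general point is that a reset must demand something a SIM swap does not yield; some mobile operators do expose a last-SIM-change lookup to relying parties, but even without it, SMS should be one factor among several rather than the whole reset.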