RBS card readers: can we get rid of them?

Delta-NC

I'm with RBS who in their wisdom implemented a bizarre new system for making payments online. You now have to use a daft card reader to move money on their online banking and soon also when you call them.

All they do is generate an extra password based on your card details and a random number given to you by RBS when you are making the payment. Which incidentally will do nothing to stop online fraud.

The real problem is that, being a guy, I don't have the facilities to be carrying around large amounts of crap in the off chance I may need it.

I have been away from my flat quite a bit recently due to family issues and for the last three months "conveniently paying my rent online" has turned into "fifteen minute phone calls and messing about" due simply to the fact I forgot to take this otherwise pointless piece of plastic with me.

These things are pointless, hugely inconvenient and a waste of our planet. This is why most european banks rejected them at the trial stage.

Does anyone know if there is a way to get RBS to disable this on my account? A guy at the branch said I could, and gave me a number to call. However those on the phone insist that I have to live with it.

Does anyone else find these devices hugely inconvenient? Would anyone be up for starting some kind of petition to have these wasteful devices scrapped? (Or at least integrated into our cards, which can be done)

(If this post is misplaced feel free to move it)

mr_fishbulb

How will they do nothing to stop online fraud? The number is different every time. Even if someone managed to get hold of your password and answers to secret questions (which don't change), they won't be able to transfer money unless they have the pseudo-random number from the card reader.

RBS would probably tell you that you are responsible for any losses on your account becuase you refuse to use their security system.

Kavanne

with rbs you only need the card reader to set up a NEW payment or payee, or amend it. If you just want to make a payment to an existing payee, then they wn't ask for the card reader

agsnu

Delta-NC wrote: »

All they do is generate an extra password based on your card details and a random number given to you by RBS when you are making the payment. Which incidentally will do nothing to stop online fraud.

Please explain your reasoning on this one.

Delta-NC

mr_fishbulb wrote: »

How will they do nothing to stop online fraud? The number is different every time. Even if someone managed to get hold of your password and answers to secret questions (which don't change), they won't be able to transfer money unless they have the pseudo-random number from the card reader.

agsnu wrote: »

Please explain your reasoning on this one.

It's quite simple as far as I see it. If someone is dumb enough to enter their details on a phishing site then this offers very little protection.

All the scammer would need to do is create a bot to run a "man in the middle" style attack. Have the user enter their username and password at which point the scammers bot logs into their RBS account and sets up a transfer. On the victims screen they can then add an extra stage to the login process using the details from the transfer page "For added security please login using your RBS card reader...." the victim enters the code as shown which is then sent to the phishing bot which steals all their money.

In RBSs credit I will say their system of using only partial passwords is good! Their system for debit payments online is also not to much of a problem. This card-reader system however offers very little protection to the kind of idiots who are caught out by these scams and yet causes mass inconvenience to every single RBS customer.

Perhaps the intent is to deter criminals away to other banks, but really I think this is over the top. If my inbox is anything to go by they are already deterred enough by the split password system.

Kavanne wrote: »

with rbs you only need the card reader to set up a NEW payment or payee, or amend it. If you just want to make a payment to an existing payee, then they wn't ask for the card reader

This isn't the case, as said the last three months I have had to call up to pay my rent to my landlord who is already a payee on my account.

mr_fishbulb wrote: »

RBS would probably tell you that you are responsible for any losses on your account becuase you refuse to use their security system.

Fine by me! I have no money anyway! :rotfl:

serious_saver

I had a similar problem with Nationwide. I set up an account to go travelling as their big incentive at the time was that there weren't any fees when abroad. Then they brought out these silly card readers whilst I was in North America, with no warning, so obviously I couldn't get hold of it. I naively assumed that because I had informed them that I would be travelling, they would be able to sort something out for me to allow me to do my banking but they told me there were NO exceptions. As a result I wasn't able to manage my account online for months. I was lucky that I was till able to use my card at all, as they sent new cards out to coincide with the readers, but at least (after numerous phone calls) they were able to keep it active for a few more months.

I am now with a bank that doesn't use card readers!

willo65

I would have expected the system to be the same as natwest where by you only use the card reader to set up a new payee. With barclays when you get one you need to use it everytime you log in and it is a pain.

agsnu

Delta-NC wrote: »

It's quite simple as far as I see it. If someone is dumb enough to enter their details on a phishing site then this offers very little protection.

All the scammer would need to do is create a bot to run a "man in the middle" style attack. Have the user enter their username and password at which point the scammers bot logs into their RBS account and sets up a transfer. On the victims screen they can then add an extra stage to the login process using the details from the transfer page "For added security please login using your RBS card reader...." the victim enters the code as shown which is then sent to the phishing bot which steals all their money.

This is a far more elaborate hack to execute. Entirely passive attacks, such as keystroke loggers, plain detail harvesting, etc are mitigated.

Adding payees is a relatively rare occurrence for most people, so the window of opportunity is massively decreased.

RBS' authorisation codes when adding a new payee have the last 4 digits in common with the account number that you are paying. Ignoring people being thick, in order for your attack to work, you'd have to be in the process of setting up a new payee to an account which had the last 4 digits in common with an account under the scammer's control. Either scammers would need 10,000 accounts or you'd need to be very unlucky.

This isn't the case, as said the last three months I have had to call up to pay my rent to my landlord who is already a payee on my account.

According to RBS, the only times you should have to use it are when you:

• Set up or change a single or regular payment instruction
• Make a payment for the first time online via a payment instruction that you set up separately from Digital Banking
• Create or amend a Standing Order
• Change the PIN or password you use to log in to Digital Banking

Are you saying that you had to use it in another circumstance, or was it covered by the 2nd bullet?

LilacPixie

I have only ever had to use mine setting up stuff online and never to make the actual payment. The biggest hassle I have is remembering which drawer I have flung it in as i only use it 1-2 times a year if that.

mluton

willo65 wrote: »

I would have expected the system to be the same as natwest where by you only use the card reader to set up a new payee. With barclays when you get one you need to use it everytime you log in and it is a pain.

No you don't, just click "Forgotten your PINsentry card reader?" on the Card reader entry screen.

And you can use your online banking, less a few features. HTH

mr_fishbulb

Delta-NC wrote: »

It's quite simple as far as I see it. If someone is dumb enough to enter their details on a phishing site then this offers very little protection.

All the scammer would need to do is create a bot to run a "man in the middle" style attack. Have the user enter their username and password at which point the scammers bot logs into their RBS account and sets up a transfer. On the victims screen they can then add an extra stage to the login process using the details from the transfer page "For added security please login using your RBS card reader...." the victim enters the code as shown which is then sent to the phishing bot which steals all their money.

You would have to be a very high profile target for someone to attempt a MitM attack on you. They would have to get between you and the bank site so the users would not have an SSL connection, or would get a certificate warning (granted most will just click OK to the warning).

Security is all about comparing the risk against the mitigation efforts. To me, the added security gained by 2 factor authentication, far outweighs the occasional inconvenience of the card reader.