RBS card readers: can we get rid of them?

aylithuk

Yes it might be a pain however if it's another method of stopping fraud then I am all for it. If you don't like using the card reader then just go back to using telephone banking (with you internet pin/password) When I forgot my card reader I just phoned the 24/7 team and they set up my new payee however for protection it was BAC'd 3 days rather then on faster payment just in case of fraud.

Also in case no one noticed it a genertic piece of equiment. Me and the girls at the office have 1 between 10 of us and it works on RBS and NW.

Ay

agsnu

mr_fishbulb wrote: »

You would have to be a very high profile target for someone to attempt a MitM attack on you. They would have to get between you and the bank site so the users would not have an SSL connection, or would get a certificate warning (granted most will just click OK to the warning).

I think the attack vector would more likely be some malware running locally on the machine. There have been reports of people visiting their bank web site in their local browser, by directly typing in the URL, and seeing the pages looking different (e.g. requiring complete security details rather than just single letters). It seems possible that said malware could inject JavaScript into the page locally, intercepting details and modifying the card reader security challenge. Can't really rely on SSL if your local machine is infected.

But it does seem unlikely.

Pint_Glass

I'm new to Barclays, and I am already hacked off with having to carry the reader with me if I wnat to use my laptop anywhere but home. If I wanted to use telephone banking i would, but I don't as the last time I did, my querey was't answered, and I spent 5 minutes listening to someone who wouldn't take no for an answer with a sales script.

mluton

Pint_Glass wrote: »

I'm new to Barclays, and I am already hacked off with having to carry the reader with me if I wnat to use my laptop anywhere but home. If I wanted to use telephone banking i would, but I don't as the last time I did, my querey was't answered, and I spent 5 minutes listening to someone who wouldn't take no for an answer with a sales script.

See my other post above, might be of help

Delta-NC

agsnu wrote: »

According to RBS, the only times you should have to use it are when you:

• Set up or change a single or regular payment instruction
• Make a payment for the first time online via a payment instruction that you set up separately from Digital Banking
• Create or amend a Standing Order
• Change the PIN or password you use to log in to Digital Banking

Are you saying that you had to use it in another circumstance, or was it covered by the 2nd bullet?

Yes, I have been making payments to my landlord ever since I moved here 8 months ago. I have had to go though this process every single time I make a payment to anyone.

mr_fishbulb wrote: »

You would have to be a very high profile target for someone to attempt a MitM attack on you. They would have to get between you and the bank site so the users would not have an SSL connection

I'm not meaning MitM in a traditional network sense. I'm talking about setting up an automated site which passes details to and from the user while itself accessing the RBS site. I know it would be more complex than just getting usernames and passwords but I don't think it would particularly difficult either.

aylithuk wrote: »

If you don't like using the card reader then just go back to using telephone banking (with you internet pin/password)

RBS have told me that this card reader will be required for phone banking too.

I have no intention of staying with RBS once my account is in credit :rotfl:

serious_saver

Basically cards readers are fine as long as you only use internet banking from home. If you need to do banking on the move, which as far as can tell is one of he mains points of internet banking, then they're a complete pain in there errrrr....neck.

scouselad1974

HSBC use a smaller unit that attaches to your key ring that creates random numbers, no card has to be placed into it, so it is a lot easier to take with you.

Extant

Delta-NC wrote: »

All the scammer would need to do is create a bot to run a "man in the middle" style attack. Have the user enter their username and password at which point the scammers bot logs into their RBS account and sets up a transfer. On the victims screen they can then add an extra stage to the login process using the details from the transfer page "For added security please login using your RBS card reader...." the victim enters the code as shown which is then sent to the phishing bot which steals all their money.

Does RBS not use the "sign" feature to authenticate payments? This requires you to give your PIN, a reference, and the amount you're paying to generate the eight digit code. This feature exists to prevent this very kind of attack from happening.

Delta-NC

It makes you enter your pin and an 8 digit code. The code isn't even stored in an image format which makes it easier to pick off the page and place on another.

Twister84

If you've been paying it online for the past 3 months, then you must already have the payee set up - therefore you don't need the card reader


Just in case you didn't know, if it helps, you can make faster payments from RBS branches to others banks. If it's rent, you should only need your chip & pin card and the account details the money is going to.

scouselad1974 wrote: »

HSBC use a smaller unit that attaches to your key ring that creates random numbers, no card has to be placed into it, so it is a lot easier to take with you.

Hmm, my brother's with HSBC and he doesn't have one...it sounds funky though!