Which banks don't use card readers for online transactions?

Comments

  • NFH
    NFH Posts: 4,413 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    marvin wrote: »
    Oh and can we please make sure that what you say is directed at Nationwide and no other bank as with the Nationwide you do not have to use this device once you use it every time. They want you to use it to log into their website every time you want to make a payment. If it was just when setting up then it would be okish but the way the Nationwide use it stops their website being usable on the go.
    Then I agree with you on that point. Card readers should be required only to set up a new payee, as that's what phishing involves. This is why Barclays from 17th May 2011 will downgrade their security to require card readers only in order to set up new payees, and even then, many approved payees will not require a card reader.
  • meer53
    meer53 Posts: 10,217 Forumite
    Tenth Anniversary 10,000 Posts Combo Breaker
    NFH wrote: »
    No, they stop the web from being used in the way it shouldn't, i.e. for fraud.

    So, you think all fraud starts on the web? There are other ways of obtaining card details you know.
  • NFH
    NFH Posts: 4,413 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    meer53 wrote: »
    So, you think all fraud starts on the web? There are other ways of obtaining card details you know.
    No, why do you believe I think that?
  • NEH
    NEH Posts: 2,464 Forumite
    We've got one of the new readers for Lloyds and I can testify they are a bit of a nightmare having to use it for every single transaction, for businesses it does make the process so much slower and a lot more fiddly...

    Bank of Scotland/Halifax don't have them yet but as they're part of Lloyds now it might only be a matter of time....
  • Derivative
    Derivative Posts: 1,698 Forumite
    marvin wrote: »
    But it is not obvious that these provide any more safety than not.

    You are clearly being obtuse here.
    There is a debate to be had on whether it is worth the extra hassle, but it is definitely more safe.

    Using a card reader in addition to a password is more secure than simply using the password (Halifax, Santander).

    Personally I don't mind the extra 'hassle' as I'm sure I'd find having to chase after a few grand an issue.
    Said Aristippus, “If you would learn to be subservient to the king you would not have to live on lentils.”
    Said Diogenes, “Learn to live on lentils and you will not have to be subservient to the king.”
  • MPH80
    MPH80 Posts: 973 Forumite
    Part of the Furniture Combo Breaker
    edited 10 April 2011 at 9:48PM
    There is a debate to be had on whether it is worth the extra hassle, but it is definitely more safe.
    Indeed.

    Basic security principles:

    Start with a simple mechanism - something you know - e.g. a password
    To get more secure - make it two factor - introduce something you have
    To get even more secure - go three factor - make it also something about you - e.g. a biometric.

    What banks had was a password. Now they've moved to the two factor. Not only do you have a password - the pin (e.g. something you know) - you've got something you have too - the card where the chip can't be duplicated - note that the chips still haven't been duplicated - you can man-in-the-middle/bypass the chip for EMV transactions or duplicate the mag stripe - but not the chip - which is what does the calculation for the card readers.

    So let's look at the potential fraud avenues for the web banking sites:

    1) Someone tempts you into putting your details into a fake website. Well - that's a problem with the password, as they now have it. With the card/pin mechanism - it does them no good without the card. So - a mass mailing won't help them here - it'd have to be very targeted. They'd have to have your card first.

    2) Someone does a man-in-the-middle attack on you - faking the normal login screen. Well - that's good too. *Even* if they tempt you into entering the identify code from the card reader - it does them no good because to set up the new payee they have to get you to enter the code into the device. This requires that you are going to do this on the site! So - that's no good to the fraudster.

    3) Someone puts a keylogger onto your machine. Well - again - this doesn't help them. They might get the one time identify code ... or they might get the code for you setting up a new payee. Either way - it doesn't help them.

    4) Someone steals your card. Unless you've got the pin written down WITH the card - it's useless to them. The chip will lock itself after three attempts. Even if they have the card - they still need your internet banking code.

    In the first three cases - a password would have fallen to the attack because they'd have also encouraged you to put your user ID in.

    So why aren't they more secure?

    You could argue that, for a careful person, a password or a bit of personal info is secure enough - but even a careful person might get a keylogger onto their computer from that USB stick the guy at work lent them (for example). Virus checkers do *not* catch everything. They take time to catch up, and even when they do they can miss things.

    I prefer the idea I'm more protected than I was.

    In the last month - I've had phishing emails for Lloyds ... Halifax ... HSBC ... Natwest. I've just checked. None of the others. Spot the trend? It's banks that aren't using card readers for login authentication.

    M.
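
MPH80's cases 1 to 3 above, as an added example that is not part of the original thread: a simplified model of a card-reader code that is bound to a counter, a mode and the payee, so a code captured at login cannot authorise a new payee. The HMAC-SHA256 construction, the `identify`/`payee` mode names and the `ToyCard`/`ToyBank` classes are assumptions for illustration, not the algorithm real bank card readers use.

```python
import hashlib
import hmac

def code(key, counter, mode, data=""):
    """8-digit one-time code bound to a counter, a mode and optional payee data."""
    msg = f"{counter}|{mode}|{data}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class ToyCard:
    """Stand-in for the chip: the key never leaves it; three wrong PINs lock it."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin
        self.counter, self.tries_left = 0, 3

    def respond(self, pin, mode, data=""):
        if self.tries_left == 0:
            return None                      # locked, even for the right PIN
        if pin != self._pin:
            self.tries_left -= 1
            return None
        self.tries_left = 3
        self.counter += 1
        return code(self._key, self.counter, mode, data)

class ToyBank:
    """Accepts each counter value once, within a small look-ahead window."""
    def __init__(self, key):
        self._key, self.last_counter = key, 0

    def verify(self, submitted, mode, data=""):
        for c in range(self.last_counter + 1, self.last_counter + 4):
            if hmac.compare_digest(code(self._key, c, mode, data), submitted):
                self.last_counter = c
                return True
        return False

def demo():
    key = b"constructed-demo-key"            # constructed sample secret
    card, bank = ToyCard(key, "1234"), ToyBank(key)
    login = card.respond("1234", "identify")
    out = {"login": bank.verify(login, "identify"),
           "replayed_login": bank.verify(login, "identify")}
    captured = card.respond("1234", "identify")   # code typed into a fake login page
    out["captured_login_code_for_new_payee"] = bank.verify(captured, "payee", "99999999")
    signed = card.respond("1234", "payee", "11112222")
    out["payee_swapped_in_transit"] = bank.verify(signed, "payee", "99999999")
    out["payee_as_signed"] = bank.verify(signed, "payee", "11112222")
    return out
```

Only the first login and the payee exactly as entered into the reader verify; the replayed code, the login code reused for a payee and the swapped payee are all rejected.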
  • blueberrypie
    blueberrypie Posts: 2,402 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker Name Dropper
    EdgEy wrote: »
    You are clearly being obtuse here.
    There is a debate to be had on whether it is worth the extra hassle, but it is definitely more safe.

    http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
  • Derivative
    Derivative Posts: 1,698 Forumite

    There are weaknesses in the protocol used, that doesn't make it less safe than nothing at all.
    Said Aristippus, “If you would learn to be subservient to the king you would not have to live on lentils.”
    Said Diogenes, “Learn to live on lentils and you will not have to be subservient to the king.”
  • notafan
    notafan Posts: 269 Forumite
    MPH80 wrote: »
    Indeed.

    Basic security principles:

    Start with a simple mechanism - something you know - e.g. a password
    To get more secure - make it two factor - introduce something you have
    To get even more secure - go three factor - make it also something about you - e.g. a biometric.

    What banks had was a password. Now they've moved to the two factor. Not only do you have a password - the pin (e.g. something you know) - you've got something you have too - the card where the chip can't be duplicated - note that the chips still haven't been duplicated - you can man-in-the-middle/bypass the chip for EMV transactions or duplicate the mag stripe - but not the chip - which is what does the calculation for the card readers.

    So let's look at the potential fraud avenues for the web banking sites:

    1) Someone tempts you into putting your details into a fake website. Well - that's a problem with the password, as they now have it. With the card/pin mechanism - it does them no good without the card. So - a mass mailing won't help them here - it'd have to be very targeted. They'd have to have your card first.

    2) Someone does a man-in-the-middle attack on you - faking the normal login screen. Well - that's good too. *Even* if they tempt you into entering the identify code from the card reader - it does them no good because to set up the new payee they have to get you to enter the code into the device. This requires that you are going to do this on the site! So - that's no good to the fraudster.

    3) Someone puts a keylogger onto your machine. Well - again - this doesn't help them. They might get the one time identify code ... or they might get the code for you setting up a new payee. Either way - it doesn't help them.

    4) Someone steals your card. Unless you've got the pin written down WITH the card - it's useless to them. The chip will lock itself after three attempts. Even if they have the card - they still need your internet banking code.

    In the first three cases - a password would have fallen to the attack because they'd have also encouraged you to put your user ID in.

    So why aren't they more secure?

    You could argue that, for a careful person, a password or a bit of personal info is secure enough - but even a careful person might get a keylogger onto their computer from that USB stick the guy at work lent them (for example). Virus checkers do *not* catch everything. They take time to catch up, and even when they do they can miss things.

    I prefer the idea I'm more protected than I was.

    In the last month - I've had phishing emails for Lloyds ... Halifax ... HSBC ... Natwest. I've just checked. None of the others. Spot the trend? It's banks that aren't using card readers for login authentication.

    M.

    It's getting silly though, these are just temporary fixes.

    Chip and pin is hackable, people can clone cards so having a card reader isn't fraud proof - and someone mentioned on another thread that the codes they use have been cracked recently.

    I just think banks could be a bit more intuitive with their security.

    By all means make us more secure but do it in a better way - even a keyring would be better than these (seeing as you'll take your keys with you when you leave etc).

    And as to third tier how long before people start taking out eyeballs and chopping off fingers! ;)
  • dlk
    dlk Posts: 260 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    sdavi3680 wrote: »
    I'm with Nationwide and hate that I have to use a card reader every time I want to make a payment from my online account. Are there any banks that don't use them?

    Thanks


    I really wouldn't bother changing banks if that's your only problem with Nationwide. Within 2 years I'd be very surprised if any banks aren't using a device like that (although the pending HSBC ones that are a similar size to a credit card are at least a bit more portable than most).
This discussion has been closed.