Additional Online Banking Security Measures

Cmdr_Bond

Just interested to know which methods are used by which banks - personal accounts only. Also, I would like to know how much hassle they cause or how easy to use they are.

Santander (ex Abbey) uses "One Time Passcode", which sends texts to your mobile phone when setting up new payments (even to existing recipients), but other than that, it appears to keep out of the way. Only problem with this is, if you don't have a mobile (unlikely but possible) or don't register, you can't make new payments online.

In this instance, Santander have, IMO, done something right - I much prefer the idea of a OTP text to using a card reader.

[edit] changed mind

Cmdr_Bond wrote: »

... this is their demo page

Having just run through the demo - you do not need to key in the existing phone number when changing to a new phone number (like you have to do most password resets out there). It sends an OTP to the new number to confirm the change - but only sends a message to the old number. So in theory, you would know if someone had changed it behind your back.

...

[/edit]


I know Barclays uses PinSentry - I know little else about this.

So who does what, and how good / bad is it?




Abbey / Santander - One Time Passcode via SMS. Not overly intrusive, but not necessarily as secure as it at first appears. (see above)

Barclays - Card Reader - Intrusiveness currently unknown.

Co-op - Card reader

vinh1000 wrote: »

The co-operative bank also use a card reader as well to authenticate payments and transfers

Halifax / BoS - Some telephone verification.

vinh1000 wrote: »

Halifax/BoS may ask for telephone verificiation on certain high valued/risky transactions with their automated service

HSBC, Personal - Text code to mobile or landline for new payees.
HSBC, Business - One Time Key Device (:question: not a card reader :question:).

spenderdave wrote: »

HSBC business accounts use a one-time-key device, which works well. I gather it is cost which is why they haven't introduced it to their personal banking. But on that they do text a code to your mobile or landline when setting up new payees (in theory, it has not actually happened to me yet).

...

LLoyds, Personal - Automated call back system to mobile or landline when seeting up a new payee.
LLoyds, Business - Card Reader required to login in and for all payments.

Foggster wrote: »

Lloyds call you back when setting up a new payee, it is an automated system and you can choose to have it sent to your mobile or landline. You key in the number showing on screen and once confirmed a payment can be made. It is all very quick and easy.

The business account has the card/pin reader for logging in and all payments being made i.e. standing orders, direct payments etc. It is a faff when first using it and means you can bank on the move as easily because you have to remember to take the reader with you!

Nationwide - None yet, but a card reader is on the horizon.

vinh1000 wrote: »

Nationwide will be using a card reader shortly to authenticate payments and transfers and possibly used as additional security to login

RBS / NatWest - Card Reader - Just enough extra security with out being overly intrusive.

carrieh wrote: »

Both RBS and Nat West use a card reader. However you only ever have to use this twice for new payees - once when setting the payee up and once when making the first payment to that person or organisation. After that, you can make payments online to othat particular payee without using the card reader. It's a good system, not too intrusive (it would annoy me if I had to use the card reader every time) and with just enough security.

...

spenderdave

HSBC business accounts use a one-time-key device, which works well. I gather it is cost which is why they haven't introduced it to their personal banking. But on that they do text a code to your mobile or landline when setting up new payees (in theory, it has not actually happened to me yet).

It is wrong to assume everybody has a mobile. I do, but it is normally kept switched off and only used in emergencies. There are loads of people who do not consider it a necessity, regardless of what the media tell us. In my lifestyle I am normally at home (and an answerphone when I am not) so have little use for a mobile.

carrieh

Both RBS and Nat West use a card reader. However you only ever have to use this twice for new payees - once when setting the payee up and once when making the first payment to that person or organisation. After that, you can make payments online to othat particular payee without using the card reader. It's a good system, not too intrusive (it would annoy me if I had to use the card reader every time) and with just enough security.

I have doubts about the security of a code sent to a mobile phone. What's to stop anyone hacking into your bank account online, changing your mobile telephone number to their own, and then setting up a new payee? Or have I misunderstood the system? (Quite likely, as I haven't used it!)

Cmdr_Bond

spenderdave wrote: »

...

It is wrong to assume everybody has a mobile. I do, but it is normally kept switched off and only used in emergencies. There are loads of people who do not consider it a necessity, regardless of what the media tell us. In my lifestyle I am normally at home (and an answerphone when I am not) so have little use for a mobile.

Fair point, well made.

carrieh wrote: »

...

I have doubts about the security of a code sent to a mobile phone. What's to stop anyone hacking into your bank account online, changing your mobile telephone number to their own, and then setting up a new payee? Or have I misunderstood the system? (Quite likely, as I haven't used it!)

I have just looked into that, this is their demo page

Having just run through the demo - you do not need to key in the existing phone number when changing to a new phone number (like you have to do most password resets out there). It sends an OTP to the new number to confirm the change - but only sends a message to the old number. So in theory, you would know if someone had changed it behind your back.

So yeah, all in all not as good an idea as I first thought.

next please

Foggster

Lloyds call you back when setting up a new payee, it is an automated system and you can choose to have it sent to your mobile or landline. You key in the number showing on screen and once confirmed a payment can be made. It is all very quick and easy.

The business account has the card/pin reader for logging in and all payments being made i.e. standing orders, direct payments etc. It is a faff when first using it and means you can bank on the move as easily because you have to remember to take the reader with you!

Bloomberg

Cmdr_Bond wrote: »

Just interested to know which methods are used by which banks - personal accounts only. Also, I would like to know how much hassle they cause or how easy to use they are.

Santander (ex Abbey) uses "One Time Passcode", which sends texts to your mobile phone when setting up new payments (even to existing recipients), but other than that, it appears to keep out of the way. Only problem with this is, if you don't have a mobile (unlikely but possible) or don't register, you can't make new payments online.

In this instance, Santander have, IMO, done something right - I much prefer the idea of a OTP text to using a card reader.

I know Barclays uses PinSentry - I know little else about this.

So who does what, and how good / bad is it?

I have to grudgingly admit that Santander have actually come up with a really good idea. I never thought I would ever say this. :T

[Deleted User]

Nationwide will be using a card reader shortly to authenticate payments and transfers and possibly used as additional security to login
The co-operative bank also use a card reader as well to authenticate payments and transfers
Halifax/BoS may ask for telephone verificiation on certain high valued/risky transactions with their automated service
Metro Bank and Norwich Building Society none as of yet

and Santander's OTP is a good idea

Cmdr_Bond

vinh1000 wrote: »

...

and Santander's OTP is a good idea

I agree with that, I am just on the fence regarding the security of OTP, seeing as you do not have to authenticate changing the number. If someone has hacked your account and changed your password, then changed the phone number linked to OTP (probably with a burn phone), you will get a text to say the message has changed and THEY will get a confirmation code sent to the new number. If you can't call Santander immediately (and get through) you could end up with your account wiped out. I say could, I would have thought they could probably reverse the payment, but this is Santander we are talking about.

They just need to change the way you change your OTP number - and then it will be fine.

Eco_Miser

carrieh wrote: »

I have doubts about the security of a code sent to a mobile phone. What's to stop anyone hacking into your bank account online, changing your mobile telephone number to their own, and then setting up a new payee? Or have I misunderstood the system? (Quite likely, as I haven't used it!)

The first thing is the bank's internet security systems, the second is that the phone number has to be provided several days in advance of being used (I think, I get confused over which bank does which checks), and third, email confimation is sent of any changes made and payments set-up (again, I may be thinking of a different bank, but it certainly could all be done by one bank, and each element is done by some bank)

Cmdr_Bond

When I set up OTP, as I will have to do again soon when I get my new details, all I have to do is enter my phone number - they send an OTP to that number to confirm and off we go. No waiting, and if memory serves, no email.

[edit]
Just checked - definately no mail from them.

Eco_Miser

Cmdr_Bond wrote: »

When I set up OTP, as I will have to do again soon when I get my new details, all I have to do is enter my phone number - they send an OTP to that number to confirm and off we go. No waiting, and if memory serves, no email.

That's not good. The security of calling/texting is only effective when the number has been pre-arranged.

Ah, but you are talking about the initial set-up; the may be a waiting period after a change.

I know when I deleted my ex-work number I couldn't do transactions needing phone authorisation, even though my home number hadn't changed. (This was a slightly different system, they show a number onscreen, the phone rings, you pick-up and enter the number on the phone keypad. I thought the bank was A&L, but I may by mistaken on that.

Cmdr_Bond wrote: »

Just checked - definately no mail from them.

On reflection, it's Halifax that confirms every action by email.