
Nationwide: does anyone logon with the card reader?


Comments

  • callum9999
    callum9999 Posts: 4,434 Forumite
    Only certain banks have used this system. Criminals can get hold of card readers. They can clone cards and extract PIN information. Card readers DO NOT make things any more secure.

    Well the fact that they need your card makes it more secure than a system where they don't need your card...

    It doesn't make it 100% secure I agree, but more than if it wasn't there. You wouldn't be so quick to get in a strop if you were held liable and had all your money stolen, would you?
  • You just aren't getting it. You would rather have a system which is a right pain in the !!!! to use, that inconveniences people, than the bank keeping its systems secure. While I admit that no system is 100% secure, it's the bank's responsibility to do this and if your money is stolen due to an attack on your account through their systems... they are liable, NOT you.

    Other banks use a call-your-landline service. This is much more secure and is not hard to use. Why defend the banks here, do you want more hassle from them?
    This is a consumer website, you'll be telling me the HBOS should have been rescued next!
  • Scarpacci
    Scarpacci Posts: 1,017 Forumite
    You just aren't getting it. You would rather have a system which is a right pain in the !!!! to use, that inconveniences people, than the bank keeping its systems secure.
    That is how the bank keeps it secure. The security of the system can't be decoupled from consumers' hassle. Sure, the banks have a great responsibility to ensure the "back door" is locked and bolted, so no fraudster gets in, but that's not enough when the front door, through which all their customers get in, can be blown down. We are the weak link in the chain. The easiest point of entry is the one the customer uses. We can argue over methods but, as a general rule, the more "painful" it is for the customer, the more secure it is. The easier it is for consumers, the easier it would be for fraudsters to impersonate us and get through the door.

    A call back would prove to be hassle for lots of people who like to check their banking outside of their home. Admittedly, they're often the same people who dislike card readers. Whatever they come up with will prove to be a terrible inconvenience (!) for some people.
    This is everybody's fault but mine.
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    You just aren't getting it. You would rather have a system which is a right pain in the !!!! to use, that inconveniences people, than the bank keeping its systems secure. While I admit that no system is 100% secure, it's the bank's responsibility to do this and if your money is stolen due to an attack on your account through their systems... they are liable, NOT you.

    If someone breaks into the bank and steals your cash, then yes, they are liable. If your bank is protected with a simple username and password and some malicious software running on your PC transmits these details to a thief who empties your bank account, who is liable then? You can't blame the bank as according to them it was an authorised login. If you use some device which is not affected by your PC then you are safer and the bank is happier knowing that their customer portal is safer.

    Let's take Santander as an example: To login they require: Customer ID, Registration ID, Passcode. Your passcode has to be a jumble of letters and numbers without sequences. These are bound to be written down by most people as they are impossible to remember. You are also sending the exact same data over the internet every time you want to login to your account. Perfect for key logging software running without your knowledge.

    Now if Santander supported using a card reader to login you don't need to remember anything apart from a PIN you already use (your customer id can be remembered by your browser). So, nothing is written down (more secure) and the data sent across the net is different every time (more secure). If someone records it so what, it's a one-time code (more secure).

    See the difference?
  • I see the difference. One is a massive pain in the !!!! to use. I'm not talking about using card readers to log in, I've never done it and that would be even worse. I am annoyed enough about having to use the damn thing just to make a payment! And this is where Lloyds Banking group are good at with their callbacks. I notice that N&P building society take a dim view of logging into your online banking on a computer that is public or even at work, and that they are not liable for losses in that case. I think that's interesting... (they also say they are not liable for losses if their systems are down ie payment can't be made on time due to no service available, very poor.) A card reader would I suppose provide a little more of a hurdle for hackers to log in but for the amount of hassle they are it's not worth it and if Nationwide require that method I'll move the accounts.

    As for keylogging, Citibank used a screen based keyboard to use to enter details with the mouse. Then they got rid of it, because customers told them they didn't like it. Were they wrong?
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    I think we'll just have to agree to disagree. I'd never use any bank account (as my main account) that didn't use a card reader to login and to authorise payments. That's why I use Barclays and Nationwide. The latter I had to complain before they would change my banking from memorable details to card reader.

    Co-op support using a card reader for payment but not for logging in - crazy! If you have the technology implemented already - USE IT!
  • jalexa
    jalexa Posts: 3,448 Forumite
    edited 11 November 2011 at 9:25AM
    Gromitt wrote: »
    I think we'll just have to agree to disagree. I'd never use any bank account (as my main account) that didn't use a card reader to login ...

    Natwest/RBS doesn't use the card reader to log-on. In fact there are regular dire warnings about never (being tricked) into using the card reader to logon.

    I suspect a cryptologist would be able to explain the reason why using a card reader ahead of being logged on is a potential goldmine for returned codes. Read this and be very afraid...

    http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    Well yes, the card reader proves your identity. You need to make measures to ensure the bank has proven its identity first. You would never enter your customer id or any other such information into a non-secure site that hasn't identified itself properly. It's like emailing your credit card number to someone.
  • jalexa
    jalexa Posts: 3,448 Forumite
    edited 11 November 2011 at 3:02PM
    Gromitt wrote: »
    You need to make measures to ensure the bank has proven its identity first

    Well yes, but all the card reader does is prove possession of the card and knowledge of the PIN and any old reader because they are all (or were) the same. In fact the card-readers are a mugger's charter because on a dark back-street can prove that a coerced PIN is genuine.

    The RBS/Natwest logon procedure is actually very good. Only partial non-familial data is required, then you can determine from the logon whether it is your account you are connected to.

    I do accept however that "man in the middle" can't be discounted. Not entirely sure as I am not a cryptologist if the card reader changes that.
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    I agree with you. To make the system as cheap as possible most banks use the same card and same PIN as your ATM card. I only know of Barclays which allow the use of an "Authentication card" which only works in the reader, not an ATM machine.

    As for muggers, unless I intend on spending a lot of cash I normally only carry around with me my Nationwide card. My FlexAccount is typically around the £100 mark, so if I feel like I'm threatened and they want my PIN, I will give it to them.

    Man in the middle can be used, but it takes a lot of processing power and, unless people are stupid enough to click links in emails, the ability to manipulate your internet traffic. Malware could also do the redirection at the PC end, but the middle man is likely to fail when the user gets asked for another challenge to confirm a transaction. I don't know of any reports which state you can retrieve the key certificate from multiple authenticated logins so the thief still needs access to your card.
This discussion has been closed.
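
The two points argued above (a static passcode is the same data every time while a reader code is single-use, and a payment needs a further challenge) can be shown from the bank's side; this is an added example, not part of the thread and not any bank's code. The HMAC counter scheme is a stand-in and not the algorithm real card readers use; the key, passcode and payee values are constructed.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-card-key"  # assumed stand-in for the secret inside the chip


def card_code(key: bytes, counter: int, challenge: str = "") -> str:
    """8-digit code a reader would display: counter-based, optionally challenge-bound."""
    msg = counter.to_bytes(8, "big") + challenge.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class BankVerifier:
    """Server side: every counter value is accepted at most once."""

    def __init__(self, key: bytes, window: int = 3):
        self.key, self.window, self.next_counter = key, window, 0

    def verify(self, code: str, challenge: str = "") -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(card_code(self.key, c, challenge), code):
                self.next_counter = c + 1  # burn this counter and all earlier ones
                return True
        return False


def demo() -> dict:
    bank = BankVerifier(CARD_KEY)
    results = {}
    # Static passcode: identical on every login, so a recorded copy still matches.
    stored = recorded = "passcode-constructed"
    results["static_replay_accepted"] = hmac.compare_digest(recorded, stored)
    # One-time login code: accepted once, the recorded copy is then rejected.
    login = card_code(CARD_KEY, 0)
    results["login_accepted"] = bank.verify(login)
    results["login_replay_accepted"] = bank.verify(login)
    # Payment code is bound to the challenge the bank issued for that payment.
    pay = card_code(CARD_KEY, 1, "payee=12345678;amount=50.00")
    results["payment_other_challenge_accepted"] = bank.verify(
        pay, "payee=87654321;amount=900.00")
    results["payment_accepted"] = bank.verify(pay, "payee=12345678;amount=50.00")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check only covers replay and challenge binding; it does not show whether the customer is talking to the genuine bank site, which is the separate concern raised in the thread.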