
Nationwide: does anyone logon with the card reader?


Comments

  • mohar10
    mohar10 Posts: 12 Forumite
    edited 23 May 2011 at 12:11AM
    I tried to find a relevant section to post this under but I don’t think this is covered elsewhere…yet

    Here is my main point: is anyone else very worried about “card reader” security? I've been with Nationwide all my adult life; they have always done well for me, I really can't fault them on anything, and up until 3 weeks ago I would have highly recommended many of their saving products and general banking services, but I'm switching over to YBSa after my experiences of the last few weeks.

    I think everyone should take a minute to consider what this little addition to on-line banking really means: Nationwide, HSBC and NatWest all now require this or have plans to make the card reader mandatory for on-line banking operation and sign-on.

    Anyone not with the Nationwide should know that 6 months ago they rolled out full card reader based security, where members can sign in to the internet bank and give authentication for new and existing transactions with the card reader as opposed to being asked to answer old style memorable data validation questions.

    For the year before that they had been slowly issuing card readers to everyone, but until 6 months ago they were only used to authenticate new transactions and the reader was not required for everything like it is today.

    You will remember that a few weeks ago the PlayStation Network had that personal data theft incident, so I contacted the helpline and stopped my debit card.

    I was informed by the operative that the replacement card would take 7 – 10 working days to reach me and that I would not be able to use my existing card. I was also informed that to access cash I would need to take photo ID into a branch. I was not informed of any other loss of service.

    In the past when I have requested my card stopped in this same way, the card reader authentication was disabled during the time I was without a card, thus all normal banking functions remained accessible once the account was accessed using memorable data instead. However, on this latest occasion I discovered, too late, that the memorable data route had now been cancelled for everything except log in, so the stopping of the card meant that I could no longer access the money in my account at all, let alone pay bills. (My DDs still went out, but that was all.)

    The first point is this:
    If your bank has card readers which are required for operating your account, what will they do in the event of a stopped card?

    If like Nationwide the answer is to stop all access to your money on line then what provisions will they make to enable you to operate your account?

    (The only solution so far suggested is that I should have set up Telephone self-service or an account with another bank for emergencies!)

    Other questions to consider:
    What happens when the batteries die?
    Does the bank charge for replacement readers?

    The second point is this:

    So here is a reasonable situation: I use my card at an ATM machine, there is a second card reader and a camera installed, so the bad guy gets my card and PIN; he goes home, creates a clone of my card, then uses my PIN and fake card to sign on to my Nationwide online bank, and he can use this clone to do whatever he wants with my current account, savings account and ISA. Nationwide appear to be aware that this is possible.

    It is because the banks are aware of this that they now automatically suspend all access to your accounts when you report a lost or stolen linked card – with your card details and a generic reader in his hands there is no other line of defence to stop the fraudster. Many banks use this card reader now, so it is not hard to come by, and the card readers which are being issued to us are all interchangeable.

    In the old style system, the fraudster had to know a lot of facts or have some way of tricking you into giving all your security data over without raising suspicion, but now it seems not so much.
  • scragend
    scragend Posts: 287 Forumite
    Part of the Furniture 100 Posts
    mohar10 wrote: »
    Other questions to consider:
    What happens when the batteries die?
    Does the bank charge for replacement readers?

    They don't charge for the first replacement you request, but they say they may charge for subsequent ones.

    I found this out when I thought I had lost mine, only to find it on the same day the new one turned up!
  • rb10
    rb10 Posts: 6,334 Forumite
    mohar10 wrote: »
    If your bank has card readers which are required for operating your account, what will they do in the event of a stopped card?

    If like Nationwide the answer is to stop all access to your money on line then what provisions will they make to enable you to operate your account?

    As you correctly said, you can still do transactions over the phone.

    It is sensible to have a second way of accessing your account anyway, in case you were unable to use the internet (e.g. ISP problem, or computer breaks, etc).
    mohar10 wrote: »
    What happens when the batteries die?

    Easy - Nationwide state that they will send a replacement out before the batteries die.
  • casper_g
    casper_g Posts: 1,110 Forumite
    mohar10 wrote: »
    The second point is that this:
    So here is a reasonable situation, I use my card at an ATM machine, there is a second card reader installed and camera so the bad guy gets my card and pin, he goes home creates a clone of my card then uses my pin and fake card to sign on my Nationwide online back and he can use this clone to do whatever he wants with my current account savings account and ISA. Nationwide appear to be aware that this is possible.

    This shouldn't be a problem, as the first step of logging onto internet banking is to enter your customer number. This isn't printed on your card or related to any information stored on the card AFAIK, so the fraudster with the cloned card can't use it to get access to your internet banking. They can spend in stores using the card, of course.
  • mohar10
    mohar10 Posts: 12 Forumite
    edited 26 May 2011 at 4:24PM
    casper_g wrote: »
    This shouldn't be a problem, as the first step of logging onto internet banking is to enter your customer number. This isn't printed on your card or related to any information stored on the card AFAIK, so the fraudster with the cloned card can't use it to get access to your internet banking. They can spend in stores using the card, of course.

    Well, I think that's about 50% right; they can find out any number of valid customer numbers (randomly, and in the end mine too). It's a matter of running a database of known customer numbers against my cloned card's verification codes; indeed they may only have a 10% success rate, but, well, you can see the possibilities here.

    Try this experiment: go to the Nationwide internet bank sign-in screen (anyone can go there). Notice anything odd about it? It tells you "enter your customer number" and limits you to 10 digits. What if, for example, the system told you which numbers entered were and were not invalid? If the system did that, would it not in fact allow anyone to build up a database of valid customer numbers? Well, it does, and thus you can.

    With the old style memorable data input, if any part of the data was wrong the system just says there is a problem with the information, and you (and the bad guy) don't know which part was wrong; but now it's broken up into customer number and then the other parts, thus after stage 1 says there is a problem with the information, the bad guy KNOWS it was the customer number.

    We already know that the chip and pin security which card reader security is based on has a known weakness whereby it is possible to bypass the need to enter a valid pin to get it to authorize an action, so this determination to forcibly introduce a new fatally flawed system reliant on another flawed system appears crazy!

    If you think this isn't a problem, then why do Nationwide have this automatic policy to suspend all activity upon you stopping your linked card?

    The more I learn about this, the more I dislike the idea. How about this as another example:

    c. 15 months ago, the Co-operative Bank also started to roll out card readers, but in April, I think, they changed their mind, and instead of allowing you to sign in with the thing, you are now only required to use it to instruct new arrangements.

    I think they suddenly found out about the above type of issue or maybe had customer feedback, so instead of dictating to their members they played down the role of the card readers.
  • mohar10
    mohar10 Posts: 12 Forumite
    edited 24 May 2011 at 7:09AM
    rb10 wrote: »
    As you correctly said, you can still do transactions over the phone.

    It is sensible to have a second way of accessing your account anyway, in case you were unable to use the internet (e.g. ISP problem, or computer breaks, etc).

    Easy - Nationwide state that they will send a replacement out before the batteries die.


    Good idea; I did this 2 years ago, just in case, but made the error of not testing it for 12 months. Now the self-service system is NOT the equivalent of the internet bank; for example, you can't set up new arrangements, not even if you talk to a human.

    I do wonder if Nationwide can really tell how often I use the reader. Yes, they could assume that every time I do anything with the internet banking service (as they force us to now) I use it for c. 3 mins per action, and they could keep a record of this and over time work out the MTBF, then send out replacements accordingly, but I don't think they have put that much effort into it.
  • Olipro
    Olipro Posts: 717 Forumite
    mohar10 wrote: »
    We already know that the chip and pin security which card reader security is based on has a known weakness whereby it is possible to bypass the need to enter a valid pin to get it to authorize an action, so this determination to forcibly introduce a new fatally flawed system reliant on another flawed system appears crazy!

    Suppressing PIN submission will cause the transaction to complete in the same way it would if the merchant had performed a PIN Bypass transaction; this will only pass authorisation if the transaction is for a low amount, so whilst a criminal can defraud you out of say... a sandwich, your bank isn't going to authorise a PIN-bypassed transaction for a grand.

    As for your earlier suggestion that someone could install something at the ATM to clone your card's chip for the purposes of using the clone in a card reader; it's impossible.
  • mohar10
    mohar10 Posts: 12 Forumite
    edited 24 May 2011 at 8:17PM
    Olipro wrote: »
    Suppressing PIN submission will cause the transaction to complete in the same way it would if the merchant had performed a PIN Bypass transaction; this will only pass authorisation if the transaction is for a low amount, so whilst a criminal can defraud you out of say... a sandwich, your bank isn't going to authorise a PIN-bypassed transaction for a grand.

    As for your earlier suggestion that someone could install something at the ATM to clone your card's chip for the purposes of using the clone in a card reader; it's impossible.

    1) It used to be up to £5 for a bypass transaction but now it's £15.00 (same as the contactless technology; I think there is an upper limit of £50 for ATMs), and the same bypass-type trick can likely work for the card reader: the card reader and the bank are not linked, so as long as the reader can be made to work, the internet bank can't know that the reader was tricked.

    2) They don't need the chip; the important data is also on the stripe. This is how the VV2 works to unlock the CHIP after 3 consecutive attempts at the retail location.

    If you think this isn't a problem, then why do Nationwide have this automatic policy to suspend all activity upon you stopping your linked card? I don't think I like the idea that it's possible to start building a database of all the Nationwide's internet bank customer numbers (I would hope it's not as simple as it looks, i.e. they should be seeing many attempts from one IP as an attack, but I doubt it very much).

    Many groups seem to have a lot invested in the card reader system, so I can see why everyone really wants to believe it's a bulletproof system, but it's just not; it looks good until you start looking at it too closely.

    Anyway, back to the first point of my experience: that I was not given any warning about the suspension policy until after the event and found myself without any access to my accounts.

    This is a fundamental change to my terms and conditions which I was not given adequate information about.
  • Olipro
    Olipro Posts: 717 Forumite
    edited 24 May 2011 at 8:23AM
    mohar10 wrote: »
    1) It used to be up to £5 for a bypass transaction but now it's £15.00 (same as that contactless technology), and the same bypass type can work for the card reader; the card reader and the bank are not linked, so as long as the reader can be made to work the internet bank can't know that the reader was tricked.

    2) They don't need the chip; the important data is also on the stripe. This is how the VV2 works to unlock the CHIP after 3 consecutive attempts at the retail location.

    This is not how it works at all; go and read the EMV standard books rather than simply making up rubbish.

    The chip generates an ARQC; the ARQC it will generate after the PIN is successfully submitted will differ from one generated without submitting the PIN, hence, if you insert a shim between the card and the reader and fake the "90 00" response from the card, the masked bits of the ARQC will not match what the bank is expecting and will not be usable on the victim's internet bank.

    Your claim about unblocking the card is also complete tosh; the only way a card can be unblocked is by sending the correct enciphered PIN to the issuer, the issuer will then send a signed/encrypted update message to the card; depending on the issuer's policy, they may permit this from any terminal (typically an ATM) capable of online auth, or only through one they control themselves; it is impossible for a card to be unlocked offline unless you somehow have possession of the issuer's private key.

    The CVV2 on the back of the card is no longer stored on either the chip or the magstripe, and hasn't been for several years now. The stripe and the chip both have their own verification value that isn't shared between either; however, its necessity for chip transactions is reduced these days since any authorisation using DDA is cryptographically assured and verified by the issuer.

    As far as stopping your linked card goes, that is simply down to policy; there is no technical barrier to blocking a card for cash and purchases whilst leaving its ability to function for your internet banking intact. You need to argue that one out with Nationwide's management - but clearly, if they believe your card is stolen or otherwise in the hands of a third party, it would be expedient to disable it completely.

    Finally... guessing a 10 digit customer number? Are you joking?
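The point above (the cryptogram the card produces depends on whether the card itself saw a successful PIN verification, so a shim that merely fakes the "90 00" status to the reader yields a code the bank rejects) as an added illustration in Python; this is a deliberately simplified model written for this thread, not Nationwide's or the EMV specification's actual data layout: an HMAC stands in for the application cryptogram, a single constructed flag bit stands in for the card verification results, and every key, PIN, challenge and code format is invented.

```python
import hmac
import hashlib
import struct

# Constructed per-card key and one-bit "CVR" (card verification results) flag.
# Real EMV derives card keys from an issuer master key and carries a multi-byte
# CVR inside the Issuer Application Data; these are stand-ins for illustration.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CVR_PIN_VERIFIED = 0x01
SW_OK = b"\x90\x00"          # status word the reader expects after a good VERIFY


class Card:
    """Model of the chip: it records a PIN verification only when *it* checked the PIN."""

    def __init__(self, key: bytes, pin: str):
        self.key, self.pin = key, pin
        self.atc = 0               # application transaction counter
        self.pin_verified = False
        self.tries_left = 3

    def verify(self, pin: str) -> bytes:
        if self.tries_left == 0:
            return b"\x69\x83"     # PIN blocked after three wrong tries
        if pin == self.pin:
            self.pin_verified, self.tries_left = True, 3
            return SW_OK
        self.tries_left -= 1
        return bytes([0x63, 0xC0 | self.tries_left])   # 63 Cx: x tries remaining

    def generate_ac(self, challenge: bytes) -> tuple:
        """The cryptogram covers ATC, the CVR flag and the challenge, so nothing
        between card and reader can flip the flag without breaking the MAC."""
        self.atc += 1
        cvr = CVR_PIN_VERIFIED if self.pin_verified else 0x00
        data = struct.pack(">H", self.atc) + bytes([cvr]) + challenge
        mac = hmac.new(self.key, data, hashlib.sha256).digest()
        self.pin_verified = False  # one cryptogram per verification
        return self.atc, mac


def reader_code(atc: int, mac: bytes) -> int:
    """Reader display: low ATC digits plus a few cryptogram bytes as an 8-digit code (hypothetical)."""
    return (atc % 100) * 10**6 + int.from_bytes(mac[:3], "big") % 10**6


def issuer_expected_code(key: bytes, atc: int, challenge: bytes) -> int:
    """Bank side: recompute the code on the assumption that the card verified the PIN."""
    data = struct.pack(">H", atc) + bytes([CVR_PIN_VERIFIED]) + challenge
    return reader_code(atc, hmac.new(key, data, hashlib.sha256).digest())


def login(card: Card, entered_pin: str, challenge: bytes, shim: bool = False) -> bool:
    """Reader-side flow. With shim=True the VERIFY step never reaches the card and
    a fake 90 00 is returned to the reader, which then proceeds as if all were well."""
    status = SW_OK if shim else card.verify(entered_pin)
    if status != SW_OK:
        return False               # reader refuses to continue
    atc, mac = card.generate_ac(challenge)
    return reader_code(atc, mac) == issuer_expected_code(CARD_KEY, atc, challenge)


def genuine_vs_shimmed() -> tuple:
    """Same card, same constructed challenge: genuine PIN entry succeeds, the shim does not."""
    card = Card(CARD_KEY, "1234")
    challenge = b"\x00\x00\x12\x34"
    return login(card, "1234", challenge), login(card, "0000", challenge, shim=True)
```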
  • mohar10
    mohar10 Posts: 12 Forumite
    edited 29 May 2011 at 10:47PM
    Olipro wrote: »
    This is not how it works at all; go and read the EMV standard books rather than simply making up rubbish.

    The chip generates an ARQC; the ARQC it will generate after the PIN is successfully submitted will differ from one generated without submitting the PIN, hence, if you insert a shim between the card and the reader and fake the "90 00" response from the card, the masked bits of the ARQC will not match what the bank is expecting and will not be usable on the victim's internet bank...

    Finally... guessing a 10 digit customer number? are you joking?

    Let's go with the online account access is an “extra” service which they don't have to provide; if so, then why has this "extra" secondary service in my case affected all access? So it's not right to say it's an "extra" service if it can do so. (Remember the telephone service now offers less functionality than the online bank does, and I've seen more than a few restrictions on what you can do in branch in the last 3 years alone.)

    Think what you want of my ranting. I'm just trying to help by telling others of my experiences. I think the one point we can agree on (maybe) is that the banks will continue to say that chip and pin is infallible as long as they can, until the users help to evidence that it's not; we all know their computers "don't make mistakes", but in the end we should have a body of experiences for the FSA to investigate.

    They currently say SDA has only been hacked in a lab, but they were saying the same thing about the now well known YES CARD bypass not that long ago.

    So until someone can explain the logic behind the automatic policy to suspend all activity upon you stopping your linked card, I'm going to say there must be an issue with this version of the technology (before the full card reader rollout this lockout didn't happen, and now it does), otherwise why do it? The operative in charge of Internet banking told me they do this for my protection (and he admitted that they should have warned me about the complete lack of access), so that's what I base this on, instead of drawing on the published "standard", which has some physical differences in the UK, mostly due to cost I would think.

    I requested MY CARD stopped, NOT my ACCOUNT (again, they should have warned me of the consequence of no card reader access, but didn't). PlayStation Network only had my CARD number, not my account number, so closing down my current account should not be necessary, unless there is some other problem. I have a feeling that a form of YES CARD bypass may be possible, and a way of getting the next one-time passcode.

    There is clearly a direct logical disconnect between what the card technology vendors say isn't possible and what the banks then have done to the implementation.

    CVV2 is now not the same as the standard, nor is VV2, maybe not even the banking codes' versions (and I'm not saying you can unlock offline anyway; I'm saying there is a 2-way flow of information between the ATM and the card's chip, as is done in the YES CARD bypass (we don't use the full DDA)).

    There is no way of testing the home-entered PIN with the internet bank, as it can't access the PIN store either, so the home card reader is offline; but these card readers are meant to work like any retail reader, locking the card after 3 incorrect guesses. How can it do it off-line? 2-way exchange (it's meant to be more like the chip locking itself, but still). So I say the card readers we have in the UK are not a direct descendant of the EMV standard; if this were the case, as you say, it would not be a problem. But here we are; there must be some issue with how the system was implemented, else why the automatic policy for my protection?

    You don't need to guess the 10 digit customer number, that's my whole point: the system as is TELLS you (and the bad guy) if a valid number is entered, so yes, the bad guy knows a lot of VALID customer numbers, and not necessarily mine, but he still knows lots of VALID customer numbers which, for example, could be used in a phishing attack.

    So Nationwide effectively give out the customer numbers (50% of the internet bank access information), and we know that the system can't use time-based generation of the passcode, so this must be based on the transaction counter stored on the card chip. We know the log-in passcode is meant to be a one-time passcode, so we can assume the internet bank knows to move on to the next in the sequence of the known passcodes after each access attempt; seems like this could be used to help narrow down the possibilities.
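A defender-side illustration of the two points this thread keeps returning to (here and in the earlier "try this experiment" post), added as example code and not taken from the original posts: a two-stage sign-in whose first stage answers differently for valid and invalid customer numbers leaks which numbers exist, whereas a single-decision design returns one message whatever was wrong; and the "many attempts from one IP" check the poster hopes the bank runs, applied to a few constructed log lines. Customer numbers, passcodes, IP addresses and the log format are all invented.

```python
import hmac
from collections import defaultdict

# Constructed customer records: 10-digit customer number -> passcode (all invented).
CUSTOMERS = {"1234567890": "482913", "2233445566": "771020"}
GENERIC_ERROR = "There is a problem with the information you entered"


def stage_one_leaky(customer_number: str) -> str:
    """Two-stage form as described in the thread: the first stage alone says whether the
    customer number is known, so a wrong number gets a different answer from a right one."""
    if customer_number not in CUSTOMERS:
        return "There is a problem with the customer number"
    return "Enter your passcode"


def login_uniform(customer_number: str, passcode: str) -> str:
    """Single decision point: collect everything first, then answer with one generic
    message whether the number, the passcode or both were wrong."""
    stored = CUSTOMERS.get(customer_number, "000000")   # dummy keeps the code path the same
    ok = customer_number in CUSTOMERS and hmac.compare_digest(stored, passcode)
    return "Logged in" if ok else GENERIC_ERROR


# Constructed stage-one log: timestamp, source IP, customer number tried, result.
# 203.0.113.7 walks through many different numbers; 198.51.100.9 is one user mistyping.
SAMPLE_LOG = """\
2011-05-24T08:00:01 203.0.113.7 1234567890 OK
2011-05-24T08:00:02 203.0.113.7 1234567891 FAIL
2011-05-24T08:00:02 203.0.113.7 1234567892 FAIL
2011-05-24T08:00:03 203.0.113.7 1234567893 FAIL
2011-05-24T08:00:03 203.0.113.7 1234567894 FAIL
2011-05-24T08:00:04 203.0.113.7 1234567895 FAIL
2011-05-24T08:00:04 203.0.113.7 1234567896 FAIL
2011-05-24T08:01:10 198.51.100.9 2233445565 FAIL
2011-05-24T08:01:25 198.51.100.9 2233445565 FAIL
2011-05-24T08:01:40 198.51.100.9 2233445566 OK
"""


def flag_enumeration(log_text: str, threshold: int = 5) -> list:
    """Count *distinct* customer numbers that failed stage one per source IP. A real user
    retries the same number; a scan cycles through different ones, so distinct failures
    at or above the threshold mark the source as enumerating."""
    distinct_failures = defaultdict(set)
    for line in log_text.splitlines():
        _ts, ip, customer_number, result = line.split()
        if result == "FAIL":
            distinct_failures[ip].add(customer_number)
    return sorted(ip for ip, nums in distinct_failures.items() if len(nums) >= threshold)
```

The uniform variant removes the oracle; the log check catches a scan even where the form cannot be changed, and the same counting works on real web-server logs once the fields are mapped.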
This discussion has been closed.