Nationwide: does anyone logon with the card reader?

mohar10

I’ve just found out that my little card reader takes 2 x CR2032, the type found in doorbells, watches and other items that are expected to consume small amounts of every over a long time. Because it just died (I think it's lasted a little over 2 years), what happened was it displayed ‘low battery’ for 5 actions than it died. So at least you have some warning befor your suck calling the 08257 help line.

But I also have an “accessibility” card reader, better then the little one, it has a big (3x 1.5CM) 2 line display and it has voice feedback, (took me 4 months to get one of these and in the process they sent me 7 (yes 7) of the little ones know, the system, at that time dident have the option to select which trype you where requestiog and the operatives dide'nt read the notes (good hing that hen hese where free), Anyway the big card reader takes 2 AAA batteries, much easier to find and cheaper too.

glider3560

mohar10 wrote: »

So at least you have some warning befor your suck calling the 08257 help line.

To avoid the call, you can logon with your password then send a secure message. Alternatively, one can be ordered at a branch or you can call 01793 656789.

noh

glider3560 wrote: »

To avoid the call, you can logon with your password then send a secure message. Alternatively, one can be ordered at a branch or you can call 01793 656789.

Or put a new battery in or use one of the other seven you already have.

noh

If you are really concerned about losing access to Nationwide online while a card is cancelled and reissued then open additional accounts with cards.
I have 3 different cards I can use in the reader to use internet banking. Two flex accounts and one regular savings.
A drop down list is provided to select the card you are using.

mohar10

noh wrote: »

Or put a new battery in or use one of the other seven you already have.

After the months of being sent the little ones I took them all back to my local branch to complain (in a bin liner all boxed up and unplened), I only use that little one at work (its there just in case really, can barley see the thing) the accessible one is much better.

mohar10

noh wrote: »

If you are really concerned about losing access to Nationwide online while a card is cancelled and reissued then open additional accounts with cards.
I have 3 different cards I can use in the reader to use internet banking. Two flex accounts and one regular savings.
A drop down list is provided to select the card you are using.

I also have two current accounts (soon to be less) with them (3 in total that could use the reader) and they stopped the lot for my protection without warning!!

I believed I had given myself every possible fail-safe but this situation is so strange and just plain wrong that everything I did to negate loss of service failed, and I'm willing to bet I'm not the only one with a false sense of security.

I had another call from the internet banking adviser today (2ed time they called me in 2 weeks), one of the funny taking you "through security" things they ask you is to name an account you hold then somtimes the current balance and I'm never within £1000 they dont seem to mind - why should the people around me know mow much money I have). Nat-wast do this a bit better, they pitck a transaction then ask you to fill in the gap, li.e on this date how much was this internal transfer to [end of account number], just enough information so you can answer but something anyone else would have very little change of getting right.

mohar10

glider3560 wrote: »

To avoid the call, you can logon with your password then send a secure message. Alternatively, one can be ordered at a branch or you can call 01793 656789.

I do like the idea of the secure message facility but I do think they have a built in filter system for initial responces which generates a reply from a database of scripted answers questions based on keywords you included in the message, maybe there is a moderator who see the results.

I have used it 4 times in the last 2 years and I've allways had to write a second strongly worked letter back about the nonsense answers I initially got form them,

Here is part of my most recent message ..."[FONT=&quot]In particular, I was not warned that this action would also prevent normal internet banking operations..." ... "[/FONT][FONT=&quot]In the past when I have requested my card stopped in this same way, the card reader authentication was disabled during the time I was without a card - thus all normal banking functions remained accessible once the account was accessed using Memorable Data. "[/FONT]

[FONT=&quot](the point here is that it USED to NOT work in this way and now without notice it does, I know this all they did was repeat that to me ![/FONT]


And here is part of the initial reply to that statement ..."[FONT=&quot]Nationwide does not make any changes to Internet Banking to allow members to access the service without the use of their cards in case they are stopped. "...[/FONT]

I followed this with a new reply ..."[FONT=&quot]It seems my previous message was not processed by a human, not only [/FONT][FONT=&quot]is the message received completely ridicules it makes no reference to my [/FONT][FONT=&quot]specific complaints regarding how I was not given very important information. [/FONT]

[FONT=&quot]By not reading my earlier letter, and by sending me a standard reply, you appear to have made the following open admission:[/FONT]
[FONT=&quot]1) [/FONT][FONT=&quot]You have confirmed it was correct for me to have notified you when my card was compromised;[/FONT]
[FONT=&quot]2)[/FONT][FONT=&quot]You have confirmed it is deliberate policy to make access to his account impossible for your customer when such a notification is made;[/FONT]
[FONT=&quot]3)[/FONT][FONT=&quot]You have confirmed it is also your policy to allow your account holders to incur financial penalties elsewhere as a result of following your instructions;[/FONT]
[FONT=&quot]4)[/FONT][FONT=&quot]You appear to have confirmed it is deliberate policy to keep these actions secret from your customers;[/FONT]
[FONT=&quot]5)[/FONT][FONT=&quot]By so doing you appear also to have confirmed that these actions are a deliberate breach of your customer charter and your statutory obligations."...[/FONT]


That got their attention

mohar10

Olipro wrote: »

supressing PIN submission will cause the transaction to complete in the same way it would if the merchant had performed a PIN Bypass transaction; this will only pass authorisation if the transaction is for a low amount, so whilst a criminal can defraud you out of say... a sandwich, your bank isn't going to authorise a PIN-bypassed transaction for a grand.

As for your earlier suggestion that someone could install something at the ATM to clone your card's chip for the purposes of using the clone in a card reader; it's impossible.

Here is how I see the issue regarding ATM cloning, as the CAP system is now adopted by many of the banks, the readers a easy to come by. We know how the onetime passcode is generated (the EMV standard is secret but there are only so many ways an offline OTP can operate), so its highly likely that this seed data is read/written to the cards chip (yes its encrypted but these ships only have so much capacity, maybe only 64 kb so it's likely not great by today's computation standards), so why can’t an illegal reader copy the transaction counter off the chip if it’s possible for a little home reader to read this data value in the first place?

The thing that really worries me is that the security of this system all seems to depend on the opposite of Kerckhoffs’ Principle.

mohar10

I think I just worked out why the self service phone banking system no longer allows you to set up new arrangements. You see, the default situation is that, if you set up self service after internet banking as least, your internet banking customer number is used as the customer number for the phone system as well and I'm sure regardless you would endup with this anyway, (have 2 ids for one member is that logical).

So it seems that Nationwide give away not only 50% of the internet access requirements via the card reader sign-on, they also give away 50% of the phone access information, the point here is that, unlike the internet pass-code, the phone system does not use one time pass-codes.

So (notionally) the fraudster only has to deal with 531441 possible pass-codes. I don't know what they do in terms of monitoring for this type of thing but I hope they do somthing now it seems anyone can just pick up a disposable mobile and start cracking into self service enabled accounts.

I'm sure it’s not that bad really, they do lockout access after 3 consecutive wrong attempts at the 3 digits picked from the code, and then you get redirected to the service team.

SaveTheEuro

LittleVoice wrote: »

I had been under the impression that using the card reader at log-in would avoid the need to use it again to make payments to an external account.

This has not been my experience - on two consecutive days I have logged in with the card reader but been required to use the card reader to make a payment to an external account (the same account on each day) which had been set up for some time and I believe had received payments in the past.

Is there some other requirement to avoid having to repeatedly use the card reader? Is it that if you log in with the card reader you only need to use the card reader again for the first payment out and not any subsequent ones in the same session? Or is it that you don't need the card reader just to set up a recipient.

I've asked NW about this but not expecting a reply for a while.

...............

Post script:
Received reply within about 10 hours of leaving secure message (which is good as the promise is to be within five working days). Boiler plate response of why they are introducing card readers and when they would ask customers to use it. So, as I find it is quicker and easier to user the memorable data by keyboard and mouse, there is a disincentive to use it for logging in with no gain of not having to use it again in the same online session.

I used the card reader to log in today and had to use it twice more to carry out transactions. Just why is it necessary to go through this procedure three times? Does it make sense to anyone?