MSE News: Coventry BS launches market-leading ISA to rival top easy-access savings accounts

broju

Stompa wrote: »

If I were to transfer from Cov BS flexible ISA 1 to Cov BS flexible ISA 2, then obviously the funds in ISA 1 would transfer to ISA 2. But what about the flexible allowance? Does that get transferred too?

As an example, suppose I have £50001 in ISA 1. I withdraw £50000 leaving a balance of £1. Under the flexible rules I would be permitted to redeposit that £50000 in ISA 1 before the end of the same tax year.

Now, if I were to transfer the £1 in ISA 1 to ISA 2, would I then be permitted to deposit that £50000 to ISA 2?

I'm guessing the answer is probably no.....

You're right. Your flexible allowance does not get transferred. I have clarified this with them by secure message. I have just subscribed the full amount of my flexible allowance and transferred to the new ISA.

Stompa

broju wrote: »

You're right. Your flexible allowance does not get transferred. I have clarified this with them by secure message. I have just subscribed the full amount of my flexible allowance and transferred to the new ISA.

Thanks for confirming, it did seem rather unlikely that the allowance would be transferred.

Rich2808

sausage_time wrote: »

My grid card arrived Day 2, and the rest of the details (including web ID) over another 4 letters which arrived Day 3. All up and running! A most curious login process, but now I know my trial £1 deposit has arrived I won't be doing it often, thankfully.

Yes – Coventry’s grid card is unusual but does provide an added level of security on top of the username, date of birth and three digits from your password.

I used to have a similar grid card with my Irish Allied Irish bank account before they introduced card readers but I am not aware of anyone else who uses them.

retiree

Skipton uses a similar system.

soulsaver

Rich2808 wrote: »

Yes – Coventry’s grid card is unusual but does provide an added level of security on top of the username, date of birth and three digits from your password.

I used to have a similar grid card with my Irish Allied Irish bank account before they introduced card readers but I am not aware of anyone else who uses them.

Bit off topic but:
Notts BS (not BeeHive) & Danske Bank also use a grid card; slightly different format than Cov.

Cov give you grid references to look up; my 2 examples give you a look up (not grid) reference to respond with the equivalent card code for that reference.

Stompa

Rich2808 wrote: »

Yes – Coventry’s grid card is unusual but does provide an added level of security on top of the username, date of birth and three digits from your password.

Having been a Coventry customer for a very long time, one curiousity I've noticed is that that when they ask for three characters from your password, they only ever use the first 5 characters and the last one. Any other characters never get asked for.

sausage_time

<geek>Asking for letters from a password sounds slight alarm bells with me. It probably means the password is stored as plain text on their sysems. If so, I hope they are never hacked.</geek>

eskbanker

sausage_time wrote: »

<geek>Asking for letters from a password sounds slight alarm bells with me. It probably means the password is stored as plain text on their sysems. If so, I hope they are never hacked.</geek>

<geekier>Asking for letters from passwords doesn't imply that - it's not as if the CS reps will have a password visible in front of them!

They'll be being prompted by the system to enter the 'randomly' selected character positions and the responses provided by the customer will be keyed in and sent via some sort of one-way hashing to be validated against an encrypted password, or at least that's how I'd expect it to work unless they have some particularly inadequate bodged system that they somehow managed to sneak past the FCA....

I presume the use of the first five characters and the last means that six-character passwords were originally in use (probably/hopefully a higher minimum now) so the system would seem to have some weaknesses but that's a long way from plain text storage of passwords!</geekier>

Stompa

sausage_time wrote: »

<geek>Asking for letters from a password sounds slight alarm bells with me. It probably means the password is stored as plain text on their sysems.</geek>

Hopefully, the fact that they ask for 3 characters out of 6 means that it's not stored as plain text, but only they will know!

etienneg

sausage_time wrote: »

<geek>Asking for letters from a password sounds slight alarm bells with me. It probably means the password is stored as plain text on their sysems. If so, I hope they are never hacked.</geek>

I'm not at all sure why you think this follows (or even probably follows).

What is pretty clear is that it avoids transmitting the whole password in any one message, ever, even encrypted. So a hacker would need to intercept multiple messages to have even a remote chance of getting the whole password. Also, the letter positions are not transmitted with the letters themselves, making piecing the password together even more difficult.

A similar system is used over the phone, where the customer service person asks for particular digits (chosen by their computer) and inputs the customer response. The computer verifies the response, and the customer service person never sees the whole password. Again, no reason to assume storage of the password as plain text.