Is the new SANTANDER Login secure ?

soulsaver

I have always had (and today from my bookmark):
Recognise this image and phrase?
"This is the image and phrase you have selected.
If you do not recognise these, do not log on. Instead Contact us."

Random selection of 3 characters from password.
"Enter the following characters of your Password."

Random selection of 3 characters from a 5 digit security number.
"Enter the following numbers of your Security Number. "

RG2015

RG2015 wrote: »

I share the concerns to some degree. Previously the login page had three elements; a personal image, an alpha-numeric password and a PIN. Now there is only one numeric only PIN.

I would further add that I can now access both the old and new login pages from different bookmarks.

It may not be less secure but it does feel a bit random and also lacking an explanation or any evidence of rigour.

I forgot also that the old login had a personal phrase along side the image to ensure that it was not a cloned site. This makes a four element login page in addition to the personal ID.

RG2015

colsten wrote: »

So, apart from lacking an explanation (never seen any company explain why their login is as it is), and no evidence of rigour (what evidence and what rigour are you after?), you think it might not be less secure, and you don't list any security issues. Let's see which ones the OP sees.

There is now only one security input, a five digit PIN.

Previously there were four, a personal image, a personal phrase, a ten character alpha numeric password and a five digit PIN.

In my opinion going down from 4 security elements to 1 limited (numeric only) PIN does appear to be less secure.

PS I do believe that banks often explain why they include their various security components. For example, they tell you they ask for things you know (personal information), things you have (card reader), personal attributes such as biometrics etc. This in turn does indicate a degree of rigour in their approach which is currently lacking from Santander's latest offering.

molerat

RG2015 wrote: »

If you now go in to the main Santander home page at santander.co.uk and click the login icon you will be presented with the new login page.

Still the old log in for both of us through that link. But there is a pop up with

Don’t worry if you see a different log on page on different devices, we’re rolling out the changes over a few weeks.

And MrsM's now alternates between the 2.

RG2015

I get this on Firefox.

Online Banking is changing

You’ll start to see a new look, and we’ll only ask you for your Personal ID and Security Number (also known as Registration Number or Customer PIN).

Don’t worry if you see a different log on page on different devices, we’re rolling out the changes over a few weeks.

RG2015

And this, so they are explaining their changes.

https://www.santander.co.uk/personal/support/ways-to-bank/changes-to-how-you-log-on-to-online-banking

alanwsg

I still get the 'old' login (i/d + 3 from P/W + 3 from PIN) from both my bookmark and via the Santander main page.

The "Is this your image" system was always useless anyway, any site pretending to be the Santander login page would simply fetch the image from the real page once it had your i/d.

glennevis

What may appear to be two security elements could in fact be three when you include machine identification.

colsten

RG2015 wrote: »

There is now only one security input, a five digit PIN.

Previously there were four, a personal image, a personal phrase, a ten character alpha numeric password and a five digit PIN.

In my opinion going down from 4 security elements to 1 limited (numeric only) PIN does appear to be less secure.

What would be the point of all those multiple codes when money cannot be syphoned out of your account to new payees because there is 2FA on payments? Even setting up an SO to an existing account goes through 2FA.

I grant you that it would be easier for a fraudster to get to staring at your balance than it was before. That is, it would be easier for them to do so if you were more negligent than you have probably been so far with your login data.

RG2015

colsten wrote: »

What would be the point of all those multiple codes when money cannot be syphoned out of your account to new payees because there is 2FA on payments? Even setting up an SO to an existing account goes through 2FA.

I grant you that it would be easier for a fraudster to get to staring at your balance than it was before. That is, it would be easier for them to do so if you were more negligent than you have probably been so far with your login data.

These are valid points as were previous ones made.

It is very easy to become used to "accepted practice" and assume that it is there for the intended or assumed reason. I used to change my passwords every month until someone (possibly on a forum) pointed out that this was pointless.

I suspect that the OP like me merely has a gut feeling that it is less secure.

On the other hand I will remain vigilant as IT, banks and big business will never engender feelings of trust.