Is the new SANTANDER Login secure ?

13

Comments

  • Jim431
    Jim431 Posts: 140 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Thanks for all the replies.

    Seems like some aren't too worried and others like me are a bit more concerned.

    Time will tell if accounts are hacked and what the hackers will do. I'm pretty sure they will be trying !

    I did notice in the blurb it says...

    "In Spring 2020 we'll be making more changes, as new regulation asks us to add an additional check to confirm it's you when logging in to Online Banking... using One Time Passcode (OTP)"

    So they could have just waited. It's more secure - but more hassle.

    Me - I will be moving my cash just before the May interest rate reduction - so the window is closing !
  • Jim431
    Jim431 Posts: 140 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    After my previous post - it occurred to me that I might be able to change my UserID to something more secure. But that system has also changed. My current UserID is alphanumeric. But I can only change to a 10 digit number which has less combinations to crack than my present ID.
  • masonic
    masonic Posts: 26,732 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 2 February 2020 at 7:53PM
    RG2015 wrote: »
    I forgot also that the old login had a personal phrase along side the image to ensure that it was not a cloned site. This makes a four element login page in addition to the personal ID.
    While the personal phrase and image "to ensure that it was not a cloned site" may give feelings of comfort, it does not in fact ensure that it is not a cloned site. All the cloned site needs to do is pull the personal phrase and image from the real site when you enter your user id. This is something it is more than likely to do, because at the next stage, if it wants to look genuine, it will ask for digits from the password/PIN rather than the full information, so it will need to be logging in using your credentials in the background so as to ask for the correct digits (that it can then use to complete the login on the genuine site). For less sophisticated cloned sites, you'll still be able to spot them as they'll have to ask for your full password and PIN.

    The best way to confirm you are visiting the genuine login page is by checking the website's security certificate, which will work as long as your device has not been compromised.
  • RG2015
    RG2015 Posts: 6,043 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    masonic wrote: »
    While the personal phrase and image "to ensure that it was not a cloned site" may give feelings of comfort, it does not in fact ensure that it is not a cloned site. All the cloned site needs to do is pull the personal phrase and image from the real site when you enter your user id. This is something it is more than likely to do, because at the next stage, if it wants to look genuine, it will ask for digits from the password/PIN rather than the full information, so it will need to be logging in using your credentials in the background so as to ask for the correct digits (that it can then use to complete the login on the genuine site). For less sophisticated cloned sites, you'll still be able to spot them as they'll have to ask for your full password and PIN.

    The best way to confirm you are visiting the genuine login page is by checking the website's security certificate, which will work as long as your device has not been compromised.
    Thanks for this. I do have a question though.

    If the cloned site pulls the personal phrase and image from the real site this means my device has been compromised. Therefore, will the security certificate appear to be valid or will there just be no security certificate?

    I have always wondered if this could be cloned hence I have not understood how it could give such confidence in a website.
  • masonic
    masonic Posts: 26,732 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 2 February 2020 at 9:30PM
    RG2015 wrote: »
    Thanks for this. I do have a question though.

    If the cloned site pulls the personal phrase and image from the real site this means my device has been compromised.
    The cloned site will first of all ask you for your user id, just like the real site. When you submit this, it will, in the background, start a login to the real site and submit the user id you entered. The real site will respond with the challenge containing the personal phrase and image, which the cloned site will capture and forward on to you.

    If you have selected the option to "Remember my ID", then your normal login process will not involve that first step. Therefore if you are asked for your user id, either you have cleared your cookies, your Santander login cookie has expired, or you're at a cloned site. So having the browser remember some login information can be helpful to avoiding this kind of attack.

    If you have not selected the "Remember my ID" option, for an attacker to directly present you with the personal phrase and image, they would either already need to know your user id, or have gained access to your device (and copied your Santander login cookie).
    Therefore, will the security certificate appear to be valid or will there just be no security certificate?

    Security certificates do offer some protection, even on compromised devices. The thinking behind Trusteer Rapport and other such "security enhancing" add-ons is they do some certificate checking for you in order to afford you protection even if your device is compromised. Rapport does this by having a list of known good certificates, which it maintains. That's perhaps overkill. A valid certificate issued to the organisation who owns the website and signed by a known and reputable Certificate Authority is sufficient to know you are in the right place.
    I have always wondered if this could be cloned hence I have not understood how it could give such confidence in a website.
    Certificates can't be "cloned". They are bound to the website address for which the certificate is issued, and they consist of a public/private key pair, the latter of which is securely stored on the webserver of the genuine site. The only way for a cloned site to obtain a valid certificate for their copycat website is either to trick the Certificate Authority (reputable CAs won't issue certificates without evidence the recipient controls the website), or compromise the genuine website AND your device (specifically its DNS).

    If you want to be absolutely sure, server testing sites like ssllabs.com will look up information including certificate details independently and can be used as a valuable cross-referencing tool.
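    The checks masonic describes above (the certificate is issued for the address you typed, to the organisation you expect, by a named CA, and is within its validity dates) can be written down as a small script. The following is an added example, not code from the original thread or from Santander: it works on the dictionary that Python's ssl.SSLSocket.getpeercert() returns, and the two sample certificates embedded in it are constructed for illustration (the issuer names are placeholders, not real CAs). The host name retail.santander.co.uk and the organisation name "Santander UK plc" are taken from the discussion; the DV-style sample shows why a domain-validated certificate for a look-alike name passes every check except the organisation one, which is the point made later in the thread.

```python
import ssl
import socket
import time

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output for a
# certificate that names the owning organisation (OV/EV style). Issuer is a placeholder.
OV_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Santander UK plc"),),
        (("commonName", "retail.santander.co.uk"),),
    ),
    "issuer": (
        (("countryName", "GB"),),
        (("organizationName", "Example Trusted CA Ltd"),),   # placeholder CA
        (("commonName", "Example Trusted CA OV Issuer"),),
    ),
    "notBefore": "Feb  1 00:00:00 2020 GMT",
    "notAfter": "Feb  1 23:59:59 2021 GMT",
    "subjectAltName": (("DNS", "retail.santander.co.uk"), ("DNS", "www.santander.co.uk")),
}

# Constructed sample of a domain-validated certificate for a look-alike host name:
# valid for its own name, but it carries no organisation at all.
DV_CERT = {
    "subject": ((("commonName", "retail-santander.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),), (("commonName", "Example Free CA DV"),)),
    "notBefore": "Jan 15 00:00:00 2020 GMT",
    "notAfter": "Jan 14 23:59:59 2021 GMT",
    "subjectAltName": (("DNS", "retail-santander.example"),),
}

# A fixed "current time" inside both validity windows, so the checks are repeatable.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2020 GMT")


def _name_field(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _host_matches(pattern, host):
    """RFC 6125-style match: exact name, or a single leading wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def check_certificate(cert, expected_host, expected_org=None, now=None):
    """Return a list of problems (empty list = all checks pass).

    Mirrors what a person should read off the browser's certificate viewer:
    which names it covers, when it is valid, who it was issued to, and who issued it.
    """
    now = time.time() if now is None else now
    problems = []

    # 1. The address you typed must appear in the subjectAltName DNS entries
    #    (browsers no longer accept a bare commonName for this).
    san_hosts = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_host_matches(p, expected_host) for p in san_hosts):
        problems.append(f"hostname {expected_host!r} not in SAN {san_hosts}")

    # 2. Validity window.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("certificate not valid at this time")

    # 3. Organisation: a DV certificate has none, so it says nothing about who runs the site.
    org = _name_field(cert["subject"], "organizationName")
    if expected_org is not None and org != expected_org:
        problems.append(f"issued to organisation {org!r}, expected {expected_org!r}")

    # 4. A named issuer must be present. Whether that issuer chains to a trusted root
    #    is the TLS library's job; fetch_cert() below relies on Python's default trust store.
    if _name_field(cert["issuer"], "organizationName") is None:
        problems.append("issuer has no organisation name")
    return problems


def fetch_cert(host, port=443):
    """Live helper: connect over TLS with the default trust store (chain and hostname are
    verified by Python, and a failure raises ssl.SSLError) and return the parsed peer
    certificate for check_certificate(). Needs network access; not used by the offline samples."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("OV sample:", check_certificate(OV_CERT, "retail.santander.co.uk", "Santander UK plc", SAMPLE_NOW))
    print("DV sample:", check_certificate(DV_CERT, "retail-santander.example", "Santander UK plc", SAMPLE_NOW))
```

    Run stand-alone it reports no problems for the OV sample and one for the DV sample (no organisation), which is exactly the difference between a certificate that proves you are at a company's site and one that only proves someone controls a similar-looking domain. With network access, `check_certificate(fetch_cert("retail.santander.co.uk"), "retail.santander.co.uk", "Santander UK plc")` applies the same checks to the live certificate, after Python has already rejected any chain that does not validate.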
  • born_again
    born_again Posts: 19,809 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    RG2015 wrote: »
    If the cloned site pulls the personal phrase and image from the real site this means my device has been compromised. Therefore, will the security certificate appear to be valid or will there just be no security certificate?

    I have always wondered if this could be cloned hence I have not understood how it could give such confidence in a website.

    Anyone can buy a security cert....

    All you need to remember is only go by a bookmarked link or physically type a known one in.
    Life in the slow lane
  • masonic
    masonic Posts: 26,732 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 2 February 2020 at 10:15PM
    born_again wrote: »
    Anyone can buy a security cert....
    You may find you have trouble buying a security cert issued to "Santander UK plc". Simple domain validation certs don't offer any assurance you are at a particular company's website however, and you can get those for free nowadays.
    All you need to remember is only go by a bookmarked link or physically type a known one in.
    That's fine providing neither your device nor your internet connection is compromised. If they are then it's trivial to edit the device's hosts file, or intercept and alter its DNS queries to direct "retail.santander.co.uk" to the IP address of the attacker's choice.

    But yes using a bookmark or known URL is definitely recommended.
  • hoc
    hoc Posts: 586 Forumite
    Ninth Anniversary 500 Posts Name Dropper Photogenic
    I'm still seeing the same old login with image and two pins after clicking the logon link on the main page. Is the new logon page being rolled out in phases only to certain customers?
  • Fingerbobs
    Fingerbobs Posts: 1,700 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    When I log in using the new system, I find the site will randomly throw me out while I'm in the middle of using it, and take me through the old-fashioned login procedure again. It's happened three times now, once immediately after setting up a payment to a new payee, which worried me slightly.
  • tacpot12
    tacpot12 Posts: 9,190 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper
    The 2FA that Santander use (OTP) is only secure if your phone provider does not allow fraudsters to pull a SIM switch on you. It is not as secure as the system most other banks use which needs your debit card AND the PIN for the debit card.
    The comments I post are my personal opinion. While I try to check everything is correct before posting, I can and do make mistakes, so always try to check official information sources before relying on my posts.
This discussion has been closed.