Is the new SANTANDER Login secure ?

tempus_fugit

Robin9 said:

Jim431 wrote: »

SANTANDER have changed the login on desktop so that you only have to enter your User ID and a 5 digit password to get into your 1-2-3 Current Account.

They say it is secure but I am not convinced.

I don't think this is new - my account has the UserID / 5 digit since I opened it - 10+ years ago.

It is new. For the past 5 years I have had to enter my user ID, three characters from my password and three digits from my pass code. This new system only started, for me anyway and obviously for others too, this week or so. I have contacted Santander about it and they say that if you log in from a new browser or device you will have to authenticate by an extra means, but I am not convinced that I have had to do this. I don't think it is secure as obviously a code made up only of digits and only five digits long is not as secure as a 16-digit password made up of upper and lower case letters, numbers and special characters.

tempus_fugit

colsten said:

RG2015 wrote: »

There is now only one security input, a five digit PIN.

Previously there were four, a personal image, a personal phrase, a ten character alpha numeric password and a five digit PIN.

In my opinion going down from 4 security elements to 1 limited (numeric only) PIN does appear to be less secure.

What would be the point of all those multiple codes when money cannot be syphoned out of your account to new payees because there is 2FA on payments? Even setting up an SO to an existing account goes through 2FA.

I grant you that it would be easier for a fraudster to get to staring at your balance than it was before. That is, it would be easier for them to do so if you were more negligent than you have probably been so far with your login data.

That's true but the more barriers there are to fraudsters the better. Once they are in your account that is one fewer hurdle for them to jump, and I don't really want anyone looking at my accounts anyway, whether they can take any money or not.

Tyrosian

It surely goes without saying that the previous log in which had 36 to the power of 9 times 100,000, combinations is far more reassuring and obviously safer than a mere by comparison 100,000  numbers between  a criminal gaining access to my account and not. Santander obviously want to drive me away as this is clearly not safer as IP addresses can be spoofed so this, in making it supposedly more user friendly they have also made it easier for criminals to access our accounts too. Shame on you Santander, I thought banks were supposed to be making it harder not easier for the criminals

Notepad_Phil

I don't think ip spoofing is as easy to use on a banking system as you seem to think it is - if a criminal does somehow find out your ip address which they then use in an ip spoof attempt, then how do they insert themselves into where the reply is sent?

And even if they do have the non-trivial technology needed to get these replies, then so what? I'm away from my main computer but I'm fairly sure that Santander are likely using a cookie on the device to decide whether to use the new logon procedure so spoofing would have no affect. But even if they are making the decision based on the ip address, then there is only a limited number of chances to log in for which they have to know your user id and guess the PIN, and if the criminal is very lucky and does get in, then they cannot create new payees without access to your phone.

Tyrosian

Gaining access to phones has already been done several times and how can I ring them to warn them if my phone suddenly stops working? It surely is common sense to keep the far higher number of combinations to gain access to account as this clearly makes it harder for criminals to gain access and not easier by reducing the number as this recent reduction has done, simple maths tells you this. I do not believe any bank including Santander, has come up with a cast iron 100% safe system yet and until they do for me and most sensible people the more protection you have the better, it's my money they are supposed to be looking after, after all and they should not be making it easier at any point for someone to gain access to any of our funds as they have done here with this ludicrous move.

robatwork

Tyrosian said:

It surely goes without saying that the previous log in which had 36 to the power of 9 times 100,000, combinations is far more reassuring and obviously safer than a mere by comparison 100,000  numbers between  a criminal gaining access to my account and not. Santander obviously want to drive me away as this is clearly not safer as IP addresses can be spoofed so this

This isn't how bank crime works - people accessing your account on a PC by brute forcing the code, and then not being able to do much apart from publish your account details. You don't see many account details published online do you?

In any case, Santander's IT team who know about banking security think it's adequate. Let us know your background in banking or IT security or are you in fact a tin foil hat salesman?

Tyrosian

There is no need to be so rude robatwork. I am worried about my money being safe. I am a retired accountant and hence my accurate knowledge of the numbers risk. My son has a first in computer science and works in web based security and so i feel confident in approaching him and seeking answers so I am not without some knowledge of this area. By all means defend Santander if you wish but please do not insult me, that is no way to reassure a worried account holder that their money is secure when without doubt the visible security has been reduced considerably as I hope you are not telling me that 100,000 is as good 36 to the power of 9 times 100,000, and I feel justified to be concerned about mine and every other Santander account holder's money. So please do enlighten me and others as to how reducing considerably the combinations of accessing one's account makes it safer rather than as I fear, at greater risk,  I am open to persuasion and polite responses