Which banks do NOT use a card reader for online banking?

SebH

It also might be worth mentioning accounts which require an app to use them, while we are on the topic of how various accounts are accessed.

Licensed Banks requiring an app:
Monzo
Starling
Chase

Not banks, but app-only accounts:
Revolut
Dozens

penners324

Monzo & Statling now have website access as well, though not the full suite of functionality you get on their apps

SebH

Indeed, but you can’t sign up to their accounts in the first place without the apps - so you do need a smartphone.

Also, in the case of Starling, you can’t login to the online banking without authorising the login via the app.

Daliah

SebH said:

Indeed, but you can’t sign up to their accounts in the first place without the apps - so you do need a smartphone.

..... or a tablet capable of running apps. E.g. iPad.

zagfles

400ixl said:

I wouldn't use any bank that is still relying on text messages for their method of authenticating access or payments. It is a very insecure way of doing it.

Most banks now do this through the mobile apps which require authentication (bio-metrics, PIN, Password) to in order to then authenticate the access / purchase.

The text message is just the second or sometimes third factor authentication. ISTM to be more secure than having a phone which you unlock with your fingerprint and then an app which you authenticate with the exact same method, ie your fingerprint. It's single factor. Say you got drunk, were drugged, or attacked, and while you were incapacitated a thief just puts your finger on your phone to unlock it, then scrolls through your apps for the banking one(s), and uses your finger again to authenticate them.

400ixl

And that wouldn't let them read your SMS messages as well?

SIM transfer or cloning is a more likely scenario than what you suggest.

zagfles

400ixl said:

And that wouldn't let them read your SMS messages as well?

SIM transfer or cloning is a more likely scenario than what you suggest.

Well obviously, but as I said "it's just the second or sometimes third factor authentication". Before getting to that stage, you'd need to log in usually using something you know, eg password, passnumber.

I won't use any app which only relies on the same method I use to unlock my phone ie my fingerprint (and I don't want to change my phone unlock method as it's convenient for the other 99% of things I do with my phone).

It's security basics to authenticate important things using both something you have (eg a card, finger etc) plus something you know (eg PIN, password, passnumber). If you can get in with just something you have, or just something you know, it's insecure.

400ixl

Who said that I was using bio-metrics to log into the phone? I could well be using a PIN for the phone, Bio-metrics for the app, or visa versa. So can easily be more secure than SMS which typically doesn't require more than the 1 factor to open the phone (which as you say is biometric). Even worse SMS texts often display on the screen when the phone is locked.

SMS is a proven bad method for authenticating identity or payments. It is a very well held view by pretty much every security expert on the planet. Better than no security, but thats about it.

Take the point that there is slightly more risk if you only use 1 authentication method for both the phone and the banking app. That is down to the individuals risk appetite.

zagfles

400ixl said:

Who said that I was using bio-metrics to log into the phone? I could well be using a PIN for the phone, Bio-metrics for the app, or visa versa.

You could. But it seems a lot of people don't and just use a single factor for both, eg finger, and think that's more secure than 2 factors for which you'd need both the passcode/password plus the phone.

400ixl said:

So can easily be more secure than SMS which typically doesn't require more than the 1 factor to open the phone (which as you say is biometric). Even worse SMS texts often display on the screen when the phone is locked.

Indeed but you'd still need possession of the phone. To get to the text message stage you'd need knowledge of login credentials. I don't think any banks will send the text until you've passed the first stage of security, ie proved you've got the "something you know" part.

SMS is a proven bad method for authenticating identity or payments. It is a very well held view by pretty much every security expert on the planet. Better than no security, but thats about it.

Take the point that there is slightly more risk if you only use 1 authentication method for both the phone and the banking app. That is down to the individuals risk appetite.

That's the point. If you unlock the phone using your fingerprint, then using a fingerprint to login to a banking app and authenticate payments etc is one factor, therefore not very secure. Two factors where one is based on knowledge and the other on possession are almost always better than one even if the two factors individually are less secure than the one.

Obviously some people will be stupid enough to have a file on their phone with their banking passwords, but then that's turned it into one factor. Someone I know thought having a phonebook entry of something like "Nathan West 0161 820 6591" was a good way to disguise the fact the PIN for his Nat West card was 6591, and this was in the days before phones were generally locked, so any security is susceptible to stupidity

namford

sheramber said:

You don’t need one with RBSApp

@sheramber - with RBS have they given you a card reader at all? I heard you needed one when setting up new payees?