
Card reader vs mobile app


  • Nationwide states the following if moving to app not card reader authentication i.e. not Face ID although I don't understand why as they allow it for login to the app:

    Secure your account by taking a photo of your face to create a digital map. This means we can trust your passnumber or device biometrics to do more in the app without a card reader.
  • AmityNeon
    AmityNeon Posts: 1,085 Forumite
    There have been cases (including previous posts on this forum) involving coercion to bypass anything involving just your phone. I doubt many keep a card reader on them; for this reason alone, the reader is better for typical operational security.

    In terms of technical security, there have been previous reports of biometric authentication being fooled, but the chances are very small and even less likely to be successful to fraudulently authorise mobile transactions. Card reader verification isn't a scenario that involves a third-party (e.g. such as making a purchase using an unknown terminal/reader), the encryption isn't going to be broken in any practical sense, and even if an EMV card could be cloned, the correct PIN would still be required — and if a fraudster also knew that, they would more likely make a cash withdrawal than try to authorise a digital transaction.
  • Nasqueron
    Nasqueron Posts: 10,613 Forumite
    AmityNeon said:
    There have been cases (including previous posts on this forum) involving coercion to bypass anything involving just your phone. I doubt many keep a card reader on them; for this reason alone, the reader is better for typical operational security.

    In terms of technical security, there have been previous reports of biometric authentication being fooled, but the chances are very small and even less likely to be successful to fraudulently authorise mobile transactions. Card reader verification isn't a scenario that involves a third-party (e.g. such as making a purchase using an unknown terminal/reader), the encryption isn't going to be broken in any practical sense, and even if an EMV card could be cloned, the correct PIN would still be required — and if a fraudster also knew that, they would more likely make a cash withdrawal than try to authorise a digital transaction.
    Or to flip it round, the fraudsters are well versed on how to coax people to use card readers as needed. 

    Sam Vimes' Boots Theory of Socioeconomic Unfairness: 

    People are rich because they spend less money. A poor man buys $10 boots that last a season or two before he's walking in wet shoes and has to buy another pair. A rich man buys $50 boots that are made better and give him 10 years of dry feet. The poor man has spent $100 over those 10 years and still has wet feet.

  • Exodi
    Exodi Posts: 3,800 Forumite
    tacpot12 said:
    Your phone can be stolen, and thieves can steal them from your hand while you are using them, which means that all the biometric security to unlock the phone is bypassed. They can then use photos of you on your phone to unlock apps that use your face.

    OTPs sent to your phone are also insecure if the thieves have grabbed the phone from your hand.

    To my mind, the card reader and card are more secure than an app unless the app requires a PIN and biometric data that you are unlikely to keep on your phone. 
    I'm not sure any of that is valid?

    Most account-based apps require separate biometric verification to log in on an unlocked phone. The thief would need to have the great fortune to swipe the phone while the banking app had been unlocked, and even then they could only send money to existing contacts, as otherwise they'd need to go through another verification check adding a new contact.

    Likewise, most mainstream phones can't be tricked with a photo and use depth mapping; I encourage you to try it yourself (if you have a mobile, which it sounds like you do not).
    Harry227 said:
    I've been using Nationwide's card reader for several years now via my laptop, for online banking, and all seems well (so far!). However, I keep getting hints from the bank to use their mobile app. Reading about the app, I can see the relative greater convenience, but for me it's not convenience per se but security that is most valued. But I've wondered whether the mobile app with biometrics is more, or at least equivalent, in its security compared to the card reader.

    I've tried online searching for the answer 'card reader vs banking apps, which is best?' but the results aren't helpful. Does anyone have any technical knowledge in this area to provide advice?

    Thanks in advance for all helpful feedback. 
    My very simple view is banks wouldn't be pushing to use apps if they are inherently unsafer than the card reader.
    Honestly, this simple view is all that is needed in my opinion. It's in the banks' interests that their customers' accounts are safe.
  • Rob5342
    Rob5342 Posts: 2,401 Forumite
    Apps are better at balancing security against convenience. I have my Monzo app set up so that if my phone is away from my home address then payments over £500 have to also be authorised by my wife on her app.
  • AmityNeon
    AmityNeon Posts: 1,085 Forumite
    Nasqueron said:
    AmityNeon said:

    There have been cases (including previous posts on this forum) involving coercion to bypass anything involving just your phone. I doubt many keep a card reader on them; for this reason alone, the reader is better for typical operational security.

    In terms of technical security, there have been previous reports of biometric authentication being fooled, but the chances are very small and even less likely to be successful to fraudulently authorise mobile transactions. Card reader verification isn't a scenario that involves a third-party (e.g. such as making a purchase using an unknown terminal/reader), the encryption isn't going to be broken in any practical sense, and even if an EMV card could be cloned, the correct PIN would still be required — and if a fraudster also knew that, they would more likely make a cash withdrawal than try to authorise a digital transaction.

    Or to flip it round, the fraudsters are well versed on how to coax people to use card readers as needed.

    In such a scenario where potential victims are susceptible to being coaxed, biometric authentication is no better; in fact, there's far less friction involved due to its convenience.

    Card readers may be less secure in trusted environments and more vulnerable to those close to you (if they betray your trust), but again, anyone who possesses both your card and knowledge of your PIN has a far easier alternative than attempting to authorise a digital transaction (which would require bypassing previous authentication like logging in just to even reach that final stage of the process).

  • username
    username Posts: 740 Forumite
    In terms of physical security the card reader device is isolated from any network, and so is less susceptible to being hacked. Theoretically, being an internet-connected device and having other software loaded onto it, a phone can be hacked, not by your average Joe in the street mind you - and you will need specific technical skill/equipment in order to carry it out.

    You'll also have the pain of having to keep replacing your phone every time they drop support for the OS on your device, which can vary depending on the type of phone you have. The card reader can live in your drawer for many years, as you have seen, and provide a good service, and I'm not sure if Nationwide allow the two to co-exist.

    Everyone's different so do what works best for your banking situation. I personally have no scenario where I'd need to break out the card reader outside of home to generate authentication codes, so it lives in my drawer in my home office.
  • Can a card reader lock the card if the PIN is entered incorrectly too many times?
    Let's Be Careful Out There
  • username
    username Posts: 740 Forumite
    Yes there is the standard 3 tries lock-out, which can be reset in the cash machine.
  • gt94sss2
    gt94sss2 Posts: 6,032 Forumite
    lr1277 said:
    Technically First Direct’s ‘gizmo’ is a number generator and not a card reader. No card is required but a PIN is required, but I can’t remember if it is the same PIN as your debit card.

    The PIN for a physical HSBC/First Direct SecureKey is separate from your card PIN.

    It is a much more secure system than using the generic card reader most other banks use.