
Card reader vs mobile app


Comments

  • username said:
    Yes there is the standard 3 tries lock-out, which can be reset in the cash machine.
    I thought there must be as you could just keep guessing the pin, but didn't know it was the standard 3.
    Let's Be Careful Out There
  • Nasqueron
    AmityNeon said:
    Nasqueron said:
    AmityNeon said:

    There have been cases (including previous posts on this forum) involving coercion to bypass anything involving just your phone. I doubt many keep a card reader on them; for this reason alone, the reader is better for typical operational security.

    In terms of technical security, there have been previous reports of biometric authentication being fooled, but the chances are very small and even less likely to be successful to fraudulently authorise mobile transactions. Card reader verification isn't a scenario that involves a third-party (e.g. such as making a purchase using an unknown terminal/reader), the encryption isn't going to be broken in any practical sense, and even if an EMV card could be cloned, the correct PIN would still be required — and if a fraudster also knew that, they would more likely make a cash withdrawal than try to authorise a digital transaction.

    Or to flip it round, the fraudsters are well versed on how to coax people to use card readers as needed.

    In such a scenario where potential victims are susceptible to being coaxed, biometric authentication is no better; in fact, there's far less friction involved due to its convenience.

    Card readers may be less secure in trusted environments and more vulnerable to those close to you (if they betray your trust), but again, anyone who possesses both your card and knowledge of your PIN has a far easier alternative than attempting to authorise a digital transaction (which would require bypassing previous authentication like logging in just to even reach that final stage of the process).

    I get that you don't like the app approach but again, this is simply wrong - a thief coaxing a mark, if anything, has the added "security" to back up their story by telling the person that they are guaranteeing security of the transfer by using the card, keeping it separate from the phone adds a layer of protection to the transaction in the mind of the victim, far more than telling someone to log into an app and pressing a thumb on a sensor with several warnings on screen. They can "trust" the reader is secure as it's offline so can be more willing to follow the steps

    Sam Vimes' Boots Theory of Socioeconomic Unfairness: 

    People are rich because they spend less money. A poor man buys $10 boots that last a season or two before he's walking in wet shoes and has to buy another pair. A rich man buys $50 boots that are made better and give him 10 years of dry feet. The poor man has spent $100 over those 10 years and still has wet feet.

  • username said:
    Yes there is the standard 3 tries lock-out, which can be reset in the cash machine.
    I thought there must be as you could just keep guessing the pin, but didn't know it was the standard 3.
    Unfortunately I can confirm this - locked a Nationwide card yesterday while trying to use card reader to set up biometrics on app to reduce use of card reader! 
  • UKX69
    Nasqueron said:
    AmityNeon said:
    Nasqueron said:
    AmityNeon said:

    There have been cases (including previous posts on this forum) involving coercion to bypass anything involving just your phone. I doubt many keep a card reader on them; for this reason alone, the reader is better for typical operational security.

    In terms of technical security, there have been previous reports of biometric authentication being fooled, but the chances are very small and even less likely to be successful to fraudulently authorise mobile transactions. Card reader verification isn't a scenario that involves a third-party (e.g. such as making a purchase using an unknown terminal/reader), the encryption isn't going to be broken in any practical sense, and even if an EMV card could be cloned, the correct PIN would still be required — and if a fraudster also knew that, they would more likely make a cash withdrawal than try to authorise a digital transaction.

    Or to flip it round, the fraudsters are well versed on how to coax people to use card readers as needed.

    In such a scenario where potential victims are susceptible to being coaxed, biometric authentication is no better; in fact, there's far less friction involved due to its convenience.

    Card readers may be less secure in trusted environments and more vulnerable to those close to you (if they betray your trust), but again, anyone who possesses both your card and knowledge of your PIN has a far easier alternative than attempting to authorise a digital transaction (which would require bypassing previous authentication like logging in just to even reach that final stage of the process).

    I get that you don't like the app approach but again, this is simply wrong - a thief coaxing a mark, if anything, has the added "security" to back up their story by telling the person that they are guaranteeing security of the transfer by using the card, keeping it separate from the phone adds a layer of protection to the transaction in the mind of the victim, far more than telling someone to log into an app and pressing a thumb on a sensor with several warnings on screen. They can "trust" the reader is secure as it's offline so can be more willing to follow the steps
    I suppose it all comes down to what you are comfortable with. I prefer using a card reader when I need to while logged into online banking and of course you’ve got the convenience of apps on phones and pads for quick transactions. But there again, I’m a wrinkly whose banking history goes back to 1970 and still prefer to walk into my bank branch and talk to a human! 😁
  • I have changed from card reader to app for my Barclays account. A month back I was locked out of the app as it needed updating. I tried to get the app to do anything but kept getting the upgrade to newest version message and couldn't progress.

    That's fine as I was able to get the newer app. It did however remind me of the time years back when my Virgin CC app - and Virgin don't offer a PC alternative way of servicing - needed updating to continue. The app needed the newer version of the iPad operating system. My iPad was too old to get that iOS so could update the app. I was effectively shut out of my account. I did have a backup and could service my Virgin card using SO's iPhone. I did get a newer iPad in the end.
  • UKX69
    I bank with NatWest and have used the app for a number of years on my phone and iPad. I did have my wife’s old iPad at one time and the app would remind me now and again to update, but couldn’t because the iPad OS was out of date. I could still do what I wanted to so that was ok. Had a new iPad last year, so upgraded the app. 👍
  • AmityNeon
    edited 5 September 2024 at 9:10PM
    Nasqueron said:
    AmityNeon said:
    Nasqueron said:
    AmityNeon said:

    There have been cases (including previous posts on this forum) involving coercion to bypass anything involving just your phone. I doubt many keep a card reader on them; for this reason alone, the reader is better for typical operational security.

    In terms of technical security, there have been previous reports of biometric authentication being fooled, but the chances are very small and even less likely to be successful to fraudulently authorise mobile transactions. Card reader verification isn't a scenario that involves a third-party (e.g. such as making a purchase using an unknown terminal/reader), the encryption isn't going to be broken in any practical sense, and even if an EMV card could be cloned, the correct PIN would still be required — and if a fraudster also knew that, they would more likely make a cash withdrawal than try to authorise a digital transaction.

    Or to flip it round, the fraudsters are well versed on how to coax people to use card readers as needed.

    In such a scenario where potential victims are susceptible to being coaxed, biometric authentication is no better; in fact, there's far less friction involved due to its convenience.

    Card readers may be less secure in trusted environments and more vulnerable to those close to you (if they betray your trust), but again, anyone who possesses both your card and knowledge of your PIN has a far easier alternative than attempting to authorise a digital transaction (which would require bypassing previous authentication like logging in just to even reach that final stage of the process).

    I get that you don't like the app approach but again, this is simply wrong - a thief coaxing a mark, if anything, has the added "security" to back up their story by telling the person that they are guaranteeing security of the transfer by using the card, keeping it separate from the phone adds a layer of protection to the transaction in the mind of the victim, far more than telling someone to log into an app and pressing a thumb on a sensor with several warnings on screen. They can "trust" the reader is secure as it's offline so can be more willing to follow the steps

    You get that I don't like the app approach? What do you mean? I haven't mentioned my personal like or dislike for either approach. Using card readers still requires logging in to the payment platform, creating payees, initiating payments and going through warnings just the same.

    I haven't been involved in scams, whether as perpetrator or victim, so I can't empathise with the psychology of trusting a card reader over biometric authentication as "guaranteeing security of the transfer"; either claim is as ridiculous as the other. Would it not be just as easy to coax a mark to believe their own biometrics are more of a guarantee compared to cards/PINs? Any vague and generic waffle of cloned cards, hacked readers or fraudulent withdrawals could do, but this is just my own speculation.

    The nature of this thread was centred around security, not scam awareness. I stated the facts: a card reader offers stronger operational security in cases where your physical safety could be typically compromised as it's usually kept in a separate location to the device initiating the transfer attempt. It also requires the account's corresponding debit card and knowledge of the card's PIN, whereas biometric authentication not only has been previously technically circumvented, it's also more easily susceptible to deceptive manoeuvres (convincing someone to briefly look at their phone screen) or physical force (literally grabbing someone's thumb/finger).

    The convenience of biometrics and apps reduces the number of factors to two: a person and their phone. The more inconvenient and cumbersome nature of card readers involves four or five: card reader, debit card, platform access (phone or computer), PIN knowledge, and arguably the person themself to facilitate access into the banking provider's platform (which may involve biometrics anyway). For the sake of convenience though, many apps allow PIN access after biometric authentication.

    What's suitable is dependent on an individual's risk profile (which could be different on a per account basis), but what's preferable is likely down to convenience, especially if one is fortunate enough to have never been a victim of crime. In response to organically-evolving social developments, Apple and Google are only just finally catching up with sorely needed technology features, such as hiding/locking individual apps (iOS), and devices automatically locking based on detection of rapid change in motion (e.g. phones being quickly snatched by speeding thieves). Someone recently lost £20,000 due to a series of unfortunate circumstances — a culmination of rapid modern innovations and lagging industry response resulting in inadequate default security practices.

  • Barclays had PIN Sentry integrated into their app for years, rather disappointing to find when moving our joint account over to Nationwide it isn't available with Nationwide as I don't carry the card reader any more. Nationwide app seems to lack a lot of basic functions offered by other institutions.