Natwest Card Reader?
Comments
ShelfStacker, no sign of a different button in the NatWest version. There's no fundamental reason why the NatWest site couldn't also use a shared secret to help you to verify that you were at a genuine site and defeat that sort of phishing attack. All sorts of possible cost and implementation detail reasons why they might not want to do it.
I've no reason to expect a bank to react better to such a phishing-based account compromise than the way they do for uses of credit card PINs.
There are three buttons on NatWest's (and Barclays' - they use the same standard) reader - Identify, Respond and Sign. Identify is for logging on, Sign is for verifying your identity against a transaction, and Respond is currently unused, but takes a code which it then uses to produce another one. You would use Sign for making a new payee.
Like I say, I agree, you should use shared secrets with the readers for the maximum security, but readers alone are already more secure than the shared secrets and passwords alone.
And - be fair - it is hardly the banks' fault if a person is stupid enough to think NatWest will expect them to verify personal information via email out of the blue. No matter what they do, there'll always be someone thick enough to get caught out by phishing, and the readers are their best shot at minimising that issue (you can never make it go away)...
The card reader could never stop phishing because the card reader uses post security (after logging in) when really it should be pre security during the logging-in process.
It's an ill-thought-out process, and had they put enough thought into it you would have this kind of security during the logging-in process to stop anyone even logging into your account in the first place.
I've just received a card reader this morning from NatWest and I'm disappointed that it would still allow somebody to log into my account if they somehow got hold of my details.
I would have no problems whatsoever with having to generate an extra security code to log in.
The card reader seems really easy to use and any extra security is always welcome in my eyes.
I just wish EVERY online store would need to take part in the MasterCard® SecureCode scheme.
I see no facts and or figures to justify such a system that requires the extra effort.
The banks have been reticent in the past about rolling out the extra security provided by the card readers. They are only introducing them now, due to the upcoming roll out of the Fast Payments system. When you can make instantaneous payments to other people's bank accounts, the likelihood that money could be skimmed before someone realised is increased.
newfoundglory wrote: »I don't think Lloyds TSB are going down the card-reader route.... I think they opted for the far better RSA SecurID token approach, which would not require a bank card. I'm sure I've seen some of these for HSBC too.
However, the strength of the two-factor authentication is reduced if you enter the PIN into the PC, rather than into a separate unconnected card reader.
newfoundglory wrote: »I don't think Lloyds TSB are going down the card-reader route.... I think they opted for the far better RSA SecurID token approach, which would not require a bank card. I'm sure I've seen some of these for HSBC too. See below for more info:
http://en.wikipedia.org/wiki/SecurID
Actually - the card readers provide two major benefits over the tokens.
1) As was pointed out by the previous poster - they mean that your PIN is held on a local, unconnected device - meaning no matter what, it isn't entered onto your computer.
2) They provide a challenge/response mechanism. It means that in order to perform a man-in-the-middle attack, the phisher has to connect to NatWest, get the page up containing the details, relay it to you, get you to enter the details and then immediately log in. A further request would change the challenge - hence they have to respond to it.
However, the SecurID code can be utilised within 30 or 60 seconds. Ergo - they can build a site which takes the details into a simple DB and then have a backend process doing the stealing.
It would even be possible to set the payment up to the new person - e.g. I create a page which says "your security info has expired - please enter username/password and current SecurID token value" ... I immediately log in through a backend process using the username/password, go straight to the payment screen and put the code in - easy peasy. That can easily be done programmatically in under the 30 seconds the code will be valid for.
Much easier to implement for the phisher and much easier to crack.
I'd be happy they've gone with card readers if I were you. They've actually gone for the more secure option - albeit not the most convenient one.
M.
2) They provide a challenge/response mechanism. It means that in order to perform a man in the middle attack - the phisher has to connect to natwest, get the page up containing the details, relay it to you, get you to enter the details and then immediately login. A further request would change the challenge - hence they have to respond to it.
The problem is that some of the banks have utilised the system in a stupid way, i.e. not requiring you to enter details from their webpage into the card reader, but only requiring a few digits from your card plus the PIN.
The main problem with the MasterCard CAP is that if the PIN is the same for the online banking reader as for your normal card use, then any dodgy shop-based card reader could get the codes for your online banking whilst you are paying for your shopping.
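The two points above (M.'s relay argument against time-windowed tokens, and the reply about banks using the reader without binding the response to the page's transaction details) can be shown side by side in a toy model. This is an added example and not code from the thread or from any bank or EMV CAP implementation: the HMAC below stands in for the cryptogram the real card computes, the 8-digit truncation and the 30-second window are assumptions, and `Bank`, `phish_and_relay` and the "friend"/"mule" accounts are hypothetical names for the scenario. It compares three schemes: a time-based token code, a reader "Sign" response that is a MAC over the payee and amount the user typed in, and a reader response bound to nothing at all.

```python
import hashlib
import hmac

# Constructed card key: stands in for the per-card key an EMV chip uses to
# compute its cryptogram. The HMAC below is a stand-in for the card's MAC,
# not the real CAP algorithm.
CARD_KEY = b"constructed-example-card-key"
TIME_WINDOW_S = 30          # assumed validity window of a time-based token code


def _truncate(mac: bytes, digits: int = 8) -> str:
    """Reduce a MAC to the 8-digit code a reader or token would display (assumed format)."""
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def time_code(key: bytes, now: int) -> str:
    """Time-based token (SecurID-style): the code depends only on the key and
    the current 30 s window, so it is valid for any request in that window."""
    counter = (now // TIME_WINDOW_S).to_bytes(8, "big")
    return _truncate(hmac.new(key, counter, hashlib.sha256).digest())


def sign_code(key: bytes, challenge: str) -> str:
    """Reader 'Sign' mode: the code is a MAC over the challenge the user typed
    into the reader, so it is only valid for that exact challenge."""
    return _truncate(hmac.new(key, challenge.encode(), hashlib.sha256).digest())


def payment_challenge(payee: str, amount_pence: int) -> str:
    """Challenge the genuine bank page shows for a new-payee payment."""
    return f"{payee}:{amount_pence}"


class Bank:
    """Toy bank whose payment endpoint checks one of three second-factor schemes."""

    def __init__(self, scheme: str, key: bytes):
        if scheme not in ("time_otp", "sign", "unbound_sign"):
            raise ValueError(f"unknown scheme {scheme!r}")
        self.scheme = scheme
        self.key = key

    def authorise(self, code: str, payee: str, amount_pence: int, now: int) -> bool:
        if self.scheme == "time_otp":
            expected = time_code(self.key, now)
        elif self.scheme == "sign":
            expected = sign_code(self.key, payment_challenge(payee, amount_pence))
        else:
            # "unbound_sign": reader used without the page's transaction details,
            # so the response is bound to nothing the bank can check it against.
            expected = sign_code(self.key, "")
        return hmac.compare_digest(code, expected)


def victim_code(bank: Bank, payee: str, amount_pence: int, now: int) -> str:
    """What the victim's reader or token produces for the payment *they* intend."""
    if bank.scheme == "time_otp":
        return time_code(bank.key, now)
    if bank.scheme == "sign":
        return sign_code(bank.key, payment_challenge(payee, amount_pence))
    return sign_code(bank.key, "")


def phish_and_relay(bank: Bank, now: int, delay_s: int) -> bool:
    """The phishing page collects the victim's code for a small payment to a
    friend; the phisher's backend relays it delay_s seconds later to pay a
    mule account instead. Returns whether the bank accepts the fraud."""
    code = victim_code(bank, payee="friend", amount_pence=1_000, now=now)
    return bank.authorise(code, payee="mule", amount_pence=250_000, now=now + delay_s)


def legitimate_payment(bank: Bank, now: int) -> bool:
    """Control case: the victim's own payment, submitted with their own code."""
    code = victim_code(bank, "friend", 1_000, now)
    return bank.authorise(code, "friend", 1_000, now)


if __name__ == "__main__":
    now = 999_999_990                  # fixed timestamp on a 30 s window boundary
    for scheme in ("time_otp", "sign", "unbound_sign"):
        bank = Bank(scheme, CARD_KEY)
        print(f"{scheme:13s} legit={legitimate_payment(bank, now)} "
              f"relay@5s={phish_and_relay(bank, now, 5)} "
              f"relay@60s={phish_and_relay(bank, now, 60)}")
```

Running it shows the time-based code being accepted for the mule payment when relayed within the window and rejected once the window has passed, the transaction-bound Sign response being rejected for the mule payment at any delay, and the unbound reader response being accepted indefinitely, since nothing ties it to the payee or amount. The lesson is that the reader is only as strong as what is fed into it: a response over the page's own transaction details is what defeats the relay, not the reader hardware by itself.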
But does this mean you can't buy stuff with your card from a friend's computer? Also you can't check your account when staying with family etc. unless you lug the reader about with you.
Do the readers only work with the assigned card? So anyone else with a reader could generate a number with my card and pay with it?