Internet banking security: which bank has keyring or token devices for authentication?

Hi there,

do you know which UK bank has security keyrings or tokens for authentication purposes?

Barclays introduced Pinsentry, which is inconvenient because it's a bulky device the size of a calculator. I think the ideal would be a security token I can attach to my keyring and carry with me. I currently bank with HSBC, but am considering changing because security seems too low: just one password, of which I only have to enter 3 characters at a time. Plus, I have to type the characters, rather than choosing them from a dropdown menu, which exposes me to the risk of keyloggers. In many other countries, it is common practice to have at least 2 passwords (one to access the account, one to authorize payments) and a security token. Lloyds trialed a security token but withdrew it following negative customer feedback. They were so wrong, in my opinion!

Thanks!

SantaClaus

All my overseas accounts with HSBC use a device small enough to be attached to a key ring. I'm surprised they don't issue them in the UK. Perhaps they will some time soon.

Chris

Chris Blunt

The security token is the chip in the chip and pin card. The pinsentry is just a terminal to access that. I believe all the UK banks use the same authentication protocol.

I imagine a third party could make an alternative terminal, but it still has to be big enough to reliably connect to the chip in the card and there may be trust issues as to whether a third party device really is just a pure terminal, or is actually a trojan horse.

David Woolley

My point is that the Pinsentry device, and the similar device rolled out by Natwest, are too bulky to carry around, whereas a small token, with a number which changes every 30 seconds or so, like the one HSBC uses in Hong Kong (see link in Chris Blunt's reply) would be much much more convenient, imho.

SantaClaus

HSBC do use them for UK business accounts.

Martin

The brand name for such devices is typically SecurID. Traditionally they are used for logging into secure computer systems, especially remotely.

The problem with using them would be that you could use the account without actually having the card.

As far as I know, the chip and pin chip also changes the code, but every access, rather than every few seconds. I suspect, if you did enough id requests without submitting them to your bank, the allowable window might be exceeded and the authentication refused.

With the pinsentry, I don't think it contains anything secret, so the only risk you would really have is that someone might tamper with it, to e.g. allow it to be controlled by radio.

In principle, I think, you could have a pinsentry kept with every computer that you used. The banks might not be happy giving more than one away free, though, although they are probably very cheap.

Also note that the pinsentry has various data signing functions, and, for example, my bank doesn't use the pure identify function, but rather uses the signing functions to verify high risk operations. That requires that you enter some transaction details into the device, so it needs to be large enough to have a keyboard. It also needs to work for as many people as possible, including the elderly, so it cannot have very small keys or a very small display.

David Woolley

It looks like Lloyds experimented with these in 2005, but presumably rejected them. At least one problem is that the codes can be re-used within a short time period.

David Woolley

Except that you need a separate token for each bank. Whereas, with pinsentry etc you only need the card and any pinsentry device will do. Once they become ubiquitous you won't need to carry it with you.

My partner and I each have one via Barclays, which means that either of us can access our accounts at either house. I've not had a Natwest one yet (although my account is a one account which might make a difference, the card works in the pinsentry) but once I get that I'll leave that one at work.

I believe, but haven't tested, that if you write down the codes from the device and use them in order then you don't need either the card or the pinsentry. So a short term solution would be to record a few of the numbers on your mobile. If you lose the mobile you can disable the lost codes by using the pinsentry to logon - all the older codes will then be invalid. But beware if you accidentally use the numbers out of order - I suspect this will automatically flag your account as being attacked and might mean you can't do anything until you've contacted the bank again to unlock it.

Tim.

Tim Woodall
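
The counter behaviour discussed in the posts above (codes used in order, older codes dying once a newer one is accepted, a limited look-ahead window), as an added example that is not part of any post and not any bank's code. It uses standard HOTP (RFC 4226) as a stand-in for the card protocol; the `Verifier` class, the window of 5, the lockout threshold and the key are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side (hypothetical): tracks the next expected counter for one token."""
    def __init__(self, key: bytes, window: int = 5, max_failures: int = 3):
        self.key = key
        self.window = window              # how far ahead of the counter to search
        self.max_failures = max_failures  # consecutive misses before lockout
        self.counter = 0
        self.failures = 0
        self.locked = False

    def verify(self, code: str) -> str:
        if self.locked:
            return "locked"
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1  # this code and every earlier one are now dead
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "rejected"

def demo() -> list:
    key = b"constructed-demo-key"              # constructed sample secret
    codes = [hotp(key, c) for c in range(10)]  # codes the device would show, in order
    v = Verifier(key)
    return [
        v.verify(codes[0]),  # first code, used in order
        v.verify(codes[3]),  # codes 1 and 2 skipped, still inside the window
        v.verify(codes[1]),  # written-down older code, invalidated by the step above
        v.verify(codes[9]),  # device advanced too far: outside the window 4..8
        v.verify(codes[4]),  # the next expected code still works
    ]
```
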

I contacted Lloyds about this: they said they tested it, but decided not to go along because of negative customer feedback. I find it shocking that customers prefer the supposed "convenience" of not using a token to the extra security it brings...

SantaClaus

Well, my Nationwide gadget only works with Nationwide cards, so at the least they can be programmed not to work with cards from other financial institutions. Furthermore, it is another opportunity for the bank or building society to display its logo. (My Nationwide card reader was delivered with a nearly flat battery, it will certainly make the devices popular if you have to go out and buy a new battery before you can make any financial transactions.)

s_pickle2001

Possibly because the customers are judging them on the banks' previous record of using new "security" facilities as an exercise in transferring liability away from themselves and onto customers and retailers.

Mark

Mark Goodge

SantaClaus wrote in uk.finance

Why would you need to carry the Pinsentry device around with you? Just put it in a drawer close to your computer.

If you need to carry it because you're on the move and using a laptop, it's small enough that it can fit into a laptop case (in which case you probably already have some kind of rucksack or briefcase for carrying the laptop and 'other stuff' in, anyway).

David M

Are you sure that the other cards were pinsentry compatible? As I understand it, the pinsentry validation is independent of the main chip and pin validation. Nationwide's instructions say that you can use their cards with other banks' pinsentry devices.

Nationwide issued new cards early in order to get the code onto the cards.

David Woolley

Royal Bank of Scotland, Natwest and Nationwide have the same Pinsentry thing as Barclays.

Jonathan Bryce

That won't work because it is a challenge response system. You are given a number to type into the device, and it gives you a number to type into the website.

Jonathan Bryce

It works with Natwest cards. Lloyds and HSBC cards are not pinsentry compatible, so that's why it doesn't work with them.

Jonathan Bryce

Not for Barclays it doesn't. You just put your pin in and it gives you an 8 digit number.

Tim.

Tim Woodall

I have the tokens from Lloyds TSB and HSBC. They work fine. I don't carry them around with me because I work from home although I have taken the Lloyds TSB token with me when I went abroad.

PeterSaxton
