Online Banking - Are card readers legal?

In message , R. Mark Clayton writes

How does a disabled person with speech problems have equivalent access to service then under the terms of the Disability Discrimination Act? The speech problems mean you can't use the phone, yet the able bodied have 24-hour access via the phone and internet. Your only alternative would seem to be to drive to a branch, which is hardly 24-hour access.

Reply to
Craig Cockburn

In message , Colonel Colt writes

In the absence of having, or wanting to use a card reader then you just call the contact centre and they do it for you instead.

Clearly in the mad paranoia of internet security RBS/Natwest hasn't considered the following analogy:

  1. Customer wishes to transact business online, needs customer ID (public info as it incorporates your date of birth) with 1-4 digit ID as part of it (somewhat private info, but please be aware when using webforms to contact said bank that they ask for this via non-SSL forms). So, the customer ID is effectively public.
  2. Next, to do business online you need a secure internet password and a 4 digit security code. You are asked for 3 characters in a random order from each to log in. Chances of getting this correct: (26+10+26)^3 * 10^3 = 1 in 238,328,000. The secure password has to contain digits as well as letters in mixed case. Plus all of this is encrypted via RC4 128 bit SSL security. Chances are probably less than this as not all customer numbers will be valid. In addition, your IP is tracked.

Pretty secure really. This is before you even get into the obsessive paranoia of needing the card reader, which I have so far refused to use; they actually had to issue me with a special card to use the card reader as previously I didn't have any cards on the account (it is a business account with no need for a cheque guarantee card).

Compare this to the telephone alternative:

  1. Enter customer number (not secure, it's just over a phone line - if you are calling from a business then the call may be recorded together with the tones entered)

  2. Only have to enter two characters from the online PIN.

No password required.

Chances of getting right by guesswork approx 1 in 100.

Then of course you have to speak to an operator to set anything up and have to confirm your name (and presumably your voice has to match the account holder's gender). However, then you need to recite 2 characters from your online password which of course is spoken in plain text and anyone within earshot can hear, not really very secure.

So if you know your colleague's name, and probably also their date of birth given the last major birthday card they got (or their social network profile), you have about a 1 in 10000 chance of getting their customer number right, a 1 in 100 chance of guessing the 2 numbers of their PIN and a 1 in 36^2 chance of getting their online password right for telephone banking (doesn't look like case is significant when using the phone).

Approx odds 1 in 10,000*100*36*36 = 1269 billion, about 5 times more secure than the internet.

However if you eliminate the stuff which is sent plain text over the web (customer ID for queries) and stuff that can be recorded if your conversation is taped or someone steals your phone together with the call history then well it suddenly becomes very obvious that the phone is by far the most insecure way of accessing your account.

So if that is the case, why the constant emphasis on Internet security and not phone security?

Personally I would prefer a system that sent me an email notification to confirm changes on my account (i.e. like GoDaddy), or a bank that was actually 21st century enough to have a secure messaging facility (RBS don't), or an online banking system that actually had decent functionality (such as the financial planner which was withdrawn), or indeed being able to order a cheque book in the requisite language correctly (RBS/Natwest issue cheque books in English, Scottish Gaelic and Welsh).

Reply to
Craig Cockburn

Not a few financial institutions don't provide online banking to anyone.

Anyway the DDA doesn't mean that those customers who are able can't have a card reader 'imposed' as a condition of access, although inability to use one might be grounds for an exception.

Reply to
R. Mark Clayton

Windows users give theirs to M$

Reply to
Mike

At 22:09:42 on 08/01/2008, Craig Cockburn delighted uk.legal by announcing:

It's much harder to install a trojan on a phone line. It's much easier to tell if anyone's in earshot (as opposed to running Ethereal, for instance). It's much harder to siphon through the history and cache on a phone. Etc.

However, irrespective of any of the above - and irrespective of how secure either method actually is - the public perception is that the Internet is not secure.

Reply to
Alex

If it's like the SecureId cards we used to have at BT (well, I didn't but others did) then it just has a clock that keeps it synchronised with the rest of the world and generates a key (as in a string of characters) using the current time as a seed. The computer you're connecting to does the same thing, you enter the key and the login process checks that both are the same. The key is regenerated every minute (or less).

Reply to
tinnews

LOLZ!!!!111 IC WAT U DID THER!!!111

Reply to
Aidy

Yes, if those things can connect to your online banking service.

It will run on anything that is capable of doing online banking, including a telephone, because its only function is to generate and display an authorising code for the bank to check. It is a completely self-contained device that does not need to be connected to any other equipment.

Reply to
Cynic

So it doesn't actually run on anything ?

Reply to
Stuart B

Stuart B wrote:
|| On Wed, 09 Jan 2008 10:23:21 +0000, Cynic wrote:
||
||| On Tue, 08 Jan 2008 19:49:06 +0000, Jonathan Bryce wrote:
|||
|||||| More to the point, does it run under linux, MacOS, Freebsd......
|||||
||||| Who cares? The type of people that use those are the type that
||||| keep their money in their mattress.
||||
|||| I'm posting this message using linux, and I can assure you, I
|||| don't keep my money under the mattress.
||||
|||| Would it run under my Windows Mobile powered phone? Or a
|||| Blackberry or iPhone?
|||
||| Yes, if those things can connect to your online banking service.
|||
||| It will run on anything that is capable of doing online banking,
||| including a telephone, because its only function is to generate and
||| display an authorising code for the bank to check. It is a
||| completely self-contained device that does not need to be connected
||| to any other equipment.
||
|| So it doesn't actually run on anything ?

Yes, batteries.

Reply to
Rob

I was wondering how it works. I assumed that it would generate a number based on info held on the 'chip'.

If I take the batteries out of the handheld device for an hour or so, does this mean that it will permanently cease to work?

Reply to
Tommo

Incorrect. It runs on any device that can be used to do online banking (including devices not yet invented), because it uses a self-programming and extremely versatile hardware interface to translate data from its optical output port into whatever form the communications device requires it to be input.

Reply to
Cynic

I have not seen such a device, but assume that it requires to be initialised with the correct time and date to within a certain level of accuracy. It is quite possible that a normal battery change will not affect the real-time clock.

Reply to
Cynic

This device could be doing something else.

AFAICT, two "runs" always give different results.

One possibility is that it's using a clock down to the second (I've not tried to see how long the number stays valid)

Another is that it's using a more coarse-grained real time clock (minute/whatever) together with a salt value, or even that it's using no clock at all.

(I'd suspect that it is using a clock but I can't easily tell what resolution)

Just a warning - if people start testing this by waiting before using the code, it's possible that the "online" system will start detecting clock skew. So if you test the first result after 30 secs, the second result after 60, the third after 90 etc you could find that you'll have trouble getting it back to working as soon as the number is displayed. At the very least I'd recommend using a result without any delay between each delayed test to try and avoid the system adapting to your testing.

Tim.

Reply to
google
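The time-synchronised token tinnews describes earlier in the thread, and the clock-skew worry in Tim's post above, correspond to the open TOTP standard (RFC 6238), which is HOTP (RFC 4226) with the counter replaced by the number of 30-second steps since the Unix epoch. The code below is an added example written for this page; it is not code from any poster, bank or token vendor, and RSA SecurID uses its own proprietary algorithm, so this is an analogue of that design, not a reimplementation. The secret (the RFC 6238 test key), the 30-second step, the 8-digit length and the one-step skew window are assumptions. It shows why a token code is only valid for a short window, why replaying it fails, and how a server can tolerate a slowly drifting token by accepting adjacent steps and remembering the offset it observed, which is the adaptation Tim warns about.

```python
import hmac
import hashlib
import struct

# RFC 4226 HOTP core: HMAC(secret, counter), then "dynamic truncation" to N digits.
def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is floor(unix_time / step), so the code changes every step.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    return hotp(secret, unix_time // step, digits)

class TotpVerifier:
    """Server side. Accepts the current step and +/- `window` neighbours, records the
    highest step already consumed (so a captured code cannot be replayed), and
    remembers the apparent offset so a token that drifts slowly keeps working."""
    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 8):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_step = -1   # highest step for which a code has been accepted
        self.drift = 0        # steps the token appears to run ahead (+) or behind (-)

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step + self.drift
        for delta in range(-self.window, self.window + 1):
            candidate = base + delta
            if candidate <= self.last_step:
                continue  # already used, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_step = candidate
                self.drift += delta  # adapt to the observed skew
                return True
        return False

SECRET = b"12345678901234567890"  # RFC 6238 test secret; an assumption for the demo

def demo(now: int = 1_111_111_111):
    """Constructed scenario: a token whose clock is 20 s slow at time `now`."""
    v = TotpVerifier(SECRET)
    slow_token_code = totp(SECRET, now - 20)
    accepted = v.verify(slow_token_code, now)        # one step behind: inside the window
    replayed = v.verify(slow_token_code, now + 5)    # same code again: rejected
    return accepted, replayed, v.drift               # (True, False, -1)

if __name__ == "__main__":
    print(demo())
```

The server never trusts the token's clock directly; it trusts its own clock plus a bounded, learned offset. Widening `window` makes drift less of a problem but gives a guesser more valid codes per attempt, which is the trade-off behind the short validity the thread observes.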

Interesting, I have a Barclays account and because I have had no need to set up a payment to a new destination I have not been sent a device as yet. What I didn't realise was that once your account has been flagged as having a device, it was needed for logon.

Reply to
Steve Pearce

AFAIUI it is standard on many corporate networks... and it is just a memory with a rolling code. So it will need to be 'synchronised'. It seems so simple I wish I'd thought of it and made a patent...

See, e.g.

formatting link
-> RSA secure ID. They look much smaller than the ones I've seen from banks. And they must have a certain cost attached (I wonder what banks would do if people kept losing them..?)

Reply to
whitely525

I've just found this:

formatting link
Stephen POLAND

One further comment, the pinsentry is not date or time sensitive, so you can print out in advance several codes and carry this with you to allow flexible mobile banking and leave the pinsentry at home. Barclays encourage customers to reduce their level of security !

So it is probably something along the lines of:

generate random number R

Hash R to get H

Display R:H (or H:R)

It's also possible that R(n) is some function of R(n-1) so only R is required (and the card remembers the last R) This is then hashed and just the hash displayed. The bank then iterates through the next N numbers to see if it can find one that works.

This second one is probably more likely as there are only 8 digits so either there is going to be a small range of values or the probability of guessing a valid code is going to have a significant risk.

Tim.

Reply to
google

Have a look here:

formatting link
A couple of points about it are:

- it won't work with certain cards, including older chip and pin ones;

- any machine can be used for any customer (I could use yours; and you mine etc)

- it never connects to the computer

Perhaps unsurprisingly, Barclays don't say how it works.

Reply to
Tommo

In message , " snipped-for-privacy@woodall.me.uk" writes

I guess it's only a matter of time before someone figures out the algorithm and allows you to generate codes online, thus saving me from carting the unnecessary card and reader around with me.

Reply to
Craig Cockburn

OK I just tried it with NatWest (NWOLB) which is what the OP was asking about.

You enable the card-reader thingie by inserting your service card and entering your PIN. On the NatWest website, when you're in one of the very few actions that needs card-reader verification (e.g. adding a new payee), it displays a numeric code which you type into the keypad, then press a key to verify. This generates a numeric code on the card-reader display that you type into the website form.

No time synchronisation involved at all, so no problem changing the battery or clock-drift etc.

Reply to
LSR
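LSR's description is a challenge-response ("respond") mode, and Tim's earlier post guessed at a counter-based ("identify") mode in which the bank searches ahead through a window of counter values. The code below is an added example, not NatWest's, Barclays' or the real EMV CAP algorithm: it is a simplified model in which the card holds a secret key shared with the issuing bank plus a transaction counter that increments on every use, and the reader displays a truncated MAC. The key, the counter window the bank is willing to search, the SHA-256 HMAC and the 8-digit truncation are all assumptions. It shows why no clock is involved (so LSR's point about battery changes holds), why a response captured for one challenge is useless for another, why a code cannot be replayed, and how the bank copes with codes generated ahead of time, which is Tim's "print out several codes in advance" observation.

```python
import hmac
import hashlib

DIGITS = 8

def _to_code(mac: bytes) -> str:
    # Assumed truncation: first 4 bytes of the MAC as an integer, reduced mod 10^8.
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)

class Card:
    """The chip: a secret only the card and issuer know, and a transaction counter
    that increments on every use. No clock, so nothing to drift or resynchronise."""
    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0  # application transaction counter (2 bytes in this model)

    def _mac(self, challenge: str) -> str:
        self.atc += 1
        msg = self.atc.to_bytes(2, "big") + challenge.encode()
        return _to_code(hmac.new(self._key, msg, hashlib.sha256).digest())

    def identify(self) -> str:                 # Barclays-style: PIN only, no challenge
        return self._mac("")

    def respond(self, challenge: str) -> str:  # NatWest-style: bank supplies a number
        return self._mac(challenge)

class Issuer:
    """The bank: same key, remembers the highest counter it has accepted per card and
    searches a window ahead of it, since the customer may have used the reader
    (or printed codes) without the bank seeing every counter value."""
    def __init__(self, key: bytes, window: int = 10):
        self._key, self.window = key, window
        self.last_atc = 0

    def verify(self, code: str, challenge: str = "") -> bool:
        for atc in range(self.last_atc + 1, self.last_atc + 1 + self.window):
            msg = atc.to_bytes(2, "big") + challenge.encode()
            expected = _to_code(hmac.new(self._key, msg, hashlib.sha256).digest())
            if hmac.compare_digest(expected, code):
                self.last_atc = atc  # this and every lower counter value are now dead
                return True
        return False

KEY = b"constructed per-card key for this example"  # assumption

def demo():
    """Constructed walk-through of both modes against one card and one issuer."""
    card, bank = Card(KEY), Issuer(KEY)
    # Respond mode: bank displays a challenge, customer keys it in, keys the answer back.
    challenge = "24680135"
    answer = card.respond(challenge)
    accepted = bank.verify(answer, challenge)
    replayed = bank.verify(answer, challenge)                   # counter has moved on
    wrong_challenge = bank.verify(card.respond(challenge), "11111111")  # answer to other challenge
    # Identify mode: three codes generated up front, then presented out of order.
    pre = [card.identify() for _ in range(3)]
    skipped_ahead = bank.verify(pre[2])   # bank finds it by searching ahead in its window
    older = bank.verify(pre[0])           # an earlier code is now dead
    return accepted, replayed, wrong_challenge, skipped_ahead, older

if __name__ == "__main__":
    print(demo())  # (True, False, False, True, False)
```

Two design points the thread circles around fall out of this model. First, any reader works with any card (Tommo's observation) because the secret lives on the card, not in the reader; the reader is just a keypad, a display and a chip interface. Second, the 8-digit code is a truncated MAC, so a guess has roughly a 1 in 10^8 chance per counter value the bank is willing to accept; a wide search window or pre-printed codes enlarge that target, which is the security reduction Tim points to.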
