[OT] Major WTF?!? (NatWest card reader)

Bryan wrote:
>
> My bank recently (ish) sent me a little magic keyring that generates a
> 6 digit hash value that I now need to type in when I'm doing anything.
> That's a decent idea and solves this problem fairly well.

....until you don't have it on you. Which may not be an issue now, but
when everyone jumps on the token bandwagon, you're going to get sick of
carrying them all around.

--
ogden
sv650 - surprisingly quick for a girl's bike

Bryan wrote:
>
> On 6 Jul, 12:53, ogden <o...@pre.org> wrote:
> > Krusty wrote:
> >
> > > NatWest are sending out card readers to all online banking users - I
> > > got mine today. According to the blurb, certain online activities
> > > required you to insert your cash card in the reader. Fair enough.
> >
> > Does rather hamper the convenience of Internet banking if you have to
> > have a bit of hardware with you any time you want to do something useful
> > with it though.
> >
> > I think LTSB are looking at introducing something similar. Yet another
> > token to add to the collection of RSA fobs and mobile phones begging to
> > be lugged around.
>
> I've got one as I was a trial user (joy). It's worked fine and does
> appear to be an RSA[1] fob.

I've already got two to carry, and multiple ID cards. If only I could
provide the seed file and serial number for one of my existing tokens
and use that (there's nothing to stop the same token being imported to
multiple authentication systems, at least with RSA SecurID).

What we need is some kind of centrally managed authentication system
that's backed by the security services, that all third parties can then
accept as an approved form of identity management.

Oh jesus, I think I just came out in favour of a national identity
scheme.

--
ogden
sv650 - surprisingly quick for a girl's bike

Pete Fisher wrote:

> > > Don't get me started about French banks...
> >
> > Heh, one of my banks is very good (Caisse d'Ep) whereas LCL are just
> > clueless and DGAF. COuld be the agencies though, more than the
> > actual banks.
> >
>
> It is strange to have to pay regular charges just to have the
> account, but at least Credit Agricole's 'Britline' call centre seem
> reasonably efficient when I have had to deal with them over a lost
> card etc. Unlike my 'local' branch who CBA to change a travellers
> cheque (so dealt with quite easily at La Poste).

To be fair, with both of my banks, I pay for the "extras"[1] such as
Carte Bleue, internet access, etc. Otherwise, as long as I stay in
credit, I don't pay any other fees.

[1] Not that I agree with it, but at least they're consistent. They all
want to screw the customers over.

--
Cab :^) - I'm dyslex-spic apparently
GSX 1400 - Speedy Zimmerframe.
UKRMMA#10 (KOTL), IbW#015, BoB#4, POTM#3, SKA#1
email addy : ukrm_dot_cab_at_rosbif_dot_org
UKRM Firefox Extension: http://www.rosbif.org/ukrm/ukrm.xpi
The gingeometer: http://www.rosbif.org/ukrm/gingeometer/

In message <1184106088.692662.197900@n2g2000hse.googlegroups. com>, Bryan
<Bryan.Williams@dsl.pipex.com> writes
>On 10 Jul, 16:36, "gomez" <adams_go...@hotmail.com> wrote:
>> "Switters" <m...@privacy.net> wrote in message
>>
>> news:Xns99699D3BD1F46swittersnospam@85.214.50.93.. .
>>
>> > Actually we're catching up with ourselves. As I recall, Barclays had
>> > some
>> > form of two tier authentication when it first rolled out online
>> > banking.
>> > That then withdrew to a scheme of typing in your password. Now nearly
>> > all
>> > banks have gone to selecting characters of your password using your
>> > mouse
>> > to prevent keystroke loggers getting the details.
>>
>> So instead of having to guess all the characters in your password the
>> baddies now only have to guess two .. I have never understood why the
>> banks think this is more secure.
>
>It's more secure in some ways because, as mentioned earlier, a
>keystroke logger is not enough to give you the information. It's just
>a matter of raising the bar a little. The odds against correctly
>guessing two characters from an end-user environment are long because
>you tend to get 3 or so goes before it locks you out.
>

Barclays has a 5 digit code and a password of which you have to select
two characters from a drop down menu

I use the on-screen keyboard for the code, which I presume is keystroke
logger proof

--
geoff

raden wrote:
>
> Barclays has a 5 digit code and a password of which you have to select
> two characters from a drop down menu
>
> I use the on-screen keyboard for the code, which I presume is keystroke
> logger proof

Pretty much yeah. ING take the additional step of randomising the
on-screen keypad used to enter numeric codes on their web site. It's all
a variation on a theme.

The difference between this and a token based authentication is that the
former relies merely on "something you know", whereas a token implies
"something you have" as well. It ain't called two-factor authentication
for nothing.

--
ogden
sv650 - surprisingly quick for a girl's bike

	#51
ogden	Re: Major WTF?!? (NatWest card reader) Bryan wrote: > > My bank recently (ish) sent me a little magic keyring that generates a > 6 digit hash value that I now need to type in when I'm doing anything. > That's a decent idea and solves this problem fairly well. ....until you don't have it on you. Which may not be an issue now, but when everyone jumps on the token bandwagon, you're going to get sick of carrying them all around. -- ogden sv650 - surprisingly quick for a girl's bike

	#53
Cab	Re: [OT] Major WTF?!? (NatWest card reader) Pete Fisher wrote: > > > Don't get me started about French banks... > > > > Heh, one of my banks is very good (Caisse d'Ep) whereas LCL are just > > clueless and DGAF. COuld be the agencies though, more than the > > actual banks. > > > > It is strange to have to pay regular charges just to have the > account, but at least Credit Agricole's 'Britline' call centre seem > reasonably efficient when I have had to deal with them over a lost > card etc. Unlike my 'local' branch who CBA to change a travellers > cheque (so dealt with quite easily at La Poste). To be fair, with both of my banks, I pay for the "extras"[1] such as Carte Bleue, internet access, etc. Otherwise, as long as I stay in credit, I don't pay any other fees. [1] Not that I agree with it, but at least they're consistent. They all want to screw the customers over. -- Cab :^) - I'm dyslex-spic apparently GSX 1400 - Speedy Zimmerframe. UKRMMA#10 (KOTL), IbW#015, BoB#4, POTM#3, SKA#1 email addy : ukrm_dot_cab_at_rosbif_dot_org UKRM Firefox Extension: http://www.rosbif.org/ukrm/ukrm.xpi The gingeometer: http://www.rosbif.org/ukrm/gingeometer/

	#54
raden	Re: Major WTF?!? (NatWest card reader) In message <1184106088.692662.197900@n2g2000hse.googlegroups. com>, Bryan <Bryan.Williams@dsl.pipex.com> writes >On 10 Jul, 16:36, "gomez" <adams_go...@hotmail.com> wrote: >> "Switters" <m...@privacy.net> wrote in message >> >> news:Xns99699D3BD1F46swittersnospam@85.214.50.93.. . >> >> > Actually we're catching up with ourselves. As I recall, Barclays had >> > some >> > form of two tier authentication when it first rolled out online >> > banking. >> > That then withdrew to a scheme of typing in your password. Now nearly >> > all >> > banks have gone to selecting characters of your password using your >> > mouse >> > to prevent keystroke loggers getting the details. >> >> So instead of having to guess all the characters in your password the >> baddies now only have to guess two .. I have never understood why the >> banks think this is more secure. > >It's more secure in some ways because, as mentioned earlier, a >keystroke logger is not enough to give you the information. It's just >a matter of raising the bar a little. The odds against correctly >guessing two characters from an end-user environment are long because >you tend to get 3 or so goes before it locks you out. > Barclays has a 5 digit code and a password of which you have to select two characters from a drop down menu I use the on-screen keyboard for the code, which I presume is keystroke logger proof -- geoff