D&C GLug - Home Page


Re: [LUG] Linux to the rescue part2

 

On Sun, 28 Mar 2010, Simon Waters wrote:

> NatWest have gone with making your end point a card reader they send
> you. So that the secure channel is between the bank and the card reader.

I now have 2 of these. They're only currently used to set up a new payment destination, not to login, although I don't see any problems with using them to login, etc. unless I was out and about and wasn't carrying it. It needs a bank card and PIN to activate - and while they did send me a new card to use with it, it can use any old bank card with a chip & PIN mechanism.

It might be a damn sight easier than the current system they have - which really irritates me - enter your 10-digit customer ID, of which the first 6 digits are your DOB, then a 4-digit random number. Then pick 3 digits of a 4-digit PIN, and 3 characters from a password (which is 16 characters long in my case).

However, to get that information to the bank in the first place, I had to enter all 4 characters of the PIN and all 16 characters of my password - on the same form... After entering my sort-code and account number and DOB - that appeared to be the only thing validating myself to them in the first instance.

It means that if you get someone's sort-code and account number and know their DOB, you can set up online banking for them. Still can't transfer money as you then need the card reader thingy, but might still be able to gain other information for nefarious purposes...

> Probably the "cheapest" solution would be to authenticate all online
> transactions via SMS, so someone has to steal your mobile phone and
> compromise your PC. Although that doesn't work well for banking done
> using your mobile phone's browser if the phone has been owned.

Oddly enough the last time I was in the NatWest bank bus, they asked me for my mobile phone number... However it appears to be for the bus's own use to let me know if they won't be present on their usual day...

Gordon
