OT on line banking

Each webpage that needs you to use the reader gives you a one-time code; it's not something they send in an envelope or anything.

Reply to
Andy Burns

Yes, but do you need a working card reader to enter the code so you can order a card reader? ;-)

Reply to
David in Normandy

Because if you were using it in response to a page on the bank's website it would give you a number and tell you to type it into the reader.

Yours sounds like our Smile ones.

You type in the number given on the webpage into the reader. It gives you another number which you then type in on the webpage for the transaction to continue.

Reply to
chris French

Nope! Because they aren't a security issue in themselves, as they're all alike. My wife lost hers and borrowed mine...

Reply to
Bob Eager

If you have to actually use it, you get on-screen instructions on the computer.

It's a generic device, and uses very generic terminology.

Reply to
Bob Eager

Oooh. They sent me one of those to my US address a couple of years ago. I've never had to use it, and don't really know what purpose it serves either (there was some vague guff about using it for online transactions - as I've never been asked for it, I assumed that they'd quietly ditched any need for it).

I'd forgotten about it, but found it in a drawer just last week - and promptly stole the batteries out of it for more useful things :-)

cheers

Jules

Reply to
Jules Richardson

Quite simply:

If you use online banking, then most of the routine stuff (bill payments etc.) does not require this device.

Only when you try to transfer cash to less-trusted accounts will this kick in. By less-trusted, I mean accounts not pre-defined by the bank like utilities, credit cards etc.

So if you want to transfer cash to your sister-in-law using the sort-code and account number, then you need to use additional security.

This card reader provides the additional security the bank requires.

When you attempt to perform these certain tasks using the bank's website, like setting up a payment to your cousin, it may tell you you need the card reader. You will be instructed to insert your card in the reader, and enter your PIN. You will then be instructed to enter a number on the keypad. The reader will then generate a response, and you will be required to type that response back into the web page.

If you never do any 'fancy' transactions like this, you may never need the thing.

Reply to
Ron Lowe

Not with Barclays. I can't get to my online banking without it whatsoever.

Reply to
The Natural Philosopher

You CAN get a "view only" session without the card reader if you set a separate password ...

Reply to
Andy Burns

There are several different schemes, but fewer than there are different banks. Barclays and Nationwide use the same scheme, so although their readers look different and they're used for different things, they are interchangeable.

Having used various of the banks' online schemes, I would say Barclays is by far the best I've come across, but they were also one of the earliest.

Golden rules for online banking - never over WiFi, never from Microsoft Windows, and never from a browser instance that's ever used for anything else or remembers anything about the session afterwards.

Reply to
Andrew Gabriel

They usually support three modes of operation:

Identify: which simply validates the PIN entered against the card and produces a token,

Sign: which requires account number and a transaction value to be entered, and then generates a token, and

Respond: which accepts a code challenge and produces a response token.

Note that not all banks use these devices in the same way though. Barclays for example use Identify to log in[1], and Sign to set up a new payee (you can pay existing payees without it). I don't think they use Respond at all. NatWest however only use Respond IIUC.

[1] you can revert to login via secret code etc. as before - but then can't set up new payees in that session.

Reply to
John Rumm
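
The three reader modes listed in the post above, and the challenge/response steps described earlier in the thread, modelled as an added example that is not code from any poster or bank. It assumes HMAC-SHA256 under a per-card secret as a stand-in for whatever the chip card really computes; the `Reader` and `Bank` classes, the key, the PIN and the account numbers are all hypothetical.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 under a per-card secret stands in for the code the
# chip card computes; the key, PIN and account numbers are constructed samples.
CARD_KEY = b"constructed-demo-card-key"
CARD_PIN = "4921"

def _token(mode, counter, *fields):
    """8-digit code bound to the mode, the card's counter and the typed fields."""
    msg = "|".join([mode, str(counter), *fields]).encode()
    digest = hmac.new(CARD_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Reader:
    """Hypothetical model of the handheld reader with the card inserted."""
    def __init__(self):
        self.counter = 0

    def _unlock(self, pin):
        # The PIN is checked against the card; every use advances the counter.
        if not hmac.compare_digest(pin, CARD_PIN):
            raise PermissionError("wrong PIN")
        self.counter += 1
        return self.counter

    def identify(self, pin):
        return _token("identify", self._unlock(pin))

    def sign(self, pin, account, amount):
        return _token("sign", self._unlock(pin), account, amount)

    def respond(self, pin, challenge):
        return _token("respond", self._unlock(pin), challenge)

class Bank:
    """Hypothetical verifier: recomputes the code and rejects reused counters."""
    def __init__(self):
        self.last_counter = 0

    def verify(self, token, mode, *fields, window=3):
        start = self.last_counter + 1
        for counter in range(start, start + window):
            if hmac.compare_digest(token, _token(mode, counter, *fields)):
                self.last_counter = counter  # older codes can no longer match
                return True
        return False
```

Because the Sign code covers the account number and amount, a code produced for one payee does not verify for another, and a code that has been accepted once does not verify a second time.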

Quelle surprise. RatWest is Royal Bank of Stupid.

Reply to
Steve Firth

And does the OP bank with Barclays?

Hint: No.

Reply to
Steve Firth

and just 2 hours later, here's the reason why...

[link]

Reply to
Andrew Gabriel

"Best" as in security or "best" as in ease of use? Personally I detest the Barclays online website, it relies far too much on client side scripting which on my machine and preferred OS is slow. Entry boxes appear then move about the screen, when in one tabbing doesn't take you to the next one but to somewhere else on the page (a common fault mind), sometimes after the page is rendered the action buttons are not visible 'cause the containers have fixed sizes that assume a given font size, if the font is larger... Combine those with the requirement to have that horrible huge calculator thing and your cash card to gain access and it becomes a PITA. I also wonder about wear patterns on the keypad eventually giving away the 4 digits of my PIN.

Much prefer the HSBC Business small, single button, dongle.

quite possibly responding to phishing emails (the article only mentions malware). Of course if Windows was better at security and didn't wander off to the 'net downloading all manner of crap at the drop of the hat it would be better.

Reply to
Dave Liquorice

HSBC now require you to authorise third party payment setup over the phone before you can use them. Santander have a mobile phone text messaging system and require you to register your phone to authorise some payments.

I suspect the cases of hacking or people just getting it wrong are increasing.

Reply to
dennis

So which is better.. a system that you run third party security on with constantly updated malware detection..

or

a system where nobody runs malware detection because there isn't any malware detection software and where the users think they and the system are invulnerable even though there have been multiple security holes in that system, some for years at a time.

Take Linux for instance.. there has been a bug in the 64-bit kernel for the last two years, it allows user code to get root access. Over the last two years there have been multiple instances of bugs that let unapproved user code run in the browsers, flash, etc.

Now apparently the kernel bug is safe because it is only local and can't be invoked by sending network packets. All the others are safe because they only let user code run with no root access.

I have yet to find a Linux user that understands what happens when you combine the two. They prefer to believe that nothing could have happened in the last two years and they have patched their systems so anything that could have happened has been stopped. Like root kits?!!! I wonder how you check a Linux install for *unknown* stuff that could have been installed without the user knowing? AFAIK there aren't any security companies doing scanners for Linux (as they don't need one, Linux is invulnerable!).

If I were so paranoid as to not run Windows because of security issues I would have to wipe Linux and reinstall it to be sure those bugs had not left anything unwanted; like most people, I don't know enough to manually check all the permissions, file contents, etc. on an OS.

Reply to
dennis

Blame the user as usual. On the other hand I have no "malware/virus detection" on this machine and am unlikely ever to need it.

Reply to
Tim Streater

You aren't as safe as you appear to think.

[link]
just one of many holes you might have or have had on your OSX which allows arbitrary code to be run from web sites.

Reply to
dennis

Tesco bank only use Respond, and only when making a payment out of the account (or maybe just setting up the mandate, I don't remember). Everything else is by normal passwords, etc.

MBQ

Reply to
Man at B&Q
