Rant: Banks that only let you see the last few transactions online

Did you set it up before the card reader was in use? (may be a silly question) ;-)

To get into my account without - and I still can do - I need the name, membership number, password number and another password (memorable name or whatever). I can set the browser to remember the first two, so only have to enter the last two manually.

This worked perfectly well for years. Only when I came to try and set up an additional payee did I need the pin sentry device.

Reply to
Dave Plowman (News)

So, as I said, rules vary between accounts. It's a shame we can't live without banks, really.

IME, they're all as bad as each other, just in different ways.

Reply to
John Williamson

I can and do. Username, 10-digit account number (Not the one on the card), (Or full account number and sort code, or the full 16 digit card number) then a 5 digit PIN, and two letters (Selected from drop down lists, not typed in) from a "word" of any length that you have given them. This could be a random sequence of letters, and doesn't have to be a dictionary word. In my case, none of these are written down anywhere, except the username and card details.

As has been noticed, not all Barclays accounts use the same access methods.

The problem (As I see it) with the PIN sentry type devices is that if a miscreant has the card and the PIN, they can easily log in as you, as all the card readers issued by each bank use the same algorithm to generate the secure login code, and they're not all that hard to get hold of. Security level's about the same as using an ATM.

Reply to
John Williamson

Those are problems with the users, not the system.

MBQ

Reply to
Man at B&Q

OK - with you now - thanks.

True. Perhaps banks should be issuing a separate card to use only with the reader, with its own PIN. At least some Swiss banks do that.

Reply to
Tim Streater

I prefer the Nationwide system to the Santander one. That requires me to give a mobile number so they can send a code by txt to authorise the transaction. Why should I give them a mobile number, a major nuisance if I'm abroad etc. I can pay existing payees without the mobile nonsense, but I can't change the amount on standing orders, so that's another account that will not be used for anything soon.

And while we are on banking rants? Nationwide don't think my account is a main account because I don't pay in 750 quid every month, the fact that I have an irregular self-employed income that amounts to considerably more than that over the course of a year doesn't count apparently.

Reply to
djc

This is what worries me. My password number and memorable word are only known to me (excepting the bank site, of course). And are rather more involved than a pin to 'break'.

Reply to
Dave Plowman (News)

Except that you send them over the wire each time, albeit using a secure protocol. A card reader provides a one-time password.

At least this is the concept. I don't know enough about it to know whether one is more secure than the other.

Reply to
Tim Streater

In message , "Dave Plowman (News)" writes

Yes. Both accounts were in existence before Barclays introduced their PIN Sentry. I was the only one who was sent one. My wife is PIN Sentry-less.

Indeed. The PIN Sentry does away with the memorable word.

To be honest, I don't think I've actually tried to log into my account without the PIN Sentry (not since I've had it).

Yes, I need to use the PIN Sentry 'sign' function to do certain transactions. However, I recently did a transfer out of one of my wife's savings accounts into our joint current account, and no PIN Sentry was asked for (which was just as well!).

Reply to
Ian Jackson

As you log in using the https protocol, which uses a one-time encryption key, the rest is more or less icing on the cake. On the Barclays site, keyloggers won't help much either, as you click on a letter to select it, and their preferred (Windows only) security program offers an on-screen virtual keyboard which presumably bypasses the Windows character handling, too.

Just make sure that the padlock hasp in the browser is closed. The only time I would worry about Barclays bank account security would be if I were to use a public computer or an unsecured network such as Fon or one of the free wi-fi services, which go through someone else's router.

Having said that, someone did apparently manage to clone my debit card details recently and tried to draw some cash (in Barbados of all places). Just after I'd set up new Amazon and Paypal accounts using that card. Coincidence, according to them.....

Reply to
John Williamson

Most banks forbid 0000, 1234, and the four corners as PINs. And those that don't, should.

Reply to
John Williamson

Do you have a reference to that?

Obviously, everyone using the same model of Xiring reader will be the same. Is anyone not using a Xiring reader? And if not, are they really functionally identical?

Reply to
Huge

As the bank use what I have been told is a normal home unit in branch to verify my PIN when I talk to the personal bankers, I would think they are, though I've not seen documented proof, no. If they're not, though, think of the Fun when Mrs. Bank Customer borrows Mr. Bank Customer's reader by mistake...

I would expect HSBC to use a different system to Barclays, and to NatWest, though.

Reply to
John Williamson

May do, but that could be hacked too.

Reply to
Dave Plowman (News)

Quite right too. I don't want to have to carry around a separate access device for every smartcard I have.

The sole purpose of PIN sentry card access devices is to facilitate two factor authentication i.e. prove your authenticity through something you have (the card) and something you know (the PIN). The device is merely the mechanism by which these two aspects can be proven; possession of the device does not factor into it.

Any cryptography that relies on keeping the algorithm secret isn't really worthy of the name. It is the keys that must be protected.

Mathew

Reply to
Mathew Newton
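Added example, not part of the thread and not any bank's actual scheme: a toy model of the design described in the post above, where the secret key and the PIN check live on the card and the reader holds nothing. An HMAC over a counter stands in for the real card cryptogram, and `Card`, `reader_identify` and `Bank` are hypothetical names with constructed keys and PINs.

```python
import hashlib
import hmac
import struct

def _code(key: bytes, counter: int) -> str:
    # Stand-in for the card cryptogram: HMAC over a counter, cut to 8 digits.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Card:
    """Toy smartcard: the secret key, PIN check and counter all live here."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self._counter, self._tries_left = 0, 3

    def respond(self, pin: str):
        if self._tries_left == 0:
            return None                      # card has blocked itself
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = 3
        self._counter += 1
        return _code(self._key, self._counter)

def reader_identify(card: Card, pin: str):
    """Any reader unit: holds no key, only passes the PIN in and shows the code."""
    return card.respond(pin)

class Bank:
    """Verifier: knows each card's key and the last counter it accepted."""
    def __init__(self):
        self._cards = {}

    def enrol(self, account: str, key: bytes):
        self._cards[account] = [key, 0]

    def verify(self, account: str, code, window: int = 5) -> bool:
        key, last = self._cards[account]
        if code is None:
            return False
        for counter in range(last + 1, last + 1 + window):
            if hmac.compare_digest(_code(key, counter), code):
                self._cards[account][1] = counter   # burn this and older codes
                return True
        return False
```

Because `reader_identify` holds no key, swapping reader units changes nothing; what has to be protected is the card's key and the PIN.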

Well indeed. And if you go into Barclays and ask something that requires them to verify you, they give you *their* PinSentry and get you to enter the PIN. That way they can check you have the card and know the PIN, without themselves needing to be told your PIN.

Reply to
Tim Streater

OK, ta. I suspect that if Bank A's readers work with Bank B, it's coincidence. AFAIK, there is no requirement for compatibility between the banks.

They do. They don't use readers at all.

Reply to
Huge

For some values of "hacked", anyway.

Reply to
Huge

I have used a BNP Paribas (Belgium) card reader successfully to read my Nationwide card and login to Nationwide. It also works the other way around for *some* but not all transactions. The BNP Paribas card reader simply has more options than the Nationwide one, I don't think there are any different security algorithms in it.

Reply to
tinnews

I have several bank/building soc accounts and Barclays is the only one that uses a card reader. By hassle I mean that to log-on I have to find the reader, get the card out my wallet, press the 'identify' key, type the pin into it, press enter, read the 8-digit key and retype into the bank's 2nd login page. All in addition to having filled out the 1st page with 2 fields of info. I have to use it again to validate new payments even for low amounts, and have to do it all over again when the 10 minute timeout catches me out. It realistically limits me to accessing my account from home where I keep the reader, and it's another thing to remember to pack when travelling.

However, last night I read on their new site they have a mobile app that can somehow be used in lieu of the pin sentry, I'm not sure for what though, I have to look at it again. In addition they allow read-only access without pin sentry but I think you have to register for that first. Plus another mobile app called 'pingit' that allows you to send money to someone else. I tried it and it said 'sorry that person doesn't have a barclays account' duh!!

I feel the pin sentry security is OTT, and now a bit worried from what's been said here that it might actually be less secure if my card is lost/stolen.

Phil

Reply to
Phil Addison
