blogs.conchango.com


Imrans' Blog

Nationwide have introduced Card Reader Security: will other banks follow the trend?

A few days ago I received a brand new Nationwide Debit card. This was to replace my old card which was working fine.


Being a bore, I realised that they must be introducing Card Readers, as this would be the only reason for them reissuing people's cards, and a couple of days ago my assumptions were validated when I received a new Nationwide Card Reader through the post.

As with Barclays and NatWest, the Nationwide Card Reader is in essence the same under the covers, as all these Card Readers follow the same APACS 2FA (2 Factor Authentication) standard; therefore a Barclays Debit Card can be used in a Nationwide Card Reader for Barclays Online Banking. However, whereas the Barclays card reader, labelled PINSentry, is specifically built for Barclays around accessibility (with rubber pads to stop it moving on a desk), the Nationwide Card Reader is a pretty generic device and, in my opinion, not as well built as the Barclays one, but let's be honest, they all do exactly the same thing.

The 2FA devices rely on the user inserting their card into the device, performing one of the 3 security features, and receiving a one-time passcode that they then enter into the corresponding Online Banking site. There are currently 3 security features in the APACS 2FA standard, and every device, regardless of manufacturer, can perform all 3:

Identify - The simplest verification method, using the Bank Card and PIN to provide a one-time passcode to the customer.

Capture and Response - This is slightly more complicated, asking the customer to enter their PIN and then answer a number of questions before receiving a one-time passcode.

Sign - The user enters their PIN, then the account they are paying followed by the amount, and is given a one-time passcode that signs that particular payment transfer.
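To make the difference between the three features concrete, here is a simplified model added as an illustration; it is not the APACS algorithm or any bank's code. HMAC-SHA256 and a use counter stand in for whatever the card's chip actually computes, and the names `Card`, `Bank`, `demo`, `DIGITS` and `WINDOW`, plus all sample values, are constructed for the example.

```python
import hashlib
import hmac

DIGITS = 8  # assumed passcode length for this model

def _otp(card_key, counter, mode, fields):
    """Passcode = truncated MAC over counter, feature name and the data keyed in."""
    msg = "|".join((str(counter), mode) + tuple(fields)).encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Card:
    """Toy card + reader: secret key, PIN check, counter that makes codes single-use."""
    def __init__(self, key, pin):
        self.key, self.pin, self.counter = key, pin, 0
    def generate(self, pin, mode, *fields):
        if pin != self.pin:
            raise PermissionError("wrong PIN")
        self.counter += 1
        return _otp(self.key, self.counter, mode, fields)

class Bank:
    """Bank side: knows the card key and the last counter value it accepted."""
    WINDOW = 3  # tolerate a few codes generated but never submitted
    def __init__(self, key):
        self.key, self.last = key, 0
    def verify(self, code, mode, *fields):
        for c in range(self.last + 1, self.last + 1 + self.WINDOW):
            if hmac.compare_digest(code, _otp(self.key, c, mode, fields)):
                self.last = c  # burn this counter so the code cannot be replayed
                return True
        return False

def demo():
    key = b"constructed-demo-key"  # constructed sample secret
    card, bank = Card(key, "1234"), Bank(key)
    r = {}
    ident = card.generate("1234", "identify")
    r["identify_ok"] = bank.verify(ident, "identify")
    r["identify_replay"] = bank.verify(ident, "identify")
    resp = card.generate("1234", "respond", "40718293")  # challenge shown by the site
    r["respond_wrong_challenge"] = bank.verify(resp, "respond", "99999999")
    r["respond_ok"] = bank.verify(resp, "respond", "40718293")
    sig = card.generate("1234", "sign", "12345678", "250.00")  # payee account, amount
    r["sign_altered_payee"] = bank.verify(sig, "sign", "87654321", "250.00")
    r["sign_ok"] = bank.verify(sig, "sign", "12345678", "250.00")
    return r
```

In this model an Identify code proves only that the card and PIN were present, whereas a Sign code verifies only for the exact payee account and amount that were keyed into the reader.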

How Nationwide are using 2FA

The interesting thing to note is how Nationwide are planning to use the 2FA Card Reader. They are NOT planning to use the device for logging in to the Online Banking site (Barclays currently do this).

Instead they are planning to use the Capture and Response feature to validate a user when the user is doing the following:

  • Viewing a Statement PDF
  • Changing their Memorable Data or Passnumber
  • Changing an individual 3rd Party payment.

They are also using the Sign Feature similar to Barclays to Sign every 3rd Party payment, or when changing details of a regular 3rd party payment, e.g. an external Standing Order.

Only time will tell as to which Card Reader process will prove most favourable, but it is good to see all the Banks jumping on the 2FA bandwagon. I am also aware HSBC is currently performing a closed trial of 2FA Card Reader authentication, so I think it's only a matter of time before HBOS and LloydsTSB follow suit.

What will be interesting is if firstdirect implement 2FA card reader security for their online banking.

Links:

http://www.nationwide.co.uk/security

http://www.barclays.co.uk/pinsentry/

http://www.natwest.co.uk

http://www.halifax.co.uk

http://www.hsbc.co.uk

Published 16 April 2008 14:04 by Imran.Zaffar

Comments

 

Mark.Mann said:

So another leading retail bank is announcing a card reader for its customers!

Let's see if this produces a raft of different devices, one for each bank account under the pretence that if you don't use the "authorised" device, your bank transactions in that session will not be protected.

mark

April 16, 2008 15:32
 

Imran.Zaffar said:

That's the whole point Mark! You don't need a different device!

They ALL follow the APACS standard and are interoperable!!! I could use a Natwest card reader with my Barclays account, and vice versa! This means that if I have Barclays, Natwest and Nationwide accounts I may get sent 3 devices but only ever have to use the one, as they all do the same thing!!!

April 16, 2008 16:57
 

PINsentryFlaw said:

So I wonder if it has the same dumb security flaw as the Barclays PINsentry?

Astonishingly, having gone to so much trouble to implement two factor authentication, someone made a slip-up in the development of the PINsentry that makes it completely ineffective in preventing the m-i-t-m type attacks that it is supposed to be designed to stop.

The flaw is in the design of PINsentry and not any fundamental problem with the APACS standard or anything.  Sad thing is that Barclays will have to recall all the PINsentry devices and issue new ones when the cat gets out of the bag.

April 16, 2008 19:29
 

Mark.Mann said:

But.. even though they all follow the same standard, will I get the cold shoulder when I call up the Natwest helpdesk and state that I got problems when I was trying to use the Barclays or Nationwide device?

I had been desperately trying to avoid getting one of these devices... it's another thing to carry about when on holiday/business trip and need to check my account online (yes... you can guess which one I got!).

April 16, 2008 21:30
 

Imran.Zaffar said:

1. Mr PinSentryFlaw - YOU ARE TALKING RUBBISH!!!

Considering all Barclays card readers are identical to all other APACS readers apart from the casing, the flaw you are talking about would be across all APACS 2FA devices. The Man in the middle attacks you so interestingly talk about would have to do with Barclays online banking, not the card reader, therefore you are incorrect MR PinSentry flaw. And I know for a fact that the Barclays online banking PINSentry is very secure, and their use of Pinsentry has reduced online fraud significantly - thereby keeping money safe!

2. Mark - I agree I think using 2FA to log in is overkill, and I think most Banks will eventually adopt a model whereby you only use 2FA when transferring money. The Barclays model was probably adopted to ensure people get into the habit of using a card reader so they always have one on them at all times. I also think the use of Keyfob cardreaders will become more prevalent, resulting in the user always having the reader on them, with their keys etc...

April 17, 2008 12:45
 
