blogs.conchango.com


Imrans' Blog

  • Nationwide have introduced Card Reader Security will other banks follow the trend?

    A few days ago I received a brand new Nationwide Debit card. This was to replace my old card which was working fine.

    Being a bore I realised that they must be introducing Card Readers, as this would be the only reason for them reissuing people's cards, and a couple of days ago my assumptions were validated when I received a new Nationwide Card Reader through the post.

    As with Barclays and NatWest, the Nationwide Card Reader is in essence the same under the covers, as all these Card Readers follow the same APACS 2FA (2 Factor Authentication) standard. A Barclays Debit Card can therefore be used in a Nationwide Card Reader for Barclays Online Banking. However, whereas the Barclays card reader, labelled PINSentry, is specifically built for Barclays around Accessibility (with rubber pads to stop it moving on a desk), the Nationwide Card Reader is a pretty generic device and, in my opinion, not as well built as the Barclays one. But let's be honest, they all do exactly the same thing.

    The 2FA devices rely on the user inserting their card into the device and performing one of the 3 security features; the device then generates a one-time passcode, which the user enters into the corresponding Online Banking site. There are currently 3 Security Features in the APACS 2FA standard, and each device, regardless of the manufacturer, can perform all 3 features:

    Identify - The simplest verification method, using the Bank Card and PIN to provide a one-time passcode to the customer.

    Capture and Response - This is slightly more complicated, asking the customer to enter their PIN and then answer a number of questions before receiving a one-time passcode.

    Sign - The user enters their PIN and the account they are paying, followed by the amount, and is given a one-time passcode to sign that particular payment transfer.
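
The three features above, as an added example that is not part of the original post and not the APACS algorithm: a simplified Python model in which HMAC-SHA256 and a per-card counter stand in for the card's real cryptography. It shows why a passcode is only good once and only for the operation it was generated for. All names, the key, the PIN and the account numbers are constructed.

```python
import hmac, hashlib

def derive(key: bytes, counter: int, mode: str, fields) -> str:
    # Constructed model: HMAC-SHA256 stands in for the card's real cryptogram.
    # The mode and every typed-in field are covered by the MAC, so a code is
    # only valid for the exact operation it was generated for.
    msg = "|".join([str(counter), mode, *fields]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Card:
    """Chip card in a reader: key, PIN check and counter never leave the card."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.counter = key, pin, 0

    def passcode(self, pin: str, mode: str, *fields: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        self.counter += 1          # every passcode uses a fresh counter value
        return derive(self._key, self.counter, mode, fields)

class Bank:
    """Bank side: shares the card key and remembers the last counter accepted."""
    def __init__(self, key: bytes, window: int = 5):
        self._key, self._last, self._window = key, 0, window

    def verify(self, code: str, mode: str, *fields: str) -> bool:
        for c in range(self._last + 1, self._last + 1 + self._window):
            if hmac.compare_digest(code, derive(self._key, c, mode, fields)):
                self._last = c     # counters at or below this are now rejected
                return True
        return False

def demo() -> dict:
    key = b"constructed-demo-key"
    card, bank = Card(key, "1234"), Bank(key)
    login = card.passcode("1234", "identify")
    resp = card.passcode("1234", "respond", "48213975")   # bank's challenge
    signed = card.passcode("1234", "sign", "12345678", "250.00")
    return {
        "login_ok": bank.verify(login, "identify"),
        "login_replayed": bank.verify(login, "identify"),
        "login_code_as_payment": bank.verify(login, "sign", "12345678", "250.00"),
        "respond_ok": bank.verify(resp, "respond", "48213975"),
        "payee_changed": bank.verify(signed, "sign", "87654321", "250.00"),
        "payment_ok": bank.verify(signed, "sign", "12345678", "250.00"),
    }

if __name__ == "__main__":
    print(demo())
```

A captured login code fails both as a replay and as a payment authorisation, and a Sign code stops verifying as soon as the payee account is altered.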

    How Nationwide are using 2FA

    The interesting thing to note is how Nationwide are planning to use the 2FA Card Reader. They are NOT planning to use the device for logging in to the Online Banking site (Barclays currently do this).

    Instead they are planning to use the Capture and Response feature to validate a user when the user is doing the following:

    • Viewing a Statement PDF
    • Changing their Memorable Data or Passnumber
    • Changing an individual 3rd Party payment.

    They are also using the Sign Feature similar to Barclays to Sign every 3rd Party payment, or when changing details of a regular 3rd party payment, e.g. an external Standing Order.

    Only time will tell as to which Card Reader process will prove most favourable, but it is good to see all the Banks jumping on the 2FA bandwagon. I am also aware HSBC is currently performing a closed trial of 2FA Card Reader authentication, so I think it's only a matter of time before HBOS and LloydsTSB follow suit.

    What will be interesting is if firstdirect implement 2FA card reader security for their online banking.

    Links:

    http://www.nationwide.co.uk/security

    http://www.barclays.co.uk/pinsentry/

    http://www.natwest.co.uk

    http://www.halifax.co.uk

    http://www.hsbc.co.uk

  • The HD-DVD/Blu-Ray war is over, will Digital Downloads be the real winner?

    As most people know, Blu-Ray won the HD disc war, effectively when Warner Bros. jumped ship from the Toshiba-led HD-DVD format to the Sony-Matsushita-led Blu-Ray format. A few weeks later (Jan 2008) Toshiba bowed out of the battle by releasing a statement effectively ending HD-DVD media and hardware production.

    New Blu-Ray Standard: I cunningly used this snippet of information to convince one of my mates, a former CGO employee, to purchase a Playstation 3. What a lot of people aren't aware of is that Blu-Ray recently updated its format, and older generation Blu-Ray players are not compatible with the new features available in the revised Blu-Ray format (effectively Blu-Ray v2).

    However, the new Blu-Ray players and the PS3 are network updateable (is that even a word?) and are therefore able to cope with the new BR v2 format. This in my opinion makes the PS3 the best Blu-Ray player on the market, as it is future-proof with the software updates and is also pretty good value for money at £300. It also has a pretty good side feature in that it is able to play games! Anyway, this resulted in Sony releasing an updated firmware earlier in the week, which in effect gave all PS3 owners with the latest update BR v2 (aka Blu-Ray-LIVE) support. This new support allows users to do various things, such as download additional content, access Blu-Ray disc-specific websites, etc.

    This is all well and good, but what will Microsoft do about this? The XBox 360 and the PS3 have been competing for the runner-up prize in the next-gen gaming crown for a year or so now (the Wii has beaten both consoles by a square mile to be the most popular next-gen gaming console). Microsoft XBox backed the HD-DVD addon drive to support HD Discs; however, with Blu-Ray winning the HD disc war, Sony have in effect played their trump card! What will Microsoft do next:

    1. Will they licence Blu-Ray technology? Will Sony let them (Sony being a founding partner in Blu-Ray)?

    2. Will they go back Digital Downloads?

    I think the latter. With the Xbox there is one major benefit over every other console, and that is the superb XBox Live! I look in awe at some of my mates who have this fantastic portal for downloading game demos, videos etc... and let's be honest, the PSN network doesn't square up! I think Microsoft will try to use this portal advantage to push Digital Downloads as the next big thing to completely replace HD-purchased media. I am not the only one of this opinion; many others also believe MS will go this route. Here are a couple of the advantages / disadvantages of Digital Downloads compared to HD-Media:

    1. Blu-Ray provides a physical item you can purchase and can easily share, swap, borrow etc. With Digital Downloads and the inevitable DRM which will accompany them, can you do this sharing?

    2. With a Blu-Ray disc if you scratch it, it could mean you have to repurchase the title. With Dig. Downloads you could in essence re-download the video (possibly for free).

    But the real winner in this will in essence be the price, in my opinion. If the studios release digital downloads at a reasonable price, say £7 for a new release and £5 for an older one, then surely the battle will be won by one pricing the other out of the market. But hey, only time will tell.

  • Colour me Secure

    Hi All,

     

    My third blog post, I am on a roll.

     

    I was at a client recently where a "Creative" was having a debate about what colour signifies Security to them. He wanted to colour the header and footer of the secure shopping cart part of the site green to signal security; however, I pitched my oar in and mentioned that I think, in terms of online retailing, the colour yellow signifies secure, as it is used in Mozilla and various other browsers to show a secure site, and I think customers are used to this fact. He disagreed, so I would like to know from you guys out there:

     

    What colour do you think best signifies Security or being in a Secure Area within a site?


    Cheers

    Im
     

     

     

  • Card Readers - Good, Bad, Ugly? (or all three)

    As mentioned in the press recently, credit card fraud has soared, with APACS reporting an increase in card fraud for the first time since 2004!

    What is interesting is that domestic card fraud has also increased, despite the introduction of CHIP & PIN! This was mainly because fraudsters were still able to use stolen credit card details to purchase goods online or by mail order over the phone.

    Most people are now well aware of phishing and of ensuring their machines are protected from trojans and viruses (through Firewalls and Virus Scanners); however, how does this stop someone from hacking a retailer’s systems and stealing the purchase information from its database? One of the recent advancements has been Verified by Visa and MasterCard SecureCode, both systems which require a secondary level of authentication for purchases. This is pretty good, but again this doesn’t stop a key logger on your PC picking up your password as you type it!

    So I got thinking, what about these 2 Factor Authentication (2FA) devices (see image below from BBC website) currently being used by the banks: NatWest and Barclays have both rolled out 2 Factor Authentication devices which are used to securely manage your account online.

    The 2FA device is basically a card reader which reads the information off the chip in the card (thereby verifying you have the card in your possession). After you insert your bank card into the 2FA device (aka Card Reader) and enter some information into it, the device generates a "One time only pass code". This pass code is then entered into the site to verify you and therefore the transaction.

    I know there is a lot of negative press about these devices, because let’s be honest they aren’t exactly small (the size of a small calculator), and from a usability perspective are appalling, but they do perform a useful function - keeping my online banking account secure.

    Natwest Card Reader - BBC Website

    So why can’t we use these devices for our online shopping? Surely, similar to Verified by Visa, you could be taken to a secure area of the site, or perhaps to a secure Visa server, and instead of asking you for a password it could ask you to insert your card in the device and enter a one-time-only pass code? I think this would be a great advancement in technology and would mean that we could once again try and stay one step ahead of the fraudsters. However, there are a number of reasons why this won’t happen:

    1. Not everyone is like me and thinks these devices are a good thing... for example: http://www.stopthecardreaders.org/
    2. These devices are currently only being used by a couple of the big banks, to my knowledge HBOS, HSBC and LTSBR are yet to introduce these (I may be wrong).
    3. People will argue why should I have to carry this device around when I am doing my online shopping - People won’t like them.
    4. People will argue why should they have to carry their card with them? Most online retailers allow you to save your card details for further use.
    5. It will require a big retailer such as Amazon and Play.com to sign up to this for it to be even the slightest success...
    6. It will cost a considerable amount of money, and who will pay for all these card readers??? (Estimate £2-5 per device)
    7. What do we do about payments to international websites, e.g. http://www.amazon.co.jp/ or http://www.amazon.com/?

    I think for this to work and be implementable we would need it to be driven by the two major card providers (Visa and MasterCard), and for them to mandate it or offer protection or insurance against fraud which takes place with these devices. It would also require more widespread uptake of these devices, with all the major banks implementing the 2FA devices.

    Here is an interesting snippet from the Visa website:

    "The future of card-not-present security

    Chip and PIN cards have introduced a higher level of security to our face-to-face transactions. The industry is now looking at ways of using chip's security features in the card-not-present environment.

    Dynamic pass code authentication is Visa's solution that uses the added security of chip cards to offer better protection against online fraud. It validates the cardholder's identity and physical presence of their card via a pocket-sized card reader provided by their bank.

    This is a new solution, and from the end of 2006 various banks across Europe will start running pilot schemes." http://www.visaeurope.com/merchant/handlingvisapayments/cardnotpresent/security.jsp

    I could not find anything on two factor authentication from the MasterCard website (maybe I didn’t look close enough).

    Anyway, enough of the blurb, what are people's thoughts on using Card Readers for online shopping as well as banking?

    -------------------------

    Links to Additional Information

    Natwest Card Reader: http://www.natwest.com/microsites/general/card-reader-user-guide/index.asp?cmp=reader

    Barclays Card Reader: http://www.barclays.co.uk/pinsentry/

    E-Consultancy Paper on Card Readers and 2FA: http://www.e-consultancy.com/news-blog/362677/banks-to-give-out-card-readers-to-combat-online-fraud.html

    BBC Article: http://news.bbc.co.uk/1/business/7023743.stm

    Visa: http://www.visaeurope.com

    Mastercard: http://www.mastercard.com/uk/gateway.html

    Stop the Card Readers: http://www.stopthecardreaders.org/

    -------------------------

    We have an active Finance team within CGO, if you would like an interesting conversation about our thoughts on the Finance Market or would like to hear more about what we do and how to be a part of our team please visit us on:

    http://www.conchango.com/join-us/ 

  • My First Ever Blog Post

    Hi All,

    This will hopefully be the first of many blog posts regarding anything and everything. Here's a bit about me:

    I have been working in the Financial Services division of Conchango as a Business Consultant for the past 18 months. I have worked in a number of roles, performing Business Analysis and Project and Test Management for clients as varied as the Lloyds Insurance Market, a major sub-prime mortgage lender and currently a 'super/major' oil and energy giant based in California.

    Prior to this I worked for HBOS in Retail Bank IT, working in various roles including, Customer Relationships, Secured and Unsecured Lending, ATM Channel (both the IT division and the Business Division) and E-Commerce, as well as exposure to various other parts of the business including Banking and Savings, Retail Programmes and various others.

    Most of my blog will probably be my take on the Financial Services Industry and innovation and news in Banking and Self Service (both on and offline).

    Anyway that's enough about me for now, and my second blog will hopefully be a little more interesting!

    Cheers

     

     

     
