General Chat

I was looking for this, from BBC Click

http://www.bbc.co.uk/news/technology-16812064

https://www.youtube.com/watch?v=14TZOjG97EM

Rollo you have been asked not to scaremonger twice on this thread & here you are doing it again.

Technology has moved on a lot since the 1990's.

The best online banking systems offer multi-layered security – providing many levels of protection that act as a deterrent to fraudsters and a cover for customers.

Apparently Barclays want their system to become a "standard" and thus it will work with other devices. This hardly improves security though. My OH banks with Barclays tho' she does not ( and will not ) use these devices.


Trusting in black boxes for security has caused unending trouble in the banking, IT and computer industry. Hope springs eternal ...

I thought that the thread may find the following document of interest, I regret not being able to supply source. I am sorry about the somewhat impenetrable English but I am NOT the author and I did not want to edit.

> To: ukcrypto@...
> Subject: Re: Barclays' chip&PIN widget technique combatting
> man-in-the-middle attack
>
>
> * C
>
> > Surely it is widely known by now that challenge-response systems are
> > the standard technique for defeating man-in-the-middle attacks.
>
> Except that they don't work against transaction-rewriting
> man-in-the-middle attacks. The new APACS standard apparently ties
> part of the challenge to the transaction. Other systems require that
> users enter the the beneficiary's full account number on their own.
>
> Neither approach is completely fool-proof, but if you are a bit
> careful, you can actually detect attacks when your preventive measures
> have failed.
>

Well said. Challenge and response methods of authentication are not
fool-proof. To my personal knowledge, there are examples of them being
defeated professionally (mitm attack) at least as for back as the '60s and,
I'd expect to find evidence that they were being sometimes defeated by mitm
much earlier than that.

More latterly, about 1993, I found a badly flawed example of such a 'secure'
system in a book aimed at uni students. Here the flaw was not the classic
vulnerability of mitm but a failure of the author to understand that if one
extracts the even digits from random number, the sum of the remaining odd
digits remaining is anything but a random number itself. This is slightly
counter-intuitive but is easily tested by running a few thousand trials, the
bias appearing in the results of which is quite unequivocal. The article in
which my use of this example (among others) to promote a 'caveat emptor'
approach to cryptography by commercial users was reviewed in 'Cryptologia'.

Clearly, the general argument I expounded in that series of articles fell
onto stony ground :-)

The procurement of secure systems by commercial user organisations does seem sometimes to be still as much a matter of unreasoned trust riding on the back of insufficient budget allocation.

his basic point has been made time and again by sundry persons and always with the same result. This may distress security professionals but it may, in fact, best serve a commercial interest. Such an interest is possibly best served not by
assuring that secure systems it adopts are entirely safe and are regularly reviewed and updated to ensure that they remain so.

Rather, the calculation that is required is whether the cost of assuring the quality of a prospective procurement and maintaining that assurance throughout the
systems life is greater that that part of any loss caused through the introduction of a weak system that cannot be passed, directly or indirectly on to customers of the commercial entity. I.e. the company is in the business of risk management and not risk elimination.

This is an unpalatable lesson that those of us who are or aspire to become security professionals have to learn to swallow.

Even government service is not immune from application of similar logic. The
cost of the introduction and maintenance of a secure systems should never be
allowed to exceed some notion of value of what is to be protected by it.

Government service has, probably always, used a variety of methods to devise
secure systems that are adequate to the general task of a sufficient maintenance of security and not t assure an absolute security over information.

[ ends ]

BEEN ONLINE BANKING FOR A FEW YEARS
WITH NO PROBLEMS ON THAT SIDE

PP moving money is easy on line.

With Nat West I can access my account, check my statements etc and transfer money to accounts already recognised. The only time I have used my card reader is either when setting up new accounts or when using my debiot card on line.


Rollo I get really fed up with your scare mongering. OK things happen, cards are accessed etc but we all have to exist with using these things, so sometimes what you perceive as risks have to be taken. You must go through life using your very extrememe knowledge about these things to make life difficult for yourself. And, no doubt, if money is lost and a card reader (easy to use by the way) has been used, the bank will accept responsibility.

I would agree with +++DetEcTive+++

Why not give it a try - very easy really and you still have the option of using the phone if you get stuck :-) :-)
Good luck
Von

Do register and try the system out. If you can't get on with it, then fine, revert to telephone banking. Honestly, it's quite easy really!

Ignore those who are trying to frighten you with security issues - everything holds a level of risk now-a-days.

Whilst I am now more aware of how one of these 'thingys' works (thanks Von) I am now thinking I shall not bother, but just continue with telephone banking.

I just wanted to be able to move my money about myself, I have major problems if I get through to India and not the UK call centre will Barclays, mainly because although I have no problems understanding them they do not seem to be able to understand me!!

Thanks Joy.

I'm the same as jax. I've had no problems for years but it did take a while to learn the 9 digit ID number. I can now do money transactions using my mobile phone.
No cards to play around with this system.

GP

"Does anyone know if a card reader issued by a different Bank work with Barclays?"

I cannot answer specifically; however, a card-reader issued by a different bank worked with a Nationwide account.

My online banking account does not have one of these reader things

I have a 9 number I.D followed by a password then I have to put 3 letter/numbers from a memorable bit of infomation

It has been ok for the last 7 years I have used it

:-S

It will not, out-of-the-box anyway.

Nationwide have used this method for a while, is simple to use as you are given instructions each time.


'you'll get nowhere with any problems once one is registered to your account' ?
Rollo you are scaremongering, unless you have personally had problems, a lot of what you have stated is hearsay.

Other than not using Debit cards on insecure sites, that is.

Does anyone know if a card reader issued by a different Bank work with Barclays?

Oyster cards? Aren't you being a little alarmist? Paranoid even?

Hate to rain on the parade but ...

(1) These devices create a false sense of security as they are vulnerable to "man in the middle attacks". As Barclays and others insist they are infallible (not) you'll get nowhere with any problems once one is registered to your account.

(2) India is a different planet to the UK. Vast amounts of UK banking data are now accessible in India (NHS records, DVLC to come). It is then unsurprising that India is the WalMart of bulk bank credentials etc. Crashes such as RBS ( again ) are not surprising either.

These devices are not new - I was using such a system for access back in the 1980s. That was within an already tightly secured perimeter. Out in the wild is another thing altogether.

Nobody should use a debit card linked to their bank account on line, ever. That especially applies to recurring payments and subs. Either use a credit card - which gives some protection - or one of those pre-charged VISA cards which are used for holiday cash etc.

I shudder to think of the consequences of people on the street with proximity cards ( no pin ) good for £ 20, Oyster cards, smartphones with apps such as ping-it and on line banking. Low hanging fruit from some points of view.

If you have JAVA installed on your computer remove it. Now.
http://www.npr.org/blogs/thetwo-way/2013/01/14/169338707/java-security-flaw-is-repaired-experts-still-recommend-disabling-it

PP - you may feel that it's a pain in the neck at first, but keep the instructions close to hand and stick with it, practise makes perfect.
After a short while you'll see that its additional security is a bonus, where, in this day and age it so often lacks, and you hear about this, that and the next thing being hacked into.
Once you've got used to using it, you will see the advantages.
NatWest and HSBC have them too.
You will get used to it, honestly ;-) that goes for the online banking and the Pin sentry (card reader).