General Chat

Thanks Joy.

Whilst I am now more aware of how one of these 'thingys' works (thanks Von) I am now thinking I shall not bother, but just continue with telephone banking.

I just wanted to be able to move my money about myself, I have major problems if I get through to India and not the UK call centre will Barclays, mainly because although I have no problems understanding them they do not seem to be able to understand me!!

Do register and try the system out. If you can't get on with it, then fine, revert to telephone banking. Honestly, it's quite easy really!

Ignore those who are trying to frighten you with security issues - everything holds a level of risk now-a-days.

I would agree with +++DetEcTive+++

Why not give it a try - very easy really and you still have the option of using the phone if you get stuck :-) :-)
Good luck
Von

With Nat West I can access my account, check my statements etc and transfer money to accounts already recognised. The only time I have used my card reader is either when setting up new accounts or when using my debiot card on line.


Rollo I get really fed up with your scare mongering. OK things happen, cards are accessed etc but we all have to exist with using these things, so sometimes what you perceive as risks have to be taken. You must go through life using your very extrememe knowledge about these things to make life difficult for yourself. And, no doubt, if money is lost and a card reader (easy to use by the way) has been used, the bank will accept responsibility.

PP moving money is easy on line.

BEEN ONLINE BANKING FOR A FEW YEARS
WITH NO PROBLEMS ON THAT SIDE

Apparently Barclays want their system to become a "standard" and thus it will work with other devices. This hardly improves security though. My OH banks with Barclays tho' she does not ( and will not ) use these devices.


Trusting in black boxes for security has caused unending trouble in the banking, IT and computer industry. Hope springs eternal ...

I thought that the thread may find the following document of interest, I regret not being able to supply source. I am sorry about the somewhat impenetrable English but I am NOT the author and I did not want to edit.

> To: ukcrypto@...
> Subject: Re: Barclays' chip&PIN widget technique combatting
> man-in-the-middle attack
>
>
> * C
>
> > Surely it is widely known by now that challenge-response systems are
> > the standard technique for defeating man-in-the-middle attacks.
>
> Except that they don't work against transaction-rewriting
> man-in-the-middle attacks. The new APACS standard apparently ties
> part of the challenge to the transaction. Other systems require that
> users enter the the beneficiary's full account number on their own.
>
> Neither approach is completely fool-proof, but if you are a bit
> careful, you can actually detect attacks when your preventive measures
> have failed.
>

Well said. Challenge and response methods of authentication are not
fool-proof. To my personal knowledge, there are examples of them being
defeated professionally (mitm attack) at least as for back as the '60s and,
I'd expect to find evidence that they were being sometimes defeated by mitm
much earlier than that.

More latterly, about 1993, I found a badly flawed example of such a 'secure'
system in a book aimed at uni students. Here the flaw was not the classic
vulnerability of mitm but a failure of the author to understand that if one
extracts the even digits from random number, the sum of the remaining odd
digits remaining is anything but a random number itself. This is slightly
counter-intuitive but is easily tested by running a few thousand trials, the
bias appearing in the results of which is quite unequivocal. The article in
which my use of this example (among others) to promote a 'caveat emptor'
approach to cryptography by commercial users was reviewed in 'Cryptologia'.

Clearly, the general argument I expounded in that series of articles fell
onto stony ground :-)

The procurement of secure systems by commercial user organisations does seem sometimes to be still as much a matter of unreasoned trust riding on the back of insufficient budget allocation.

his basic point has been made time and again by sundry persons and always with the same result. This may distress security professionals but it may, in fact, best serve a commercial interest. Such an interest is possibly best served not by
assuring that secure systems it adopts are entirely safe and are regularly reviewed and updated to ensure that they remain so.

Rather, the calculation that is required is whether the cost of assuring the quality of a prospective procurement and maintaining that assurance throughout the
systems life is greater that that part of any loss caused through the introduction of a weak system that cannot be passed, directly or indirectly on to customers of the commercial entity. I.e. the company is in the business of risk management and not risk elimination.

This is an unpalatable lesson that those of us who are or aspire to become security professionals have to learn to swallow.

Even government service is not immune from application of similar logic. The
cost of the introduction and maintenance of a secure systems should never be
allowed to exceed some notion of value of what is to be protected by it.

Government service has, probably always, used a variety of methods to devise
secure systems that are adequate to the general task of a sufficient maintenance of security and not t assure an absolute security over information.

[ ends ]

Rollo you have been asked not to scaremonger twice on this thread & here you are doing it again.

Technology has moved on a lot since the 1990's.

The best online banking systems offer multi-layered security – providing many levels of protection that act as a deterrent to fraudsters and a cover for customers.

I was looking for this, from BBC Click

http://www.bbc.co.uk/news/technology-16812064

https://www.youtube.com/watch?v=14TZOjG97EM