
My Royal Bank of Scotland Internet Banking card reader arrived today. It is a Xiring unit, a numeric keypad with a small LCD at the top and a slot for my bank card. More information about the Xiring products can be found here: http://www.xiring.com/o2s/en-GB/index.php
Using this kind of unit has the advantage of being totally independent of any operating system – listeners to my recent podcast with Barry may recall that we lamented the fact that banks often send out equipment that will only work with Microsoft Windows XP. These units have no physical connection to the PC, so will even work with the operating system used by Apple Macintosh computers.
Authentication before the card reader
Previously, I used a 4-digit PIN and an 8-character password. Authentication consisted of providing 3 selected digits from the PIN and 3 characters from the password. I was occasionally asked for additional characters if I wanted to do something that wasn’t a run-of-the-mill transaction (e.g. add a standing order). Essentially, this form of authentication relied on something I know. The trouble with this approach is simple: the bank also knows this information, which leaves it open to abuse, either via employees “taking it with them when they leave”, or the material simply appearing in the trash. I’m not saying that this has happened at the RBS; however, it has happened to other banks, as is widely reported.
So what’s the authentication process now?
Well, nothing has really changed for day-to-day transactions. However, the following items require the use of the card reader: Add a new Payee, Amend a Payee, Create New Standing Order, Change Security Number and Change Password. I authenticate and log in as I did before; however, to use any of the aforementioned features, I have to use my card reader. I insert my card, push the Respond button and enter my card’s PIN. I then have to enter a number into the card reader – it’s provided by the RBS Internet Banking web-site. Once I enter that number into the card reader and press OK, it then displays a number that I must enter into the web-site. There’s a better explanation over here.
So now, whilst the basic authentication remains the same, for certain features, the authentication is relying on something I have, in this case the card reader, the card and my card’s PIN. This makes it a little harder for those people who have discovered my on-line banking PIN and password to transfer money to a new payee.
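A sketch of the challenge-response exchange described above, added here as an illustration and not the bank's or Xiring's code. The post does not say how the reader derives its number, so HMAC-SHA-256 truncated to 8 digits is an assumption, as are the `Card` and `Bank` classes, the operation names and the three-try PIN limit.

```python
import hashlib
import hmac
import secrets

# Operations the post lists as requiring the card reader.
READER_REQUIRED = {"add_payee", "amend_payee", "create_standing_order",
                   "change_security_number", "change_password"}


def short_code(key: bytes, challenge: str, digits: int = 8) -> str:
    """MAC the challenge and reduce it to a decimal code a person can type.
    HMAC-SHA-256 is an assumed stand-in for the reader's real algorithm."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class Card:
    """Constructed stand-in for card plus reader: the key never leaves it."""
    MAX_TRIES = 3  # assumed limit, not taken from the post

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._tries = key, pin, self.MAX_TRIES

    def respond(self, pin: str, challenge: str) -> str:
        # The card PIN is checked on the device, never typed into the PC.
        if self._tries == 0:
            raise PermissionError("card PIN locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries -= 1
            raise PermissionError("wrong card PIN")
        self._tries = self.MAX_TRIES
        return short_code(self._key, challenge)


class Bank:
    """Constructed stand-in for the web-site side of the exchange."""

    def __init__(self):
        self._keys = {}     # customer -> copy of the card key (assumed)
        self._pending = {}  # customer -> (operation, challenge)

    def enrol(self, customer: str, key: bytes) -> None:
        self._keys[customer] = key

    def start(self, customer: str, operation: str):
        """Return a challenge for reader-protected operations, else None."""
        if operation not in READER_REQUIRED:
            return None
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[customer] = (operation, challenge)
        return challenge

    def finish(self, customer: str, operation: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a response cannot be replayed.
        pending = self._pending.pop(customer, None)
        if pending is None or pending[0] != operation:
            return False
        expected = short_code(self._keys[customer], pending[1])
        return hmac.compare_digest(expected.encode(), response.encode())
```

Someone holding only the on-line PIN and password can call `start` but cannot produce the value `finish` expects, which is the "something I have" property the paragraph describes.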
I can only assume that the types of fraud that have been affecting the major Internet banking operations revolve around the creation of new payees, direct debits and standing orders. Certainly in the few cases I’ve been close to, which involved the creation of a new payee followed by a single transaction, or more likely two transactions, this would ring true. This card reader will help alleviate those kinds of fraudulent transactions. The need for a perpetrator to have my bank card and the PIN for it does add an extra layer of security. I won’t need the card reader that often, as most of my payees are already set up; however, it will mean that when I do need to add a new payee, I will need the card reader present.
What’s next? Bio-metrics: the third tenet of authentication, something you are, e.g. fingerprint, voice-print, retina scans.
More information
http://www.rbs.co.uk/reader
http://www.secureidnews.com/news/2006/05/03/mastercard-allinone-includes-xiring-authentication-solution-to-enhance-security-for-us-online-banking/
Further reading
http://blog.jazzle.co.uk/why-i-might-leave-my-bank-the-natwest-card-reader/
2:15 pm on August 6th, 2007 1
Not making you use the card reader for a normal transaction is VERY clever. It stops some “real-time man in the middle” attacks, as a phishing site will find it a lot harder to get you to type in the result from the card reader, if you are just doing a normal transaction. Therefore the phishing site will have to get you to do one of the special transactions.
It would be even better if they send the “number to enter into the reader” by a SMS text message, that way a phishing site has had it if they don’t know your mobile phone number.
11:12 am on August 7th, 2007 2
I think that this is a pain in the arse, it reduces the ability to do all transactions on line ‘anywhere’ what a stupid device, and what a waste of money energy etc. am seriously considering moving to another bank that doesn’t see the need for these things.
10:58 pm on August 9th, 2007 3
I initially thought the same as comment 2, “what a farce, having to carry this thing around with me everywhere, just in case I need to do an online transaction away from home” (as the Royal didn’t see fit to include any kind of in depth info about the device), but now that I see that it’s only for certain transactions, I think it’s genius.
4:27 pm on August 14th, 2007 4
It would still be a pain in the arse for me. I often need to set up ad-hoc payments away from home – if I’m at a friend’s house and need to pay them for something, but don’t have the cash on me, borrowing their computer and doing a transfer is a common solution. This device breaks that.
10:30 am on September 19th, 2007 5
I agree, total pain in the arse – I’ll almost certainly lose it, I’ll almost certainly need it sometime when I’m using online banking remotely and the fact that it’s not used very often just means the batteries will probably be flat when I do need it, if it hasn’t got so full of dust that it work.
I rang RBS this morning and asked to opt out but of course, that’s not an option. They said all banks will be rolling it out eventually so I’ll give it a year, and if that is the case then – well, better the devil you know I suppose. Otherwise, I’m off. Why should the customer carry the burden of the bank’s security problems?
4:36 pm on October 18th, 2007 6
I’ve just been issued one by the Ulster Bank. It’s okay for me at the moment for my current uses, but I can see the additional headaches it may cause: Like how long would it take for the bank to send out a replacement if it breaks?
Also, if all the banks jump on the bandwagon, I’m going to have a drawer full of them!
6:53 pm on October 26th, 2007 7
What PIA.
Even the normal login is stupid asking for different characters, which you often have to write down and number. Why not a pass phrase ?
My pc is on the second floor used only by me. House occupied 24/7 any entering of passwords is just a waste of time and a PIA
Got to be something better. Why can’t I just swipe my bank card in the keyboard and enter my pin like all other transactions. Simple.
12:08 pm on October 29th, 2007 8
The reason the bank won’t let you enter your pin on your keyboard is because with the state the internet is in nowadays, you never know if you have a trojan etc that is sitting dormant and recording all your keypresses and sending them back to a “source” that infected your computer. I think it’s a good idea but, like the above comments I will lose it within the first week lol
2:25 pm on October 30th, 2007 9
got to be a better way
11:06 am on November 13th, 2007 10
I rang 0845 300 6433 and could not understand what the lady was saying. Please be more critical on accents when you employ people for the telephone.
12:39 pm on November 30th, 2007 11
You have sent me a digital banking card No 0100 0023 2650
Ref 1056235464 830425 dated 26.11.07 and offered a pin in a few days.
I have closed my accounts with RBS
Please ensure this is all cancelled
Thank you
3:23 pm on December 5th, 2007 12
You really have to give it a go first any thing is better than the con men winning Alan Mclaughlin
8:45 pm on December 7th, 2007 13
My card arrived with my name spelt incorrectly ie Rogers spelt with a D. I rang to get it changed but have not received another one – can I use the original one? Will it be the same number?
4:13 pm on December 20th, 2007 14
Good idea. I have received the device, but no card inside. Is it a subject of separate correspondence and if so could you tell me when I will receive it. If meantime I need the e-banking shall I be able to operate or not?
Best regards
Todor Adamov
8:35 pm on January 24th, 2008 15
I phoned to try and opt-out of this service and the staff member who I spoke with said (amongst other things obviously) that they “agree completely, you should be able to opt out” and “I can see how it could be impractical” and suggested I eMail to complain.
I complained, in writing, to RBS about being forced to use the card-reader and the lack of an opt-out option… after a week I got a letter from RBS that will be posted on my own website shortly, but in the meantime here are a few choice quotations showing the general grasp of the English language (or poor stock letter templates) that the RBS seem to have, adding insult to injury considering they didn’t answer any of the points raised in my eMail.
“…we at Royal Bank of Scotland are the first Banks within the UK to introduce…”
“…This is when you wish to create or amend and payment details….”
And last but not least
“I hope this resolves your query, however if you have any further questions please contact our Royal Bank of Scotland on Royal Bank of Scotland* and we will be happy to help”
Believe it or not the letter actually seemed to carry a real signature, so Richard Csizmazia obviously didn’t read either my original eMail, or his own reply!!
10:44 pm on January 24th, 2008 16
I have been Business Banking with the Royal Bank of Scotland since May 2002 and found that their Internet Banking has been excellent until around the 7th December 2007 , when I tried to make a payment to an existing Payee ( I always add a ref e.g. Invoice number against my existing payees , which means I always amend Payee’s on every transaction )
It asked for extra security using a Card Reader and Card ?
What is a Card Reader ? How can they implement this procedure without first notifying the Customer in advance and also ensuring that Card Readers had been received by the Customer .
Upon complaining to RBS Direct Banking they stated that I had to request a Card Reader and Card . This I did , and to date 24th January 2008 I have not received a Card Reader or Card .
They claim to have sent out several Card Readers and upon checking the address: they left out the Name of the Company I work for ( for Security Reasons ) .
They tell me that they are unable to send out Card Readers to a Company ? It has to be to an Individual named Person i.e.
Kevin Belsham
Hanson Park
Manchester
How absolutely STUPID !!!
Upon discussions with my Relationship Manager , he agreed with the Customer Complaints Dept to add the Company Unit No.
i.e. Unit E1 ( which identifies the Building ) instead of the Company Name .
Consequently today my PIN number was delivered to the Company opposite Unit F1 .
Still no sign of any of the 4 Card Readers which they have sent out ?
I think I will shortly be closing my Account with RBS as Customer loyalty no longer means anything to them .
2:31 pm on January 25th, 2008 17
My original complaint, and their reply is at
http://www.iross.net/blog/royal-bank-of-scotland-card-reader-complaint/
The “Enhance Security Helpdesk” really are dismal – can’t even get the name of their department right – missing a D I think (for Dunce perhaps?)
If this is an example of the standard of communication from RBS … I think I might take my personal, and a number of company accounts’, business elsewhere.
4:03 pm on January 30th, 2008 18
We have a small business account with NatWest bank, and had the exact experience as Kevin Belsham. Why on earth does one have to use this extra hassle card reader system just to amend a payee’s invoice number for this month’s payment rather than leaving the number from last month? It’s crazy! We are just two directors in our small company and we both travel most of the time, meaning online banking is absolutely critical. Sending cheques through the post is not practical nor does it result in timely payments when one is abroad. However carrying around a card reader, a card and having now 4 levels of PIN numbers, plus several personal questions the answers of which only I know, and all the other hassle, is a huge burden that cannot possibly be the way to go. I was also told there is no opt out and that all the banks will be going to this system. But I cannot imagine that this complicated and burdensome system is banking for the future (not to mention the environmental damage it does).
4:08 pm on January 30th, 2008 19
Here’s what APACS has to say about it
http://www.apacs.org.uk/payments_industry/new_technology_1_4.html
7:27 am on February 4th, 2008 20
1. I have never heard of this Digital Banking System.
2. I have not used this account for internet banking, AND WILL NEVER USE IT FOR SUCH.
3. What would you like me to do with your card?
4. Is the old ATM card still usable in the ATM’s in the high street?
5. Not that that really matters as I have not used that facility since the current card was issued.
6. All my funds are held in a deposit account and not in a current account.
7. Which account is this Digital card applicable to?
8. If it is a necessity for me to use this new card, instead of the old ATM card, then you will need to send a PIN reminder, as the PIN you sent has been destroyed. As I have never heard of the system you are referring to with this Digital card, I destroyed it as an unnecessary security risk.
9. I like this page/site. Totally uncluttered. Refreshing to use, thanks. Shame about the card though.
6:38 pm on February 13th, 2008 21
Like a lot of others I too have had problems.
number 1, only found out when I had to phone them for one, my new card would follow three weeks no card, it had been lying in bank so they cancelled it. Upon phoning was told to go in to verify address
they had old one no explanation as to why, finally got card but no info on numbers to put in or if they are on the way.
3:43 pm on March 14th, 2008 22
Hello
I have received my digital card etc,
my question is, I live in Canada and my account is in Dundee, Scotland I have an atm card which I use to withdraw from my savings, on reading the instructions on what the card does I noticed that if I go digital I won’t be able to withdraw cash from my account therefore it’s no use to me or have I missed something
thanks
john
9:41 am on May 10th, 2008 23
Enhanced Security Support Letter signed David Head from Head of internet Services a bit of Comedy here
4:21 pm on June 15th, 2008 24
My Digital Banking is seriously crippled just now, I have to call up for everything except paying to existing payees. I’ve called RBS, who have told me to be patient, I will have a card reader within a few months(!). Thing is, I actually already have a card reader, for my business account. My current account card seems to work with it, so why do I have to wait for them to send out a new and completely unnecessary card reader?
5:11 pm on June 27th, 2008 25
I have two different accounts but have been able to use both cards (from different banks) in both readers with the same results. They must all work on the same system, maybe therefore only having one will not be a problem
2:10 pm on July 31st, 2008 26
I’ve found the card reader from RBS ok to use. It can be a little frustrating if i want to do some transfers etc from work and the only card reader i have is at home, but otherwise it’s been fine for me.
RBS even let you have more than one, so i could have one at work, if need be.
I was sent a card reader before the system came into operation and have had no problems with it at all!
the only issues I have had with digital banking was when I entered the wrong login details twice in a row and I was blocked out and had to phone direct banking, who I then had to register with, they then confirmed some details and activated my online banking again, except that for the first 2 weeks I only had the options to look at statements and transfer between my own accounts… very frustrating!
also, I have recently opened a joint account and it has not appeared on my list of accounts at the top of the digital banking page… I therefore can’t get access to it, even though it’s appeared on my wife’s digital banking so she has access to it! not so good.
oh, their level of service at branch level seems to have dropped significantly recently, but this is across the board with banks I think!
11:31 am on October 21st, 2008 27
RBS were great until a year ago when everything seems to have gone downhill.
I signed up for digital banking, never really used it but saw the benefits after about 6 months. 3 weeks ago I tried to transfer money between my accounts only to be told that this is not possible without a card reader. Supposedly I was told about this months ago – I received no information about this whatsoever. They had also taken it upon themselves to cancel my telephone banking without asking as I now had digital banking, I was using the phone banking up until this point, when I was told that I should have been deactivated months ago. This left me with no option but to go the branch on a Saturday to transfer money between my accounts.
The card reader arrived a rather annoying machine as I now have to take it with me everywhere (I work and live in multiple locations), travelling with it in my handbag along with my cards is not exactly secure. I attempted to use it only to be told that they still couldn’t activate the system and I still was not able to transfer any money either by phone or internet – again only the bank was the option.
2 months later I still have no phone banking, they can’t seem to get it set up. I eventually gave up on digital banking, it just seemed useless as all I could do was look at the screen and nothing else. The eventual decision to stop it came after my computer had a spyware virus that stole passwords. Needless to say I called RBS to freeze any internet access to digital banking, 45 minutes later I was still explaining to the women on the phone why I could not go online to deactivate it myself as that would involve giving my password online which would have been hacked.
Pretty poor service in comparison to what they used to be like.
8:03 pm on May 20th, 2009 28
I was ordering some things online and paid with my card I put in the wrong number of my card now it is blocked how do I unblock it
12:28 pm on July 9th, 2009 30
Smile.co.uk have just introduced the device. I’ve not been sent one and I now have no access to my money!!!!! What a waste of time and money. It won’t stop online fraud from people buying things. It’s only for use with the online bank account.
LloydsTSB are not introducing this according to Customer Services so I’m moving all my money there.
6:34 pm on July 21st, 2009 31
It’s worse than you think. You know that when you use these you have to type your pin in and it says OK or not?
Well since smile/rbs/barclays etc readers are all compatible muggers can use them to verify whether you’ve told them the right PIN number from the comfort of a dark alley. Before they had to go to a nice public cash point to do that. Your safety not banks problem evidently.
Oh and my bank says I can use other banks card readers, great. That’s a criminal’s charter, don’t slot your card into other people’s card readers and type your PIN in, unless you’re sure the card reader’s not been tampered with. Great way of scamming card details.
10:02 pm on August 14th, 2009 32
Friends there is hope. This stupid system is impossible for a mobile worker. When the coop forced it on me I moved all my banking to Lloyds. Lloyds now tell me that they are introducing…..a phone call. If I try to set up a payment they will phone me to confirm it, instead of a ffing stupid card reader.
So join Lloyds. (I don’t have any shares in Lloyds (except as a UK citizen))
John Orrett
12:50 pm on January 8th, 2010 33
Total pain in the butt. I’ve just tried to do an online payment to find when using the card reader that my pin is locked for some reason. Rang the bank to get them to unlock it, which they did immediately, but to get the physical card unlocked I have to take it to the cash dispenser. So to do my online payment I now have to trudge through the snow to a cash machine. Crap, crap, crap!
10:28 am on March 31st, 2010 34
This site seems to have attracted some of the most stupid people in Britain.
For your reference: THIS SITE IS NOT AFFILIATED WITH RBS, YOU WILL NOT GET ASSISTANCE WITH THE CARD READER, YOU NEED TO PHONE THEM UP AND POSSIBLY GET OFF THE INTERNET SINCE YOU’RE TOO STUPID TO KNOW THE DIFFERENCE BETWEEN A GENUINE RBS SITE AND SOME SCOTTISH BLOKE’S BLOG.
9:33 am on May 22nd, 2010 35
Blogs are always a main source of getting accurate information and provide you the handy results; you can get instant and reliable information which surely helps you in any field of your concern. I am post graduate in IT and HR. These days I am doing preparation of different online certifications and I found mcdba practice testis the best helping source which is providing 100% authentic material. I also spend my extra time in surfing internet, listening music and playing games. After my exams I would like to join your group
11:23 am on July 13th, 2010 36
To
The Manager
RBS, Canaught Place, New Delhi
Subject: Transaction dispute with RBS Credit Card account
Respected Sir
I Mukesh Kumar Verma am a credit card holder. My card No. is 5239504004308337 .
I faced some problem with my credit card couple of month back. Already I have been submitted and written 2 application
regarding this nevertheless you people did not take any action on that even I am getting threaten call from the bank to pay the money immediately.
So now I am thinking to go for police complaint. If you help me for the above problem I will be grateful to you.
Now I need to know what I am suppose to do. even I lodged a police complaint regarding this issue.
I’m attaching the copy of Fraud Transaction detail, please find attached it.
Please do let me know what sort of action should I do therefore might be able to solve this issue as earlier as possible.
Thanking you
Mukesh Kumar Verma