My Royal Bank of Scotland Internet Banking card reader arrived today. It's a Xiring unit, a numeric keypad with a small LCD at the top and a slot for my bank card. More information about the Xiring products can be found here: http://www.xiring.com/o2s/en-GB/index.php
Using this kind of unit has the advantage of being totally independent of any operating system – listeners to my recent podcast with Barry may recall that we lamented the fact that banks often send out equipment that will only work with Microsoft Windows XP. These units have no physical connection to the PC, so they will even work with the operating system used by Apple Macintosh computers.
Authentication before the card reader
Previously, I used a 4-digit PIN and an 8-character password. Authentication consisted of providing 3 selected digits from the PIN and 3 characters from the password. I was occasionally asked for additional characters if I wanted to do something that wasn’t a run-of-the-mill transaction (e.g. add a standing order). Essentially, this form of authentication relied on something I know. The trouble with this approach is simple: the bank also knows this information, which leaves it open to abuse, either via employees “taking it with them when they leave”, or the material simply appearing in the trash. I’m not saying that this has happened at the RBS; however, it has happened to other banks, as is widely reported.
So what’s the authentication process now?
Well, nothing has really changed for day-to-day transactions. However, the following items require the use of the card reader: Add a new Payee, Amend a Payee, Create New Standing Order, Change Security Number and Change Password. I authenticate and log in as I did before; however, to use any of the aforementioned features, I have to use my card reader. I insert my card, push the Respond button and enter my card’s PIN. I then have to enter a number into the card reader – it’s provided by the RBS Internet Banking web-site. Once I enter that number into the card reader and press OK, it then displays a number that I must enter into the web-site. There’s a better explanation over here.
So now, whilst the basic authentication remains the same, for certain features the authentication relies on something I have: in this case the card reader, the card and my card’s PIN. This makes it a little harder for those people who have discovered my on-line banking PIN and password to transfer money to a new payee.
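As an added illustration of the challenge/response exchange described above (example code, not the actual Xiring or RBS algorithm, which the post does not describe), here is a simplified Python model: the bank issues a single-use challenge, the card only answers after the correct PIN, and the site checks the typed-back response. The Card and Bank classes, the add_payee flow and the HMAC-based response are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class Card:
    """Stand-in for the chip card: a per-card secret key plus the cardholder PIN (constructed)."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self.pin_tries_left = 3

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        """Reader-side step: unlock with the PIN, then MAC the bank's challenge."""
        if self.pin_tries_left == 0:
            return None  # card locked after repeated wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            return None
        self.pin_tries_left = 3
        mac = hmac.new(self._key, challenge.encode(), hashlib.sha256).digest()
        # Reduce to an 8-digit code the user can read off the LCD and type in.
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: issues single-use challenges and checks the typed response."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self._outstanding = set()

    def new_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: Optional[str]) -> bool:
        if response is None or challenge not in self._outstanding:
            return False  # unknown or already-used challenge: replays are rejected
        self._outstanding.discard(challenge)
        mac = hmac.new(self._card_key, challenge.encode(), hashlib.sha256).digest()
        expected = f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"
        return hmac.compare_digest(expected, response)


def add_payee(bank: Bank, card: Card, pin: str) -> bool:
    """The 'Add a new Payee' flow: challenge shown on the site, response typed back."""
    challenge = bank.new_challenge()
    return bank.verify(challenge, card.respond(pin, challenge))
```

A stolen on-line banking password gives an attacker nothing here: without the card's key the response cannot be computed, and without the PIN the card will not answer at all.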
I can only assume that the types of fraud that have been affecting the major Internet banking operations revolve around the creation of new payees, direct debits and standing orders. Certainly this rings true for the few cases I’ve been close to: the creation of a new payee followed by a single transaction, or more likely two. This card reader will help alleviate that kind of fraudulent transaction. The need for a perpetrator to have my bank card and the PIN for it does add an extra layer of security. I won’t need the card reader that often, as most of my payees are already set up; however, it will mean that when I do need to add a new payee, I will need the card reader present.
What’s next? Biometrics, the third factor of authentication: something you are, e.g. fingerprint, voice-print, retina scans.