My Royal Bank of Scotland Internet Banking card reader arrived today. It is a Xiring unit: a numeric keypad with a small LCD at the top and a slot for my bank card. More information about the Xiring products can be found here: http://www.xiring.com/o2s/en-GB/index.php
Using this kind of unit has the advantage of being totally independent of any operating system – listeners to my recent podcast with Barry may recall that we lamented about the fact banks often send out equipment that will only work with Microsoft Windows XP. These units have no physical connection to the PC, so will even work with the operating system used by Apple Macintosh computers.
Authentication before the card reader
Previously, I used a 4-digit PIN and an 8-character password. Authentication consisted of providing 3 selected digits from the PIN and 3 characters from the password. I was occasionally asked for additional characters if I wanted to do something that wasn’t a run-of-the-mill transaction (e.g. add a standing order). Essentially, this form of authentication relied on something I know. The trouble with this approach is simple: the bank also knows this information, which leaves it open to abuse, either via employees “taking it with them when they leave”, or the material simply appearing in the trash. I’m not saying that this has happened at the RBS, however it has happened to other banks, as is widely reported.
So what’s the authentication process now?
Well, nothing has really changed for day-to-day transactions. However, the following items require the use of the card reader: Add a new Payee, Amend a Payee, Create New Standing Order, Change Security Number and Change Password. I authenticate and log in as I did before; however, to use any of the aforementioned features, I have to use my card reader. I insert my card, push the Respond button and enter my card’s PIN. I then have to enter a number into the card reader – it’s provided by the RBS Internet Banking web-site. Once I enter that number into the card reader and press OK, it then displays a number that I must enter into the web-site. There’s a better explanation over here.
So now, whilst the basic authentication remains the same, for certain features, the authentication is relying on something I have, in this case the card reader, the card and my card’s PIN. This makes it a little harder for those people who have discovered my on-line banking PIN and password to transfer money to a new payee.
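The exchange described above, sketched as an added example (not RBS's or Xiring's code). The page does not say how the reader derives its number, so a truncated HMAC-SHA256 over the web-site's number with a per-card secret stands in for it; the class and function names, the 8-digit lengths, the three-try PIN limit and tying each number to one action are all assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8      # assumed length of the web-site's number and the reader's reply
PIN_TRIES = 3   # assumed number of wrong PINs before the card locks

def code_for(key: bytes, challenge: str) -> str:
    """Stand-in for the card's computation: truncated HMAC-SHA256 as digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Card:
    """The 'something I have': the secret stays on the card."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._tries = key, pin, PIN_TRIES

    def respond(self, pin: str, challenge: str):
        # The card checks the PIN itself, so the PIN is never typed into the PC.
        if self._tries == 0:
            return None                     # card locked
        if not hmac.compare_digest(pin, self._pin):
            self._tries -= 1
            return None
        self._tries = PIN_TRIES
        return code_for(self._key, challenge)

class Bank:
    # The operations the post lists as needing the reader (identifiers are mine).
    PROTECTED = {"add_payee", "amend_payee", "new_standing_order",
                 "change_security_number", "change_password"}

    def __init__(self):
        self._keys = {}      # customer -> card secret known to the bank
        self._pending = {}   # customer -> (action, challenge)

    def enrol(self, customer: str, key: bytes) -> None:
        self._keys[customer] = key

    def start(self, customer: str, action: str) -> str:
        if action not in self.PROTECTED:
            raise ValueError("action does not need the card reader")
        challenge = str(secrets.randbelow(10**DIGITS)).zfill(DIGITS)
        self._pending[customer] = (action, challenge)
        return challenge     # the number shown on the web-site

    def finish(self, customer: str, action: str, response: str) -> bool:
        # pop(): each challenge is accepted at most once, right or wrong.
        pending = self._pending.pop(customer, None)
        if pending is None or pending[0] != action:
            return False
        expected = code_for(self._keys[customer], pending[1])
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key = secrets.token_bytes(32)
    card, bank = Card(key, "4821"), Bank()   # constructed PIN
    bank.enrol("alice", key)
    challenge = bank.start("alice", "add_payee")
    response = card.respond("4821", challenge)
    ok = bank.finish("alice", "add_payee", response)
    replay = bank.finish("alice", "add_payee", response)  # already consumed
    # Web PIN and password alone: no card, so only a guess can be submitted.
    good = code_for(key, bank.start("alice", "add_payee"))
    wrong = good[:-1] + str((int(good[-1]) + 1) % 10)  # guaranteed-wrong guess
    bad = bank.finish("alice", "add_payee", wrong)
    # Card in hand but PIN unknown: the card locks after PIN_TRIES failures.
    other = Card(key, "4821")
    for _ in range(PIN_TRIES):
        other.respond("0000", challenge)
    locked = other.respond("4821", challenge)
    return {"legitimate": ok, "replay": replay,
            "wrong_code": bad, "locked_card": locked}
```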
—
I can only assume that the types of fraud that have been affecting the major Internet banking operations revolve around the creation of new payees, direct debits and standing orders. Certainly this rings true in the few cases I’ve been close to: the creation of a new payee followed by a single transaction, or more likely two transactions. This card reader will help alleviate those kinds of fraudulent transactions. The need for a perpetrator to have my bank card and the PIN for it does add an extra layer of security. I won’t need the card reader that often, as most of my payees are already set up; however, it will mean that when I do need to add a new payee, I will need the card reader present.
What’s next? Bio-metrics: the third tenet of authentication, something you are, e.g. fingerprint, voice-print, retina scans.
More information
http://www.rbs.co.uk/reader
http://www.secureidnews.com/news/2006/05/03/mastercard-allinone-includes-xiring-authentication-solution-to-enhance-security-for-us-online-banking/
Further reading
http://blog.jazzle.co.uk/why-i-might-leave-my-bank-the-natwest-card-reader/
Not making you use the card reader for a normal transaction is VERY clever. It stops some “real-time man in the middle” attacks, as a phishing site will find it a lot harder to get you to type in the result from the card reader, if you are just doing a normal transaction. Therefore the phishing site will have to get you to do one of the special transactions.
It would be even better if they send the “number to enter into the reader” by a SMS text message, that way a phishing site has had it if they don’t know your mobile phone number.
I think that this is a pain in the arse; it reduces the ability to do all transactions online ‘anywhere’. What a stupid device, and what a waste of money, energy etc. I am seriously considering moving to another bank that doesn’t see the need for these things.
I initially thought the same as comment 2, “what a farce, having to carry this thing around with me everywhere, just in case I need to do an online transaction away from home” (as the Royal didn’t see fit to include any kind of in-depth info about the device), but now that I see that it’s only for certain transactions, I think it’s genius.
It would still be a pain in the arse for me. I often need to set up ad-hoc payments away from home – if I’m at a friend’s house and need to pay them for something, but don’t have the cash on me, borrowing their computer and doing a transfer is a common solution. This device breaks that.
I agree, total pain in the arse – I’ll almost certainly lose it, I’ll almost certainly need it sometime when I’m using online banking remotely and the fact that it’s not used very often just means the batteries will probably be flat when I do need it, if it hasn’t got so full of dust that it won’t work.
I rang RBS this morning and asked to opt out but of course, that’s not an option. They said all banks will be rolling it out eventually so I’ll give it a year, and if that is the case then – well, better the devil you know I suppose. Otherwise, I’m off. Why should the customer carry the burden of the bank’s security problems?
I’ve just been issued one by the Ulster Bank. It’s okay for me at the moment for my current uses, but I can see the additional headaches it may cause: Like how long would it take for the bank to send out a replacement if it breaks?
Also, if all the banks jump on the bandwagon, I’m going to have a drawer full of them!
What a PIA.
Even the normal login is stupid, asking for different characters, which you often have to write down and number. Why not a pass phrase?
My PC is on the second floor, used only by me. House occupied 24/7; any entering of passwords is just a waste of time and a PIA.
Got to be something better. Why can’t I just swipe my bank card in the keyboard and enter my PIN like all other transactions? Simple.
The reason the bank won’t let you enter your PIN on your keyboard is because with the state the internet is in nowadays, you never know if you have a trojan etc. that is sitting dormant and recording all your keypresses and sending them back to a “source” that infected your computer. I think it’s a good idea but, like the above comments, I will lose it within the first week lol
got to be a better way
I rang 0845 300 6433 and could not understand what the lady was saying. Please be more critical on accents when you employ people for the telephone.
You have sent me a digital banking card No 0100 0023 2650
Ref 1056235464 830425 dated 26.11.07 and offered a pin in a few days.
I have closed my accounts with RBS
Please ensure this is all cancelled
Thank you
You really have to give it a go first; anything is better than the con men winning. Alan Mclaughlin
My card arrived with my name spelt incorrectly, i.e. Rogers spelt with a D. I rang to get it changed but have not received another one – can I use the original one? Will it be the same number?
Good idea. I have received the device, but no card inside. Is it a subject of separate correspondence and if so could you tell me when I will receive it? If meantime I need the e-banking, shall I be able to operate or not?
Best regards
Todor Adamov
I phoned to try and opt out of this service and the staff member who I spoke with said (amongst other things, obviously) that they “agree completely, you should be able to opt out” and “I can see how it could be impractical” and suggested I eMail to complain.
I complained, in writing, to RBS about being forced to use the card-reader and the lack of an opt-out option… after a week I got a letter from RBS that will be posted on my own website shortly, but in the meantime here are a few choice quotations showing the general grasp of the English language (or poor stock letter templates) that the RBS seem to have, adding insult to injury considering they didn’t answer any of the points raised in my eMail.
“…we at Royal Bank of Scotland are the first Banks within the UK to introduce…”
“…This is when you wish to create or amend and payment details….”
And last but not least
“I hope this resolves your query, however if you have any further questions please contact our Royal Bank of Scotland on Royal Bank of Scotland* and we will be happy to help”
Believe it or not the letter actually seemed to carry a real signature, so Richard Csizmazia obviously didn’t read either my original eMail, or his own reply!!
I have been Business Banking with the Royal Bank of Scotland since May 2002 and found that their Internet Banking has been excellent until around the 7th December 2007 , when I tried to make a payment to an existing Payee ( I always add a ref e.g. Invoice number against my existing payees , which means I always amend Payee’s on every transaction )
It asked for extra security using a Card Reader and Card ?
What is a Card Reader ? How can they implement this procedure without first notifying the Customer in advance and also ensuring that Card Readers had been received by the Customer .
Upon complaining to RBS Direct Banking they stated that I had to request a Card Reader and Card . This I did , and to date 24th January 2008 I have not received a Card Reader or Card .
They claim to have sent out several Card Readers and upon checking the address: they left out the Name of the Company I work for ( for Security Reasons ) .
They tell me that they are unable to send out Card Readers to a Company ? It has to be to an Individual named Person i.e.
Kevin Belsham
Hanson Park
Manchester
How absolutely STUPID !!!
Upon discussions with my Relationship Manager , he agreed with the Customer Complaints Dept to add the Company Unit No.
i.e. Unit E1 ( which identifies the Building ) instead of the Company Name .
Consequently today my PIN number was delivered to the Company opposite Unit F1 .
Still no sign of any of the 4 Card Readers which they have sent out ?
I think I will shortly be closing my Account with RBS as Customer loyalty no longer means anything to them .
My original complaint, and their reply is at
http://www.iross.net/blog/royal-bank-of-scotland-card-reader-complaint/
The “Enhance Security Helpdesk” really are dismal – can’t even get the name of their department right – missing a D I think (for Dunce perhaps?)
If this is an example of the standard of communication from RBS … I think I might take my personal, and a number of company accounts’, business elsewhere.
We have a small business account with NatWest bank, and had the exact experience as Kevin Belsham. Why on earth does one have to use this extra hassle card reader system just to amend a payee’s invoice number for this month’s payment rather than leaving the number from last month? It’s crazy! We are just two directors in our small company and we both travel most of the time, meaning online banking is absolutely critical. Sending cheques through the post is not practical nor does it result in timely payments when one is abroad. However carrying around a card reader, a card and having now 4 levels of PIN numbers, plus several personal questions the answers of which only I know, and all the other hassle, is a huge burden that cannot possibly be the way to go. I was also told there is no opt out and that all the banks will be going to this system. But I cannot imagine that this complicated and burdensome system is banking for the future (not to mention the environmental damage it does).
Here’s what APACS has to say about it
http://www.apacs.org.uk/payments_industry/new_technology_1_4.html
1. I have never heard of this Digital Banking System.
2. I have not used this account for internet banking, AND WILL NEVER USE IT FOR SUCH.
3. What would you like me to do with your card?
4. Is the old ATM card still usable in the ATM’s in the high street?
5. Not that that really matters as I have not used that facility since the current card was issued.
6. All my funds are held in a deposit account and not in a current account.
7. Which account is this Digital card applicable to?
8. If it is a necessity for me to use this new card, instead of the old ATM card, then you will need to send a PIN reminder, as the PIN you sent has been destroyed. As I have never heard of the system you are referring to with this Digital card, I destroyed it as an unnecessary security risk.
9. I like this page/site. Totally uncluttered. Refreshing to use, thanks. Shame about the card though.
Like a lot of others I too have had problems.
Number 1, only found out when I had to phone them for one; my new card would follow. Three weeks, no card; it had been lying in bank so they cancelled it. Upon phoning was told to go in to verify address;
they had old one, no explanation as to why. Finally got card but no info on numbers to put in or if they are on the way.
Hello
I have received my digital card etc.,
my question is, I live in Canada and my account is in Dundee, Scotland. I have an ATM card which I use to withdraw from my savings. On reading the instructions on what the card does I noticed that if I go digital I won’t be able to withdraw cash from my account, therefore it’s no use to me, or have I missed something?
thanks
john
Enhanced Security Support Letter signed David Head from Head of internet Services, a bit of Comedy here
My Digital Banking is seriously crippled just now, I have to call up for everything except paying to existing payees. I’ve called RBS, who have told me to be patient, I will have a card reader within a few months(!). Thing is, I actually already have a card reader, for my business account. My current account card seems to work with it, so why do I have to wait for them to send out a new and completely unnecessary card reader?
I have two different accounts but have been able to use both cards (from different banks) in both readers with the same results. They must all work on the same system, maybe therefore only having one will not be a problem
I’ve found the card reader from RBS ok to use. It can be a little frustrating if i want to do some transfers etc from work and the only card reader i have is at home, but otherwise it’s been fine for me.
RBS even let you have more than one, so i could have one at work, if need be.
I was sent a card reader before the system came into operation and have had no problems with it at all!
The only issues I have had with digital banking was when I entered the wrong login details twice in a row and I was blocked out and had to phone direct banking, who I then had to register with. They then confirmed some details and activated my online banking again, except that for the first 2 weeks I only had the options to look at statements and transfer between my own accounts… very frustrating!
Also, I have recently opened a joint account and it has not appeared on my list of accounts at the top of the digital banking page… I therefore can’t get access to it, even though it’s appeared on my wife’s digital banking so she has access to it! Not so good.
Oh, their level of service at branch level seems to have dropped significantly recently, but this is across the board with banks I think!
RBS were great until a year ago when everything seems to have gone downhill.
I signed up for digital banking, never really used it but saw the benefits after about 6 months. 3 weeks ago I tried to transfer money between my accounts only to be told that this is not possible without a card reader. Supposedly I was told about this months ago – I received no information about this whatsoever. They had also taken it upon themselves to cancel my telephone banking without asking as I now had digital banking, I was using the phone banking up until this point, when I was told that I should have been deactivated months ago. This left me with no option but to go the branch on a Saturday to transfer money between my accounts.
The card reader arrived a rather annoying machine as I now have to take it with me everywhere (I work and live in multiple locations), travelling with it in my handbag along with my cards is not exactly secure. I attempted to use it only to be told that they still couldn’t activate the system and I still was not able to transfer any money either by phone or internet – again only the bank was the option.
2 months later I still have no phone banking, they can’t seem to get it set up. I eventually gave up on digital banking, it just seemed useless as all I could do was look at the screen and nothing else. The eventual decision to stop it came after my computer had a spyware virus that stole passwords. Needless to say I called RBS to freeze any internet access to digital banking; 45 minutes later I was still explaining to the woman on the phone why I could not go online to deactivate it myself, as that would involve giving my password online which would have been hacked.
Pretty poor service in comparison to what they used to be like.
I was ordering some things online and paid with my card. I put in the wrong number of my card, now it is blocked. How do I unblock it?
Smile.co.uk have just introduced the device. I’ve not been sent one and I now have no access to my money!!!!! What a waste of time and money. It won’t stop online fraud from people buying things. It’s only for use with the online bank account.
LloydsTSB are not introducing this according to Customer Services so I’m moving all my money there.
Its worse than you think. You know that when you use these you have to type your pin in and it says OK or not?
Well since Smile/RBS/Barclays etc. readers are all compatible, muggers can use them to verify whether you’ve told them the right PIN number from the comfort of a dark alley. Before they had to go to a nice public cash point to do that. Your safety, not banks’ problem evidently.
Oh and my bank says I can use other banks’ card readers, great. That’s a criminal’s charter; don’t slot your card into other people’s card readers and type your PIN in, unless you’re sure the card reader’s not been tampered with. Great way of scamming card details.
Friends there is hope. This stupid system is impossible for a mobile worker. When the coop forced it on me I moved all my banking to Lloyds. Lloyds now tell me that they are introducing…..a phone call. If I try to set up a payment they will phone me to confirm it, instead of a ffing stupid card reader.
So join Lloyds. (I don’t have any shares in Lloyds, except as a UK citizen.)
John Orrett
Total pain in the butt. I’ve just tried to do an online payment to find when using the card reader that my pin is locked for some reason. Rang the bank to get them to unlock it, which they did immediately, but to get the physical card unlocked I have to take it to the cash dispenser. So to do my online payment I now have to trudge through the snow to a cash machine. Crap, crap, crap!
This site seems to have attracted some of the most stupid people in Britain.
For your reference: THIS SITE IS NOT AFFILIATED WITH RBS, YOU WILL NOT GET ASSISTANCE WITH THE CARD READER, YOU NEED TO PHONE THEM UP AND POSSIBLY GET OFF THE INTERNET SINCE YOU’RE TOO STUPID TO KNOW THE DIFFERENCE BETWEEN A GENUINE RBS SITE AND SOME SCOTTISH BLOKE’S BLOG.
To
The Manager
RBS, Canaught Place, New Delhi
Subject: Transaction dispute with RBS Credit Card account
Respected Sir
I Mukesh Kumar Verma am a credit card holder. My card No. is 5239504004308337 .
I faced some problem with my credit card couple of month back. Already I have been submitted and written 2 application
regarding this, nevertheless you people did not take any action on that, even I am getting threaten call from the bank to pay the money immediately.
So now I am thinking to go for police complaint. If you help me for the above problem I will be grateful to you.
Now I need to know what I am suppose to do. Even I lodged a police complaint regarding this issue.
I m attaching the copy of Fraud Transaction detail, please find attached it.
Please do let me know what sort of action should i do therefor might be able to solve this issue as earlier as possible.
Thanking you
Mukesh Kumar Verma
Subject: Internet banking & Card Readers
Who do the banks think they are? First they pilot the ship HMS UK PLC into financial ruin then they expect us to take more responsibility for Internet fraud. Personally I have never had money stolen from my several accounts and if I did I would expect the bank to return my money since it would most likely be their fault. Why should I suffer this extra level of security to protect my money when I employ and pay my bank to do this for me? I have several accounts (don’t leave all your eggs in one basket) so do I have to have a card reader for each bank? The answer is yes if I want to continue to use internet banking effectively. WELL I REFUSE. I LOVE THE SPEED OF 24 HOUR INTERNET BANKING BUT I WILL GIVE IT UP AND EITHER USE TELEPHONE BANKING OR VISIT THE BRANCH!
Look out HSBC, NatWest, Barclays, Lloyds TSB, NBS and many more you are going to NEED TO EMPLOY MORE STAFF TO COPE WITH THE DEMAND AT YOUR BRANCHES. We don’t like to wait in line since you have trained us to expect instant access & money transfers.
Disgusted from Uttoxeter
When will the banks in the UK learn that the customer is always right.
It is ridiculous as others have said to have to use a card reader to change the payment description, as this takes ages when paying multiple invoices to the same payee.
On the continent you have been able to do this, and make international transfers for the last twenty years!
It’s like in the 80’s needing a ‘green card’ for travelling to the continent, we’re miles behind.
Akin to Islanders living in the stone age with the banks hoodwinking us into thinking that the UK is miles ahead.
Welcome to rip off Britain.
Appalled and unimpressed from the SE of the small Island of GB.
Recently opened a RBS account and today received a card reader. I thought that this was some world leading state of the art device, using world class technology …. silly me!
Tend to agree with Fred 27/5/11.