Domain: nationwide.co.uk
Stories and comments across the archive that link to nationwide.co.uk.
Comments · 13
-
Re:Blame the bank, not the user
Why? Because I have a card reader that provides an encrypted string after I provide it with my chipped card, PIN and a string from the website. I need to do this for every new transaction. I still believe that only the greedy get scammed.
Unfortunately you might need to re-sync it to gain the full security benefits.
Seriously there is one thing that is terribly wrong with these card readers. They are a gift to muggers. They can be used to verify the pin for a credit or debit card - even ones from other issuers. They don't even have to risk marching you to a cashpoint and forcing you to withdraw money, they can do it all from the comfort of their own crack-house. I complained to the bank and they pointed out that a card would be locked out after three wrong attempts. After two broken fingers I think most people would think twice before using this feature. -
Re:Really now?
What I have for my British Nationwide account (a building society rather than a bank, but that's mainly semantics) is a small, calculator-lookalike card-reader that takes my ATM card and PIN and is used to sign any transactions or other significant operations involving money.
Say I want to transfer money to a non-Nationwide account, I have to:
Login by entering my customer number, passphrase and three randomly selected digits of a secret six-digit code,
Set up the transfer, put my ATM card (with chip) into the card-reader and enter my PIN.
Press 'Sign', enter the reference (typically the account number), press OK, enter the amount of money being transferred, press OK and then type the eight-digit code it gives me into the online banking service to authorise the transfer.It's still vulnerable to man-in-the-middle attacks, but someone would have to be a bit thick to wonder why what appears to be their online banking service suddenly wants them to transfer lots of money somewhere.
Also, yes, it takes forever to do anything.
-
Re:Well...
We've got something like this in the UK, and I'm sure there are plenty of other places that have them. You can't make a transaction without getting the correct cryptographic response from the card using the card reader. Here's a picture: http://www.nationwide.co.uk/rca/How-does-it-work/find.htm
I don't like the sound of a USB type device, because it seems that there is some possibility it could be interfered with in the same way as the recently discovered chip+pin break. In fact I'm quite surprised they came up with what seems to be a pretty well implemented system, given that they seem to have tried pretty hard to make design mistakes with c+p
-
Re:Username/password combo for banks flawed.
Better would be an ATM card reader with builtin PIN keypad (so the pin doesn't even reach the possibly compromised computer).
One of my banks uses just that. The device does not connect to the PC, so there is no chance of compromise through the network. It uses the smartcard in the ATM card to sign transactions - consisting of a transaction token that the bank gives me and the value of the transaction - outputting a number which I have to enter to authorize that specific transaction.
My other bank sends me an alphanumeric session token via SMS whenever I want to do more than just look at my statements in my online banking, and asks for random digits from that and a second alphanumeric code that is printed on a card they gave me when I signed up for internet banking.
-
Re:Pointless
Hmmn, idea forming. If i were to go to http://slashdot/ i should get all the sites registered at slashdot.tld appear as a list, perhaps with a small preview thumbnail/description. That way i could plainly see that http://www.ati.co.uk/ isn't the site i want whereas http://www.ati.com/ must contain a UK section (under
/uk).
I am starting to get to a stage where i'm not sure which TLD i need. With two banks i have online banking facilities. However one has http://www.nationwide.co.uk/ whereas the .com is a US site. The other uses/advertises/redirects to http://www.natwest.com/ (although in this case .co.uk works too). -
TFA
TFA does not say that the laptop had infomation on "their entire customer base" (not saying the submitter is wrong, but the BBC article certainly doesn't say this). It seems that it included names and account numbers but not pins, balances or passwords.
More infomation
http://www.nationwide.co.uk/security/news_and_aler ts/
This was a domestic burglary, there's a chance that the theif has no idea this laptop was special, and has already sold it cash in hand down the pub. It's probably being used right now by someone browsing for porn or doing 'ebay' unaware of what sits of that disk.
Not to say they should not presume the worse and react accordingly of course. -
Re:why Captcha is a bad idea
Its a good enough idea. Even with a captcha defeating library, a fairly skilled person would have to write a script or something to parse the webform (optionally over SSL which is a little more difficult) and programatically decode the captcha and then fill in the form and submit it.
It's fairly easy to work with the HTML dom over SSL or not using java, .net, perl and php (or even a firefox plugin)
Usernames and passwords are a bad idea, but we use them.
Agreed, only because of the human factor and the fact that it's impossible for most people to remember a different password and login for every site you need to register on, making you password only as secure as the weekest site.
If you go to somewhere like www.nationwide.co.uk and register they will send you a set of 8 random numbers and ask you to type in three of them every login making it impossible for some to steal you 'passcode' in one attempt.
Using cookies or special URLs like slashdot has (or had, not sure) to automatically login is a bad idea.
Well if you using a random number generator with a good entropy then a link with a 20 or so 7bit characters it would take 2^27 attempts to brute force and I guess that would take more time than the human race has left on earth so there fairly secure. -
Re:EBanking in UKNationwide works just fine with Firefox and Opera.
Now Powergen won't let you in to view your bill using Mozilla. Only browsers supported are IE, Opera... and Netscape 7. Spot the complete lack of clue there...
-
I don't understand thisNationwide Building Society in the UK tried iris scanning for ATMs a few years ago, and it was 100% successful. The technology wasn't rolled out further because of (a) cost and (b) it was fairly useless as a fraud prevention measure unless all other banks did it too - you could just use a non-iris ATM if you only had a card and PIN.
Rather gruesomely, the system checked for a pulse in the iris to ensure that you hadn't got a life-size photograph...or cut off the account owner's head.
-
Accessible does not NEED to be ugly
I have read several comments about how making a site accessible is not a difficult thing to do, but making an accessible site halfway interesting looking appears to be something else. It is possible though - the company I work for full time is committed to achieveing both these aims (Nationwide). Also, I have started a site called Accessify which as well as promoting the whole accessibility thing, it is doing so to developers and very much with the view that ugliness isn't necessarily automatic - I've had a number of really nice comments about how good the site looks. Anyway, perhaps you'd care to take a look and see for yourself? Accessify - accessibility information, tips, tools and articles
-
Nationwide
Kudos to Nationwide (UK Building Society), whose online banking site I've successfully used with Mozilla and Konqueror (3.0) as well as IE. Everything seems to work as it should.
-
Banking in the UK
As it stands in the UK, one of the leading Internet providers for OS independant banking is a building society; Nationwide. The sign-up is not always 100% clear but they do have a good demo on their site.
By contrast we have solutions (Or more like problems) such as The Royal Bank of Scotlandwhich have their bank tied to M$Money and a win32 app. I believe that Lloyds is the same, however their site looks just like slashcode! Lloyds have a demo site here -
Re:Not the firstNationwide Building Society have been running trials of Iris scanning for around 18 months. Biggest problem is the cost of the machines, as the cameras are about 15k GBP...
People have been very willing to accept the technology as it's non-intrusive, and secure.
The machine checks for a pulse in the eye...
For more information on this initiative, see the Nationwide's IRIS recognition info page.
Chiark.