I hold my business account with Lloyds TSB [UK] and the process for logging in to their online banking service(s) is as follows:
- Login page
- Enter customer number
- Enter password
- Put debit card into their card reader
- Put in PIN for the debit card and press 'identify'
- Enter 8 digit code generated to complete the login
After three wrong attempts, the account is locked until they send a letter out with unlock information.
Furthermore. This card-reader device is only a cheap, light, calculator-style reader. I don't see how it could possibly connect to the internet for verification, which means it can determine whether or not the inserted card's PIN is correct. Surely the software on the reader could be exploited to obtain a card's PIN?
I understand banks have to be very secure, but surely it would be more secure (and simpler and cost-effective) to have two [long] passwords of which it asks for certain characters?