4

I hold my business account with Lloyds TSB [UK] and the process for logging in to their online banking service(s) is as follows:

  1. Login page
  2. Enter customer number
  3. Enter password
  4. Put debit card into their card reader
  5. Put in PIN for the debit card and press 'identify'
  6. Enter 8 digit code generated to complete the login

After three wrong attempts, the account is locked until they send a letter out with unlock information.

Furthermore. This card-reader device is only a cheap, light, calculator-style reader. I don't see how it could possibly connect to the internet for verification, which means it can determine whether or not the inserted card's PIN is correct. Surely the software on the reader could be exploited to obtain a card's PIN?

I understand banks have to be very secure, but surely it would be more secure (and simpler and cost-effective) to have two [long] passwords of which it asks for certain characters?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Anonymous
  • 209
  • 3
  • 9
  • 2
    "This card-reader device is only a cheap, light, calculator-style reader. I don't see how it could possibly connect to the internet for verification, which means it can determine whether or not the inserted cards PIN is correct. Surely the software on the reader could be exploited to obtain a card's PIN?" **It doesn't connect to the internet there would be no point.** – Ramhound May 30 '12 at 16:13
  • If you can determine a cards pin and you have the card itself, you can withdraw money at cash points, of course there's a point... – Anonymous May 30 '12 at 17:18
  • 3
    Except that isn't the question, and that has always been the case, the reader is no different then the reader on the ATM you use. – Ramhound May 31 '12 at 12:31

4 Answers4

10
  1. Login page
  2. Enter customer number
  3. Enter password

So far, this is what you're used to: username & password.

  1. Put debit card into their card reader
  2. Put in PIN for the debit card and press 'identify'
  3. Enter 8 digit code generated to complete the login

This is a second factor. The algorithm for generating this number is shared by the bank and your card. The secret is stored with the bank and also in your card. The computer uses the current time as a seed (I assume it is connected). From this, even if one does compromise your machine and sniff your password, they can't use it without the hardware card. The hardware device doesn't report the number back to the computer, so it can't be automatically called if you leave the card in the system.

It would be less secure to use two passwords and pick random characters. The bank I reference in talking about what constitutes two factor security used a method something like this -- multiple passwords that weren't all used at the same time. An attacker monitored the customer's computer over a period of time and walked with a lot of money.

From this, losing your card doesn't compromise your account. Somebody has to physically collect your card, so an attack can't be entirely remote. Somebody can't pick your card up off the street and access your account. They still need an account number and the password. Unless you lose your card with your account number and password written on it (to be straight-forward, we consider this the building a better idiot problem), your odds of compromise are much lower than with just a pair of passwords.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
  • 2
    You forgot they also need the `pin` to the card itself. This is after they collect the card off the street and read your mind for the username and password :-) – Ramhound May 30 '12 at 16:15
  • 3
    The secret sauce with the pin is that it is never input into the computer. So while your DA could sniff or keylog your username and password, and break into your house or mug you for your card, they can't get your PIN without your co-operation (or by compromising your card reader or an ATM, but either of those require another level of skill and determination) – Colin Pickard May 30 '12 at 16:47
  • +1 on Ramhound and Colin's follow-up comments... I did forget to talk about the PIN part of the equation. – Jeff Ferland May 30 '12 at 17:23
  • @JeffFerland - I really wish the banks in the US would stop being lazy and introduce REAL 2-factor authentication. Sadly they feel asking the same secret question is enough. – Ramhound May 31 '12 at 12:32
6

This is called two-factor authentication. By making you authenticate in two very different ways, security is increased, because an attacker now has to break both methods.

The two factors here are "something you know" which is the password and "something you have" which is the debit card.

As a result, if an attacker gets hold of your card somehow, then they can't access your online banking, since they also need your password. Or, if they discover your password, it's not enough, because they need the card too.

I'm not saying that two-factor makes you invulnerable, and in addition there are various complaints about how this specific system - known as Chip Authentication Programme or Dynamic Passcode Authentication - has been implemented, but it makes it harder for the attacker, and that's a good thing.

In answer to your final point, the PIN is not verified against the bank, but against your debit card itself.

Graham Hill
  • 15,474
  • 37
  • 63
  • Thanks for the answer, it makes a lot of sense. To address your last sentence. Is it not fairly easy to decipher a cards PIN number? Given that you can read the magnetic strips on cards easily with a USB reader, couldn't you benchmark with your own cards (that you know the PIN of) until you come up with a solution of decrypting the information? – Anonymous May 30 '12 at 15:25
  • @Anonymous - If it is possible I am not saying it is, you would need to have the exact same type of card card. Of course you would also need access to the card itself or a duplicate of the card which is not easy to do. This is the reason your idea about partial parts of a password ( this means the password is stored in the incorrect way ) is a bad idea. – Ramhound May 30 '12 at 16:17
  • @Ramhound It is assumed that it is not possible to duplicate a card unless you are the issuer of the card. – curiousguy May 30 '12 at 21:48
  • 5
    The PIN is stored, encrypted, in the chip inside the card, not on the mag stripe, and is not directly accessed by the reader: the reader asks the chip "is this PIN correct?" and the chip thinks about it and gives a yes or no back. (Or locks itself after a few nos in a row, to stop an attacker brute-forcing a stolen card.) – Graham Hill May 31 '12 at 01:18
2

So this is actually the first time I have seen a system like this (I am from the states) and this is far superior to what we are offered. We get the something you know (password) + something you know (image verification) + something you know (secret question). Your bank actually provides 2 factor authentication. Because you get the something you know (pin,password, etc) + something you have (debit card). While it is simpler and "cheaper" to implement the one factor authentication the banks I deal with have, it ends up losing something when you can log into someone's account because you know the same things that they know. To the point about cost effectiveness, it depends on how much the card reader system costs versus the average cost of theft/ fraud. My guess is theft / fraud > cost of card reader.

Woot4Moo
  • 889
  • 6
  • 10
  • They claim what they offer is 2-factor authentication it really isn't. I would argue that every bank that does not require you to answer a secret question ( i.e. a random one ) every single time is in violation of the banking policy that requires them to use 2-factor authentication. This policy is about a decade old....Talking about the states. The real reason these card readers will never catch on in the states is because every computer you use would need one. The readers would increase an already very thing margin. Thus banks would have to offset and they alry want to chrg us for dbt use. – Ramhound May 30 '12 at 16:22
  • "_it depends on how much the card reader system costs versus the average cost of theft/ fraud_" Who pays for the card reader? – curiousguy May 31 '12 at 01:05
  • @curiousguy I do not know policy in the UK, I would imagine that the cost is passed to the consumer, as the bank does not care about normal people (only businesses hence the hours imo) – Woot4Moo May 31 '12 at 11:30
  • @Woot4Moo - The customer rights in the UK are different then here in the US. I would say a customer has more rights in the UK, of course they also pay a great deal more for the same product, because of those rights. It would be harder to give people in the US those rights without increasing costs to a point where we simply throw said rights back at said law makers :-) – Ramhound May 31 '12 at 12:37
1

Firstly: passwords can be forgotten, having 2 different passwords with very stringent requirements can cause issues with customers forgetting their passwords. Passwords can also be guessed at through bruteforcing or dictionary attacks, given enough time.

The card reader provides a two factor authentication. By scanning your card and entering the PIN, it will probably generate a one-time password that cannot be easily guessed at without knowing the algorithm behind its generation.

This ensures that your account cannot be bruteforced without you actually losing possession of the physical card.

http://en.wikipedia.org/wiki/One-time_pad

This wikipedia entry provides an explanation on the reasons behind implementing a one time password system.

  • this does not address why the card reader is in place, which seems to be the crux of the question. – Woot4Moo May 30 '12 at 12:46
  • @Woot4Moo I addressed that in my edit. –  May 30 '12 at 12:49
  • @TerryChia - That must be how the card reader works. It must just be a keygen in effect that generates numbers for one-time use. I'm sure it cannot make a connection itself, so there must just be an algorithm in their online backend that verifies the number then marks it as 'used'. What still concerns me is that the software to generate these numbers and verify PIN entry must all be on the card reader itself. Surely that is dangerous? – Anonymous May 30 '12 at 13:01
  • The system is probably using asymmetric encryption to generate the 8 digit key. A key, your PIN and card reader, is used to generate the 8 digits which can be decrypted successfully using the key the bank system knows. The method to generate the 8 digits is on the card reader itself, but it will not be an issue unless you lose the physical card. –  May 30 '12 at 13:04
  • @Anonymous-some of the functionality is on the card, some is in the reader. This is why chip and PIN is catching on everywhere (possibly not the US yet :-) as it makes a second level of security quite simple to implement, along with simple revocation - just cancel the card. – Rory Alsop May 30 '12 at 14:00
  • 1
    "By scanning your card and entering the PIN, it will probably generate a one-time password that cannot be easily guessed at without knowing the algorithm behind its generation." **To be fair the algorithm that generates the code is likely public knowlege** It sounds like the credit card has a simple Smart Card chip on it, which contains a certificate, signed by the bank. While you might be able to guess the pin you wouldn't be able to generate the correct 8 digit code without said certificate. – Ramhound May 30 '12 at 16:19
  • Are you confusing one time password and one time pad? – curiousguy May 30 '12 at 21:50
  • @curiousguy - I am not confusing anything....Anonymous I feel came to the wrong conclusion. I said this earlier I suspect its simply a Smart Card with a cert that generates a key. Ingenious answer is complete nonsense. – Ramhound May 31 '12 at 12:39
  • @Ramhound My last comment ("_Are you confusing _") was not meant for you. – curiousguy May 31 '12 at 20:37