My bank clearly haven't thought this through...

My bank is one of those "online only - we don't have a branch so we can cut costs & serve you better" setups.

It works quite well. Their site is reasonably secure (account number, sort code, seperate pin number and answer to a random question required to login).

So what haven't they thought through? Well, they've just sent me an email with "in order to increase security we're sending you a USB Card Reader, which you'll need to do anything more than basic account management."

Great, more security, easier to use their website, right? Right.

Only they're sending me, a self confessed geek with an unhealthy obsession with security, a device that will read Chip & Pin cards, and connect to my computer...

Hmmm, card cloning anyone?

[timwilky]

So this USB device, does it work with all versions of linux? or are they another outfit that thinks PC=microsoft windoze etc?

Nationwide have a card reader that gives you a code number every time you use it. I don't know why it needs to connect via USB. Hints of idiot, but i guess it must be secure.

Quote:

Originally Posted by timwilky

So this USB device, does it work with all versions of linux? or are they another outfit that thinks PC=microsoft windoze etc?

I've no idea what drivers will be supplied yet, as I've not received it. I'm betting Windows only, but it really won't be hard to mount it somewhere such as /dev/sda1.

Quote:

Originally Posted by Thingus

I don't know why it needs to connect via USB. Hints of idiot, but i guess it must be secure.

No. It's not, really, it's not.

[ethariel]

Probably find that it authenticates to the RSA server at the bank to ensure it is using the correct algorythm (sp) to allow you access to your account.

Luckily you never need to access your bank from work, abroad, any other computer eh?

Quote:

Originally Posted by ethariel

Probably find that it authenticates to the RSA server at the bank to ensure it is using the correct algorythm (sp) to allow you access to your account.

Close, but no cigar. It gives an RSA number that needs to be entered manually into the site. The manual entry is to prevent automatic abuse supposedly.

But it still reads chip & pin, and connects via USB, so they've just given me a device that can be used on any card, to do with as I wish.

Quote:

Originally Posted by simesb

Luckily you never need to access your bank from work, abroad, any other computer eh?

Ah, but it's USB, so I can use it on any other computer. And it's only for "secure" transactions like setting up standing orders etc.

Crazy.
I have a card reading random number generator from my own bank, (not that I like online banking really, and tend to avoid it) but it certainly doesn't connect to the computer.

I was led to believe it was linked specifically to my own card though, I'd certainly hope so or else it contains everyone else's pin numbers and card details (thinking about it, it must be linked to mine specifically mustn't it? ).

You sure the USB connection isn't just to check it (the device) hasn't been tampered with or something? I'm sure it will have its own keypad and won't be able to transfer any secure data via the USB cable. Or maybe I'm giving them undue benefit of my doubt. And even if that is the way it works it would still surely be exploitable by someone with the talent and the time.

With Barclays card reader you can use it for any card, and its notconnected to the PC. I think it checks the pin you enter with the card, then it gives you a number. Its an 8 digit number that steadily goes up, i guess the must be a random number between each number it generates though. I'd hope its random, if not, it wouldn't take a lot to figure it all out..

[ophic]

The pin isn't contained on the card. The data held on the chip needs to be validated with the pin. So you will always need chip + pin number. Without either of these, you can't do anything.