
Nationwide to end login with memorable data

Posted: October 25th, 2019, 7:30 am
by wickham
Nationwide sent me an email yesterday saying that logging into my current account using memorable data will cease on 28th November.

I will be able to use either a text code by mobile phone (I don't have a mobile phone) or use the card reader. The card reader is more inconvenient than memorable data but as I usually log in with a desktop pc the card reader is nearby, but wouldn't be available if I wanted to log in with a tablet away from home.

My question is how does the card reader generate a number that is recognised online by the bank's computer? I'm always interested in the way things work. If the card reader (or bank card) and the bank's account have a sequence of numbers built in from the start, then the two should match. However, If I generate a card reader number and don't use it, then the next time I log in the number won't match the number on the bank's server. I like to understand basic computer technology.

I know I used the word bank above when Nationwide isn't a bank, but I think it may be soon!

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 7:57 am
by JohnB
It's annoying they are doing this even though the legislation that requires them has been delayed, as I'd much rather have the convenience of using memorable data. But the way the keypads work is that they produce response codes using some algorithm, but with flexibility in the system that a range of 3-4 responses are acceptable, so you can generate a few codes and not use them without problem.

Some of these devices are always on, and have internal memory, so the codes you enter include data to reset the counters. Securid do this, not sure the cheaper bank card readers do.

I expect many people's response is to have larger balances in their accounts, so they don't log in so often, which will make the banks more money, but will save us time micro-managing our finances.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 8:02 am
by jackdaww
wickham wrote:Nationwide sent me an email yesterday saying that logging into my current account using memorable data will cease on 28th November.

I will be able to use either a text code by mobile phone (I don't have a mobile phone) or use the card reader. The card reader is more inconvenient than memorable data but as I usually log in with a desktop pc the card reader is nearby, but wouldn't be available if I wanted to log in with a tablet away from home.

My question is how does the card reader generate a number that is recognised online by the bank's computer? I'm always interested in the way things work. If the card reader (or bank card) and the bank's account have a sequence of numbers built in from the start, then the two should match. However, If I generate a card reader number and don't use it, then the next time I log in the number won't match the number on the bank's server. I like to understand basic computer technology.

I know I used the word bank above when Nationwide isn't a bank, but I think it may be soon!


is there any evidence for this please ?

:)

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 8:20 am
by swill453
wickham wrote:I will be able to use either a text code by mobile phone (I don't have a mobile phone) or use the card reader. The card reader is more inconvenient than memorable data but as I usually log in with a desktop pc the card reader is nearby, but wouldn't be available if I wanted to log in with a tablet away from home.

If the tablet has biometric security like a fingerprint reader or face recognition then that can be used to login.

Scott.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 8:21 am
by mutantpoodle
fao JohnB
qq
I expect many people's response is to have larger balances in their accounts, so they don't log in so often, which will make the banks more money, but will save us time micro-managing our finances.
uq

i thought the opposite!

I have reduced my balance to £100...taken the £2500 and invested somewhere to earn interest (sadly not as much as was here previously)
set up a £13 s/o for Nationwide fee each month and need not log in at all
thereby having travel insurance...phone insurance...UK/europe breakdown insurance for much less than if bought elsewhere


for me....at least this made best sense in view their lack of interest in my custom

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 8:23 am
by swill453
JohnB wrote:I expect many people's response is to have larger balances in their accounts, so they don't log in so often, which will make the banks more money, but will save us time micro-managing our finances.

The OP's situation is the exception rather than the norm, most customers will have mobile phones and will find it easy to log in more often.

Scott.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 8:25 am
by swill453
mutantpoodle wrote:I have reduced my balance to £100...taken the £2500 and invested somewhere to earn interest (sadly not as much as was here previously)
set up a £13 s/o for Nationwide fee each month and need not log in at all
thereby having travel insurance...phone insurance...UK/europe breakdown insurance for much less than if bought elsewhere

I'm the same, though I won't do it till November 1st. Make the most of the "high" interest while it lasts.

Scott.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 8:34 am
by mutantpoodle
you are right Scott (of course) but my account is a joint acct (specifically so we both covered on each benefit)...so us each losing a share of the monthly £6 interest BEFORE tax...didn't cause me loss of sleep!!

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 8:49 am
by AleisterCrowley
My question is how does the card reader generate a number that is recognised online by the bank's computer? I'm always interested in the way things work. If the card reader (or bank card) and the bank's account have a sequence of numbers built in from the start, then the two should match. However, If I generate a card reader number and don't use it, then the next time I log in the number won't match the number on the bank's server. I like to understand basic computer technology.


Re the OP's question above, I assume the card reader uses a similar system to RSA SecurID
https://en.wikipedia.org/wiki/RSA_SecurID

This is what I use to access the VPN for work, using a soft token on my iPhone

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 9:02 am
by JohnB
swill453 wrote:The OP's situation is the exception rather than the norm, most customers will have mobile phones and will find it easy to log in more often.


I can't see how adding the barrier of two-factor authentication and removing functionality is going to get people to use the service more. While most people have mobiles, not all have them powered on when at home, or have good reception, or want them linked to their bank account (I'd certainly not want a mobile banking app on a device I could leave on the bus). And while things might work at home, it might not be so smooth on that Caribbean island.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 9:13 am
by swill453
JohnB wrote:
swill453 wrote:The OP's situation is the exception rather than the norm, most customers will have mobile phones and will find it easy to log in more often.


I can't see how adding the barrier of two-factor authentication and removing functionality is going to get people to use the service more. While most people have mobiles, not all have them powered on when at home, or have good reception, or want them linked to their bank account (I'd certainly not want a mobile banking app on a device I could leave on the bus). And while things might work at home, it might not be so smooth on that Caribbean island.

I accept it's not all, but many do. Reception at home isn't a problem for most, as wifi is pretty ubiquitous.

For myself I find that when I'm sitting at my computer reconciling my finances into Quicken, I'm logging into my bank accounts on my phone rather than having multiple windows open on the PC, simply because the apps make it much easier than using two factor authentication web banking.

My opinion is that overall, online bank logins will continue to increase, rather than your position that they will decrease. Time will tell.

Scott.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 9:20 am
by XFool
wickham wrote:My question is how does the card reader generate a number that is recognised online by the bank's computer?

Chip Authentication Program

https://en.wikipedia.org/wiki/Chip_Authentication_Program

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 9:38 am
by PinkDalek
wickham wrote:The card reader is more inconvenient than memorable data but as I usually log in with a desktop pc the card reader is nearby, but wouldn't be available if I wanted to log in with a tablet away from home.


If I'm going abroad I take a spare card reader with me, in case it is needed. They are mostly interchangeable, as supported by the link just provided by XFool which includes:

However, card readers issued by most, possibly all, UK banks conform to a CAP subset defined by APACS, meaning that, in most cases, cards issued by a UK bank can be used in a card reader issued by a different bank.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 9:46 am
by AleisterCrowley
XFool wrote:
wickham wrote:My question is how does the card reader generate a number that is recognised online by the bank's computer?

Chip Authentication Program

https://en.wikipedia.org/wiki/Chip_Authentication_Program

Ah, that looks right. Very secure, allegedly.

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 10:02 am
by wickham
Without requiring any further input, the CAP reader interacts with the smartcard to produce a decimal one-time password, which can be used, for example, to log into a banking website.

I understand that bit, but how does the bank's server recognise the number generated by the card reader? Does the bank and card hold a sequence of numbers that have to match, or a list from which any number can be selected and approved if the card reader has been used out of sequence?
combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, authenticates a user by computing what number the token is supposed to be showing at that moment in time and checking this against what the user entered.

The card reader and cards don't have a clock!

Re: Nationwide to end login with memorable data

Posted: October 25th, 2019, 11:16 am
by XFool
wickham wrote:
combinations. The server, which also has a real-time clock and a database of valid cards with the associated seed records, authenticates a user by computing what number the token is supposed to be showing at that moment in time and checking this against what the user entered.

The card reader and cards don't have a clock!

There is nothing about "real-time clock" or "seed records" in the CAP article.

Re: Nationwide to end login with memorable data

Posted: October 27th, 2019, 5:41 am
by UncleEbenezer
It's a cryptographic challenge-response.

Run a transaction through it, and think about it as you go. The bank sends you a number (the challenge), which you type in to the card reader. The card reader then uses it with the cryptographic key on your card to generate a response, which the bank can then verify.

Making you read and enter those numbers manually is IMHO an ergonomic horror. It's the kind of thing that computers are supposed to do for us, and in other circumstances routinely do. To avoid it one could for example use a card reader with USB connection, so you'd never have to type in more than your PIN to authenticate. Though perhaps cards as we know them today (with no builtin connection) might become obsolete first.

Re: Nationwide to end login with memorable data

Posted: October 27th, 2019, 10:10 am
by Alaric
UncleEbenezer wrote:Though perhaps cards as we know them today (with no builtin connection) might become obsolete first.


Mobile phones can scan cards using the built in camera, so laptops and PCs with webcams presumably could as well. You can use your phone as a scanner to pay when remotely ordering in a Wetherspoons although keying in the card number is on balance easier and quicker.

Re: Nationwide to end login with memorable data

Posted: October 27th, 2019, 11:31 am
by mc2fool
UncleEbenezer wrote:It's a cryptographic challenge-response.

Run a transaction through it, and think about it as you go. The bank sends you a number (the challenge), which you type in to the card reader.

Mostly not. The readers have Identify, Respond and Sign buttons and for the most part you press Identify and stick in your PIN and it gives you a code which you then enter into the bank's website.

There is no "challenge" from the bank that you have to enter into the reader with the Identify button. I have two readers, Barclays & Lloyds (aside from the branding they are identical and interchangeable) and the Identify function is what both use for logging in, and what Lloyds at least uses for setting up new payees (my Barclays account is a legacy savings a/c with £0 in it that I haven't used in many years and I can't remember if it's the same).

I think I have had to use Respond, which does require a challenge to be entered, but IIRC it was only once and I can't remember what it was for. I don't remember ever having to use Sign.
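
Added example (not part of any post in this thread, and not the CAP algorithm itself): a counter-based one-time code with a server-side look-ahead window, showing why a few generated-but-unused codes do not break the next login, as JohnB describes, and how a challenge-bound Respond code differs from an Identify code, as mc2fool describes. It uses HOTP (RFC 4226) as a stand-in; the `Card` and `Bank` classes, the window of 4, the key and the challenge values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def otp(key: bytes, counter: int, challenge: str = "", digits: int = 8) -> str:
    """HOTP (RFC 4226) over the counter; a non-empty challenge is appended
    to the MAC input (an assumption made to model the Respond button)."""
    msg = struct.pack(">Q", counter) + challenge.encode()
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Card:
    """Card plus reader: secret key and a counter that advances on every use."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def code(self, challenge: str = "") -> str:   # "" = Identify, else Respond
        self.counter += 1
        return otp(self.key, self.counter, challenge)

class Bank:
    """Server: same key, last accepted counter, small look-ahead window."""
    def __init__(self, key: bytes, window: int = 4):
        self.key, self.last, self.window = key, 0, window

    def verify(self, code: str, challenge: str = "") -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(otp(self.key, c, challenge), code):
                self.last = c                 # resync; older codes are now dead
                return True
        return False

def demo() -> dict:
    key = b"constructed-demo-key"             # constructed sample secret
    card, bank = Card(key), Bank(key)
    first = card.code()
    out = {"in_sequence": bank.verify(first), "replay": bank.verify(first)}
    unused = [card.code(), card.code()]       # generated but never typed in
    out["after_two_unused"] = bank.verify(card.code())
    out["stale_unused_code"] = bank.verify(unused[0])
    answer = card.code("4821")                # Respond to a constructed challenge
    out["wrong_challenge"] = bank.verify(answer, "9999")
    out["right_challenge"] = bank.verify(answer, "4821")
    for _ in range(5): card.code()            # drift past the window
    out["beyond_window"] = bank.verify(card.code())
    return out
```

Calling `demo()` returns which of the seven logins the server accepts; the window size is the trade-off between tolerating unused codes and the number of codes valid at any moment.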

Re: Nationwide to end login with memorable data

Posted: October 27th, 2019, 11:34 am
by swill453
Alaric wrote:
UncleEbenezer wrote:Though perhaps cards as we know them today (with no builtin connection) might become obsolete first.


Mobile phones can scan cards using the built in camera, so laptops and PCs with webcams presumably could as well. You can use your phone as a scanner to pay when remotely ordering in a Wetherspoons although keying in the card number is on balance easier and quicker.

Scanning a card won't be as secure, as you're then not using the chip&pin.

Scott.