Who cares about password security? NatWest (UK Bank) don't - jalada
http://jalada.co.uk/2011/06/26/who-cares-about-password-security-natwest-dont.html

======
sveiss
The cynic in me says, "What are the bank's goals with their approach to
security?"

The 3D Secure stuff (Verified by Visa/MasterCard SecureCode) -- as commonly
implemented, anyway -- seems to be directed towards transferring liability for
fraudulent transactions away from the banks towards the merchants without
actually doing anything to increase security. VbV/MCSC pretty much trains
users to accept man-in-the-middle attacks by asking users to provide a
password to an iframe served from a totally unrelated domain (arcot.com for
HSBC UK currently, and securesuite.co.uk previously if memory serves). If a
merchant -- or an attacker between the user and the merchant -- MITMs the VbV
flow, how will the user be able to tell?

HSBC (in the UK) have recently given me a physical token for my personal
internet banking service, which is used to both log in to their service and to
authenticate specific transactions. This is a bit of an inconvenience -- I
can't log in to my bank account with just the credentials stored in my grey
matter any more -- but a great big step in the right direction. Now, if only
they could apply this to their VbV/MCSC authentication too, or allow me to use
my phone as the physical token instead of having another bit of plastic to
carry in my wallet...

If my email or Facebook account is ever compromised, I'll be very unhappy -- I
have a fair amount of private, personal information in both locations. If my
bank account or credit cards are ever compromised, I'll consider it a more-or-
less inevitable consequence of the way the system is designed and simply
something to be accepted... but I really don't relish convincing the bank of
this!

------
benjiweber
It is probably worth noting that NatWest will lock your account on 3
unsuccessful login attempts with pin + password + customer-number so brute
forcing a password would be tricky.

They also require a card reader and a physical card to confirm any
transactions involving transferring money. They generate a confirmation code
that you enter into the card reader (along with your card PIN, which is
different to your online banking PIN). The card reader then generates a
confirmation token that authorises the transaction.

As the article points out, they ask for 3 characters from the password rather
than the whole password itself, which when combined with a login attempt limit
of 3 helps mitigate the problems of keyloggers on the users' machines. This
would be harder to implement with longer passwords and more confusing for
users: "Please enter character 61 of your password".
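As an added illustration of the partial-password-plus-lockout scheme benjiweber describes (example code written for this page, not NatWest's or the article's own; `Account`, `issue_challenge`, `verify_response` and `online_guess_probability` are hypothetical names, and the 3-character challenge and 3-attempt limit are taken from the comment above). One design cost worth seeing in code: because the server must check individual characters, it cannot store the secret as a single one-way hash of the whole password.

```python
import hmac
import random
from dataclasses import dataclass
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 3   # lockout threshold described in the thread
CHALLENGE_SIZE = 3        # number of password characters requested per login


@dataclass
class Account:
    # Hypothetical in-memory record. A partial-character check needs the
    # individual characters at verification time, so the secret cannot be a
    # single one-way hash of the whole password (a cost of this design).
    password: str
    failed_attempts: int = 0
    locked: bool = False


def issue_challenge(account: Account,
                    rng: Optional[random.Random] = None) -> List[int]:
    """Choose CHALLENGE_SIZE distinct 1-based positions, drawn from the OS
    CSPRNG by default so an observer cannot predict which characters come next."""
    rng = rng or random.SystemRandom()
    positions = rng.sample(range(1, len(account.password) + 1), CHALLENGE_SIZE)
    return sorted(positions)


def verify_response(account: Account, positions: List[int], supplied: str) -> bool:
    """Check the supplied characters against the challenged positions.
    Every failure counts towards the lockout; a locked account never verifies."""
    if account.locked:
        return False
    expected = "".join(account.password[p - 1] for p in positions)
    # constant-time comparison; mismatched lengths simply compare unequal
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    if ok:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def online_guess_probability(alphabet_size: int,
                             attempts: int = MAX_FAILED_ATTEMPTS,
                             challenge_size: int = CHALLENGE_SIZE) -> float:
    """Probability that blind guessing succeeds before lockout, assuming each
    attempt faces a fresh challenge and characters are drawn uniformly from
    the allowed alphabet. Shows why the attempt limit, not the 3-character
    challenge alone, is what limits online guessing."""
    p_single = 1.0 / alphabet_size ** challenge_size
    return 1.0 - (1.0 - p_single) ** attempts


if __name__ == "__main__":
    acct = Account(password="s3cretpass")   # constructed sample secret
    chal = issue_challenge(acct)
    print("enter characters", chal, "of your password")
    print("digits only, 3 tries:", online_guess_probability(10))
    print("alphanumeric, 3 tries:", online_guess_probability(36))
```

The lockout is tracked per account, so the counter must live in shared server-side state, not in the session that the client controls; the `Account` dataclass stands in for that store here.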

------
pstoneman
I've seen banks do this before - and I think that some banks in some places
use drop-downs rather than having you type characters. That's one reason I can
see for restricting the type of character, so the drop-down is more
sensible...

~~~
jalada
That's a good idea. It's a shame NatWest don't do that...

------
FreeWorld
My bank is even worse; it only lets me use 6 alphanumeric characters... it's
like saying: Come and hack me bro!

~~~
jackvalentine
Have you contacted them about this? I'd really like to see what kind of
arse-covering response you receive.