Chip, Pin, Password...

September 04, 2008

This blog post is *ancient*, and preserved only for historical record.

Anyone who uses internet banking these days will find themselves handing over a vast array of numbers and passwords, authentication tokens and browser cookies. You have a card, this has a chip, you have a Challenge/Response card reader, and you have a pin.

There’s at least half a dozen banks in the UK that I can name who use the Challenge/Response type card readers.

To log into my online banking, I need my passwords and PINs, and if I want to do “advanced functionality” I need my card and challenge auth reader.

Now.. this is all very cool, I don’t mind the CR device. No, my beef is with SecureCode.

MasterCard / Natwest have licensed this “extra level of auth” for online transactions.

Dominos pizza.. one of my favourite food retailers on the web have a requirement that I use my SecureCode password to authenticate that I’m not a thief when I want to eat pizza.

This is not helpful. The SecureCode password can’t be any of the ones you already use for phone or netbanking and has to be >8 chars alphanumeric. No symbols, it seems..

Ok, so you can’t remember it.. no problem, you just enter your DOB, some card details and it lets you through..

How is that any more secure than just plain card details auth? If anything.. isn’t it less secure because it’s loading a separate site in an iframe on the retailer’s website?

Why can’t I just use my Challenge/Response card reader and have everything work together?

And secondly, why can’t I use that to login to online banking?

If you work for NatWest, MasterCard, or any other monetary establishment, do pop a comment in and explain why the system is so archaic, and, to be frank, SUCKS.

Written by Tom O'Connor, an AWS Technical Specialist, with background in DevOps and scalability. You should follow them on Twitter