Convenient Banking Security

I don’t have a bank account; I am a member of a building society – Nationwide. As a member of this for-the-members organisation, I hold Nationwide to a higher standard than their for-the-shareholders bank counterparts. So I need to call them out when they’re missing out on something. In this case, convenient security.


Nationwide Building Society HQ

Online banking and shopping are incredibly useful and convenient. Even more so than usual given the current virus lock-down circumstances. When I use money online I want to be assured of decent security being in place. My personal experience with Nationwide has shown me the decent security they have in place. But it isn’t always convenient.

SMS gateway verification

They use Chip&PIN for real life purchases, requiring a bank card and knowing the correct PIN. Once this has been correctly provided, the card will permit NFC payment for low-cost items for a period of time before requiring PIN verification again.

When online, a PIN obviously cannot be used. Instead the Verified by VISA gateway system handles online transactions. Recent UK legislation requires additional checks for expensive transactions in this online gateway system through one-time text passcodes. This is pretty good, but it could be much better. SMS as a 2FA method is horrendous for multiple reasons:

  • It assumes SMS is secure (it is not – SMS is unencrypted)
  • It assumes the communication system delivering the SMS is secure (it is not – CSPs have been tricked before)
  • It assumes SMS will always be available (there could be local mobile and telephone outages that don’t affect the internet connection)

SMS does have the simplicity sorted: it’s just a simple code to type in, but I think the security negatives outweigh this.

Nationwide already have multiple methods available to them which could be a much better replacement for SMS:

Chip&PIN Authentication – You should never enter a PIN in an online transaction, but Nationwide provides free card readers capable of using Chip&PIN to “sign” transactions.

  • + These are already used for logging in to the online bank and completing transactions
  • + They don’t need an internet connection
  • - It’s a whole extra device to carry
  • - It’s a whole extra battery supply to worry about (not a big worry, as I’ve had mine for years and have yet to replace the battery)
  • - You need your card with you, so it’s not useful if you just remember your card details
  • - If you’re not familiar with using the device, it is difficult to learn

Regular 2FA passcodes – As used when logging in to websites with an authenticator app on a mobile phone, this could be used as a way of verifying your transaction without needing to log in.

  • + It’s a simple code to be entered, like SMS
  • + The codes are stored and delivered as securely as your device is locked
  • - Codes could be phished (you can generate a 2FA code whenever needed, but the old SMS system only sends one when required)
  • - It needs an authenticator app to be installed on a phone (and assumes that you would have a phone capable of installing apps)

Push Notifications – Nationwide have an app for mobile banking. The same system for SMS could be used, but with notifications sent via HTTPS push notifications instead of insecure SMS.

  • + It’s a simple code to be entered, like SMS
  • + No need to replace the current SMS system
  • + An online connection is already available (given it’s for buying stuff online, the connection is already there)
  • + Codes are delivered as securely as your device and app are locked
  • - You need a phone capable of installing the app

My personal preference would be the last option, enabling push notifications for the app. Having SMS as a fallback would be good, but shouldn’t be relied on as a primary method of authentication code delivery.

Suspicious transaction checks

In addition to online gateways, Nationwide also have additional behind-the-scenes checks. If you buy something expensive, or make repeated transactions within too small a period of time, your card is automatically blocked until you can verify it. I quite like this as a security method, but it is very annoying:

  • It’s not clear exactly what triggers a block – though this is probably by design
  • Removing the block requires waiting for, and then answering, a phone call – I hate phone calls, and one where you have to hand over personal details to verify your identity is particularly unpleasant. Phone calls are unencrypted and can be tapped.

For this, I have some suggestions for improvement:

Encrypted calls – Make calls via a trustworthy private messaging app like Signal

  • + Calls are encrypted
  • + You already have an internet connection for online shopping
  • - Would require setting up an account on private messaging apps, and a phone capable of installing the app
  • - You still have to wait for the call

Online banking messaging – On their website, Nationwide have a secure communication feature that lets you ask queries. Flip the roles, and use that to ask members if their transactions were suspicious.

  • + The infrastructure is already in place
  • - You need to log in to the online bank, which some people may not have set up
  • - Checking these messages is not very easy to do, and would not be synchronous

Lift blocks via the app – The app already allows you to place and lift temporary blocks on debit cards. Extend this to all card types, and allow lifting these suspicious transaction blocks.

  • + No need to tell a support agent private information to authenticate
  • + Control is as secure as your device and app are locked
  • + You already have an internet connection for online shopping
  • + Push notifications could be given to let you know a card was blocked, instead of leaving you confused as to why a transaction failed
  • - Requires a phone capable of installing the app

My personal preference would be lifting blocks via the app, as I already use the app frequently and that would be most convenient. Having phone calls as a fallback for people who don’t use the app is good, but again it runs into the issue of calls being unencrypted, so having all options available for people would be ideal; then people can pick a secure contact option if it’s convenient for them.

Summary

SMS and telephone lines can’t be relied on for secure communication and so banks, building societies, and any other security-conscious organisation should offer alternatives to them.

If you have an app capable of communicating securely over HTTPS, as Nationwide and many others do, then use that as a first port of call for people who have it set up.

Join the Conversation

  1. You make **many valid points** that I’ve been trying to press for years 🙁 not making any progress.
    I would really like a USB Card Reader for home. Being somewhat disabled and with compromised health, getting out in this day and age is difficult. If I could put my bank card’s chip in and connect to the bank then provide a secure password, that *might* do it for me.
    It sounds like you might like Shannon Morse’s YouTube channel on “Identity and Access Management” (https://www.youtube.com/watch?v=JzChxD-zfRw) as she talks about some similar things.
    Keep up the good work!

    1. The great thing about the card reader I have at the moment is it can perform all of its functions without even needing USB or any kind of connection.

      1. Sounds like quite the device. Can you post a picture and list of functions you can do?
        I’m getting jealous over here.

        1. It’s the device described at this page: https://nationwide.co.uk/support/security-centre/internet-banking-security/card-reader-and-security-questions#xtab:what-is-a-card-reader and I think all the other UK banks are supposed to use the same system on their readers too.

          You stick your card into the reader and you can do 3 things, all verified by the chip&pin: Get a one-time login code, Use the card chip to “sign” an online transaction, and verify changes to account details.

          Unfortunately the only place that actually uses this is the bank, so you can’t use it to verify or sign things elsewhere, which is a pity.

  2. I read this with interest. This seems to be the status quo across the industry. I know other organisations, such as the RBS group, do the same sort of thing. I think you’d probably be hard-pressed to find a bank or building-society with a different level of security.

    I’d personally be against the requirement to use something like the app. I don’t use a smartphone and don’t let any Google services run on my Android tab, meaning that I can’t actually get a bank’s app (and if I could, it might fail due to my tab not running Google Play Services). I do my online banking in a web browser.

    There comes a point after requiring installations and set-ups and confirmation messages that online-banking becomes the inconvenient option. It should always be accessible with the minimal available resources (e.g. a simple web browser). With that in mind, how can it be made more secure – using minimal resources most people will be able to have with them anywhere (i.e. not installing special apps etc)?

    For certain transactions, such as adding a new payee, online-banking requires me to use my card reader. They also now enforce 2FA on every login by sending a code to my phone via SMS. I’d prefer to have the option of either card-reader or SMS for the login 2FA, because the card-reader is more secure, and it means that someone who chooses not to use a mobile phone at all can still do online banking. That said, I’m happy with SMS as a second method of authentication, because it’s adequate to get the job done. Most people have a mobile phone, and even if the SMS message were intercepted, a thief would still need to know my login credentials, correlate them with my phone number, and obtain/deploy intercepting equipment (or physically steal my phone). To obtain all of these would require a degree of targeting that I think would probably encourage a criminal to seek an easier target. I think for an ordinary person on the street, the returns wouldn’t be worth the effort, investment and risks. This may change in the future, but considering our typical threat model and actors, I think SMS is still OK for a little while at least.

    1. I guess it’s really all about options and what is easiest for the end user.
