Saturday, August 04, 2007

Chip'n'Pin at home

Well, as I promised a considerable while ago, my RBS EMV / CAP (Card Authentication Protocol) reader has arrived - I thought it might be coming when they renewed my Highline card out of sequence last month. So I am going to enable it and see what happens.

Now, to enable it, you either need to wait 21 days, when it will happen automagically, or you need to log on and give the system the proverbial boot up the behind. So, onto the account we go, partial PIN, partial password, possibly for the last time, trying not to weep at just how little money there is. Okay, "Change Settings", "Enable Card Reader". Yup. Don't need the online demo.

Okay, select a card. Interesting - I have both a Maestro and a Mastercard on this account but I am only given Hobson's choice - Maestro alone (interestingly, when I put the Mastercard into the reader, it says "Wrong Card" as it does for all of my other bits of plastic. Clearly missing the CAP application). Okay - and it gives me the last 5 of my Highline card so I am not picking the wrong one.

(Correct) card into reader and I am asked to press the "Respond" button, rather than the "Identify" button. I wonder why (according to the online instructions, the "Identify" and "Sign" functions are not being used yet)? Enter my card PIN, then I need a challenge:

Okay, a 4-digit random component (yes, I did check a couple of times - nothing obvious but I'll let somebody else do the detailed statistical analysis) and a 4-digit fixed component - and, I believe, the first, albeit minor, protocol flaw. If this is being MITM'd and they want me to authorise something other than the action I had taken, I could readily make the final characters of the reference number into anything I want. However, the online user guide states:
Some banking transactions don't include a familiar account number visible on your computer screen. For example, when you want to set up a payment for your gas bill online or change your Security Number or Password.

So when you use your Card-Reader for these transactions we'll provide a Reference number and an Authorisation number on the same screen. The Reference number will always be 00004444. The last 4 digits of these numbers must match.
I suppose that fraudsters will be in a major fight for bank accounts with the final four digits being 4s. Still, I get my response (7 digits rather than 8, interesting but not necessarily in a bad way) from the reader, punch that into the website and I am active. Wonders will never cease. Now what does that do for me?
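To make the point about the fixed 00004444 reference concrete, here is an added model (not code from the original post or from RBS) of the only check the guide asks the cardholder to make, the last 4 digits of the challenge matching the reference. The `payee_reference` variant and the account numbers are assumptions constructed for the example; the card's CAP cryptography and the 7-digit response are not modelled.

```python
"""Cardholder-side check from the RBS CAP user guide quoted above. Added example:
it models only what appears on screen (an 8-digit challenge whose last 4 digits
must match a reference number), not the card's CAP cryptography or the response."""
import secrets

# The fixed reference number the guide promises for transactions that carry no
# familiar account number (quoted in the post).
FIXED_REFERENCE = "00004444"


def make_challenge(reference: str) -> str:
    """Compose the on-screen challenge as the post observes it: 4 random digits
    followed by the last 4 digits of the reference number."""
    random_part = f"{secrets.randbelow(10_000):04d}"
    return random_part + reference[-4:]


def cardholder_check(challenge: str, reference: str) -> bool:
    """The only verification the guide asks of the cardholder before typing the
    challenge into the reader: the last 4 digits of both numbers must match."""
    return len(challenge) == 8 and challenge[-4:] == reference[-4:]


def payee_reference(account_number: str) -> str:
    """Hypothetical transaction-bound reference (an assumption, not the guide's
    scheme): the payee account number padded to 8 digits, so the challenge's
    last 4 digits are tied to the payee shown on screen."""
    return account_number[-8:].rjust(8, "0")


def check_detects_substitution(shown_reference: str, actual_reference: str) -> bool:
    """True if the cardholder's check would notice that the challenge was generated
    for a different action (actual_reference) than the one displayed
    (shown_reference). This is the binding property the post questions."""
    challenge = make_challenge(actual_reference)
    return not cardholder_check(challenge, shown_reference)


if __name__ == "__main__":
    # Fixed reference: every challenge ends in 4444, so the check says nothing
    # about which action is actually being authorised.
    print("fixed reference detects substitution:",
          check_detects_substitution(FIXED_REFERENCE, FIXED_REFERENCE))  # False
    # Payee-bound reference (constructed account numbers): a challenge built for
    # one payee fails the check against a different payee shown on screen.
    print("payee-bound reference detects substitution:",
          check_detects_substitution(payee_reference("12345678"),
                                     payee_reference("87654321")))  # True
```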

Okay - any option to use this for login? Nope.

Make a payment into the main household account. No need for the reader.

Add a new payee, one of my little slush funds - yes - need the reader.

Okay, that works. Bump myself £50 (don't tell Mrs S-E). Nope. Hmmm.

So, seems easy enough to use. The On / Off button on the reader could do with a cover and it ain't going to fit into my wallet. I would really like the option to use it for login (especially if I could have a restricted functionality set, say balance only or balance and intra-account transfer, still available on pp&p). Having said that, it all seems to be a worthwhile improvement in the overall security.
