Starling is my main account but have Nationwide as a seperate bills account (waiting for Starling’s pay from a Space, if it ever arrives!!)
Thought I’d transfer some spare money from Nationwide to Starling and went to set it up. All was going well until the end and I got “you will need your card reader”
I know it is another layer of security but I don’t even know where my card reader currently is, probably in the drawer with the radiator bleed key and various other things you never need until you need them!!!
I think perversely this type of security is reassuring for their traditional customer base. The added friction makes it harder to scam the old and vulnerable in particular - along the lines of “oh, I need my daughter to help me with the card reader, so I can’t do that right now”.
The underlying problem is a one size fits all approach. We need options…
As someone in this area the card reader is by far the safest 2fa system out there in my opinion. It’s not subject to a SIM swap or redirect. Also this helps cover landline only customers or people without access to good mobile coverage for SMS authentication.
However if an app has been registered with the card reader then the app should have the same privileges like setting up payees.
I suspect with Nationwide rebuilding their online banking there are changes coming down the line to the app (hopefully)
The problem I have with the Nationwide app is that I have savings with them so I don’t ever want to have my arm twisted up my back and forced to open it against my will by someone holding the phone to my face. Losing the contents of a current account is one thing but losing all savings is another. I asked them if certain accounts can be left off the app for security but was told they can’t be so it’s all or nothing.
Not really. The card reader can be authorised by any debit card linked to the account holder, and any card reader device will do.
All that has to happen is the debit card is stolen/lost/“borrowed” and the PIN is compromised/known/guessed, and a fraudster has total access to your account.
The HSBC approach is far more secure. You can only have one Secure Key, and it is either your already-secured registered device or a token generator which requires a unique PIN to use (not the card PIN).
Security is a very poor reason to keep the card reader, in my opinion.
I’m not an expert on this, just a normal person with an interest in IT and banking (so I do understand the security principles, but not all the technical details).
The card reader is more secure than an SMS code but not as secure as HSBC and, as you say, there’s no reason why the app can’t include a built-in card reader function, like with Barclays.
This is my area so I’ve had an opportunity to see the pitfalls of all systems. With Nationwide, the debit card and PIN have to both be compromised as well as the customer number (So really a persons DoB/ Postcode)
Thats three independent bits of data. At best a postal intercept or domestic fraud overrides this. In that sense the fraudster already has the card/ PIN so internet banking is a pointless extra step.
The HSBC solution is very much the most locked down except only one item needs to intercepted in the post. The really is no significant difference between card reader and physical security key 2fa
I think the post would need to be intercepted twice: once for an activation code and again for the device itself.
I’m not sure about setting up a Digital Secure Key on a brand new account, but I imagine it takes at least two items of post again: one would be the internet banking IB number and the other the DSK activation code.
The really good thing, security wise, is that you can only activate one device at a time (so once you have legitimately setup your own Secure Key, someone else can’t also set one up as you’ve blocked them by having already used the 1 device slot).
Also, I’d say that if there is almost no difference between card reader and 2FA device as methods for authentication, then 2FA device should win out anyway as the more convenient (given that it can be built in to a smartphone, with the option of a physical device for customers without smartphones).
I couldn’t agree more. It leads me to think Nationwide are limited by their back end. They are very cost conscious yet have a heavy branch network, no cheque imaging (cheque by post is still open) and then the cost of card readers versus digital app versions is a no brainer. A commercially aware person would have these things worked out unless there was some technological road block.
Yeah, a digital solution would clearly be the most cost-effective normally, but maybe not if implementing such a solution would require a substantial technical upgrade of the backend first!
It’s either that or they have done the sums but realised there would be little saving versus the cost of implementation, given the demographic of their customer base. This is just a guess, but I think it’s likely that a larger proportion of their customers would choose to stick with the physical option than at most banks.