
Re: Nationwide to end login with memorable data

Posted: October 27th, 2019, 11:46 am
by mc2fool
Alaric wrote:
UncleEbenezer wrote:Though perhaps cards as we know them today (with no builtin connection) might become obsolete first.
Mobile phones can scan cards using the built in camera, so laptops and PCs with webcams presumably could as well. You can use your phone as a scanner to pay when remotely ordering in a Wetherspoons although keying in the card number is on balance easier and quicker.
Most mobile phones have near-field communications capability and with a suitable app, e.g. Credit Card Reader NFC, will read the public data on a contactless debit/credit card simply by holding the card against the back of the phone.

(If you install any similar app make sure it doesn't require internet or any other communications permissions! The above one doesn't. I use it to check that I have properly nobbled any contactless cards I'm sent. :D)

Re: Nationwide to end login with memorable data

Posted: October 30th, 2019, 4:13 pm
by mjbdreamer
Might be of interest to some reading this thread:

https://microblink.com/products/blinkcard

I'm thinking of implementing it into a payments app I have, to avoid the user needing a card reader/PIN entry device gadget (which requires maintenance, charging etc...).

Any thoughts?

Re: Nationwide to end login with memorable data

Posted: October 30th, 2019, 5:14 pm
by JohnB
As I don't trust Android security, I will never install banking apps on my phone. Also mobiles are far too easy to steal or lose to have access to my finances.

Re: Nationwide to end login with memorable data

Posted: October 30th, 2019, 5:15 pm
by XFool
mjbdreamer wrote:Might be of interest to some reading this thread:

https://microblink.com/products/blinkcard

I'm thinking of implementing it into a payments app I have, to avoid the user needing a card reader/PIN entry device gadget (which requires maintenance, charging etc...).

Any thoughts?
Yes. How does that work?

I don't mean how does that work technically to read the card, I mean how does that PROVE anything? If I have a smart phone with that app on it and your stolen card...

"Enhance your user engagement by saving them from the nuisance of typing in their credit card data."

P.S. Card readers don't require "maintenance" or "recharging", just very infrequent, simple battery replacement. Unlike a mobile phone...

Re: Nationwide to end login with memorable data

Posted: October 30th, 2019, 5:31 pm
by XFool
XFool wrote:P.S. Card readers don't require "maintenance" or "recharging", just very infrequent, simple battery replacement. Unlike a mobile phone...
I speak with some feeling as somebody who, the other day, spent what felt like ten minutes in the checkout queue at Aldi, immediately behind a customer who chose to pay by the 'convenience' of mobile phone. It wasn't to my convenience. :x

Re: Nationwide to end login with memorable data

Posted: November 1st, 2019, 11:49 am
by mjbdreamer
XFool wrote:I don't mean how does that work technically to read the card, I mean how does that PROVE anything? If I have a smart phone with that app on it and your stolen card...

"Enhance your user engagement by saving them from the nuisance of typing in their credit card data."

P.S. Card readers don't require "maintenance" or "recharging", just very infrequent, simple battery replacement. Unlike a mobile phone...
Well, it proves nothing significantly other than I have the customer card in my hand and use blink to capture the details. You the customer don't have the blink app, I as the merchant do, so it is relying on the merchant's staff. Risk, yes. Convenience, not sure. That leads into card readers....

The environment I use card readers in makes for high impact on maintenance/support I'm afraid, you wouldn't have known that of course. The readers are used on aircraft, might belong to the airline, might belong to the caterer, might be issued to the crew members - that is up to the airline how they manage that, despite advising on best practices they have their preferred ways. So charging, cables, paper for printers, power supplies, spare batteries, storage considerations are all a pain in the. Together with the options for connectivity to the sales device like Wi-Fi or Bluetooth in the hands of crew.

The Blink app might be a useful alternative - still not 100% certain though.

Re: Nationwide to end login with memorable data

Posted: November 1st, 2019, 1:14 pm
by XFool
mjbdreamer wrote:
XFool wrote:I don't mean how does that work technically to read the card, I mean how does that PROVE anything? If I have a smart phone with that app on it and your stolen card...

"Enhance your user engagement by saving them from the nuisance of typing in their credit card data."

P.S. Card readers don't require "maintenance" or "recharging", just very infrequent, simple battery replacement. Unlike a mobile phone...
Well, it proves nothing significantly other than I have the customer card in my hand and use blink to capture the details. You the customer don't have the blink app, I as the merchant do, so it is relying on the merchant's staff. Risk, yes. Convenience, not sure.
But I don't see how it can address any of the issues on this thread; about how a bank user logs on securely to their bank account, how the bank system can be sure they are who they claim to be. More generally, about guaranteeing secure transactions over the network via Strong Customer Authentication.

https://en.wikipedia.org/wiki/Strong_cu ... entication

The Blink app appears to simply be a way of reading the details on a card face into a smart phone.

Moderator Message:
RS: Please stay on topic, the discussion is meant to be about online banking not merchant apps.

Re: Nationwide to end login with memorable data

Posted: November 4th, 2019, 8:26 pm
by AF62
Alaric wrote:You can use your phone as a scanner to pay when remotely ordering in a Wetherspoons although keying in the card number is on balance easier and quicker.
Even quicker and easier to store a credit card in Google Pay and then use that option for payment in the Wetherspoons app. No keying in anything, just a thumbprint needed for them to bring me beer.

And to stay on track, my preference for the authentication methods is First Direct, where the code is generated from their app, and just requires a fingerprint to produce it.

Re: Nationwide to end login with memorable data

Posted: November 4th, 2019, 10:42 pm
by XFool
AF62 wrote:Even quicker and easier to store a credit card in Google Pay and then use that option for payment in the Wetherspoons app. No keying in anything, just a thumbprint needed for them to bring me beer.

And to stay on track, my preference for the authentication methods is First Direct, where the code is generated from their app, and just requires a fingerprint to produce it.
So even more 'specialised'. Not just requires a mobile, requires a smartphone! Do they have any alternative methods?

Re: Nationwide to end login with memorable data

Posted: November 4th, 2019, 11:02 pm
by swill453
XFool wrote:
AF62 wrote:And to stay on track, my preference for the authentication methods is First Direct, where the code is generated from their app, and just requires a fingerprint to produce it.
So even more 'specialised'. Not just requires a mobile, requires a smartphone! Do they have any alternative methods?
Yes, you can use a card reader.

Scott.

Re: Nationwide to end login with memorable data

Posted: November 4th, 2019, 11:13 pm
by Lootman
swill453 wrote:
XFool wrote:So even more 'specialised'. Not just requires a mobile, requires a smartphone! Do they have any alternative methods?
Yes, you can use a card reader.
How about a system that doesn't require you to own any second piece of hardware?

If I have accessed this site via the internet on a laptop, then why not send me the code via a method that doesn't assume I have a second piece of kit? Most obviously, just send the code in an email.

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 1:34 am
by swill453
Lootman wrote:How about a system that doesn't require you to own any second piece of hardware?

If I have accessed this site via the internet on a laptop, then why not send me the code via a method that doesn't assume I have a second piece of kit? Most obviously, just send the code in an email.
That wouldn't be as secure. The First Direct secure key system requires a PIN, password or fingerprint to generate the code.

Scott.

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 8:54 am
by XFool
Lootman wrote:How about a system that doesn't require you to own any second piece of hardware?

If I have accessed this site via the internet on a laptop, then why not send me the code via a method that doesn't assume I have a second piece of kit? Most obviously, just send the code in an email.
Anyone know of any bank or organisation using this method for transactions? (It is used at initial account enrolment/verification in some cases.) But, as already mentioned, might not be seen as secure as other methods for secure transactions.

One point on this, email would itself be accessed via the phone or computer which could open it up to hacking via a compromised machine. Somebody mentioned (or on other thread?) the inconvenience (not that great IMO) of having to manually transfer numbers between a card reader and a computer and suggested a USB equipped card reader would solve this. I wonder, but do not know, if a problem with that could be if the PC was compromised. Perhaps there is a security advantage in having a simple standalone card reader?

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 9:01 am
by swill453
XFool wrote:Somebody mentioned (or on other thread?) the inconvenience (not that great IMO) of having to manually transfer numbers between a card reader and a computer and suggested a USB equipped card reader would solve this. I wonder, but do not know, if a problem with that could be if the pc was compromised. Perhaps there is a security advantage in having a simple stand alone card reader?
I think it's more likely that compatibility issues would rule this out, rather than security. It'd have to work with multiple hardware devices and operating systems.

(The human eyeball and finger have an advantage sometimes).

Scott.

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 9:05 am
by JohnB
The EU regulations require people to have something they know (passwords/pins) and something they own (cards/fingerprints/SIM cards). The annoyance for the users is how this information is passed back to a bank, whether it be carrying card readers on holiday or requiring them to have phones with signal (so the SIM is triggered) or phones with special software to read the fingerprints. It often requires users to have bank software running on 2 devices (browser and phone), and while people are familiar with browser security, phones have special security risks, whether that is being left on the bus or being made by Huawei.

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 9:19 am
by XFool
swill453 wrote:
XFool wrote:Somebody mentioned (or on other thread?) the inconvenience (not that great IMO) of having to manually transfer numbers between a card reader and a computer and suggested a USB equipped card reader would solve this. I wonder, but do not know, if a problem with that could be if the pc was compromised. Perhaps there is a security advantage in having a simple stand alone card reader?
I think it's more likely that compatibility issues would rule this out, rather than security. It'd have to work with multiple hardware devices and operating systems.
Yes. That could be another problem.
swill453 wrote:(The human eyeball and finger have an advantage sometimes).
But that would require not just a phone but a smart phone - which is the problem identified in the OP. Also, by themselves, they would not prove the possession of a given Chip & PIN card in transactions - a point that seems to have been missed by some commentators above.

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 9:36 am
by swill453
XFool wrote:
swill453 wrote:(The human eyeball and finger have an advantage sometimes).
But that would require not just a phone but a smart phone - which is the problem identified in the OP.
Or a standalone card reader.
XFool wrote:Also, by themselves, they would not prove the possession of a given Chip & PIN card in transactions - a point that seems to have been missed by some commentators above.
A smart phone with PIN or biometric authentication is deemed to be sufficiently secure, and a lot more convenient for me certainly.

Scott.

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 11:52 am
by mc2fool
JohnB wrote:The EU regulations require people to have something they know (passwords/pins) and something they own (cards/fingerprints/SIM cards).
Actually it's two (or more) of: knowledge (something you know, e.g. PIN), possession (something you have, e.g. card/phone) and inherence (something you are, e.g. fingerprint/face).

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 2:55 pm
by Lootman
XFool wrote:
Lootman wrote:How about a system that doesn't require you to own any second piece of hardware?

If I have accessed this site via the internet on a laptop, then why not send me the code via a method that doesn't assume I have a second piece of kit? Most obviously, just send the code in an email.
Anyone know of any bank or organisation using this method for transactions?
My account with JP Morgan gives me a choice of getting the code by phone or email.

My Caxton FX card is currently implementing the same choice.

I don't think any method that uses a phone can be secure given how easy it is to lose or break a phone, because they can be hacked and because a signal isn't always available. I won't use a phone app for any financial business on principle.

And bear in mind that all this rigmarole is being implemented for the benefit of the financial institutions and not for the customers. That's why some institutions don't care how difficult and awkward it is for us to jump through all these hoops. I just think it is overkill.

Re: Nationwide to end login with memorable data

Posted: November 5th, 2019, 6:41 pm
by AF62
Lootman wrote:
I don't think any method that uses a phone can be secure given how easy it is to lose or break a phone, because they can be hacked and because a signal isn't always available. I won't use a phone app for any financial business on principle.

And bear in mind that all this rigmarole is being implemented for the benefit of the financial institutions and not for the customers. That's why some institutions don't care how difficult and awkward it is for us to jump through all these hoops. I just think it is overkill.
You really think an encrypted smartphone only accessible through a biometric key is less secure than what millions of people do - a password scribbled in a notebook or set to the name of the family dog!