Rabobank Money Mover Facility - is it safe?
- Thread starter apple1
- Start date
B
beara
Guest
It's on a secure server so it's safe enough. And it is convenient. Five days for BOI to add a new beneficiary.
RaboDirect
Registered User
- Messages
- 186
The [broken link removed]operates on the Originator Plus direct debit scheme. If you want to set up a Money Mover you do so in the secure banking website. You cannot access the secure banking website without your Customer Number and [broken link removed]. You also confirm your Money Mover set up using your Digipass. RaboDirect customers have the benefit of a "[broken link removed]".
We have been actively encouraging the other banks to adopt this type of technology (based on "two-factor authentication") and have been sharing information with them on this via the Irish Bankers Federation for a number of months now. However, we still do not see any movement from the primary banks other than the usual statements like "be careful with your passwords and PIN's and never respond to emails requesting your log-in details". We hope that they will move to more secure forms of online security in the near future.
We have been actively encouraging the other banks to adopt this type of technology (based on "two-factor authentication") and have been sharing information with them on this via the Irish Bankers Federation for a number of months now. However, we still do not see any movement from the primary banks other than the usual statements like "be careful with your passwords and PIN's and never respond to emails requesting your log-in details". We hope that they will move to more secure forms of online security in the near future.
Yes I would hope that the other banks listen to this. With one bank in particular where it askes you at random for some digits of a PIN (e.g. 1st, 3rd, 5th) you get the impression that you need to know all 6 digits and 2 other items like work phone number/birthdate.
However this is not the case -you only actually need know ANY 3 of the 6 digits and say the work phone number along with the user ID then that's enough. I emailed the bank concerned about this problem about a year ago and they, amazingly, admitted there was an issue and would look into it "immediately".
the issues is still there today - I'm not going to say here how it works but I can pass it on to brendan together with the email if anyone doesn't believe me. So say you're in an internet cafe, someone could look over your shoulder- they can see the user id etc displayed un-encripted on the screen, they only have to watch the 3 keys you type when entering the PIN subset.
If found the email from the bank mentioned above - here's an extract from it:
"I have forwarded your email to Our Development Team who were very interested in your comments.
As you correctly mentioned there does appear to be a security issue on our log in page, we will have this looked into immediatley"
"I have forwarded your email to Our Development Team who were very interested in your comments.
As you correctly mentioned there does appear to be a security issue on our log in page, we will have this looked into immediatley"
The have now 'fixed it', it was a long running joke!
While some were complaining about it in the NR thread, NR's version which only rotates the numbers requested (on a separate screen) after a successful logon, is how it should be implemented.
But the bank in question have now replaced the text fields with dropdown boxes which don't accept keyboard entry. It might be more secure against keyboard loggers, but it is a bloody pain to use. Anyway why would someone bother logging just keyboard strikes when it is just as easy to install software to record the whole screen!
Towger
Yes, they fixed it this morning!
I was wondering why they went with pop ups, although now someone looking over your shoulder can see the numbers chosed before they are asterisked out.
There are other irish online insitutions with a similiar problem of not needing all of the PIN digits, so hopefully they will upgrade thier security too.
NIB have a interesting system where a softkey is required to be install on you pc (or you can keep it on a removable disk) that is required to access their online services. Internet explorer only.
If you change the passord a new key is generated.
So it seems pretty safe and is more convient than carrying around the rabo digpass. I think NIB also offer you the choice of a digipass (to work wiht firefox).
I've been using NIB's online service for a few months now and it's really excellent. Slick user interface, plenty funcionality.
I was wondering why they went with pop ups, although now someone looking over your shoulder can see the numbers chosed before they are asterisked out.
There are other irish online insitutions with a similiar problem of not needing all of the PIN digits, so hopefully they will upgrade thier security too.
NIB have a interesting system where a softkey is required to be install on you pc (or you can keep it on a removable disk) that is required to access their online services. Internet explorer only.
If you change the passord a new key is generated.
So it seems pretty safe and is more convient than carrying around the rabo digpass. I think NIB also offer you the choice of a digipass (to work wiht firefox).
I've been using NIB's online service for a few months now and it's really excellent. Slick user interface, plenty funcionality.
NR's version is not how it should be implemented. The main weakness of having to enter the same (complete) password each time is that someone has an opportunity every time to record all that they need to masquerade as you - if they record your password(s) during any one of your logins, they can login as you whenever they like.
Requiring that you enter only a portion of the password each time is done in the hope that if someone records what you enter during one single login, it won't easily allow them to masquerade as you as, when they subsequently try to login as you, they will (hopefully) be asked for a different portion of the password that they (hopefully) don't know. If any system asks you to enter the same portion of the password even a few times in a row then you are back to square one where someone who records that one portion has enough to login as you when they next try.
The random nature of the portion of the password that you are asked to provide isn't foolproof in either case above though. If you had a password that was 100 characters long, and you were asked for (a random) 5 of those characters each time, then that makes for a lot of possible combinations so the chances of the same combination coming up regularly should be relatively small, although whether this is an acceptably small risk is up to you to decide (depends on other controls on access, how much money you have at risk, etc.). If, on the other hand, you have a password of 10 characters long and you are asked for a random 2 of those characters each time, then there is a much greater chance of the same combination coming up and therefore greater risk of someone logging in as you even if they have only 2 characters of your password.
Greater strength/security in this area requires greater resources on the server side to support it. Some (very few) banks are willing to pay for that, others are not. Depending on the nature of the stronger security, it may also require greater effort on the part of the customer to remember a much longer password - there is a point at which people will just write out the password on a piece of paper, along with their other login details clearly labelled, an sellotape it to their office computer screen. Somewhere in the middle ground is a compromise of security versus usability and cost/effort. Unfortunately, a lot of online services don't veer far from the cheapest/easiest end of the scale and the strength of their security reflects that.
Towger said:
I'm not aware of any software that will easily allow you to record the contents of your screen. Other than a video camera over your shoulder that is.
It remains far easier to record what you type at the keyboard, and server-based/online keyboards (which you describe NIB as using) are a reasonable approach to dealing with that threat. They are not perfect, of course, or very convenient, but security generally is neither of those.
Last edited:
???
NR ask for 2 characters of a (long) alpha numeric password, the characters requested are only rotated on a successful logon. This is the system I believe BOI are now using, except using a 6 digit PIN. But up to now BOI asked for 3 numbers of the 6 digit PIN, if you did not know any of the numbers being prompted for, you just refreshed the screen and it would prompt for another random 3!!
Google will find you many products capable of recording a PC screen.
NR ask for 2 characters of a (long) alpha numeric password, the characters requested are only rotated on a successful logon. This is the system I believe BOI are now using, except using a 6 digit PIN. But up to now BOI asked for 3 numbers of the 6 digit PIN, if you did not know any of the numbers being prompted for, you just refreshed the screen and it would prompt for another random 3!!
Google will find you many products capable of recording a PC screen.
RaboDirect
Registered User
- Messages
- 186
Online Banking Security
The title of this thread should be changed now as this discussion thread is discussing online banking security as opposed to RaboDirect's Money Mover Facility.
Regarding online banking security the use of static passwords and PIN's to log on to banking websites, even when you are asked for random numbers/characters, is recognised as being vulnerable to phishing and keystroke logging. There is proven technology available to banks based on strong "two factor authentication". Rabobank offers its customers strong two factor authentication via the Digipass solution which is provided by Vasco and is based on:
(1) Something you know: - your Customer Number and personal PIN code for your [broken link removed]and,
(2) Something you physically have: - your Digipass which generates a one-time access code that expires every 36 seconds.
Your Digipass is also used to authenticate transactions giving a double layer of security.
Your Digipass cannot be used without your PIN making it worthless to somebody else should it be lost or stolen. Therefore, if someone gets hold of your Customer Number, they can't access your accounts without having your Digipass & vice versa.
The reality is that many banks take a view that the cost of paying out on fraudulent cases of online fraud is cheaper than migrating their customers on to more robust technology. This is in our view entirely unacceptable especially when you look at the profits that large banks make.
In some countries the Regulator insists on minimum standards of online banking security (normally based on two factor) which all banks must adopt. It would be desirable in Ireland if a common and more secure standard existed. For example, the implementation of chip & pin on credit cards has helped to drastically reduce fraud levels.
However, customers must also play their part by ensuring that they protect their PC's from viruses on a continual basis and maintain vigilence. It would also be no bad thing to insist that your bank adopts better security.
RaboDirect
The title of this thread should be changed now as this discussion thread is discussing online banking security as opposed to RaboDirect's Money Mover Facility.
Regarding online banking security the use of static passwords and PIN's to log on to banking websites, even when you are asked for random numbers/characters, is recognised as being vulnerable to phishing and keystroke logging. There is proven technology available to banks based on strong "two factor authentication". Rabobank offers its customers strong two factor authentication via the Digipass solution which is provided by Vasco and is based on:
(1) Something you know: - your Customer Number and personal PIN code for your [broken link removed]and,
(2) Something you physically have: - your Digipass which generates a one-time access code that expires every 36 seconds.
Your Digipass is also used to authenticate transactions giving a double layer of security.
Your Digipass cannot be used without your PIN making it worthless to somebody else should it be lost or stolen. Therefore, if someone gets hold of your Customer Number, they can't access your accounts without having your Digipass & vice versa.
The reality is that many banks take a view that the cost of paying out on fraudulent cases of online fraud is cheaper than migrating their customers on to more robust technology. This is in our view entirely unacceptable especially when you look at the profits that large banks make.
In some countries the Regulator insists on minimum standards of online banking security (normally based on two factor) which all banks must adopt. It would be desirable in Ireland if a common and more secure standard existed. For example, the implementation of chip & pin on credit cards has helped to drastically reduce fraud levels.
However, customers must also play their part by ensuring that they protect their PC's from viruses on a continual basis and maintain vigilence. It would also be no bad thing to insist that your bank adopts better security.
RaboDirect
I just have to say that I think the online log-in set up at Rabo is probaby the safest out there. It's a bit annoying at times if I want to log-in from a PC outside of my home and don't have my Digipass, but that's my problem for forgetting it! And I'd rather have it like that and have enhanced security tbh.
The NR password is 9 characters long, which isn't very long (although it is longer than that of some online banks). Asking for 3 out of 6 certainly is worse though.
The issue that I have with NR's system is that it asks you for the same characters every time until you have successfully logged in. If you enter the wrong ones 3 times in a row then you are locked out, which is a good thing, but when their system was virtually unusable recently you could enter the correct details and still not login successfully. Next time you tried you were prompted for the same characters again, but you were unlikely to login successfully then either. And so on. Basically, for as long as the system was unable to successfully log you in, your account was protected by the same 2-character password (which somone could potentially record during any of your failed login attempts), which is not good.
Changing the combination of characters that you are prompted for each and every time is better, whether you successfully login or not, as long as the possibility of the same combination arising more than once in a "short" space of time is small. Basically, if someone has 2 characters of your password, and they sit their refreshing the login page and getting a different combination of characters prompted for every time, then if the number of possible combinations is small (e.g. a combination of 3 characters from a 6 character long password) you are correct to be concerned as they won't have to wait long to be prompted for the specific two characters that they know. One way to significantly reduce the risk is to reduce the probability of any one combination cropping up (which reduces the possibility of them being prompted for the characters they know), and this can be done by using longer passwords, using passwords with a wider variety of characters in them (e.g. characters that contains punctuation characters as well as letters and digits), etc. This would require more effort, and perhaps more expense, on the part of the provider of the service so such commitment tends to be rare.
Of course, another approach is to require you to change your password every now and again. This tends to be the approach taken in office environments for passwords used to access local network services. Again though, most service providers don't implement that because of the hassle and the expense (most of the expense is in providing some kind of support service for customers who are confused by the need to change their password, can't remember their new password, etc.).
Another approach which addresses most of the above concerns is to use the kind of authentication that Rabodirect uses, where your password is determined by the numbers output by your Rabodirect token/fob. It is based on the same basic theory that your password is a selection of random digits from a finite number of possibilities, but basically with this system your password actually changes every time you login so it increases the number of possible passwords by a huge amount therefore making it extremely unlikely that someone can either guess your password or re-use one that you have already used. Of course, this system isn't perfect either as its additional complexity requires more complex software to implement it and the more software you have the greater the risk of there being bugs/errors/holes in it which might be exploited, but it still remains better than most of the other alternatives out there.
Towger said:
I wonder how capable such products are. They would need to record your screen contents (presumably from the machines memory) at the right time in order to capture your password. And considering your screen content is changing constantly, that would be far from easy.
NR, I don’t know that their max length is but it is more than 9. I originally had a 18 character password, but it was pain counting the letters.! Of course the loggon on problems should never happen in the first place.
RD, Security tokens are much better solution (unless you are like my wife who writes her PIN on the back!). But I agree they are a pain to use and there is more to go wrong. I first came across their actual use by BACS about 10 or 12 years ago. But as you know Irish banks hate to spend money.
Back on topic. Is the use of Money Mover (Originator Plus) to Direct Debit accounts safe?
It safe as any other banking transaction, when used to take money from your own account. But Rabo are leaving them selves open to problems if someone manages to use their Money Mover (Originator Plus) facility to DD a 3rd party account. It will quickly be traced back to them, they will have to repay the money and then go chasing their customer.
A question for Rabo, as proof of PPS Number you include a P60 as a document “issued by Revenue or the Minister of Social and Family affairs” (as per your demo). Unless a P60 is produced by ROS, which is not common. It is printed on Revenue supplied paper by an employer, which is easy to get hold of. From next year Revenue are phasing out the use of pre-printed P60s, They will just be printed on plain paper by the payroll software, as has been done in the UK for years. So my questions is, should you be accepting a P60 as proof of PPS Number.
BTW you might want to change Minister of Social and Family Affairs to Department of Social and Family Affairs
RD, Security tokens are much better solution (unless you are like my wife who writes her PIN on the back!). But I agree they are a pain to use and there is more to go wrong. I first came across their actual use by BACS about 10 or 12 years ago. But as you know Irish banks hate to spend money.
Back on topic. Is the use of Money Mover (Originator Plus) to Direct Debit accounts safe?
It safe as any other banking transaction, when used to take money from your own account. But Rabo are leaving them selves open to problems if someone manages to use their Money Mover (Originator Plus) facility to DD a 3rd party account. It will quickly be traced back to them, they will have to repay the money and then go chasing their customer.
A question for Rabo, as proof of PPS Number you include a P60 as a document “issued by Revenue or the Minister of Social and Family affairs” (as per your demo). Unless a P60 is produced by ROS, which is not common. It is printed on Revenue supplied paper by an employer, which is easy to get hold of. From next year Revenue are phasing out the use of pre-printed P60s, They will just be printed on plain paper by the payroll software, as has been done in the UK for years. So my questions is, should you be accepting a P60 as proof of PPS Number.
BTW you might want to change Minister of Social and Family Affairs to Department of Social and Family Affairs
RaboDirect
Registered User
- Messages
- 186
Note: Disclosing the PIN for your Digipass invalidates the "No Fraud Online Banking Guarantee"
From our website:
RaboDirect guarantees to refund you for any money that is withdrawn from your bank account without your authorisation. This includes money withdrawn as a result of the online theft of your customer or account numbers or passwords provided you meet us half way:
- Keep your Digipass safe and do not disclose your PIN or Customer Number to anyone
- Notify us immediately if your Digipass or PIN is lost or stolen
- Notify us immediately of any fraudulent activity on your bank account
- You make sure that you only use your Digipass when the address of the website in the address bar of your internet browser starts with https://secure1.rabodirect.ie/ or https://secure2.rabodirect.ie/.
Important: When banking online with RaboDirect you should always make sure that the web address is either [broken link removed] or [broken link removed]. Be vigilant by looking out for the's' in https and always look for the secure padlock icon normally located at the bottom of your screen. RaboDirect will NEVER email you asking you for your Customer Number or personal Digipass PIN code.
M
Moggy
Guest
Anyone who logs on to their online bank account using a public PC (work, cafe whatever) is just asking to be robbed. My tupence.
RaboDirect
Registered User
- Messages
- 186
International Funds Transfer
Currently we do not have a genuine demand from our customers for this. We operate as a secondary bank and people generally transfer money from their RaboDirect savings account back to their primary bank when need to (or to any 3rd party Irish bank account). If there was a level of demand for it we would consider the business case of offering international funds transfer. It is possible that our service could expand in the future due to European Directives such as the Single Euro Payments Area which aims to make it easier to facilitate cross-border payments.
Currently we do not have a genuine demand from our customers for this. We operate as a secondary bank and people generally transfer money from their RaboDirect savings account back to their primary bank when need to (or to any 3rd party Irish bank account). If there was a level of demand for it we would consider the business case of offering international funds transfer. It is possible that our service could expand in the future due to European Directives such as the Single Euro Payments Area which aims to make it easier to facilitate cross-border payments.