undefined | Better HN

0 pointsjessriedel15y ago0 comments

I see three problems.

> most banks now provide customers with a small reader (that looks like a calculator) for logging on to online banking, or authorising payments made via internet banking.

This means you can only make online purchases easily and securely at home. If I want to be able to make purchases at someone else's computer, an insecure back door must necessarily be left open even when you're not away.

> To authorise a payment you: put your card into the reader, type in the account number you want to pay, type in the amount, and type in your pin.

This doesn't solve the problem (which people may not care about) that the merchant could now have your pin.

>You then get an cryptographic authorization code to type into online banking.

This seems like a huge burden. Physically typing in long cryptographic codes? Do people actually subject themselves to this?

Thanks very much for the perspective.

EDIT: I retract the second criticism for reasons explained below.

0 comments

2 comments · 1 top-level

Tibbes15y ago· 1 in thread

> This means you can only make online purchases easily and securely at home.

Fair point - I had this problem when wanting to use Internet banking at work, but these pin readers are compact (smaller than an iPhone, marginally thicker) so I just keep mine in my bag now.

> This doesn't solve the problem (which people may not care about) that the merchant could now have your pin.

Only if the reader itself is compromised (very unlikely with the small ones provided by banks for online banking, and pretty unlikely in a shop too). However, note that the PIN is useless without the card, because the crypto chip is on the card, and it can't be cloned by a reader.

> This seems like a huge burden. Physically typing in long cryptographic codes?

They are only 8 digits long. And yes, I don't want fraudulent use of my account so I don't mind.

jessriedelOP15y ago

> However, note that the PIN is useless without the card, because the crypto chip is on the card, and it can't be cloned by a reader.

Ahh. So then the merchant could only really make use of a pin (which it would have to do by compromising the pin reader--a tall order for small time crooks) if he also stole your physical credit card. I agree that this isn't much of a risk, and retract that criticism.

j / k navigate · click thread line to collapse