Quote:
Originally Posted by Draby
Regarding Phorm as a "man in the middle" and able to see even https sites if they choose to.
Today I received in the post from Nationwide (whom I bank with) a battery-powered card reader that's not connected to my PC in any way.
What happens is, I log in as usual to their secure site, select the third party I want to send a payment to, Nationwide then asks me to insert my debit card into the reader, which asks for the "ATM" PIN, then asks for the ref. no. that Nationwide gives me, plus the amount to pay.
Still with me? The reader gives me an eight digit number to enter on the website, and after confirming, the payment goes through.
So... it seems that Nationwide no longer implicitly trusts HTTPS and SSL encryption, and has inserted an extra layer. I wonder if Phorm is the trigger for this, or just the (what seems to be) trend towards profiling of users via traffic interception. Does anyone know of other banks making similar moves?
Richard
So now you will be sending the chip data, your PIN and your online banking PIN to Nationwide via the Phorm profiler.
When your card gets cloned and Nationwide turn around and say it is your loss as they knew the PIN, can you go back to them and highlight that Phorm could have snooped it, so Chip and PIN is no longer secure? I would have thought an RSA SecurID key would be more secure than this approach in many respects. Now you have a token and two shared secrets, both of which have alternate uses, whereas with a SecurID you would still have a token and a secret, not much less secure, and the token cannot be cloned and put in an ATM or used to fill the car up.
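The reader flow Richard describes (bank issues a reference, the offline reader takes PIN, reference and amount, and hands back an 8-digit code that the website checks), written out as an added example. This is my own simulation for the thread, not Nationwide's reader, the real EMV CAP algorithm, or any bank's code. Assumptions, all constructed for the example: the card holds a key that the bank also knows; the 8-digit code is an HMAC over the reference and amount with HOTP-style truncation; the PIN is checked by the card inside the reader, which per the post is not connected to the PC; and the bank accepts each reference once. The `demo()` function runs a legitimate payment, then tries to replay the captured code and to reuse it for a different payee and amount. It does not model the card-cloning concern raised in the reply.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed values for the example only: a chip key and PIN held on the
# card, with a copy of the key at the bank. Not real card or bank data.
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CARD_PIN = "4321"


def derive_code(key: bytes, reference: str, amount_pence: int) -> str:
    """8-digit response bound to the bank's reference and the amount.

    Illustrative construction (HMAC-SHA256 plus HOTP-style dynamic
    truncation), not the EMV CAP scheme a real reader implements.
    """
    msg = f"{reference}|{amount_pence}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def reader_sign(pin_entered: str, reference: str, amount_pence: int) -> Optional[str]:
    """Simulated battery-powered reader plus card.

    The PIN is compared by the card in the reader (assumption: it never leaves
    the device); only the resulting 8-digit code is typed into the website.
    """
    if not hmac.compare_digest(pin_entered.encode(), CARD_PIN.encode()):
        return None  # wrong PIN: the reader produces no code
    return derive_code(CARD_KEY, reference, amount_pence)


class Bank:
    """Simulated bank side: issues one-time references and checks responses."""

    def __init__(self, card_key: bytes) -> None:
        self.card_key = card_key
        self.pending: Dict[str, Tuple[str, int]] = {}  # reference -> (payee, amount)

    def new_challenge(self, payee: str, amount_pence: int) -> str:
        reference = f"{secrets.randbelow(10**8):08d}"
        self.pending[reference] = (payee, amount_pence)
        return reference

    def confirm(self, reference: str, payee: str, amount_pence: int, code: str) -> bool:
        # The reference must be outstanding and match the payee and amount
        # the customer chose; a consumed or unknown reference is rejected.
        if self.pending.get(reference) != (payee, amount_pence):
            return False
        expected = derive_code(self.card_key, reference, amount_pence)
        if not hmac.compare_digest(expected, code):
            return False
        del self.pending[reference]  # one-time: the same code cannot be replayed
        return True


def demo() -> Dict[str, bool]:
    bank = Bank(CARD_KEY)
    results: Dict[str, bool] = {}

    # Legitimate payment: site issues a reference, customer signs it in the reader.
    ref = bank.new_challenge("Plumber Ltd", 12000)
    code = reader_sign("4321", ref, 12000)
    results["legit"] = bank.confirm(ref, "Plumber Ltd", 12000, code)

    # Someone watching the session saw ref, amount and code. Replaying them fails.
    results["replay"] = bank.confirm(ref, "Plumber Ltd", 12000, code)

    # Trying to redirect money with the captured code: the bank issues a fresh
    # reference for the new payee/amount, and the old code does not verify for it.
    ref2 = bank.new_challenge("Attacker", 99900)
    results["redirect_with_captured_code"] = bank.confirm(ref2, "Attacker", 99900, code)

    # A wrong PIN at the reader yields no code at all.
    results["wrong_pin"] = reader_sign("0000", ref2, 99900) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the simulation makes visible is that the 8-digit code is tied to one reference and one amount, so seeing it in transit (through Phorm or anyone else) does not let the observer authorise a different payment; whether the card itself, rather than the code, can be abused is a separate question and is the one the reply raises.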