
Cater Allen Internet Banking - Not very secure?


    Cater Allen Internet Banking - Not very secure?

    No email/text messages when adding new payees.

    No confirmation via a code sent to my phone or via a debit card + card reader + pin.

    Did I miss some kind of choice to set up more security?

    It is fast and snappy though. That's nice.

    #2
    What on earth are you talking about?

    I use Cater Allen, I am very happy with the service and have no concerns over security.
    "The budget should be balanced, the Treasury should be refilled, public debt should be reduced, the arrogance of officialdom should be tempered and controlled, and the assistance to foreign lands should be curtailed lest Rome become bankrupt. People must again learn to work, instead of living on public assistance." Cicero

    Comment


      #3
      They are as secure as most UK banks, which means not as secure as you might think.

      Any system where you enter individual random characters from a password means they either store those passwords as plaintext or they have to encrypt every character individually

      And don't get me started on the memorable pet/maiden name/primary school stuff. It's laughable.

      Comment


        #4
        Originally posted by borderreiver View Post
        Any system where you enter individual random characters from a password means they either store those passwords as plaintext or they have to encrypt every character individually
        Or they decrypt the password and then compare the one character against that character.

        When I last worked in banking with CRM, we used Red Pike to encrypt and decrypt the password - the system asked for three random characters and the API decrypted the password and returned just those characters to the front-end.

        Comment


          #5
          I do agree with the OP although I never had problems. I'm not very comfortable with the level of security when logging in and how easy it is to transfer money. My first on-line banking account 15 years ago had more security.

          Comment


            #6
            Originally posted by TheFaQQer View Post
            Or they decrypt the password and then compare the one character against that character.

            When I last worked in banking with CRM, we used Red Pike to encrypt and decrypt the password - the system asked for three random characters and the API decrypted the password and returned just those characters to the front-end.
            So they're storing the unencrypted password in memory at least some of the time ...

            Comment


              #7
              I have noticed that with all my debit cards when I go to purchase online I go through that verification screen....but not with my CA card. Is it because it is deemed to be a 'credit card' and not a debit card by merchant systems?
              McCoy: "Medical men are trained in logic."
              Spock: "Trained? Judging from you, I would have guessed it was trial and error."

              Comment


                #8
                Originally posted by lilelvis2000 View Post
                I have noticed that with all my debit cards when I go to purchase online I go through that verification screen....but not with my CA card. Is it because it is deemed to be a 'credit card' and not a debit card by merchant systems?
                Nope it's nothing to do with that.

                A couple of my cards both credit and debit don't force me to the verification screen because:
                1. The verification screens have been shown not to be safe and are hackable.
                2. What I do matches my spending pattern - the card issuer can and will block it stopping the transaction
                3. People find it annoying.
                "You’re just a bad memory who doesn’t know when to go away" JR

                Comment


                  #9
                  Originally posted by borderreiver View Post
                  They are as secure as most UK banks, which means not as secure as you might think.

                  Any system where you enter individual random characters from a password means they either store those passwords as plaintext or they have to encrypt every character individually

                  And don't get me started on the memorable pet/maiden name/primary school stuff. It's laughable.
                  Originally posted by TheFaQQer View Post
                  Or they decrypt the password and then compare the one character against that character.

                  When I last worked in banking with CRM, we used Red Pike to encrypt and decrypt the password - the system asked for three random characters and the API decrypted the password and returned just those characters to the front-end.
                  Not necessarily.

                  Most partial password systems use a method whereby at the point the full password is hashed the system calculates the possible permutations for the number of characters required for the partial password system and hashes them at the same time. When the user enters the password characters these are hashed and compared to the hash of that combination. At no point is the plain text password stored anywhere, only ever the actual characters at point of entry by the user.

                  This isn't efficient from a storage point of view, requirements scale quadratically, not linearly with the length of password, and the hashing process can be compute intensive, but it is more secure than either plaintext password storage or using a reversible encryption algorithm.

                  There is another way of doing it discussed here: Smart Architects - Home

                  This uses Polynomials to calculate points and indices for the character values resulting in faster computation, lower storage overheads and fewer limitations on password length or number of partial password characters selected.
                  "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

                  Comment
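The combination-hashing approach described in post #9, sketched as an added example; it is not code from the thread or from any bank's system. The function names, the choice of PBKDF2, the salt size and the round count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
from itertools import combinations

K = 3                    # characters requested per login (assumption)
PBKDF2_ROUNDS = 10_000   # assumed; kept low so the demo runs quickly

def _digest(salt, positions, chars, rounds):
    # Bind the hash to the positions as well as the characters, so the same
    # three characters at different positions give a different value.
    material = ",".join(map(str, positions)).encode() + b"|" + "".join(chars).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, rounds)

def enroll(password, k=K, rounds=PBKDF2_ROUNDS):
    """Build the stored record: one salted hash per k-subset of positions.

    Only the hashes are kept; the full password is dropped once this returns.
    The table holds C(len(password), k) entries.
    """
    salt = os.urandom(16)
    table = {}
    for positions in combinations(range(len(password)), k):
        chars = [password[i] for i in positions]
        table[positions] = _digest(salt, positions, chars, rounds)
    return {"salt": salt, "length": len(password), "k": k,
            "rounds": rounds, "table": table}

def challenge(record):
    """Choose which positions to ask for, in ascending order."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(record["length"]), record["k"])))

def verify(record, positions, chars):
    """Hash the entered characters and compare with the stored hash."""
    positions = tuple(positions)
    expected = record["table"].get(positions)
    if expected is None or len(chars) != record["k"]:
        return False
    actual = _digest(record["salt"], positions, chars, record["rounds"])
    return hmac.compare_digest(expected, actual)

if __name__ == "__main__":
    rec = enroll("Tr0ub4dor")             # constructed sample password
    print(len(rec["table"]), "hashes stored")
    print(verify(rec, (0, 4, 8), "Tbr"))  # characters 1, 5 and 9
```

Each stored hash covers only `k` characters, so the per-record salt and a slow key-derivation function carry most of the protection if the table leaks.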


                    #10
                    Originally posted by Optimus Prime View Post
                    No email/text messages when adding new payees.

                    No confirmation via a code sent to my phone or via a debit card + card reader + pin.

                    Did I miss some kind of choice to set up more security?

                    It is fast and snappy though. That's nice.
                    I find all those things annoying and prefer online banking that lets me get on with things!
                    Originally posted by MaryPoppins
                    I'd still not breastfeed a nazi
                    Originally posted by vetran
                    Urine is quite nourishing

                    Comment
