# Rabobank Money Mover Facility - is it safe?



## apple1 (5 Oct 2007)

Hi,
Would welcome any views on whether its safe to post bank details on Rabobank's Money Mover account.  Its certainly convenient, but wondering about the virtue of entering this data on the web?  Thanks, apple1


----------



## ClubMan (5 Oct 2007)

It's as secure as any direct debit based payment as far as I know. Don't forget that anybody who gets a cheque from you has your bank account number, sort code and signature. I wouldn't get too paranoid about this though.


----------



## beara (5 Oct 2007)

It's on a secure server so it's safe enough. And it is convenient. Five days for BOI to add a new beneficiary.


----------



## RaboDirect (5 Oct 2007)

The [broken link removed]operates on the Originator Plus direct debit scheme. If you want to set up a Money Mover you do so in the secure banking website. You cannot access the secure banking website without your Customer Number and [broken link removed]. You also confirm your Money Mover set up using your Digipass. RaboDirect customers have the benefit of a "[broken link removed]". 

We have been actively encouraging the other banks to adopt this type of technology (based on "two-factor authentication") and have been sharing information with them on this via the Irish Bankers Federation for a number of months now. However, we still do not see any movement from the primary banks other than the usual statements like "be careful with your passwords and PIN's and never respond to emails requesting your log-in details". We hope that they will move to more secure forms of online security in the near future.


----------



## Mr Magoo (17 Oct 2007)

RaboDirect said:


> We have been actively encouraging the other banks to adopt this type of technology (based on "two-factor authentication") and have been sharing information with them on this via the Irish Bankers Federation for a number of months now. However, we still do not see any movement from the primary banks other than the usual statements like "be careful with your passwords and PIN's and never respond to emails requesting your log-in details"



Yes I would hope that the other banks listen to this. With one bank in particular where it askes you at random for some digits of a PIN (e.g. 1st, 3rd, 5th) you get the impression that you need to know all 6 digits and 2 other items like work phone number/birthdate.

However this is not the case -you only actually need know ANY 3 of the 6 digits and say the work phone number along with the user ID then that's enough. I emailed the bank concerned about this problem about a year ago and they, amazingly, admitted there was an issue and would look into it "immediately".
the issues is still there today - I'm not going to say here how it works but I can pass it on to brendan together with the email if anyone doesn't believe me. So say you're in an internet cafe, someone could look over your shoulder- they can see the user id etc  displayed un-encripted on the screen, they only have to watch the 3 keys you type when entering the PIN subset.


----------



## Mr Magoo (17 Oct 2007)

If found the email from the bank mentioned above - here's an extract from it:

"I have forwarded your email to  Our Development Team who were very interested in your comments. 

As you correctly mentioned  there does appear to be a security issue on our log in page, we will have this  looked into immediatley"


----------



## Towger (17 Oct 2007)

Mr Magoo said:


> I emailed the bank concerned about this problem about a year ago and they, amazingly, admitted there was an issue and would look into it "immediately".




The have now 'fixed it', it was a long running joke! 

While some were complaining about it in the NR thread, NR's version which only rotates the numbers requested (on a separate screen) after a successful logon, is how it should be implemented.
But the bank in question have now replaced the text fields with dropdown boxes which don't accept keyboard entry. It might be more secure against keyboard loggers, but it is a bloody pain to use. Anyway why would someone bother logging just keyboard strikes when it is just as easy to install software to record the whole screen!


Towger


----------



## Mr Magoo (17 Oct 2007)

Yes, they fixed it this morning! 
I was wondering why they went with pop ups, although now someone looking over your shoulder can see the numbers chosed before they are asterisked out.

There are other irish online insitutions with a similiar problem  of not needing all of the PIN digits, so hopefully they will upgrade thier security too.

NIB have a interesting system where a softkey is required to be install on you pc (or you can keep it on a removable disk) that is required to access their online  services. Internet explorer only.

If you change the passord a new key is generated. 
So it seems pretty safe and is more convient than carrying around the rabo digpass. I think NIB also offer you the choice of a digipass (to work wiht firefox).

I've been using NIB's online service for a few months now and it's really excellent. Slick user interface, plenty funcionality.


----------



## askew70 (18 Oct 2007)

Towger said:


> The have now 'fixed it', it was a long running joke!
> 
> While some were complaining about it in the NR thread, NR's version which only rotates the numbers requested (on a separate screen) after a successful logon, is how it should be implemented.



NR's version is not how it should be implemented. The main weakness of having to enter the same (complete) password each time is that someone has an opportunity every time to record all that they need to masquerade as you - if they record your password(s) during any one of your logins, they can login as you whenever they like. 

Requiring that you enter only a portion of the password each time is done in the hope that if someone records what you enter during one single login, it won't easily allow them to masquerade as you as, when they subsequently try to login as you, they will (hopefully) be asked for a different portion of the password that they (hopefully) don't know. If any system asks you to enter the same portion of the password even a few times in a row then you are back to square one where someone who records that one portion has enough to login as you when they next try.

The random nature of the portion of the password that you are asked to provide isn't foolproof in either case above though. If you had a password that was 100 characters long, and you were asked for (a random) 5 of those characters each time, then that makes for a lot of possible combinations so the chances of the same combination coming up regularly should be relatively small, although whether this is an acceptably small risk is up to you to decide (depends on other controls on access, how much money you have at risk, etc.). If, on the other hand, you have a password of 10 characters long and you are asked for a random 2 of those characters each time, then there is a much greater chance of the same combination coming up and therefore greater risk of someone logging in as you even if they have only 2 characters of your password.

Greater strength/security in this area requires greater resources on the server side to support it. Some (very few) banks are willing to pay for that, others are not. Depending on the nature of the stronger security, it  may also require greater effort on the part of the customer to remember a much longer password - there is a point at which people will just write out the password on a piece of paper, along with their other login details clearly labelled, an sellotape it to their office computer screen. Somewhere in the middle ground is a compromise of security versus usability and cost/effort. Unfortunately, a lot of online services don't veer far from the cheapest/easiest end of the scale and the strength of their security reflects that.



			
				Towger said:
			
		

> But the bank in question have now replaced the text fields with dropdown boxes which don't accept keyboard entry. It might be more secure against keyboard loggers, but it is a bloody pain to use. Anyway why would someone bother logging just keyboard strikes when it is just as easy to install software to record the whole screen!
> 
> Towger



I'm not aware of any software that will easily allow you to record the contents of your screen. Other than a video camera over your shoulder that is. 

It remains far easier to record what you type at the keyboard, and server-based/online keyboards (which you describe NIB as using) are a reasonable approach to dealing with that threat. They are not perfect, of course, or very convenient, but security generally is neither of those.


----------



## Towger (19 Oct 2007)

??? 
NR ask for 2 characters of a (long) alpha numeric password, the characters requested are only rotated on a successful logon. This is the system I believe BOI are now using, except using a 6 digit PIN. But up to now BOI asked for 3 numbers of the 6 digit PIN, if you did not know any of the numbers being prompted for, you just refreshed the screen and it would prompt for another random 3!!

Google will find you many products capable of recording a PC screen.


----------



## RaboDirect (19 Oct 2007)

*Online Banking Security*

The title of this thread should be changed now as this discussion thread is discussing online banking security as opposed to RaboDirect's Money Mover Facility. 

Regarding online banking security the use of static passwords and PIN's to log on to banking websites, even when you are asked for random numbers/characters, is recognised as being vulnerable to phishing and keystroke logging. There is proven technology available to banks based on strong "two factor authentication". Rabobank offers its customers strong two factor authentication via the Digipass solution which is provided by Vasco and is based on: 

(1) Something you *know*: - your Customer Number and personal PIN code for your [broken link removed]and, 

(2) Something you physically *have:* - your Digipass which generates a one-time access code that expires every 36 seconds. 

Your Digipass is also used to authenticate transactions giving a double layer of security. 

Your Digipass cannot be used without your PIN making it worthless to somebody else should it be lost or stolen. Therefore, if someone gets hold of your Customer Number, they can't access your accounts without having your Digipass & vice versa. 

The reality is that many banks take a view that the cost of paying out on fraudulent cases of online fraud is cheaper than migrating their customers on to more robust technology. This is in our view entirely unacceptable especially when you look at the profits that large banks make. 

In some countries the Regulator insists on minimum standards of online banking security (normally based on two factor) which all banks must adopt. It would be desirable in Ireland if a common and more secure standard existed. For example, the implementation of chip & pin on credit cards has helped to drastically reduce fraud levels. 

However, customers must also play their part by ensuring that they protect their PC's from viruses on a continual basis and maintain vigilence. It would also be no bad thing to insist that your bank adopts better security. 

RaboDirect


----------



## messyleo (19 Oct 2007)

I just have to say that I think the online log-in set up at Rabo is probaby the safest out there. It's a bit annoying at times if I want to log-in from a PC outside of my home and don't have my Digipass, but that's my problem for forgetting it! And I'd rather have it like that and have enhanced security tbh.


----------



## askew70 (19 Oct 2007)

Towger said:


> ???
> NR ask for 2 characters of a (long) alpha numeric password, the characters requested are only rotated on a successful logon. This is the system I believe BOI are now using, except using a 6 digit PIN. But up to now BOI asked for 3 numbers of the 6 digit PIN, if you did not know any of the numbers being prompted for, you just refreshed the screen and it would prompt for another random 3!!



The NR password is 9 characters long, which isn't very long (although it is longer than that of some online banks). Asking for 3 out of 6 certainly is worse though.

The issue that I have with NR's system is that it asks you for the same characters every time until you have successfully logged in. If you enter the wrong ones 3 times in a row then you are locked out, which is a good thing, but when their system was virtually unusable recently you could enter the correct details and still not login successfully. Next time you tried you were prompted for the same characters again, but you were unlikely to login successfully then either. And so on. Basically, for as long as the system was unable to successfully log you in, your account was protected by the same 2-character password (which somone could potentially record during any of your failed login attempts), which is not good.

Changing the combination of characters that you are prompted for each and every time is better, whether you successfully login or not, as long as the possibility of the same combination arising more than once in a "short" space of time is small. Basically, if someone has 2 characters of your password, and they sit their refreshing the login page and getting a different combination of characters prompted for every time, then if the number of possible combinations is small (e.g. a combination of 3 characters from a 6 character long password) you are correct to be concerned as they won't have to wait long to be prompted for the specific two characters that they know. One way to significantly reduce the risk is to reduce the probability of any one combination cropping up (which reduces the possibility of them being prompted for the characters they know), and this can be done by using longer passwords, using passwords with a wider variety of characters in them (e.g. characters that contains punctuation characters as well as letters and digits), etc. This would require more effort, and perhaps more expense, on the part of the provider of the service so such commitment tends to be rare.

Of course, another approach is to require you to change your password every now and again. This tends to be the approach taken in office environments for passwords used to access local network services. Again though, most service providers don't implement that because of the hassle and the expense (most of the expense is in providing some kind of support service for customers who are confused by the need to change their password, can't remember their new password, etc.).

Another approach which addresses most of the above concerns is to use the kind of authentication that Rabodirect uses, where your password is determined by the numbers output by your Rabodirect token/fob. It is based on the same basic theory that your password is a selection of random digits from a finite number of possibilities, but basically with this system your password actually changes every time you login so it increases the number of possible passwords by a huge amount therefore making it extremely unlikely that someone can either guess your password or re-use one that you have already used. Of course, this system isn't perfect either as its additional complexity requires more complex software to implement it and the more software you have the greater the risk of there being bugs/errors/holes in it which might be exploited, but it still remains better than most of the other alternatives out there.



			
				Towger said:
			
		

> Google will find you many products capable of recording a PC screen.



I wonder how capable such products are. They would need to record your screen contents (presumably from the machines memory) at the right time in order to capture your password. And considering your screen content is changing constantly, that would be far from easy.


----------



## askew70 (19 Oct 2007)

Sorry for changing the topic/direction of the thread.


----------



## Towger (19 Oct 2007)

NR, I don’t know that their max length is but it is more than 9. I originally had a 18 character password, but it was pain counting the letters.! Of course the loggon on problems should never happen in the first place.

RD, Security tokens are much better solution (unless you are like my wife who writes her PIN on the back!). But I agree they are a pain to use and there is more to go wrong. I first came across their actual use by BACS about 10 or 12 years ago. But as you know Irish banks hate to spend money.

Back on topic. Is the use of  Money Mover (Originator Plus) to Direct Debit accounts safe? 
It safe as any other banking transaction, when used to take money from your own account. But Rabo are leaving them selves open to problems if someone manages to use their Money Mover (Originator Plus) facility to DD a 3rd party account. It will quickly be traced back to them, they will have to repay the money and then go chasing their customer.

A question for Rabo, as proof of PPS Number you include a P60 as a document “issued by Revenue or the Minister of Social and Family affairs” (as per your demo). Unless a P60 is produced by ROS, which is not common. It is printed on Revenue supplied paper by an employer, which is easy to get hold of. From next year Revenue are phasing out the use of pre-printed P60s, They will just be printed on plain paper by the payroll software, as has been done in the UK for years. So my questions is, should you be accepting a P60 as proof of PPS Number.  

BTW you might want to change Minister of Social and Family Affairs to Department of Social and Family Affairs


----------



## RaboDirect (19 Oct 2007)

Towger said:


> RD, Security tokens are much better solution (unless you are like my wife who writes her PIN on the back!).


 
*Note: Disclosing the PIN for your Digipass invalidates the "No Fraud Online Banking Guarantee"*

From our website:
RaboDirect guarantees to refund you for any money that is withdrawn from your bank account without your authorisation. This includes money withdrawn as a result of the online theft of your customer or account numbers or passwords provided you meet us half way:

Keep your Digipass safe and do not disclose your PIN or Customer Number to anyone
Notify us immediately if your Digipass or PIN is lost or stolen
Notify us immediately of any fraudulent activity on your bank account
You make sure that you only use your Digipass when the address of the website in the address bar of your internet browser starts with https://secure1.rabodirect.ie/ or https://secure2.rabodirect.ie/.
*Important: *When banking online with RaboDirect you should always make sure that the web address is either *[broken link removed]* or *[broken link removed].* Be vigilant by looking out for the's' in https and always look for the secure padlock icon normally located at the bottom of your screen. *RaboDirect will NEVER email you asking you for your Customer Number or personal Digipass PIN code.*​


----------



## Moggy (19 Oct 2007)

Anyone who logs on to their online bank account using a public PC (work, cafe whatever) is just asking to be robbed.  My tupence.


----------



## Godfather (19 Oct 2007)

Ciao Rabodirect, could you pls let me know if you'll introduce the "international transfer of funds" functionality to your online banking? Thank you in advance for your answer


----------



## RaboDirect (19 Oct 2007)

*International Funds Transfer*



Godfather said:


> Ciao Rabodirect, could you pls let me know if you'll introduce the "international transfer of funds" functionality to your online banking? Thank you in advance for your answer


 
Currently we do not have a genuine demand from our customers for this. We operate as a secondary bank and people generally transfer money from their RaboDirect savings account back to their primary bank when need to (or to any 3rd party Irish bank account). If there was a level of demand for it we would consider the business case of offering international funds transfer. It is possible that our service could expand in the future due to European Directives such as the Single Euro Payments Area which aims to make it easier to facilitate cross-border payments.


----------



## dfg75 (19 Oct 2007)

Rabo,
If you had the facility to do online transfers both outside and inside of the EU -- this would be of great benefit. Definitely worth considering! I am currently look for banks that offer this ability.


----------



## Godfather (19 Oct 2007)

I totally agree with dfg75. The international transfers are among the very latest trends and I kindly ask Rabo to investigate into how useful would be to the existing customer-set.


----------



## RaboDirect (19 Oct 2007)

*International Transfers*

Happy to get the feedback. Bear in mind that we don't offer current account banking so the demand hasn't been there for international payments. It is also likely that if we were to offer this service we would probably have to charge transaction fees to cover the cost.


----------



## Godfather (20 Oct 2007)

*Re: International Transfers*



RaboDirect said:


> Bear in mind that we don't offer current account banking


 
I find this sentence to be quite incorrect. When I applied for the savings account I got a savings account no. and a current account number. Of course the current account is restricted to the T&Cs of rabo.


----------



## Nemesis (20 Oct 2007)

*Re: International Transfers*



Godfather said:


> RaboDirect said:
> 
> 
> > Bear in mind that we don't offer current account banking
> ...



I don't believe this sentence is incorrect. Technically, RaboDirect do provide you with a current account but they do not offer current account _banking_ (cheque book, ATM card, DD etc.). The current account is really just a feature of RaboDirect's system for transferring money out to other banks from the savings account.


----------



## GeneralZod (20 Oct 2007)

*Re: International Transfers*



Nemesis said:


> The current account is really just a feature of RaboDirect's system for transferring money out to other banks from the savings account.



The bit I still don't get is why they don't just offer the interest on the "current" account, call it a savings account as it bears more resemblance to one and drop the separate savings account.  I'll hazard the guess that the answer is Dutch market systems that don't localise well to Ireland.

Or maybe they eventually intend offering full current account banking once we've gotten rid of paper transactions and do everything electronically.


----------



## Nemesis (20 Oct 2007)

After a bit of searching, found RaboDirect's explanation for this from a post earlier this year. Looks like the intention is to streamline the system in the future.


----------



## Mr Magoo (21 Oct 2007)

Moggy said:


> Anyone who logs on to their online bank account using a public PC (work, cafe whatever) is just asking to be robbed.  My tupence.


Yes online banking access in a cafe to be avoided with the possible exception of rabo.
At work - depends on their security, if the network is properly firewalled and updated virus sofware properly installed then it should be as safe as at home.


----------



## Godfather (22 Oct 2007)

*Re: International Transfers*



Nemesis said:


> I don't believe this sentence is incorrect. Technically, RaboDirect do provide you with a current account but they do not offer current account _banking_ (cheque book, ATM card, DD etc.). The current account is really just a feature of RaboDirect's system for transferring money out to other banks from the savings account.


 
Nemesis, as I wrote their "current account" is restricted to rabo's T&Cs. So this means that is a different current accounts from the ones we commonly know.

But Rabo still gives you a so-called current account when a savings account is opened.

I hope this helps...


----------



## RaboDirect (22 Oct 2007)

*RaboDirect Current Account*

As alluded to in previous posts the 'current account' we operate is used purely as a transaction account to move money out of RaboDirect. We do not offer current account services such as the provision of ATM cards, cheque books etc and nor do we plan to. We expect to remove the current account completely from our banking plaform in Q1 next year. 

In the RaboDirect online application form we specifically mention that the RaboDirect is not designed to be a replacement of your main current account:

"A RaboDirect Current Account will automatically be set up for you when you become a customer. This account will allow you to transfer money from your RaboDirect Accounts. Don't worry, you won't be charged any fees for this. This account is not a replacement for your main current account and does not earn interest".


----------



## Nemesis (22 Oct 2007)

*Re: International Transfers*



Godfather said:


> Nemesis, as I wrote their "current account" is restricted to rabo's T&Cs. So this means that is a different current accounts from the ones we commonly know.
> 
> But Rabo still gives you a so-called current account when a savings account is opened.
> 
> I hope this helps...



Godfather, if you feel what RaboDirect offers can be reasonably described as "current account banking" then fair enough. I think you'll find most people would require a great many more features to describe it as such.


----------



## Mr Magoo (23 Oct 2007)

*Re: RaboDirect Current Account*



RaboDirect said:


> We expect to remove the current account completely from our banking plaform in Q1 next year.



This would be most welcome!
I get paid into my rabo deposit a/c so I pay practically all of my bills from rabo using standing orders. All external transfers must go via the c/a so each monthly regular payment has to have 2 standing orders - one from deposit to c/a  and then one from c/a to the outside bank. 
I've about 4 of these: mortgage, regular savings, spending money (bank with c/a and atm/cheques) twice a month. And then a manual monthly payment to the credit card.


----------

