About debit cards in the Netherlands
By Guillaume Mouron on Thursday 10 May 2007, 23:46
I've just recently opened a bank account in the Netherlands and with it comes a debit card. In this entry, I will talk about the differences with my French debit card, and especially about the security involved for internet banking and also with the French banking system.
So this is it :
First thing, it belongs to the Maestro network. Not very common in France, for instance, you can't pay the highway toll with it but very often shops take it (not online sites though). Hopefully I've kept my French VISA card.
Talking about VISA cards, in the Netherlands, if you want a VISA or EuroCard/MasterCard, you can't have it as your regular debit card, but as another, separate one. It works completely differently : it is a credit card, so you will be charged for a transaction (and lots of shops don't take them because they also pay a fee, so I can't use my French VISA card either), the money will be retrieved one month later, and you can have your credit card with bank A while you have your bank account in bank B (without having any bank account in bank A).
It appeared to be a bit strange to me as I'm used to the fact that my VISA card is also my Carte Bleue, so my regular debit card, that the amount is directly taken from my account (which surprises everybody here in the Netherlands) and that I don't pay any fee (but French shops do as far as I remember). I think this is a French specificity and I find it much more convenient.
Now let's continue with differences between French and Dutch cards :). You can see that there is a chip. You (if you are French) might think that this is for the security stuff. It's not. Actually, it's a bit like the Moneo system, you can transfer money from your bank account to the chip and use it for paying the parking or in the supermarket. I'm not sure if I will use it, I still have to see some scenario where it could be convenient.
So if I want to pay with my card, I have to use the magnetic band. Basically I slide the card in the device, then I have to type my pin code and press ok. And that's it. So it's a bit different from the French system where the verification is made with the chip. However, when I use my French card here (for instance for paying at the gas station), I also have to use the magnetic band. But I do not type my pin code and I just have to sign the receipt. That's what I will have to do if I want to use my Dutch card in France.
It's really strange to see that even with Europe, euros and things like that, the bank card system is different and that when you change from a country to another, you kind of "swap" the way you have to use your card ...
So, let's talk about internet banking. When I opened the account, they gave me a small device, similar to a calculator (but it isn't, which is a bit silly, they could have added that ...). I've been told that this system is not used by every bank in the Netherlands, but Rabobank does it so ...

This device is necessary for internet banking. I have to go on my bank website, enter my card number. Insert my card in the device, press "I", enter my pin code, then a token is generated by the device and I have to enter it below my card number. Then I can login.
According to my colleague, I can do "everything" with internet banking (and there is an English manual, but not a direct English translation). We'll see but at least, I can do more than with the Société Générale internet banking system as I can move money from my bank account to an international bank account whereas I can't do that with Société Générale (I have to send a fax).
Talking about money transfer, if I want to do one, I have to reuse the calculator. I have to press S this time, enter the pin code, then enter another random (?) code displayed on the web site and it gives me another number that I have to enter to confirm the transaction.
The login procedure with my French bank account is just to put my bank account number, then a Flash numeric keyboard is displayed with the digits being randomly placed and you have to enter a code that you chose when you opted for internet banking. This can be logged by a malicious program so the randomness of the keyboard is useless, and the fact that YOU choose the code is a bad thing in my opinion. Especially because it's limited to 6 digits.
See what Serge Humpich thinks about it on google video :D
OK so that was the description part. But I'm wondering exactly how secure this is. The device doesn't communicate with the web site, so it means that this can't be completely random (I know it can't anyway but I mean not even pseudo-random) even if the device is called "random reader".
So I guess one could find the algorithm. What do you think is taken into account as input parameters ? Probably the card number, the pin code. Maybe another code stored into the card. There is no info on the product page concerning that topic. You have to know also that this random reader is not personal, so I can use someone else's reader for authenticating meaning that all the input parameters are related to the card.
What do you think of such a system ?
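An added sketch, not part of the original post and not the bank's algorithm (the page does not describe it): one way a reader with no link to the web site can still produce codes the bank can check, covering both the "I" login and the "S" transfer steps described above. It assumes a per-card secret key and a counter stored on the chip and mirrored at the bank, with HMAC-SHA256 as the keyed function; `Card`, `Bank`, the key, the PIN and the challenge values are all constructed for illustration.

```python
import hashlib
import hmac
import struct

def _code(key: bytes, msg: bytes, digits: int = 8) -> str:
    """HMAC the message and truncate it to a short decimal code (HOTP-style)."""
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class Card:
    """Constructed model of the chip: key, PIN and counter all live on the card."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.counter = key, pin, 0

    def respond(self, pin: str, challenge: str = "") -> str:
        # The PIN is checked locally by the card and never leaves it.
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        self.counter += 1
        return _code(self._key, struct.pack(">Q", self.counter) + challenge.encode())

class Bank:
    """Server side: holds the same per-card key and the last accepted counter."""
    def __init__(self, key: bytes, window: int = 5):
        self._key, self.last, self.window = key, 0, window

    def verify(self, code: str, challenge: str = "") -> bool:
        # Small look-ahead window for codes generated but never submitted.
        for c in range(self.last + 1, self.last + 1 + self.window):
            expected = _code(self._key, struct.pack(">Q", c) + challenge.encode())
            if hmac.compare_digest(code, expected):
                self.last = c  # anything at or below this counter is now a replay
                return True
        return False

def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    card, bank = Card(key, "1234"), Bank(key)
    login = card.respond("1234")                 # "I" mode: no challenge
    results = {"login": bank.verify(login), "replay": bank.verify(login)}
    signed = card.respond("1234", "48151623")    # "S" mode: challenge shown by the site
    results["wrong_challenge"] = bank.verify(signed, "99999999")
    results["sign"] = bank.verify(signed, "48151623")
    return results

if __name__ == "__main__":
    print(demo())
```

Because every input sits on the card, any reader of the same model gives the same answer for a given card, and a captured code is useless once the bank has advanced its counter past it.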
Comments
These numbers are not random. This system uses a one-time password ( http://en.wikipedia.org/wiki/One-ti... and http://en.wikipedia.org/wiki/Hash_c... ), which is a very very secure system.
You can find the algorithm but you have no way of reversing the hash function. If you're interested, the report I wrote during the third year's internship is precisely on this subject.
Ok now I know why most shops don't take my Visa. By the way I only have to sign and I don't type my PIN. So secure....
By the way, the same applies in Germany... Very few people have VISA and I found it quite hard to find an ATM that supports it (to find an ATM at all...).
And you also have to use the magnetic band, with your ultra-secure (very) uncheap chip-shipped payment card, and to sign a nice receipt... SURE I didn't sign the back of my card, I don't need to use a pen (a what ? In which century are you living, Fraulein ?) to put a silly calligraphed "signature" that will last more than the ink of the receipt...
After saving me from the harsh reprimand from the cashier (ACHTUNG-PAPIER-ACH-AUSWEIS-****LOCH) she said that people don't really remember their PIN code :-).
Oh I love Germany... or at least German Mädchen... or their mother... whatever