By Matthew Broersma, 18 July 2008 14:51
NEWS
Barclays claims to have reduced online fraud to zero among users of its two-factor authentication system, PINsentry.
The UK's third-largest bank said this week that it has distributed the card reader, made by Amsterdam-based Gemalto, to more than one million customers, and that none have been hit by fraud.
Security from A to Z
Click on the links below to find out more...
A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day
Take-up of the devices has been higher than expected, exceeding 30 per cent of the online user base, Barclays said.
The bank chose PINsentry because of its similarity to chip and PIN, rolled out in 2006 across UK retailers.
Barclays began distributing the authentication devices in the second half of last year, initially sending out 500,000 units, becoming the first UK bank to distribute end-user chip and PIN terminals. Any user wishing to set up an online transfer to a new third-party account, other than a standard supplier such as a utility company, is required to use the system.
Barnaby Davis, director of electronic banking at Barclays, said last year that the arrangement was intended to limit the damage that could be caused by someone using stolen bank details. Barclays digital banking director Sean Gilchrist said the system was designed to be easy to use and highly secure. "Adoption of the PINsentry reader by one million cardholders in one year is a clear demonstration that we made the right choice," he stated.
Not everyone agrees that PINsentry is as secure as Barclays claims. The devices are still vulnerable to sophisticated man-in-the-middle attacks, said Sophos senior technology consultant Graham Cluley at the time of the rollout. "These chip and PIN devices do not prevent all identity theft - hackers can still steal screenshots of what you are doing on your PC, and find out information about you and your account which could potentially be used for fraudulent purposes," he said.
Some users have also complained about the necessity of carrying the device with them, leading one user to hack PINsentry to send new access codes to his mobile phone via SMS.
Earlier this month Barclays offered all its online customers free Kaspersky security software, including parental controls as well as protection from spam, adware, spyware and viruses.
Comments
There are 4 comments. Join the discussion
1. Michael Greenland
Yes but Barclays compels all its Premier customer to use this EVEN TO LOG ON. Which is very annoying as you can't access banking without it. They treat their best cusomers worst. I have been in comm swith them for months over this and they won't listen.
2. anonymous
Pinsentry may well increase security over on-line banking but this just makes the strong link even stronger when the weak link is the real problem. By weak link I mean having to give out every time you buy on-line or by phone, debit card details that allows access to your account. This data could be abused or copied by unsrupulous employees or stolen. Over time dozens of records of my bank details will be floating around hotels, box offices and many other businesses small and large that I may have bought from. Doesn't this represent a bigger risk to my account's security than hacking into a secure, encrypted on-line account.
3. anonymous
As a customer of several banks, including Barclays, I love PIN Sentry.
Firstly, it makes me feel more confident about logging on - At least one other financial institution I use still requires my mothers maiden name and password in full - perfect for keyloggers.
It also allows raised "sending limits" - no longer am I limited to just a small amount per day - and if you don't have pin sentry with you, you can still log on and check your balances etc (you just need your card number).
Card numbers however are the next problem - especially with mail order / telephone sales. So many companies now want the security number - which was put on the back of the card so a copy could not be made - and you either have to write it on an order form (which totally obviates its purpose) or a telephone operator will do the same. How much better if PinSentry (or something similar) could be used to give the merchant a "one shot" code ?
4. Richard Marshall
Personally, I loathe, detest and abhor PIN Sentry and have reduced my online banking to almost nil since its introduction.
PIN sentry has thrown 75% of the benefits of internet banking straight out of the window
Previously all I needed was my account number (Stored in my head or on my laptop) and my password (only stored in my head and accessible to nobody) - then I could bank anywhere and on any computer: in the living room, at work, in a cafe, on holiday...
Now I must carry my bank card and PIN sentry everywhere, **together**, in case I need to use internet banking. Both are liable to theft, loss or damage with dire consequences.
If either breaks or is mislaid, I cannot bank online at all. If my card fails, is mislaid, lost or stolen, I cannot use ATMs but nor can I use internet banking until the new card arrives.
If both are stolen and the PIN is compromised, I am shafted and Barclays will doubtless make the customer liable.
This is one step forward and two steps back to Victorian times. Next they'll be closing branches at 3pm...