Barclays to provide chip-and-pin card readers to UK customers
The use of chip-and-pin devices to reduce internet fraud and phishing raises the prospect of consumers being given multiple devices by each website and online store with which they interact.
In late 2005 Lloyds TSB began trialling a token device which provided online banking customers with a one-time six-digit passcode. Now Barclays, one of the world's largest financial service providers, is to provide chip-and-pin card readers to half a million customers in the UK. Barclays online customers will be required to use the handheld device to generate a one-time passcode that will have to be entered when conducting certain online banking functions. The device will only generate a passcode once the user's bank card has been swiped through it and the PIN code entered.
While the PINsentry device should reduce the risk of phishing emails and spyware that aim to steal login details and passwords from internet users, it is unlikely to totally eradicate the risk of online fraud.
"Including two-factor authentication in the online banking process is definitely better security - keyboard logging spyware and phishing emails won't be effective if user passcodes keep changing," said Graham Cluley, senior technology consultant for Sophos.
"However, these chip-and-pin devices do not prevent all identity theft - spyware can still steal screenshots of what bank customers are doing online, and can capture account information to use for fraudulent purposes. More sophisticated hackers can even develop 'man-in-the-middle' attacks that sit in between users and their banks, automatically capturing information in real-time and sending unauthorised instructions to the bank posing as the customer."
"More and more banks are looking to introduce technology to better protect their customers and reassure them that online banking needn't be filled with peril," continued Cluley. "Of course, all of these solutions cost money for the banks, and ultimately that expense will be passed on to the customer one way or another."
"At the moment only a small number of online firms are providing their visitors with two-factor authentication. A concern is that as more online banks and stores recognise that consumers need better protection when they log onto websites they may all produce their own chip-and-pin devices," explained Cluley. "It may not be long before desks are covered in a mountain of chip-and-pin devices, one for every site you log onto! Ideally you would only need one authentication device to access all of your favourite sites, but that would be a huge logistical problem for online businesses to manage."
Reproduced from an article published by Security Park
© Security Park
The original article can be viewed here:
http://www.securitypark.co.uk/article.asp?articleid=26907&Categoryid=1





