Barclays has announced plans to send out handheld chip and PIN card readers to their online banking customers in a bid to combat online fraud. The bank is to provide chip-and-PIN 'PINsentry' card readers to half a million customers in the UK, starting later this year. Barclays online customers will be required to use the …
Only a few years late!
ABN AMRO, the Dutch bank, issued me with one of these card readers in 2001. To access their internet banking service, I put in the card, entered my PIN, and generated a number to be entered onto their website.
Why are UK banks so many years behind?
Half the appeal of online banking using a web browser is that I can access it from any machine I choose, wherever I happen to be. If banks start to make physical devices mandatory for access, that convenience evaporates in a moment.
Two-factor authentication is fine and dandy, but to be workable it needs to be a) portable, and b) require some common token for multiple services. If I have to start carrying separate tokens around for my job, my bank account and anything else using a similar mechanism, my pockets are going to bulge in no time.
Maybe the answer is a man-bag...
it's just wrong
I often work/access the internet and internet banking from not only home, but other places, too. It would be a major pain in the ass to have to bother with this thing. There are places where banks send you an SMS when you want to enter your account, when you initiate a payment, and when a payment is actually made, be it direct debit, standing order, whatever attended or unattended transfer. When your balance changes above a pre-set limit, there's an SMS to you. I consider that a helluvalot more consumer friendly than bulky devices that may or may not work in the first place.
Lost my wallet
So, I've lost my wallet and need to log onto the Barclays website to request a new card (ok so that's a lie, everyone knows you need to catch the 32 into town or pay £20 in parking to queue on a Saturday behind hordes of people waiting for a cashier to become available and no I'm not paying in cheques...).
I've got my account number, password and memorable word (written on a post-it note stuck on my monitor, backwards, for security of course) and now I need to swipe my card to get access so I reach for my wallet....
Don't forget the rest of us
If they push this on to their customers let us hope they don't forget businesses like mine. We are using open source software whenever possible and things like this have the potential to cut us off from basic online services.
Take HSBC.net for example. That requires a smart card reader that only works on IE under Windows. Not even any support under OS X so forget Linux!
I don't even believe that banks are doing this to protect their customers. Once the cards can be duplicated or emulated we are back to square one. Your fraud coverage will evaporate. The bank will turn around and say that only you can authorise transactions because of the magical chip n pin system. Even though some evil bugger has just ripped you off.
Right now if somebody nabbed my PIN using a hidden camera at a cash point, and then swiped my wallet or whatever and used the card with the PIN, the bank would refuse to give me any compensation as only I should know the PIN. This has happened already.
And don't get me started on those black helicopters...
should be optional
There are those for whom this would be a boon. My father, bless his rather antiquarian ways, would be one of them. He only accesses the 'intaweb' from one spot, his home PC, and currently he is a little scared of online transactions, although he has recently started, but banking - woo, that's a bit too far at the moment, and this would give him the reassurance he needs. But for those of us who use more than one machine in the world - No thank you.
I'd much rather either a) be responsible for not being phished, or if a middle ground is required, b) have a list of 'acceptable IPs/ranges/hostnames' for logging in from (using my current details). I am perfectly happy not to have the complete freedom to log in from random internet cafes, as quite frankly that is a little brave, to say the least, but I guess it would need some form of method for updating the ranges in real time. I think they have a new device called the telephone for that sort of thing.
Not to mention that this will completely bugger up the Egg-style password safes - although I still haven't quite got over being told by their security techs that there were no plans to ever ever support Firefox or other browsers due to lack of security compared to IE6, so perhaps that is no great loss after all :)
The card reader doesn't have to be a PC peripheral. Mine (from UBS, also since around 2001) is the size of a small pocket calculator that the card slots into. Get this - it functions as a calculator too!
I just stick it in my pocket with the card in.
Before this they used scratch lists.
To clear up a couple of misunderstandings
The reader does not connect to the computer. It is used as an external means of getting one-time passwords based on the chip on your bank card. Therefore browser compatibility is not an issue. It also means that you have a real air-break between the device and the internet.
I'm not sure whether they are enabling the feature in this trial, but the readers also provide means to 'sign' a payment by keying in details and generating a hash. This is an effective defence against the man-in-the-middle attacks Sophos seem to be worried about.
It works well for online banking, since the bank can implement all the extra measures they want based on the standard. This at least prevents account take-overs. Whether it gets used by online retailers is a different matter. It's also a UK only standard, which means that it's unlikely that international online retailers would ever make use of it. Therefore it wouldn't prevent someone from using your card details to make purchases, except as an extension to something like the 'Verified by Visa' service.
Trend Micro wrong - Sophos better
"Consumer confidence in online transactions and online banking has been waning and better safeguards, such as biometrics or smartcards needs to be considered by other banks,"
Yeah! Thank you for pushing for the technology hype. What about using our brain for 5 secs?
Banking security doesn't need biometrics. Biometrics is for identification only, and in this case it is optional and not sufficient. It is easy to imagine a scheme using biometrics (like most schemes today, actually) that can't even counter phishing or man-in-the-middle attacks.
To counter 99.99% of current and future internet banking attacks, the only thing you need is a strong transaction authorisation scheme. Authorisation means "signature on the transaction *content*", i.e. integrity protection + non-repudiation.
How to do this? Easy! Example: 1 secure device, 1 secure display (for showing the content) and 1 secure input device (for signature). Like a small calculator with cryptographic keys. You enter the amount, you enter the target account, you enter your password, and you receive an authorisation code. The calculator is the token, the password is the authorisation step --> 2-way authentication.
Now, that is *really* secure! And actually very easy to deploy and use (you can take the calculator anywhere with you).
That banks just keep doing it the wrong way is either proof of their ignorance in the matter or of their lack of will to really solve the issue.
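The two comments above (the unconnected reader that "signs" a payment by keying in the details, and the calculator-style token that turns amount, target account and password into an authorisation code) describe the same mechanism. The following is an added illustration, not code from the original thread and not the real PINsentry/EMV-CAP algorithm: a constructed card key, PIN and account numbers stand in for the real ones, and the bank is assumed to hold a copy of the card key. It shows why a code bound to the transaction content defeats a man-in-the-middle who alters the payee, and why a counter stops replay.

```python
import hmac
import hashlib
import struct

# Constructed demo values (not real card data). The key lives on the chip and
# the issuing bank holds a copy; the PIN only unlocks the chip on the token.
CARD = {"id": "card-0001", "key": b"constructed-card-key-0001", "pin": "4921"}
BANK_KEYS = {"card-0001": CARD["key"]}   # bank-side copy, indexed by card id


def encode_txn(amount_pence: int, dest_account: str, counter: int) -> bytes:
    """Fixed-width encoding so token and bank MAC exactly the same bytes."""
    return struct.pack(">QI", amount_pence, counter) + dest_account.encode()


def auth_code(key: bytes, txn: bytes) -> str:
    """HMAC over the transaction, truncated to an 8-digit code a user can type."""
    mac = hmac.new(key, txn, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def token_sign(card, pin, amount_pence, dest_account, counter):
    """Handheld device (never connected to the PC): the PIN unlocks the chip,
    the chip signs the keyed-in details. Returns None on a wrong PIN."""
    if not hmac.compare_digest(card["pin"], pin):
        return None
    return auth_code(card["key"], encode_txn(amount_pence, dest_account, counter))


def bank_verify(card_id, amount_pence, dest_account, counter, code) -> bool:
    """Bank recomputes the code over the transaction it actually received;
    any change to amount, payee or counter on the wire makes this fail."""
    expected = auth_code(BANK_KEYS[card_id],
                         encode_txn(amount_pence, dest_account, counter))
    return hmac.compare_digest(expected, code)


def demo():
    """Genuine payment verifies; the same code on a tampered payee or a
    replayed counter does not."""
    code = token_sign(CARD, "4921", 12_500, "12345678", counter=7)
    genuine = bank_verify("card-0001", 12_500, "12345678", 7, code)
    tampered = bank_verify("card-0001", 12_500, "87654321", 7, code)  # payee swapped
    replayed = bank_verify("card-0001", 12_500, "12345678", 8, code)  # next counter
    return genuine, tampered, replayed
```

The bank side needs only the card key and the transaction it received, so browser, OS and any malware between the reader and the website are irrelevant to the check.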
If I wanted to carry a calculator...
...I'd carry one. And probably buy a pocket protector too. But I don't, and my phone has a calculator built in anyway.
My employer already foists a second phone, two smart cards and two RSA tokens on me, none of which I particularly want to carry, but I do because it's part of the job. If a supplier (which is all a bank really is) wants me to carry more crap around, they can stick it.
Re: ABN Amro using 2-factor authentication
Is the ABN Amro solution the same one that's currently listed on El Reg, because it's been circumvented via a MitM attack?
I keep my money in a shoebox underneath my mattress. There's no chance of a MitM attack happening without me being aware.