Barclays Bank is introducing a handheld chip and PIN card reader for the home in an escalation of its online banking security. Other chip and PIN cards will work with the Barclays device, not just cards issued by Barclays. Barclays has designed its system in accordance with standards issued by payment association APACS. …
Easy way to get two auth codes
Unfortunately, most people, if presented with a login failed screen, will enter the details again.
By automatically failing the first login attempt, this behaviour will give man-in-the-middle attacks two authentication codes.
Hopefully this means that we'll be able to use the system from any operating system. If it was a USB plug-in module with only Windows drivers available, I'd be trying to avoid it for as long as possible because I'd rather use internet banking from my Linux PC than from the family Windows PC even with a PINsentry.
Let's think now. You have to use the PINsentry twice. Tricky one that, eh? How could a phisher possibly encourage a victim to use the device twice?
It's a good job they'd never think of a bogus "login failed" message implying that the PIN had been entered incorrectly or that the session had timed out and you had to log in again.
ABN AMRO two factor authentication
I'd like to correct the misconception about the ABN AMRO two factor authentication; the ABN two factor authentication is required at login and when finally submitting the batch of transactions you have created.
The man in the middle attack worked by piggybacking a rogue transaction as part of the final submission. The bank now suggests to always verify your balance after submitting the transactions; not that a smart MITM could not subvert that check.
When rogue software on your computer interferes with your web browser, the game is basically over except in those cases where there is an additional out of band message, e.g., an SMS detailing all submitted transactions is sent as part of the verification process.
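
The out-of-band check mentioned in the comment above, sketched as an added example (not part of the thread and not any bank's actual implementation): the server lists every transaction it received in the SMS and issues a confirmation code that is only valid for that exact batch. The function names, message format, 6-digit code and sample batches are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the batch the customer created, and the batch as it
# reaches the server after a rogue transaction has been piggybacked onto it.
INTENDED = [{"payee": "Landlord", "account": "00000001", "amount_pence": 75000}]
TAMPERED = INTENDED + [{"payee": "Unknown Ltd", "account": "00000002", "amount_pence": 90000}]

def canonical(batch):
    """Serialise a batch deterministically so the same batch always hashes the same."""
    return "\n".join(f"{t['payee']}|{t['account']}|{t['amount_pence']}" for t in batch).encode()

def batch_code(server_key, nonce, batch):
    """Six-digit code derived from an HMAC over the nonce and the whole batch."""
    mac = hmac.new(server_key, nonce + canonical(batch), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def issue_confirmation(server_key, batch):
    """Server side: build the SMS from the batch as received, not as the browser shows it."""
    nonce = secrets.token_bytes(16)  # fresh per submission, so codes cannot be replayed
    code = batch_code(server_key, nonce, batch)
    lines = [f"{t['payee']} ({t['account']}): {t['amount_pence'] / 100:.2f}" for t in batch]
    sms = "Confirm payments:\n" + "\n".join(lines) + f"\nCode: {code}"
    return nonce, code, sms

def verify_confirmation(server_key, nonce, batch, typed_code):
    """Server side: accept the typed code only for the batch it was issued for."""
    return hmac.compare_digest(batch_code(server_key, nonce, batch), typed_code)

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    nonce, code, sms = issue_confirmation(key, TAMPERED)
    print(sms)  # the extra payee is visible on the phone, outside the browser
    # A code issued for the intended batch does not authorise the tampered one.
    n2, c2, _ = issue_confirmation(key, INTENDED)
    print(verify_confirmation(key, n2, TAMPERED, c2))
```

The check only helps if the customer reads the list in the SMS before typing the code, and if the phone is not the same compromised device as the browser.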