Logistic and technical issues have hampered the rollout of a system designed to thwart phishing scams by UK bank Barclays. The bank is issuing calculator-sized chip-and-PIN 'PINsentry' card readers to its online banking customers in a bid to combat online fraud. Barclays' online customers (both consumers and small business) are …
>> Logistic and technical issues have hampered the rollout of a system designed to thwart phishing scams by UK bank Barclays.
WTF ? Barclays are up to this phishing lark as well ? Well at least someone is trying to thwart them. My friend in Nigeria said he would help protect my bank account details as well, if I told him what they were.
In Soviet Russia,,,,
FINALLY! UK gets these. We've had these across Europe for years, you can make bank transfers and pay bills safely even in Soviet Russia in an internet cafe.
I was getting sick of hearing UK whine about identity fraud when a fix was available years ago.
Now if you can fix your credit card purchase validation problem, Netherlands is using iDEAL for this, Visa and Mastercard are refusing to fix their online validation problem (their policy is cross fingers and if the transaction is bogus, bill the merchant), so the Dutch banks had enough and designed their own system:
"Jerry-rigging". Surely something is either "jury-rigged" (as a quick 'n dirty fix) or "jerry built" (shoddily constructed)?
The mixed metaphor squad will be kicking your door in shortly, I'm sure.
had it for years
with my Dexia account. Little hand held swiper, you need your cashcard and PIN and it does a challenge response routine to log in or make a payment. Works nice, and their charges are not that bad.
Even my el cheapo free bank account that I have had for a while is going to start doing this, I think.
c'mon UK of A ... time to play a little catchup.
Very happy with pin sentry.
Device arrived automatically as I regularly do transfers and set up new payees. I have had no issues what so ever and did not have to replace my debit card. The system is very simple to use and also means that new transfers are validated immediately rather than getting held for 24 hours for fraud checks as previously happened.
Only issues I see are leaving my debit card at home in the device by mistake and possibly having to take it away with me as I sometimes do transfers whilst travelling.
With any new system or large rollout, there will always be those who don't like it, take time to get used to it, find it difficult to understand and a few circumstances where things don't go smoothly.
I hate these things
I really do - I was forced to use one in Sweden, just hassle. If you go traveling you're screwed or you have to carry it with you (which means you forget it etc.). Now I have to carry this thing with me if I go traveling. I also need to remember my 'Verified by Visa' junk. All in all, it's a system that's more error prone than anything else.
The Finnish system on the other hand rules; I have a set of once-off 4 digit codes, along with a bunch of reuse verification codes. They come as the size of a credit card, laminated and with 3 pages. If I don't want to carry that with me I can enter the codes into a PDA, my computer or my phone.
These boxes are just like airport security; It only affects the ones who are honest. (Any proper criminal will come up with a way to get around these boxes).
It sounds like a great programme (read the details for both merchants and users), but it requires the banks to be on-board. In the UK I suppose APACS would do well to subscribe to the system to allow all banks to use it. Of course, organisations like MBNA may not want to join, but who do you push to get this kind of programme accepted?
C+P works in France and Germany, Netherlands and Italy, so banks might simply dismiss the idea of having a separate authentication system for online shopping.
"Barclays said that since most users carry out e-banking transactions at home" whereas the rest of us now have to carry a stupid little card reader back and forth between home and work :(
PITA = Pain In the A*se
And what exactly is wrong with sending a one time code via SMS instead of doing all this crap. Simplicity is key to sell security to customers and nothing can beat the good old text message. But no, let's give them a backpack's worth of hardware and user guides, let's make sure they cannot use the system. That'll teach them.
Handy little device
Especially if you mug someone and want a quick way of confirming their PIN. Simply insert card, type in PIN and you have confirmation.
Well done to negating the advantages of online banking. What used to be a simple, use anywhere system now requires a bulky device to be carried at all times. Boo.
If you're daft enough to be taken in by phishing scams, you shouldn't be using online anything tbh.
Don't want to carry the reader between home and work? Just get two of them. Since it's a standards-based device, the idea is that they'll eventually be commonplace, and you'll just have to carry your cards (which you carry anyway). You'll still have to take it when you travel, though.
SMS can be a good solution, but it doesn't work everywhere, doesn't work all the time, and doesn't work for everyone.
Using the reader for log-in is excellent, but leaves the door open to advanced Trojan/man-in-the-middle attacks. But they've thought of that--it can also be used to authenticate specific payment details. In this mode, it offers extremely high security. Pre-printed password lists can't adapt in this way.
Finally, note that you don't need a PC to use the reader. In future, expect to see it used for mail-order and telephone-order shopping, and e-commerce applications. According to APACS figures, that's where the bulk of the fraud is.
It's all jolly high-tech, but here is a lower-tech replacement.
Whilst at home:
1) Use the PINsentry calcumalator and your debit card and follow the instructions supplied by Barclays for generating the magic numbers needed for the online banking site.
2) Write it down on a slip of paper. I find the back of the perforated receipts you get from the newsagent to be ideal.
3) Repeat steps 1 and 2 until you have run out of space on your paper.
When out and about, without your PINsentry bulkomatic pocket filler:
1) Go to the Barclays site. When prompted for the magic number generated by the PINsentry type in the first number from your piece of paper.
2) Tear off and discard that first number from your piece of paper to avoid accidental repetitious use.
It works for me. YMMV.
I like to check my account regularly, whether I'm at work, at home or travelling and with the introduction of this system I can't (unless I carry this stupid device with me everywhere I go). I've changed banks now because of this (and their ridiculous daily transfer limits). Goodbye Barclays.
Yep tis a pain! Although you're meant to need it to transfer money to people you haven't transferred money to before, Barclays seem to have removed any previous entries you had in your payment address book! grrrrrrr
There are three problems with cards and online transactions.
1) Someone steals it and uses it for online transactions.
2) Your computer is compromised and/or you're entering your details into a phishing site.
3) The fake merchant you're buying from steals your card details and uses it for online transactions.
Exactly which of these problems does a one time pad solve that a piece of paper with a list of pin codes and numbers does not solve, it just makes it far less usable for the user as far as I can tell. Usability -1, Security -1. (-1 for security assuming that the OTP can be used to guess the user's pin code by trial and error).
On the plus side, I was happily surprised that they didn't deploy chip and pin readers which use telephone touch tones back when chip and pin was deployed in the UK.
(1) and (3) are solvable by using something like ideal (someone else already mentioned it), in Finland we have something like ideal except in order to pay someone from your bank account you go to your own bank's website (redirected from the online shop, including payment details), effectively the same but without the middleman, we only have 4 major banks though. All the banks use a password combined with one time passwords (normally printed on a credit card sized piece of card). Unrelated, but interesting; physical purchases in shops over €50 require identification when using plastic, it's not foolproof but it's a hell of a lot harder to abuse than the UK system.
(2) can be solved by educating the idiots that use the Internet to keep their computer(s) secure, patched and how to recognize a phishing site.
These things are the worst idea I've ever seen. First the device is huge compared to those nice key chain authenticators other banks use, so you go from internet banking anywhere to internet banking at home and if you do choose to use it outside the home then how secure is it entering your pin code into this device in an internet cafe? Then the damn thing doesn't work, it says in the manual that it should work with "all" your existing cards, we tried 3 cards and it worked with 1. Then they have to send you the device, we currently live abroad and they sent it to our UK address, for a certain time you can select "we have not yet received the pin-sentry" and access as normal but then they force you to use it, cutting off our access to internet banking until we were next back in the UK (and the call centre would not override this for us).
I'm leaving Barclays
I hate this system. I think the reasons are pretty well stated in the link in the article.
What I want to know is why Barclays haven't:
a. Made this optional? I will never fall for a phishing scam, so why do I have to suffer for those that do?
b. Replied to my email complaint 3 weeks ago which has an SLA of 3-5 working days?
Does not work with other banks' cards
My mastercard and another bank's cards both generate "card not valid" responses when I put these cards in.
Does this mean I have to carry 3 of the flipping things depending on what I want to use. Another reason I have to dump Barclays as a bank.
I recently worked out that I was about £100 worse off banking with Barclays than (say) Nationwide, thanks to low current account interest, overdraft interest rates, and international ATM charges. The pinsentry device was the icing on the cake really. Completely impractical if you use online banking anywhere other than in the home. Farewell Barclays, and no longer shall I have to listen to your callcentre staff trying to upsell 'Additions' accounts or home insurance policies.
I can still log in even without the device. Barclays online banking will let me in with my old details (long pin, memorable word etc.) to check my balances and transfer money around my own accounts (which is most of what I do online) then when I need to pay externally I can log in with the pinSentry.
I thought I'd hate it too but it's not that bad. Yes it's big, ugly and awkward but it's version 1 and not really worth changing banks for. Barclays has always had better online security than most other banks. My old US bank, for example, used to use my debit card number and its ATM pin as login credentials.
Having said all that, of course, it's Barclays so people will still complain. "Grr profits bank grrr city bonuses grr corporates grr capitalism globalisation grr save the whales aaagh climate change we're all going to die and it's everyone else's fault but mine."
half hearted and ignoring users
Yep this device is a pain as most people just don't carry it around. In business these transactions are done all over the place... at home, at work, on the work laptop in the other work office, etc etc.
As someone else said they negate all the versatility of online banking by tying you to your home. They also make things easier for crimes who mug you, as they get the card and the reader.
Perhaps if big companies spoke to users (i know a crazy idea) then they would have learned something.
Not a barclays customer anymore.
so if you get mugged and someone nicks your bank card, it's likely you'll also be carrying your pinsentry so they'll take that too
although apparently any pinsentry unit will work with your card
i don't see how that makes it more secure - it's just the same as if i lose my bank card at the moment and someone picks it up
if someone has been able to phish your name, account details, the nth letter from your 'secret' passcode, the mothers maiden name and the age your cat died when you were a kid, then surely it's not beyond their means to have also cloned your bank card the last time you used it to buy petrol.
if most people use it at home, then what added security is it going to give? only to someone sitting outside snooping on your wifi i guess. but any man-in-the-middle systems won't be compromised by this
am also seriously thinking of ditching Barclays - i moved all my current accounts to an online bank because of those bloody stupid adverts and only keep the Barclays for the cashing cheques. am thinking of ditching that too now
Barclays catchin up fast...
Why do these solutions take so long to implement in the UK, with its long banking tradition? Like someone said before, this is being used for years now in other countries. Whether you like the solution or not is a different topic. As far as travelling goes, it fits in your laptop bag among the iPod, mobile, SatNav and your laptop of course.
PinSentry sucks, it's the inconvenience of being forced to carry the plastic calculator back and forth between office(s) / home(s). Despite what they imply they force you to use it even if you just want to logon & check balances OR transfer to existing individual/organisations with whom you already have a relationship. It's a PITA!!!
I'm looking for alternative banking...
One of my businesses was one of the initial large pilot group. It is a royal pain to take the PS with me anytime I'm traveling (*) , and if it's lost in transit, so's my business's banking until a replacement can be obtained. Not easy if I'm in Guangdong, China or Silly-Con Valley at the time.
"[...] most of the other banks who decided to deploy this have therefore been quietly issuing these new cards for quite some time as part of their normal card issuance/replacement programmes" -- well, I've tried mine with a Co-Op Plat. Visa, HSBC Premier Maestro (brand new card), Abbey Business Visa Debit and AmEx Green Debit (also new), and it gave "Card not valid" for each, so I'm guessing the rollout isn't that advanced, yet.
Jocke had it right: it's only the honest ones who are inconvenienced. Barclays is being seen to be taking action, so that's OK. (Irony.)
(* @Robin - nice idea on the face of it, but if someone gets the paper, you've just handed over many accesses to your online banking - best to store the numbers in a way that's somewhat obfuscated, for example by deliberately subtracting a fixed amount, known only to you, from each)
Internet banking? Never saw the point
There are only three reasons I ever go near a bank branch. (1) To pay in money, (2) To draw out money, or (3) Very rarely, when all else has failed, to speak to a human being. Since it's not possible for me to upload a digital photograph of a pile of money to my bank account, nor to print pound notes out of my printer, the Internet can't replace what I need out of banks.
Whats the matter with you people!
This is very similar to the on line banking system UBS implemented in the previous century. It works fine for me, and is actually much easier than the previous "list of signatures" thingy.
As for the "I will never fall for a phishing scam" - read a few security blogs the levels of technical sophistication involved in some scams beggars belief. I suppose Switzerland is much more of a target than the UK as the bank accounts contain money rather than overdrafts.
I've had one of these from NatWest a few months ago. Thus far, I haven't been forced to use it. I can assure El Reg, that if and when I am required to use it, and they don't disable it immediately when I request they do so, I shall be informing them that "There is another way" and closing my account!
...er, does anybody know of a bank that has not introduced and has no plans to introduce this crap?
I'm in the process of moving our business away from Barclays, they are a completely hideous operation.
We make 20-30 payments every day, I do not appreciate having to put my pin into this crappy little box every single time I want to pay an invoice, it has made our life hell and yet Barclays refuse to remove it - it now takes me 4x longer to pay invoices.
Not only this, we moved offices and in the process lost the pinsentry device, we needed to move money urgently or we were going to go overdrawn from direct debits. Barclays wouldn't let us pick one of the devices up at a bank, they wouldn't let us transfer money over the phone, and it took a good 7 days for the unit to arrive ... by then we were well overdrawn and they even had the cheek to charge us for going overdrawn, refusing to refund the money!
Take some advice - go with a bank who have a clue about what a business actually is, like Alliance & Leicester Commercial.
To the "PinSentry Grumbles" AC. Yes, Pinsentry would not work with those cards. Two of them are credit cards, and the other two belong to the two major UK banks who are currently not planning to roll out two factor authentication. AFAIK this is usually deployed onto Debit Cards.
@jai - The PINSentry application resides on the secure portion of the chip, and is extremely difficult (if not impossible) to clone, and you still need the pin and the owner's internet banking credentials. Current card cloning usually involves cloning the magstripe and using overseas where chip and pin is not deployed.
To those proclaiming the superiority of "nice key chain devices" or cards with printed TANs (Transaction Authentication Numbers). Fraudsters already have ways around those, predominantly involving capturing and replaying the code, or using trojans to alter transactions on the fly. To be blunt, if a UK bank is giving out TANS or time based token generators, then they don't understand the problem. The reason PINSentry is better is that it can be used to validate the actual details of the transaction (ie Account number and amount).
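The distinction drawn in the comment above, between a code that only proves log-in and a code computed over the account number and amount, as an added example (not part of the original thread, and not Barclays' or PINsentry's actual algorithm). The HMAC construction, the counter window, the key and the account numbers are all assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 10  # assumed look-ahead: how many unused counter values the bank will try


def _truncate(mac: bytes, digits: int = 8) -> str:
    """Reduce a MAC to a short decimal code (RFC 4226 style dynamic truncation)."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(key: bytes, counter: int) -> str:
    """Code that depends only on the shared key and a counter: proves possession, nothing else."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _truncate(mac)


def payment_code(key: bytes, counter: int, account: str, amount_pence: int) -> str:
    """Code that also covers the payee account and amount the customer keyed into the reader."""
    msg = counter.to_bytes(8, "big") + f"|{account}|{amount_pence}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


class Bank:
    """Server side: keeps the next expected counter and accepts codes within WINDOW of it."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def _match(self, code: str, make) -> bool:
        for c in range(self.counter, self.counter + WINDOW):
            if hmac.compare_digest(make(c), code):
                self.counter = c + 1  # everything at or below c is now spent
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._match(code, lambda c: login_code(self.key, c))

    def verify_payment(self, code: str, account: str, amount_pence: int) -> bool:
        # The bank recomputes over the details *it received*, not the ones the customer saw.
        return self._match(
            code, lambda c: payment_code(self.key, c, account, amount_pence)
        )


def demo() -> dict:
    key = b"constructed-demo-key"          # constructed sample secret
    bank = Bank(key)
    results = {}

    # Log-in codes are not tied to time or to any transaction: codes generated
    # earlier (card counters 0..2) are accepted later, until a newer one is used.
    stored = [login_code(key, c) for c in range(3)]
    results["stored_code_accepted"] = bank.verify_login(stored[1])
    results["older_code_rejected"] = bank.verify_login(stored[0])
    results["replayed_code_rejected"] = bank.verify_login(stored[1])

    # Payment code: the customer keys the intended payee and amount into the reader
    # (card counter is now 3). Account numbers below are constructed.
    intended = ("12345678", 2500)
    code = payment_code(key, 3, *intended)

    # If the details reaching the bank differ from what was signed, the code fails.
    results["altered_payee_rejected"] = not bank.verify_payment(code, "87654321", 2500)
    results["altered_amount_rejected"] = not bank.verify_payment(code, "12345678", 250000)
    results["intended_payment_accepted"] = bank.verify_payment(code, *intended)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
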
SMS One Time Keys
No one has responded to "Anon Coward's" point about sending one time keys to your mobile phone; a suggestion I've been trying to punt for about 5 years now. It requires one extra field in their database, to store the phone number. The validation of any transaction requires you to hand over to the checkout assistant or website the 4 digit PIN you've just received on your mobile. Which means that anyone using a credit card must also be in possession of the Mobile it was registered with. Yes the thief could steal both, but it won't be long before they're reported missing and the mobile and card can be deactivated, minimising ongoing risk.
Would someone care to explain what would be wrong with that?
Agreed, not everyone has a mobile phone. Those who don't can use one of the alternative systems and pay extra for it. But given that about 95% of the population does indeed have mobiles, it seems a no brainer that it should become our primary authentication platform.
(See http://www.fullmoon.nu/book/side_issues/IdentityCards.htm for more on that)
Not good enough to make me want to switch!
I liked the old system and have used it for at least 8 years. In this time I have not been a victim of online fraud.
This is not so secure as it looks since an attacker will now need to watch for your pin number and then get the card off you (clearly dangerous) since they need the physical card, also there is no extra security on the pin sentry device as one lady in barclays tried to tell me "The one sent to you will only work with your card" - erm no.
Also to quote Bruce Schneier :
"Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time."
At the moment I have asked them to reverse the change for me, which they did eventually - for a limited period.
Aside from the nonsense of carrying this piece of hardware around...
@Tim - Re: "Barclays has always had better online security than most other banks."
Source? Smile.co.uk was the first bank (and still the only one?) to be ISO27001 accredited.
@A J Stiles - Re: "Internet banking? Never saw the point"
Internet Bank + Post Office is a splendid setup for 1) paying in and 2) withdrawing money. And having 3) never required any face-to-face dealings with objectionable individuals due to totally exemplary call centre staff, Smile.co.uk comes out on top once again. Internet banks like Smile and Cahoot were/are inherently set up to more efficiently than Barclays/HSBS/HBOS/LloydsTSB. We're heading back towards the time when online banking meant installing some software specific to one PC and being tied to that PC. And even when 'the big four' ditched the PC-specific setup, and tried to play catch-up with Smile/cahoot et al, each and every one of their online login procedures were an absolute textbook case in user unfriendliness. Whenever there has been a small hiccup with Smile, they've always fixed it quick-smart. The big four have systematically lost my custom due to major grievances.
@ Harry Stottle
(A bugger for the bottle? Sorry, Python joke.)
The problem with mobile-based authentication is that it assumes that the user is in coverage and not subject to SMS delay. Neither is guaranteed, particularly for anyone who travels abroad a lot - and that includes many board-level business-people.
I don't have a problem with the idea of mobile authentication as such, it's just that there has to be a fallback alternative, because it's simply not a complete solution in and of itself.
[Same AC that posted "PinSentry grumbles" above]
Smoothly - Says Who????
I had a pinsentry imposed on me by Barclays for a small business account - things did NOT go smoothly
You'd think that a bank imposing four factor security would put a little effort into designing the introduction process. Not so Barclays. And yes, it IS 4 factor - pinsentry, card, pin, ID of person permitted to carry out online banking.
Generally the business only needs to do banking a couple of times a month, and that's usually weekend evenings. Pinsentry arrived at a time which was busy with customer facing activity so wasn't used the first time banking was required. The second time, the original process had been disabled and I had to dig out the ps and the new card which also arrived, and the new pin. Ploughing through the documentation it became clear that the card number on the new card issued by Barclays should not be acceptable to the PS. PS did not like the old card. Needless to say, Barclays does not provide a round the clock help desk, even when enforcing major change in short timescales. So I couldn't do the banking. And of course the help desk hadn't a clue what PS was about.
Eventually it turned out that Barclays had sent out incorrect documentation and the card was OK - and if the documentation is lacking it doesn't give much confidence in the whole setup. But just a little common sense applied to the transition process would have given a fallback when the new PS process failed to work properly
@djberriman : Fabulous System
I've had first hand experience of Barclays problems...
First i receive a 'replacement' card two months after I received a replacement card that i actually requested - no cover letter etc explaining that the reason I received the second replacement was PinSentry... for a while have also been asked if I had received my PinSentry device whenever I logged into on-line banking - last weekend i drove past my old address (of about 18 months ago) and called on the off chance they had any mail for me.
There it was, received a month or two earlier - my PinSentry device!
I guess I'm just lucky my 'replacement' card arrived at the correct address...
Natwest introduced this a while ago
But I've never needed it yet ... rang up and asked the nice man which of the 3 cards I should be using (debit/credit/joint debit) and how this was better than the old pin system (which is a PIA but at least one you can carry around in your head).
He offered to send me another device to keep at work. Then said I could use telephone banking, which I've never used because I use internet banking!
Not heard anything for 8 weeks or so and I'm beginning to wonder if they've quietly dropped it ... suspect I wasn't the only hostile customer ringing in ...
I knew this was coming. I used to be with Woolwich, and was perfectly happy.
Then Barclays buys Woolwich, and slowly we get moved over.
I'm already not happy with their attempt at doing the account sweeping, and having seen several other Barclays clients at work have these calculators arrive, I know it's only a matter of time before I get sent one.
When it does, I'm off!
I do most of my online banking from work, and I don't want to have to carry this damn thing about. How about a challenge response for Symbian, then I can just use my phone to make the numbers? After all, this new system is only secure if you don't lose the card and the calculator, and I'm far more likely to notice my mobile phone has vanished than their silly little box.
For years we've been told not to write our passwords down and here's evidence that the message isn't getting through! I wouldn't advocate anyone doing this.
While I don't use the Barclays PinSentry device, I've used one in a development project. There is a security flaw with authenticating yourself with one of the devices. If you go down the pub and show it to your mates, and one of them remembers one of the numbers (he'd have to be numerically minded as they tend to be 8+ digits long), he could potentially sign in to your online bank account using it. It's a valid number and will remain so until the real owner actually uses the card reader and a new passcode in their bank's online site. OK, he'd also need to know your username and possibly your date of birth or something personal about you, but it would be possible.
Despite this, I'd use it if my bank introduced it. As more banks roll this technology out, there will always be someone else that has a reader if you forget to take yours to work. Then I'd have to watch out for the man in the middle scams. How many people are so paranoid that they check the certificate for the web site they're accessing these days? Count me in.
For Harry Stottle
In South Africa the First National Bank uses a SMS code to authenticate online transactions, for each transaction.
As a result, clients are now being targeted for theft of their mobiles. Or, if the criminals can't grab the phone, they steal the number: once the nasties know a bank client's mobile number, they (the crooks) report the phone lost or stolen, and obtain a "replacement" SIM card from the cellular service provider by submitting bogus documentation.
When the thieves have the new SIM card, now programmed with the bank client's phone number, they set about draining the account. Which they can do, because they now get all the one-time transaction codes.
By the time the bank client complains about not being able to make or receive calls, the account is empty.
So in practice it is not proving as successful as the bank had anticipated.
It should also be noted that a standard SMS is not encrypted and could be grabbed by a scanner within the footprint of the cell that the mobile user is in.
Re: Re: Overkill
"If you go down the pub and show it to your mates, and one of them remembers one of the numbers (he'd have to be numerically minded as they tend to be 8+ digits long), he could potentially sign in to your online bank account using it. It's a valid number and will remain so until the real owner actually uses the card reader and a new passcode in their bank's online site. OK, he'd also need to know your username and possibly your date of birth or something personal about you, but it would be possible."
Only if you are the sort of dimwit who thinks that letting your mates see your online banking details is clever.
I suppose you let your mate type in your PIN number for you at the ATM, and walk down dark alleys counting the twenties in your hand out loud, yes? Because that's about as clever...
Not The first and not the last
Barclay's have always been some three to five steps behind the pack at the best of times and their Swedish Bank counterparts continue to run rings around them on the security side since the dawn of the electronic age !
The only polite thing to say about those brain dead wankers at that bank is that they routinely seek out and employ many more of the same identical idiot clones as themselves who at best know no more than one percent of everything in every field and at every skill level as they make those with an IQ less than 75 look quite intelligent !
The bank is a living testament to the "Peter Principle" and would even make all those one cent in the dollar Kiwi's from the twin islands of the South Pacific beneath the continuous white fog bank quite proud as to how cheap they can go !
Still it is a pity about the Dutch customers being hooked up with these extinct living dodo's !
Never mind perhaps in about thirty years time the Chinese who are bankrolling this dog of an amalgamation due to extensive self induced problems in the World of Bush , will send in the cleaners to remove the deadwood at every level !
Not exactly new
Anon#1: Soviet Russia collapsed in 1989, some years before any sort of Internet banking became available. So using one of these from there would be clever, to say the least.
I have had the Swiss version of PinSentry for about 5 years - it has its own dedicated card and works well. It allows them to offer things like SWIFT transfers that you wouldn't want to provide on a password only service.
I am surprised that Barclays don't offer a more sophisticated device with a USB port. Also, it would make sense for the banks to get together so that only one device was needed - and while they're handing out devices, adding "electronic wallet" functions for personal payments would make sense.
barclays really do suuuck...
i've been with them for over 17 years and have 2 accounts...
i recently had to complain as they sent a replacement card to a previous address, even tho i had changed it and i got an apology letter which stated that they had lost my original complaint (so they didn't know what they were apologising for), but apologised anyway...i got £75 for that one.
i also remember the time that someone from abroad (via email) said they wanted to buy something i was selling, so asked barclays what to do and they said get the person to send the cheque to us...so this dork sent barclays some fraud check, so barclays shut all my accounts.
so i said to them, excuse me, i was doing what you said?
i got £100 for that one...
then this fiasco...cos ur surname, banking number, passcode and 2 random letters from your pass word isn't enough...^^
...and then you ring up some call center in the phillipines and try and talk to someone about it...
PIN SENTRY FIX
All you have to do is to write down the pass code the pin sentry generates as many times as you want and take the list with you to work or on holiday or wherever. The pass code is not time dependent and appears to work fine whether generated on the sentry at the time or input from a list of pass codes in the future. Simply cross off the number you just used. So hardly secure at all really.
Possibly one of the worst security "fixes" ever introduced (FORCED) to customers. Seriously considering changing home and business accounts
My missus is happy with PIN Sentry
It all worked pretty much as advertised. She tried to transfer some money to me, but was prevented by the Barclays web-site because she needed said PIN Sentry. That arrived in the post a couple of days later, and a new card a couple of more days after that. She's used it, and is very happy with it.
Anyway, it's much better than the Nationwide's idea of security. They recently asked me to answer a whole load more of "secure" "standard" questions.
That's great that is... NOT!!!
Natwest sent me one of these little doo-dats ages ago but they never seem to have used it. I'm hoping they implement it soon - the age of passwords and pin numbers for online banking is well and truly dead. We need single usage authentication ASAP.
After 20 years as a foolishly loyal barclays customer this Pin Sentry has finally driven me to switch away to a different bank.
The main problem that I have with it is that I used to have two completely separate sets of credentials username, 5 digit pin and password for my online banking and pin debit card/pin number for giving to those pesky retailers when out in public.
In the old world if you managed to use one of the ample opportunities to shoulder surf me in the petrol station, supermarket etc etc you could only get access to the funds in my current account (normally only sufficient enough cash for day to day banking)
whereas now without too much effort, you can go online, use the openly available card reader, the pin number you shoulder surfed and my birth date (not exactly uncommon knowledge) to go to the barclays site and find out my username for online banking (it does tell you online, they don't post it to you) and then you can not only nick all the money in my current account, but you could empty all my other accounts into the current account and spend that too. Or even pay yourself up to £2,500 because Barclays are so confident in this piece of crap that they have upped the maximum transaction level.
I hate these things, I am forced to use one and it's made online banking a real chore having to dig this thing out of my drawer when I just want to check my balance. I never take it out of the house as I don't want to lose it, so I can only ever check my account at home.
How long before the numbers rub off the buttons on my little calcumalator, helpfully revealing, if not the order, the 4 (or less for repetitions) most used digits on the keypad?
"OOOOO....K so the '4' has been completely erased so I am gonna go with 4444.......Bingo"
PS If your PIN is the same digit 4 times, you deserve to be robbed blind, but you get the idea!
I'm off to rub 4 random numbers not in my PIN off of my PinSentry.
*The name of this poster has been changed to protect the sarcastic.