Technical problems mar Barclays' PINSentry roll-out

Logistic and technical issues have hampered the rollout of a system designed to thwart phishing scams by UK bank Barclays. The bank is issuing calculator-sized chip-and-PIN 'PINsentry' card readers to its online banking customers in a bid to combat online fraud. Barclays' online customers (both consumers and small business) …

COMMENTS

  1. Nick
    Coat

    barclays bankers

    >> Logistic and technical issues have hampered the rollout of a system designed to thwart phishing scams by UK bank Barclays.

    WTF ? Barclays are up to this phishing lark as well ? Well at least someone is trying to thwart them. My friend in Nigeria said he would help protect my bank account details as well, if I told him what they were.

  2. Anonymous Coward
    Happy

    In Soviet Russia,,,,

    FINALLY! UK gets these. We've had these across Europe for years, you can make bank transfers and pay bills safely even in Soviet Russia in an internet cafe.

    I was getting sick of hearing UK whine about identity fraud when a fix was available years ago.

    Now if you can fix your credit card purchase validation problem, Netherlands is using iDEAL for this, Visa and Mastercard are refusing to fix their online validation problem (their policy is cross fingers and if the transaction is bogus, bill the merchant), so the Dutch banks had enough and designed their own system:

    http://www.ideal.nl/

  3. TeeCee Gold badge
    Stop

    Pedant time.

    "Jerry-rigging". Surely something is either "jury-rigged" (as a quick 'n dirty fix) or "jerry built" (shoddily constructed)?

    The mixed metaphor squad will be kicking your door in shortly, I'm sure.

  4. Daniel
    Thumb Up

    had it for years

    with my Dexia account. Little hand held swiper, you need your cashcard and PIN and it does a challenge response routine to log in or make a payment. Works nice, and their charges are not that bad.

    Even my el cheapo free bank account that I have had for a while is going to start doing this, I think.

    c'mon UK of A ... time to play a little catchup.

  5. djberriman
    Thumb Up

    Fabulous System

    Very happy with pin sentry.

    Device arrived automatically as I regularly do transfers and set up new payees. I have had no issues whatsoever and did not have to replace my debit card. The system is very simple to use and also means that new transfers are validated immediately rather than getting held for 24 hours for fraud checks as previously happened.

    Only issues I see are leaving my debit card at home in the device by mistake and possibly having to take it away with me as I sometimes do transfers whilst travelling.

    With any new system or large rollout, there will always be those who don't like it, take time to get used to it, find it difficult to understand and a few circumstances where things don't go smoothly.

  6. Jocke Selin
    Thumb Down

    I hate these things

    I really do - I was forced to use one in Sweden, just hassle. If you go traveling you're screwed or you have to carry it with you (which means you forget it etc.). Now I have to carry this thing with me if I go traveling. I also need to remember my 'Verified by Visa' junk. All in all, it's a system that's more error prone than anything else.

    The Finnish system on the other hand rules; I have a set of once-off 4 digit codes, along with a bunch of reuse verification codes. They come the size of a credit card, laminated and with 3 pages. If I don't want to carry that with me I can enter the codes into a PDA, my computer or my phone.

    These boxes are just like airport security; It only affects the ones who are honest. (Any proper criminal will come up with a way to get around these boxes).

  7. Anonymous Coward
    Anonymous Coward

    About iDEAL

    It sounds like a great programme (read the details for both merchants and users), but it requires the banks to be on-board. In the UK I suppose APACS would do well to subscribe to the system to allow all banks to use it. Of course, organisations like MBNA may not want to join, but who do you push to get this kind of programme accepted?

    C+P works in France and Germany, Netherlands and Italy, so banks might simply dismiss the idea of having a separate authentication system for online shopping.

    :-\

  8. Anonymous Coward
    Thumb Down

    PITA

    "Barclays said that since most users carry out e-banking transactions at home" whereas the rest of us now have to carry a stupid little card reader back and forth between home and work :(

    PITA = Pain In the A*se

  9. Anonymous Coward
    Paris Hilton

    SMS

    And what exactly is wrong with sending a one time code via SMS instead of doing all this crap. Simplicity is key to sell security to customers and nothing can beat the good old text message. But no, let's give them a backpack's worth of hardware and user guides, let's make sure they cannot use the system. That'll teach them.

  10. Anonymous Coward
    Thumb Down

    Handy little device

    Especially if you mug someone and want a quick way of confirming their PIN. Simply insert card, type in PIN and you have confirmation.

    Well done to negating the advantages of online banking. What used to be a simple, use anywhere system now requires a bulky device to be carried at all times. Boo.

    If you're daft enough to be taken in by phishing scams, you shouldn't be using online anything tbh.

  11. Jonathan
    Thumb Up

    Hassle? Security?

    Don't want to carry the reader between home and work? Just get two of them. Since it's a standards-based device, the idea is that they'll eventually be commonplace, and you'll just have to carry your cards (which you carry anyway). You'll still have to take it when you travel, though.

    SMS can be a good solution, but it doesn't work everywhere, doesn't work all the time, and doesn't work for everyone.

    Using the reader for log-in is excellent, but leaves the door open to advanced Trojan/man-in-the-middle attacks. But they've thought of that--it can also be used to authenticate specific payment details. In this mode, it offers extremely high security. Pre-printed password lists can't adapt in this way.

    Finally, note that you don't need a PC to use the reader. In future, expect to see it used for mail-order and telephone-order shopping, and e-commerce applications. According to APACS figures, that's where the bulk of the fraud is.

  12. Robin
    Pirate

    Overkill

    It's all jolly high-tech, but here is a lower-tech replacement.

    Whilst at home:

    1) Use the PINsentry calcumalator and your debit card and follow the instructions supplied by Barclays for generating the magic numbers needed for the online banking site.

    2) Write it down on a slip of paper. I find the back of the perforated receipts you get from the newsagent to be ideal.

    3) Repeat steps 1 and 2 until you have run out of space on your paper.

    When out and about, without your PINsentry bulkomatic pocket filler:

    1) Go to the Barclays site. When prompted for the magic number generated by the PINsentry type in the first number from your piece of paper.

    2) Tear off and discard that first number from your piece of paper to avoid accidental repetitious use.

    It works for me. YMMV.

  13. Anonymous Coward
    Thumb Down

    goodbye Barclays

    I like to check my account regularly, whether I'm at work, at home or travelling and with the introduction of this system I can't (unless I carry this stupid device with me everywhere I go). I've changed banks now because of this (and their ridiculous daily transfer limits). Goodbye Barclays.

  14. Kerry Hoskin
    Thumb Down

    grrrrrrrrrrrrr

    Yep tis a pain! Although you're meant to need it to transfer money to people you haven't transferred money to before, Barclays seem to have removed any previous entries you had in your payment address book! grrrrrrr

  15. Antony Riley
    Flame

    Flaming idiots.

    There are three problems with cards and online transactions.

    1) Someone steals it and uses it for online transactions.

    2) Your computer is compromised and/or you're entering your details into a phishing site.

    3) The fake merchant you're buying from steals your card details and uses it for online transactions.

    Exactly which of these problems does a one time pad solve that a piece of paper with a list of pin codes and numbers does not solve, it just makes it far less usable for the user as far as I can tell. Usability -1, Security -1. (-1 for security assuming that the OTP can be used to guess the user's pin code by trial and error).

    On the plus side, I was happily surprised that they didn't deploy chip and pin readers which use telephone touch tones back when chip and pin was deployed in the UK.

    (1) and (3) are solvable by using something like ideal (someone else already mentioned it), in Finland we have something like ideal except in order to pay someone from your bank account you go to your own bank's website (redirected from the online shop, including payment details), effectively the same but without the middleman, we only have 4 major banks though. All the banks use a password combined with one time passwords (normally printed on a credit card sized piece of card). Unrelated, but interesting; physical purchases in shops over €50 require identification when using plastic, it's not foolproof but it's a hell of a lot harder to abuse than the UK system.

    (2) can be solved by educating the idiots that use the Internet to keep their computer(s) secure, patched and how to recognize a phishing site.

  16. Anonymous Coward
    Stop

    Clunky-tech

    These things are the worst idea I've ever seen. First the device is huge compared to those nice key chain authenticators other banks use, so you go from internet banking anywhere to internet banking at home and if you do choose to use it outside the home then how secure is it entering your pin code into this device in an internet cafe? Then the damn thing doesn't work, it says in the manual that it should work with "all" your existing cards, we tried 3 cards and it worked with 1. Then they have to send you the device, we currently live abroad and they sent it to our UK address, for a certain time you can select "we have not yet received the pin-sentry" and access as normal but then they force you to use it, cutting off our access to internet banking until we were next back in the UK (and the call centre would not override this for us).

    </rant>

  17. Chris Griffin
    Thumb Down

    I'm leaving Barclays

    I hate this system. I think the reasons are pretty well stated in the link in the article.

    What I want to know is why Barclays haven't:

    a. Made this optional? I will never fall for a phishing scam, so why do I have to suffer for those that do?

    b. Replied to my email complaint 3 weeks ago which has an SLA of 3-5 working days?

  18. Gavin Chester
    Unhappy

    Does not work with other banks cards

    My mastercard and another bank's cards both generate "card not valid" responses when I put these cards in.

    Does this mean I have to carry 3 of the flipping things depending on what I want to use? Another reason I have to dump Barclays as a bank..

  19. mark
    Thumb Down

    Adios Barclays

    I recently worked out that I was about £100 worse off banking with Barclays than (say) Nationwide, thanks to low current account interest, overdraft interest rates, and international ATM charges. The pinsentry device was the icing on the cake really. Completely impractical if you use online banking anywhere other than in the home. Farewell Barclays, and no longer shall I have to listen to your callcentre staff trying to upsell 'Additions' accounts or home insurance policies.

  20. Tim

    @goodbye Barclays

    I can still log in even without the device. Barclays online banking will let me in with my old details (long pin, memorable word etc.) to check my balances and transfer money around my own accounts (which is most of what I do online) then when I need to pay externally I can log in with the pinSentry.

    I thought I'd hate it too but it's not that bad. Yes it's big, ugly and awkward but it's version 1 and not really worth changing banks for. Barclays has always had better online security than most other banks. My old US bank, for example, used to use my debit card number and its ATM pin as login credentials.

    Having said all that, of course, it's Barclays so people will still complain. "Grr profits bank grrr city bonuses grr corporates grr capitalism globalisation grr save the whales aaagh climate change we're all going to die and it's everyone else's fault but mine."

  21. Anonymous Coward
    Thumb Down

    half hearted and ignoring users

    Yep this device is a pain as most people just don't carry it around. In business these transactions are done all over the place... at home, at work, on the work laptop in the other work office, etc etc.

    As someone else said they negate all the versatility of online banking by tying you to your home. They also make things easier for crims who mug you, as they get the card and the reader.

    Perhaps if big companies spoke to users (i know a crazy idea) then they would have learned something.

    Not a barclays customer anymore.

  22. jai
    Flame

    totally useless

    so if you get mugged and someone nicks your bank card, it's likely you'll also be carrying your pinsentry so they'll take that too

    although apparently any pinsentry unit will work with your card

    i don't see how that makes it more secure - it's just the same as if i lose my bank card at the moment and someone picks it up

    if someone has been able to phish your name, account details, the nth letter from your 'secret' passcode, the mothers maiden name and the age your cat died when you were a kid, then surely it's not beyond their means to have also cloned your bank card the last time you used it to buy petrol.

    if most people use it at home, then what added security is it going to give? only to someone sitting outside snooping on your wifi i guess. but any man-in-the-middle systems won't be compromised by this

    am also seriously thinking of ditching Barclays - i moved all my current accounts to an online bank because of those bloody stupid adverts and only keep the Barclays for the cashing cheques. am thinking of ditching that too now

  23. Illsay
    Thumb Up

    Barclays catchin up fast...

    Why do these solutions take so long to implement in the UK, with its long banking tradition? Like someone said before, this is being used for years now in other countries. Whether you like the solution or not is a different topic. As far as travelling goes, it fits in your laptop bag among the iPod, mobile, SatNav and your laptop of course.

  24. Rob Pitt
    Thumb Down

    PinSentry Sucks

    PinSentry sucks, it's the inconvenience of being forced to carry the plastic calculator back and forth between office(s) / home(s). Despite what they imply they force you to use it even if you just want to logon & check balances OR transfer to existing individual/organisations with whom you already have a relationship. It's a PITA!!!

    I'm looking for alternative banking...

  25. Anonymous Coward
    Unhappy

    PinSentry grumbles

    One of my businesses was one of the initial large pilot group. It is a royal pain to take the PS with me anytime I'm traveling (*) , and if it's lost in transit, so's my business's banking until a replacement can be obtained. Not easy if I'm in Guangdong, China or Silly-Con Valley at the time.

    "[...] most of the other banks who decided to deploy this have therefore been quietly issuing these new cards for quite some time as part of their normal card issuance/replacement programmes" -- well, I've tried mine with a Co-Op Plat. Visa, HSBC Premier Maestro (brand new card), Abbey Business Visa Debit and AmEx Green Debit (also new), and it gave "Card not valid" for each, so I'm guessing the rollout isn't that advanced, yet.

    Jocke had it right: it's only the honest ones who are inconvenienced. Barclays is being seen to be taking action, so that's OK. (Irony.)

    (* @Robin - nice idea on the face of it, but if someone gets the paper, you've just handed over many accesses to your online banking - best to store the numbers in a way that's somewhat obfuscated, for example by deliberately subtracting a fixed amount, known only to you, from each)

  26. A J Stiles
    Thumb Down

    Internet banking? Never saw the point

    There are only three reasons I ever go near a bank branch. (1) To pay in money, (2) To draw out money, or (3) Very rarely, when all else has failed, to speak to a human being. Since it's not possible for me to upload a digital photograph of a pile of money to my bank account, nor to print pound notes out of my printer, the Internet can't replace what I need out of banks.

  27. James Anderson

    Whats the matter with you people!

    This is very similar to the on line banking system UBS implemented in the previous century. It works fine for me, and is actually much easier than the previous "list of signatures" thingy.

    As for the "I will never fall for a phishing scam" - read a few security blogs the levels of technical sophistication involved in some scams beggars belief. I suppose Switzerland is much more of a target than the UK as the bank accounts contain money rather than overdrafts.

  28. Steve Sutton
    Unhappy

    Bloody things

    I've had one of these from NatWest a few months ago. Thus far, I haven't been forced to use it. I can assure El Reg, that if and when I am required to use it, and they don't disable it immediately when I request they do so, I shall be informing them that "There is another way" and closing my account!

    ...er, does anybody know of a bank that has not introduced and has no plans to introduce this crap?

  29. Dan Kitchen
    Thumb Down

    !@&*ing Bank!

    I'm in the process of moving our business away from Barclays, they are a completely hideous operation.

    We make 20-30 payments every day, I do not appreciate having to put my pin into this crappy little box every single time I want to pay an invoice, it has made our life hell and yet Barclays refuse to remove it - it now takes me 4x longer to pay invoices.

    Not only this, we moved offices and in the process lost the pinsentry device, we needed to move money urgently or we were going to go overdrawn from direct debits. Barclays wouldn't let us pick one of the devices up at a bank, they wouldn't let us transfer money over the phone, and it took a good 7 days for the unit to arrive ... by then we were well overdrawn and they even had the cheek to charge us for going overdrawn, refusing to refund the money!

    Take some advice - go with a bank who have a clue about what a business actually is, like Alliance & Leicester Commercial.

  30. Anonymous Coward
    Thumb Up

    Twats

    To the "PinSentry Grumbles" AC. Yes, Pinsentry would not work with those cards. Two of them are credit cards, and the other two belong to the two major UK banks who are currently not planning to roll out two factor authentication. AFAIK this is usually deployed onto Debit Cards.

    @jai - The PINSentry application resides on the secure portion of the chip, and is extremely difficult (if not impossible) to clone, and you still need the pin and the owner's internet banking credentials. Current card cloning usually involves cloning the magstripe and using overseas where chip and pin is not deployed.

    To those proclaiming the superiority of "nice key chain devices" or cards with printed TANs (Transaction Authentication Numbers). Fraudsters already have ways around those, predominantly involving capturing and replaying the code, or using trojans to alter transactions on the fly. To be blunt, if a UK bank is giving out TANS or time based token generators, then they don't understand the problem. The reason PINSentry is better is that it can be used to validate the actual details of the transaction (ie Account number and amount).
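
The difference between a code that only proves presence and one that validates "the actual details of the transaction", as described in comments 11 and 30, shown as an added example that is not part of the thread and not Barclays' implementation. It assumes a generic HMAC-plus-counter scheme rather than PINsentry's real algorithm; `Reader`, `Bank`, the key and the account numbers are hypothetical and constructed.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int = 8) -> str:
    """Reduce a MAC to a short decimal code (RFC 4226-style truncation)."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _code(key: bytes, mode: bytes, counter: int, data: bytes) -> str:
    # The mode tag keeps login codes and payment codes in separate domains.
    msg = mode + b"|" + struct.pack(">Q", counter) + b"|" + data
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def _txn(payee: str, amount_pence: int) -> bytes:
    return f"{payee}|{amount_pence}".encode()


class Reader:
    """Stands in for card plus reader: a shared secret and a usage counter."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def identify(self) -> str:
        self.counter += 1
        return _code(self.key, b"ID", self.counter, b"")

    def sign(self, payee: str, amount_pence: int) -> str:
        self.counter += 1
        return _code(self.key, b"SIGN", self.counter, _txn(payee, amount_pence))


class Bank:
    """Server side: accepts each counter value once, within a small window."""

    def __init__(self, key: bytes, window: int = 5):
        self.key, self.last_counter, self.window = key, 0, window

    def _verify(self, mode: bytes, data: bytes, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            expected = _code(self.key, mode, counter, data)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter  # older codes can never be replayed
                return True
        return False

    def login(self, code: str) -> bool:
        return self._verify(b"ID", b"", code)

    def pay_with_plain_otp(self, payee: str, amount_pence: int, code: str) -> bool:
        # Weak design: the code proves presence but says nothing about
        # payee or amount, so whatever details reach the bank are accepted.
        return self._verify(b"ID", b"", code)

    def pay(self, payee: str, amount_pence: int, code: str) -> bool:
        # Bound design: the code only verifies for the details that were
        # keyed into the reader.
        return self._verify(b"SIGN", _txn(payee, amount_pence), code)


def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-card-key"
    reader, bank = Reader(key), Bank(key)
    intended = ("11111111", 5000)   # what the customer keyed in (constructed)
    altered = ("99999999", 5000)    # what arrives if the details are changed in transit
    results = {}

    code = reader.identify()
    results["login_ok"] = bank.login(code)
    results["login_replayed"] = bank.login(code)

    otp = reader.identify()
    results["plain_otp_altered_payee"] = bank.pay_with_plain_otp(*altered, otp)

    sig = reader.sign(*intended)
    results["signed_altered_payee"] = bank.pay(*altered, sig)
    results["signed_intended_payee"] = bank.pay(*intended, sig)

    # A login-mode code cannot stand in for a payment signature.
    results["login_code_as_signature"] = bank.pay(*altered, reader.identify())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```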

  31. Harry Stottle

    SMS One Time Keys

    No one has responded to "Anon Coward's" point about sending one time keys to your mobile phone; a suggestion I've been trying to punt for about 5 years now. It requires one extra field in their database, to store the phone number. The validation of any transaction requires you to hand over to the checkout assistant or website the 4 digit PIN you've just received on your mobile. Which means that anyone using a credit card must also be in possession of the Mobile it was registered with. Yes the thief could steal both, but it won't be long before they're reported missing and the mobile and card can be deactivated, minimising ongoing risk.

    Would someone care to explain what would be wrong with that?

    Agreed, not everyone has a mobile phone. Those who don't can use one of the alternative systems and pay extra for it. But given that about 95% of the population does indeed have mobiles, it seems a no brainer that it should become our primary authentication platform.

    (See http://www.fullmoon.nu/book/side_issues/IdentityCards.htm for more on that)

  32. Philip Miller
    Thumb Down

    Not good enough to make me want to switch!

    I liked the old system and have used it for at least 8 years. In this time I have not been a victim of online fraud.

    This is not so secure as it looks since an attacker will now need to watch for your pin number and then get the card off you (clearly dangerous) since they need the physical card, also there is no extra security on the pin sentry device as one lady in barclays tried to tell me "The one sent to you will only work with your card" - erm no.

    Also to quote Bruce Schneier :

    "Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time."

    At the moment I have asked them to reverse the change for me, which they did eventually - for a limited period.

  33. W
    Thumb Down

    Aside from the nonsense of carrying this piece of hardware around...

    @Tim - Re: "Barclays has always had better online security than most other banks."

    Source? Smile.co.uk was the first bank (and still the only one?) to be ISO27001 accredited.

    @A J Stiles - Re: "Internet banking? Never saw the point"

    Internet Bank + Post Office is a splendid setup for 1) paying in and 2) withdrawing money. And having 3) never required any face-to-face dealings with objectionable individuals due to totally exemplary call centre staff, Smile.co.uk comes out on top once again. Internet banks like Smile and Cahoot were/are inherently set up more efficiently than Barclays/HSBC/HBOS/LloydsTSB. We're heading back towards the time when online banking meant installing some software specific to one PC and being tied to that PC. And even when 'the big four' ditched the PC-specific setup, and tried to play catch-up with Smile/cahoot et al, each and every one of their online login procedures were an absolute textbook case in user unfriendliness. Whenever there has been a small hiccup with Smile, they've always fixed it quick-smart. The big four have systematically lost my custom due to major grievances.

  34. Anonymous Coward
    Anonymous Coward

    @ Harry Stottle

    (A bugger for the bottle? Sorry, Python joke.)

    The problem with mobile-based authentication is that it assumes that the user is in coverage and not subject to SMS delay. Neither is guaranteed, particularly for anyone who travels abroad a lot - and that includes many board-level business-people.

    I don't have a problem with the idea of mobile authentication as such, it's just that there has to be a fallback alternative, because it's simply not a complete solution in and of itself.

    [Same AC that posted "PinSentry grumbles" above]

  35. Anonymous Coward
    Anonymous Coward

    Smoothly - Says Who????

    I had a pinsentry imposed on me by Barclays for a small business account - things did NOT go smoothly.

    You'd think that a bank imposing four factor security would put a little effort into designing the introduction process. Not so Barclays. And yes, it IS 4 factor - pinsentry, card, pin, ID of person permitted to carry out online banking.

    Generally the business only needs to do banking a couple of times a month, and that's usually weekend evenings. Pinsentry arrived at a time which was busy with customer facing activity so wasn't used the first time banking was required. The second time, the original process had been disabled and I had to dig out the ps and the new card which also arrived, and the new pin. Ploughing through the documentation it became clear that the card number on the new card issued by Barclays should not be acceptable to the PS. PS did not like the old card. Needless to say, Barclays does not provide a round the clock help desk, even when enforcing major change in short timescales. So I couldn't do the banking. And of course the help desk hadn't a clue what PS was about.

    Eventually it turned out that Barclays had sent out incorrect documentation and the card was OK - and if the documentation is lacking it doesn't give much confidence in the whole setup. But just a little common sense applied to the transition process would have given a fallback when the new PS process failed to work properly

  36. Anonymous Coward
    Unhappy

    @djberriman : Fabulous System

    I've had first hand experience of Barclays problems...

    First i receive a 'replacement' card two months after I received a replacement card that i actually requested - no cover letter etc explaining that the reason I received the second replacement was PinSentry... for a while have also been asked if I had received my PinSentry device whenever I logged into on-line banking - last weekend i drove past my old address (of about 18 months ago) and called on the off chance they had any mail for me.

    There it was, received a month or two earlier - my PinSentry device!

    I guess I'm just lucky my 'replacement' card arrived at the correct address...

  37. Francis Fish
    Alert

    Natwest introduced this a while ago

    But I've never needed it yet ... rang up and asked the nice man which of the 3 cards I should be using (debit/credit/joint debit) and how this was better than the old pin system (which is a PIA but at least one you can carry around in your head).

    He offered to send me another device to keep at work. Then said I could use telephone banking, which I've never used because I use internet banking!

    Not heard anything for 8 weeks or so and I'm beginning to wonder if they've quietly dropped it ... suspect I wasn't the only hostile customer ringing in ...

    We'll see.

  38. Anonymous Coward
    Thumb Down

    Oh dear...

    I knew this was coming. I used to be with Woolwich, and was perfectly happy.

    Then Barclays buys Woolwich, and slowly we get moved over.

    I'm already not happy with their attempt at doing the account sweeping, and having seen several other Barclays clients at work have these calculators arrive, I know it's only a matter of time before I get sent one.

    When it does, I'm off!

    I do most of my online banking from work, and I don't want to have to carry this damn thing about. How about a challenge response for Symbian, then I can just use my phone to make the numbers? After all, this new system is only secure if you don't lose the card and the calculator, and I'm far more likely to notice my mobile phone has vanished than their silly little box.

  39. Dr Wheetos
    Thumb Up

    Re: Overkill

    For years we've been told not to write our passwords down and here's evidence that the message isn't getting through! I wouldn't advocate anyone doing this.

    While I don't use the Barclays PinSentry device, I've used one in a development project. There is a security flaw with authenticating yourself with one of the devices. If you go down the pub and show it to your mates, and one of them remembers one of the numbers (he'd have to be numerically minded as they tend to be 8+ digits long), he could potentially sign in to your online bank account using it. It's a valid number and will remain so until the real owner actually uses the card reader and a new passcode in their bank's online site. OK, he'd also need to know your username and possibly your date of birth or something personal about you, but it would be possible.

    Despite this, I'd use it if my bank introduced it. As more banks roll this technology out, there will always be someone else that has a reader if you forget to take yours to work. Then I'd have to watch out for the man in the middle scams. How many people are so paranoid that they check the certificate for the web site they're accessing these days? Count me in.

  40. Anonymous Cowherd
    Thumb Down

    For Harry Stottle

    In South Africa the First National Bank uses a SMS code to authenticate online transactions, for each transaction.

    As a result, clients are now being targeted for theft of their mobiles. Or, if the criminals can't grab the phone, they steal the number: once the nasties know a bank client's mobile number, they (the crooks) report the phone lost or stolen, and obtain a "replacement" SIM card from the cellular service provider by submitting bogus documentation.

    When the thieves have the new SIM card, now programmed with the bank client's phone number, they set about draining the account. Which they can do, because they now get all the one-time transaction codes.

    By the time the bank client complains about not being able to make or receive calls, the account is empty.

    So in practice it is not proving as successful as the bank had anticipated.

    It should also be noted that a standard SMS is not encrypted and could be grabbed by a scanner within the footprint of the cell that the mobile user is in.

  41. Steven Raith
    Stop

    Re: Re: Overkill

    "If you go down the pub and show it to your mates, and one of them remembers one of the numbers (he'd have to be numerically minded as they tend to be 8+ digits long), he could potentially sign in to your online bank account using it. It's a valid number and will remain so until the real owner actually uses the card reader and a new passcode in their bank's online site. OK, he'd also need to know your username and possibly your date of birth or something personal about you, but it would be possible."

    Only if you are the sort of dimwit who thinks that letting your mates see your online banking details is clever.

    I suppose you let your mate type in your PIN number for you at the ATM, and walk down dark alleys counting the twenties in your hand out loud, yes? Because that's about as clever...

  42. heystoopid
    Coat

    Not The first and not the last

    Barclays have always been some three to five steps behind the pack at the best of times and their Swedish Bank counterparts continue to run rings around them on the security side since the dawn of the electronic age !

    The only polite thing to say about those brain dead wankers at that bank is that they routinely seek out and employ many more of the same identical idiot clones as themselves who at best know no more than one percent of everything in every field and at every skill level as they make those with an IQ less than 75 look quite intelligent !

    The bank is a living testament to the "Peter Principle" and would even make all those one cent in the dollar Kiwis from the twin islands of the South Pacific beneath the continuous white fog bank quite proud as to how cheap they can go !

    Still it is a pity about the Dutch customers being hooked up with these extinct living dodos !

    Never mind perhaps in about thirty years time the Chinese who are bankrolling this dog of an amalgamation due to extensive self induced problems in the World of Bush , will send in the cleaners to remove the deadwood at every level !

  43. Rich
    Thumb Up

    Not exactly new

    Anon#1: Soviet Russia collapsed in 1989, some years before any sort of Internet banking became available. So using one of these from there would be clever, to say the least.

    I have had the Swiss version of PinSentry for about 5 years - it has its own dedicated card and works well. It allows them to offer things like SWIFT transfers that you wouldn't want to provide on a password only service.

    I am surprised that Barclays don't offer a more sophisticated device with a USB port. Also, it would make sense for the banks to get together so that only one device was needed - and while they're handing out devices, adding "electronic wallet" functions for personal payments would make sense.

  44. b
    Thumb Down

    barclays really do suuuck...

    i've been with them for over 17 years and have 2 accounts...

    i recently had to complain as they sent a replacement card to a previous address, even tho i had changed it and i got an apology letter which stated that they had lost my original complaint (so they didn't know what they were apologising for), but apologised anyway...i got £75 for that one.

    i also remember the time that someone from abroad (via email) said they wanted to buy something i was selling, so asked barclays what to do and they said get the person to send the cheque to us...so this dork sent barclays some fraud check, so barclays shut all my accounts.

    so i said to them, excuse me, i was doing what you said?

    i got £100 for that one...

    then this fiasco...cos ur surname, banking number, passcode and 2 random letters from your pass word isn't enough...^^

    ...and then you ring up some call center in the philippines and try and talk to someone about it...

    "'scuse pliz?"

  45. Ian Litchfield
    Pirate

    PIN SENTRY FIX

    All you have to do is to write down the pass code the pin sentry generates as many times as you want and take the list with you to work or on holiday or wherever. The pass code is not time dependent and appears to work fine whether generated on the sentry at the time or input from a list of pass codes in the future. Simply cross off the number you just used. So hardly secure at all really.

    Possibly one of the worst security "fixes" ever introduced (FORCED) to customers. Seriously considering changing home and business accounts.

  46. Steve
    Thumb Up

    My missus is happy with PIN Sentry

    It all worked pretty much as advertised. She tried to transfer some money to me, but was prevented by the Barclays web-site because she needed said PIN Sentry. That arrived in the post a couple of days later, and a new card a couple of more days after that. She's used it, and is very happy with it.

    Anyway, it's much better than the Nationwide's idea of security. They recently asked me to answer a whole load more of "secure" "standard" questions.

    That's great that is... NOT!!!

  47. Smell My Finger

    Natwest

    Natwest sent me one of these little doo-dats ages ago but they never seem to have used it. I'm hoping they implement it soon - the age of passwords and pin numbers for online banking is well and truly dead. We need single usage authentication ASAP.

  48. bobbles31
    Unhappy

    Grrrr

    After 20 years as a foolishly loyal barclays customer this Pin Sentry has finally driven me to switch away to a different bank.

    The main problem that I have with it is that I used to have two completely separate sets of credentials: username, 5 digit pin and password for my online banking and pin debit card/pin number for giving to those pesky retailers when out in public.

    In the old world if you managed to use one of the ample opportunities to shoulder surf me in the petrol station, supermarket etc etc you could only get access to the funds in my current account (normally only sufficient enough cash for day to day banking)

    whereas now without too much effort, you can go online, use the openly available card reader, the pin number you shoulder surfed and my birth date (not exactly uncommon knowledge) to go to the barclays site and find out my username for online banking (it does tell you online, they don't post it to you) and then you can not only nick all the money in my current account, but you could empty all my other accounts into the current account and spend that too. Or even pay yourself up to £2,500 because Barclays are so confident in this piece of crap that they have upped the maximum transaction level.

    Rubbish!!!

  49. Anonymous Coward
    Thumb Down

    Hate them

    I hate these things, I am forced to use one and it's made online banking a real chore having to dig this thing out of my drawer when I just want to check my balance. I never take it out of the house as I don't want to lose it, so I can only ever check my account at home.

  50. Anonymous Coward
    Anonymous Coward

    PinPedantry

    How long before the numbers rub off the buttons on my little calcumalator, helpfully revealing, if not the order, the 4 (or less for repetitions) most used digits on the keypad?

    "OOOOO....K so the '4' has been completely erased so I am gonna go with 4444.......Bingo"

    PS If your PIN is the same digit 4 times, you deserve to be robbed blind, but you get the idea!

    I'm off to rub 4 random numbers not in my PIN off of my PinSentry.

    *The name of this poster has been changed to protect the sarcastic.

  51. This post has been deleted by its author

  52. Kris Lander
    Alert

    Very annoying

    I found myself rather vexed last week after trying to log into my account and being told "you should now have received your pin sentry reader" which, of course, I hadn't.

    So I ring up Barclays to ask them why they have switched to this new style of login without actually bothering to ask me whether I'd successfully received my pin sentry. (Surely a letter at the very least telling you the date of the switch over is not too much?) So the guy on the other end of the phone claims it was sent out a month ago and asks to check my address details. Seems that somehow they have got the postcode of my old address. How this has happened lord only knows, as all my other mail, including my statements, have successfully arrived at my current address, with the correct postcode for some time. So, I ask how am I supposed to access my personal and business banking and the call centre guy says that he'll switch the system back to the old authentication system, but I won't be able to make any payments to new payees. Well, funny that, because that's EXACTLY what I was logging on to do!

    What really p****es me off about these kind of roll outs from banks is they never actually ask you whether you want it first. Yes, I do want good security from my online banking, but I would rather have the convenience of being able to log in anywhere, without carrying around some bulky card reader, which I do from at least three locations on a regular basis.

    Ahh, I feel better now. RANT OVER.

  53. Shakje

    @bobbles31

    If you get mugged, one of three things is going to happen in the next hour, either you're going to phone up your card company and get it cancelled. This is not difficult. Or you might get killed, in which case you don't need to worry about it too much, or you might get seriously injured, in which case it should be the least of your problems.

    The security advantage of the PS is obvious, to me anyway, they are one time codes for a start. If someone tricks you online with a spoofed page (which you probably shouldn't be putting your details into anyway) they can only use the code once. If you get your card cloned they won't be able to purchase online without your pin.

    It makes it a lot easier to protect what you're doing, although I agree that the mobile phone should be used, but only as a fallback. People should generally be discouraged from entering card details on random networks, for a start, and secondly, I don't particularly want to have to have my mobile by my PC all the time in case I want to buy something.

    If I'm wrong then feel free to correct me, I won't take offence.

  54. Jason
    Boffin

    Already been done - Verified by VISA

    Although an additional aggravation, this kind of backup is pretty damned useful. A number of sites insist on Verified by VISA (newegg for instance) and it is just a little peace of mind.

    If EVERY site insisted on this second level of protection most online fraud would be stamped out.

    Of course the simple expedient of having your OWN photo printed on the card would pretty much eliminate direct fraud too.

  55. Matt

    rsa keyfob anyone

    something slightly less chunky and distinctly more secure, wouldn't this have been far better?

  56. Matthew Garrett

    Ebay item

    You can even buy one of these off Ebay

    http://cgi.ebay.co.uk/PINSENTRY-FROM-ONLINE-BANKING_W0QQitemZ350005686968QQihZ022QQcategoryZ50587QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

  57. Daniel Richards
    Unhappy

    Barclays are idiots

    I've also had a similar problem to some people above... I received my card reader, however my card didn't work with it. I phoned up Barclays asking for a new card, and waited to receive it.

    I received nothing. Since then my existing card has been cancelled, and I've been without full access to my account for the last three weeks, exactly the time of year I need it most.

    I've now tried three times to order a new card, and the other day whilst speaking to one of the telephone operators I found out that they'd made a mistake with one of my address changes, over a year ago, and so they've been sending cheque books and debit cards to a group of people I don't even know in a house I used to rent.

    Fraud prevention, my arse. This could have caused me severe financial issues.

    The problem is that Barclays staff are all so poorly trained that sorting this problem out has near left me frequently becoming incredibly angry and pissed off.

  58. Anonymous Coward
    Thumb Down

    Can't manage their own data

    I'd feel a lot better about this if I actually trusted Barclays to hold the correct data about me. The number of times I've gone into a branch to change my address and then later found out that, despite my statements coming to my new address, they actually have about 5 different places they store the addy and failed to update all of them. Morons.

  59. Anonymous Coward
    Flame

    I really hate barclays, but it's not easy to move away from a bank.

    Twice now these pillocks have made changes to their online banking, and both times are annoying, and due to stupid people who get suckered in by scams.

    This PIN sentry is the second annoyance, the first time was a few months ago and they just disabled all new payees from online banking. I had to phone the bank, and argue with them, and only when I threatened to move my savings did they re-enable this service for me.... wonder if that'll work again?

    But recently, I found PIN sentry was interfering with online banking too, so I had to go to a branch. They told me that PIN sentry was for my security, and as a work around to transferring some money to a Lloyds account electronically, they offered me the cash and told me to go and pay it in in a Lloyds. I tried to point out the irony there, but it was lost on the bankers.

    It then took 2 members of staff to get the money transferred, and only once I had left the branch did I realise I hadn't signed anything, nor presented my PIN (not that I use chip+pin, cos of the shift of responsibility). Shocking.

    A while ago Barclays also set up telephone banking for me when I specifically told them I didn't want it. If I can ring up the bank and empty my account, potentially so can someone else. If my account isn't allowed to be accessed via the phone, it's more secure for me.

    These abusive companies only speak money, so I recommend people waste company's time when you have a gripe, and make your gripe clear to them.

  60. Anonymous Coward
    Flame

    Verified by Visa - NO!

    @Jason

    Verified by Visa is a crap authentication system, it's just another password. These credentials are regularly traded along with the card numbers by criminals, and it just means the transaction sails through with fewer if any fraud checks.

    Oh, and what happens if you forget your Verified by Visa password? You get asked security questions, like mother's maiden name, DOB etc. Easy to get, easy to exploit.

  61. Anonymous Coward
    Stop

    Anonymous Goatherd

    Seems to me that PIN Sentry is appropriate for payments to new personal payees - but not logon.

    Barclays won't have done this because they wanted to - costs too much - so take it that there was a problem that needed a solution.

    Simple tokens and strips of numbers no longer work due to man in middle / man in browser / social engineering so this option where details from payment have to be entered into the device to generate release code is better.

    Looks horrible though and wouldn't want to carry one around personally - should become standard in mobiles so don't have to have an extra stupid gadget.
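An added illustration, not part of any comment above and not Barclays' actual PINsentry algorithm: a counter-based one-time code with RFC 4226 style truncation, one scheme under which both the "not time dependent" behaviour reported in comment 45 and the payment-bound release code described in comment 61 would arise. The key, the transaction string format, the look-ahead window and the `Verifier` class are all assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample secret, not a real card key


def code(key: bytes, counter: int, txn: bytes = b"") -> str:
    """8-digit code from HMAC(counter || txn), truncated as in RFC 4226.

    Mixing txn into the MAC is this example's assumption, not part of RFC 4226.
    """
    mac = hmac.new(key, struct.pack(">Q", counter) + txn, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class Verifier:
    """Hypothetical bank side: next expected counter plus a small look-ahead."""

    def __init__(self, key: bytes, window: int = 5):
        self.key, self.window, self.counter = key, window, 0

    def check(self, submitted: str, txn: bytes = b"") -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(code(self.key, c, txn), submitted):
                self.counter = c + 1  # this code and every earlier one is now dead
                return True
        return False


def demo() -> dict:
    server, out = Verifier(KEY), {}
    listed = [code(KEY, c) for c in range(3)]         # codes written down in advance
    out["used_days_later"] = server.check(listed[1])  # no clock involved
    out["older_code"] = server.check(listed[0])       # counter has moved past it
    out["replay"] = server.check(listed[1])
    # Release code computed over the payment details the customer keyed in.
    intended = b"payee=12345678;amount=100.00"        # constructed values
    altered = b"payee=87654321;amount=100.00"         # what a man-in-the-browser sends
    release = code(KEY, server.counter, intended)
    out["altered_payment"] = server.check(release, altered)
    out["intended_payment"] = server.check(release, intended)
    return out


if __name__ == "__main__":
    print(demo())
```

In this model a pre-generated code stays valid until it, or a later one, is accepted, and a release code only verifies against the exact payment details it was computed over.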

  62. bobbles31
    Thumb Down

    @Shakje

    I would agree with you except that it is possible to be relieved of your card by deception rather than outright mugging. In fact card fraud and mugging generally don't go hand in hand for the very reasons that you have specified.

    You also don't need the card for very long in order to commit the fraud, with 3G networks + laptops. Take the following example:

    1) Discover the mark's birthday (not difficult)

    2) Lift the mark's card without him realising (More difficult, but not for a skilled fraudster)

    3) Go to the barclays website, use the mark's name (written on the card), Date of birth see above and visa number (also written on card) to get the users logon to the Barclays online banking.

    4) perform transfers setup payments on random days etc etc

    5) return the mark's card.

    With the old system you would need to find out my password which was obscure and would never come up in even the most bizarre conversation.
