Barclays' roll-out of handheld card readers to 500,000 online banking customers has been welcomed for raising security awareness among consumers, but it may do little to stop real-time phishing attacks, security experts have warned.
Barclays said last year that it would offer two-factor
authentication via card readers to all of its two million
banking customers. However, the deployment announced last week will
only be to customers who are actively setting up payments, said
Barnaby Davis, director of electronic banking at Barclays.
"We are confident that we have a process in place that will protect against man-in-the-middle attacks, where the customer is redirected to a hacker's site that looks like their banking site. We have focused on setting up new payments because, even if a fraudster gets into an account, they still need to set up a payment to transfer the money out," he said.
The roll-out will make Barclays the first UK bank to offer
online authentication that uses a card reader to validate
transactions. But experts have said that the hardware-based device
will not combat real-time phishing attacks, nor will it be
interoperable with other firms' systems.
Ross Anderson, a professor of security engineering at Cambridge
University, said his research team tested the devices while they
were in development and was not impressed. This was because, during real-time phishing attacks, counterfeit banking sites could still extract chip and Pin data from the card reader. This could then be used to access customer accounts.
"This is barely a road-bump for a real-time phishing attack. It
is security theatre rather than real security," Anderson said.
Benjamin Ensor, senior analyst at Forrester Research, said the
Barclays launch was to be welcomed for dealing with the issue of
customer perception of security online, but the interoperability
issue was "huge".
Graham Cluley, senior technology consultant at security supplier
Sophos, said that a lack of interoperability meant that consumers
may have to manage a mountain of chip and Pin devices.
"Ideally you would only need one authentication device to access
all of your favourite sites, but that would be a huge logistical
problem for online businesses to manage," he said.
Barclays' reader works by generating a one-time passcode that
needs to be entered when conducting certain online banking
functions. The device will only generate an eight-digit passcode
once the user's card has been inserted and the Pin code
entered.
Davis said, "The system does not just rely on the customer log-on; the card reader, debit card and Pin are also used to set up
new payments. It offers protection against both current and future
threats because of its use in the authentication process of the
destination account number and the amount of the payment."
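The mechanism Davis describes, a one-time code that is only produced after card and Pin entry and that is bound to the destination account and amount, can be modelled in a few lines. The following Python is an added illustration, not code from the article or from Barclays, and the construction it uses (an HMAC-SHA256 over a bank-issued challenge, payee and amount, truncated to eight digits, with the bank holding a copy of the card key) is an assumption chosen for the model rather than the device's real protocol. The card secret, Pin, challenge strings and account numbers are all constructed sample values. It shows why a code bound to the payment details is rejected when a relayed instruction changes the payee or amount, and also where the binding stops: it covers only the details the customer keys into the reader, which is the gap Anderson's criticism points at.

```python
import hashlib
import hmac

# Constructed sample values for this illustration only; not real card data
# and not the key derivation the Barclays reader actually uses.
CARD_SECRET = b"constructed-per-card-key-0001"  # stands in for the chip's secret key
CARD_PIN = "1234"                               # constructed Pin for the sample card


def derive_code(card_secret: bytes, challenge: str, dest_account: str, amount_pence: int) -> str:
    """Eight-digit code bound to a bank-issued challenge and the payment
    details. Hypothetical HMAC-SHA256 construction, chosen for the model."""
    msg = f"{challenge}|{dest_account}|{amount_pence}".encode()
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def reader_code(card_secret: bytes, stored_pin: str, entered_pin: str,
                challenge: str, dest_account: str, amount_pence: int):
    """Model of the handheld reader: it produces no code at all unless the
    Pin keyed in matches the one on the card, as the article describes."""
    if not hmac.compare_digest(entered_pin, stored_pin):
        return None
    return derive_code(card_secret, challenge, dest_account, amount_pence)


def bank_verify(card_secret: bytes, code, challenge: str, dest_account: str, amount_pence: int) -> bool:
    """Bank side: recompute the code for the payment actually being instructed
    and compare. The bank holding a copy of the card key is a model assumption."""
    if code is None:
        return False
    expected = derive_code(card_secret, challenge, dest_account, amount_pence)
    return hmac.compare_digest(expected, code)


def payment_scenarios() -> dict:
    """Outcomes of several instructions checked against one code the customer
    generated for a genuine payment of 5000 pence to account 12345678 (constructed)."""
    challenge = "challenge-0001"  # constructed per-transaction challenge from the bank
    code = reader_code(CARD_SECRET, CARD_PIN, "1234", challenge, "12345678", 5000)
    return {
        # No Pin, no code: the reader is inert without the card holder's Pin.
        "wrong_pin_gives_no_code": reader_code(CARD_SECRET, CARD_PIN, "0000", challenge, "12345678", 5000) is None,
        "genuine_payment_accepted": bank_verify(CARD_SECRET, code, challenge, "12345678", 5000),
        # A relayed instruction that swaps the payee or the amount no longer
        # matches the details the code was derived from.
        "altered_payee_rejected": not bank_verify(CARD_SECRET, code, challenge, "87654321", 5000),
        "altered_amount_rejected": not bank_verify(CARD_SECRET, code, challenge, "12345678", 500000),
        # The challenge makes the code one-time: it is useless under a later challenge.
        "replay_under_new_challenge_rejected": not bank_verify(CARD_SECRET, code, "challenge-0002", "12345678", 5000),
        # Limit of the scheme: the binding covers only what was keyed into the
        # reader, so the customer has to check those details themselves.
        "binding_covers_only_what_was_keyed_in": bank_verify(
            CARD_SECRET,
            reader_code(CARD_SECRET, CARD_PIN, "1234", challenge, "87654321", 5000),
            challenge, "87654321", 5000),
    }


if __name__ == "__main__":
    for name, outcome in payment_scenarios().items():
        print(f"{name}: {outcome}")
```

Every entry in the returned dictionary is True, which is the whole point of the model: the code protects the payee and amount the customer entered, and nothing else.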