
Bank card scanners used to authenticate online bank
users only have a 100% safety record because criminals have softer
targets to attack, an academic has warned.
Banks should not become complacent, because criminals have the
time and resources to find ways of defrauding users of these
two-factor authentication devices.
Steven Murdoch, a member of an academic research team at
Cambridge University, which
last week published the weaknesses of card readers, said that
the only reason users of these devices have not been hit by fraud
is because so few people use them.
"The criminals are not targeting these users now, but will in
the future when more banks roll out the units. If they want to
break it, they are capable of finding the weaknesses, but right now
there are easier targets," said Murdoch.
The researchers reverse-engineered devices from Barclays and
NatWest which are used as part of the
Chip Authentication Program (CAP). CAP is an initiative and
technical specification for using chip and pin banking smartcards
for authenticating users and transactions in online and telephone
banking.
Murdoch said the main risks are that the fraudsters can fool
users into doing the wrong thing through emails or malware.
Clean track record
Barclays said users of its
Pinsentry card readers have not lost any money to fraud. The
devices were first distributed in November last year and are now
used by over two million customers.
A Barclays spokeswoman said, "We still think the Pinsentry
devices are infallible if used correctly. Criminals have to trick
the users. We think that it is a very convoluted and
labour-intensive way for fraudsters to get money. It is about
customer education."
She added that the bank also has back office monitoring systems
to spot fraud in real time.
Falling levels of fraud
The
Association of Payment and Clearing Services (Apacs) said last
week, "The banks that are most actively involved in these programmes
have reported falls in the amount of fraud."
But Murdoch said the organisation has not ruled out the
possibility that it could happen in the future.
He said there was another, more complicated way of stealing money,
involving
fake chip and pin readers, which could lead to bigger sums of
money being stolen.
In response to the research, NatWest, which has over three
million users of its card reader, said it is just one part of a
layered security approach, which has proved very effective in
combating online fraud without inconveniencing the customer.
“Our customers are asked to use their card reader only for
certain actions, including changing a password, setting up or
paying a new payee. In addition to our robust security processes we
provide free PC security software to offer additional protection.
This software complements two-factor authentication and a
customer's existing anti-virus software.”