Barclays' roll-out of handheld card readers to 500,000 online banking customers has been welcomed for raising security awareness among consumers, but it may do little to stop real-time phishing attacks, security experts have warned.
Barclays said last year that it would offer two-factor authentication via card readers to all of its two million banking customers. However, the deployment announced last week will only be to customers who are actively setting up payments, said Barnaby Davis, director of electronic banking at Barclays.
"We are confident that we have a process in place that will protect against man-in-the-middle attacks, where the customer is redirected to a hacker's site that looks like their banking site. We have focused on setting up new payments because, even if a fraudster gets into an account, they still need to set up a payment to transfer the money out," he said.
The roll-out will make Barclays the first UK bank to offer online authentication that uses a card reader to validate transactions. But experts have said that the hardware-based device will not combat real-time phishing attacks, nor will it be interoperable with other firms' systems.
Ross Anderson, a professor of security engineering at Cambridge University, said his research team tested the devices while they were in development and was not impressed. This was because during real-time phishing attacks counterfeit banking sites could still extract chip and Pin data from the card reader. This could then be used to access customer accounts.
"This is barely a road-bump for a real-time phishing attack. It is security theatre rather than real security," Anderson said.
Benjamin Ensor, senior analyst at Forrester Research, said the Barclays launch was to be welcomed for dealing with the issue of customer perception of security online, but the interoperability issue was "huge".
Graham Cluley, senior technology consultant at security supplier Sophos, said that a lack of interoperability meant that consumers may have to manage a mountain of chip and Pin devices.
"Ideally you would only need one authentication device to access all of your favourite sites, but that would be a huge logistical problem for online businesses to manage," he said.
Barclays' reader works by generating a one-time passcode that needs to be entered when conducting certain online banking functions. The device will only generate an eight-digit passcode once the user's card has been inserted and the Pin code entered.
Davis said, "The system does not just rely on the customer log-on: the card reader, debit card and Pin are also used to set up new payments. It offers protection against both current and future threats because of its use in the authentication process of the destination account number and the amount of the payment."
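As an added illustration (not Barclays' code, and not the real EMV CAP protocol the reader implements), the following Python model of a PIN-unlocked reader contrasts the two uses the article describes: a login-only one-time code, which a real-time phishing site can relay as Anderson describes, and a code bound to the destination account number and amount, as Davis describes. The card secret, PIN, challenge and account numbers are constructed sample values.

```python
# Toy model of a PIN-unlocked card reader; constructed for illustration only.
import hmac
import hashlib

CARD_SECRET = b"constructed-card-key"   # constructed stand-in for the card's key
PIN = "1234"                             # constructed sample PIN


def reader_code(pin: str, *fields: str) -> str:
    """Eight-digit code over the supplied fields; only produced for the correct PIN."""
    if pin != PIN:
        raise ValueError("wrong PIN: reader produces no code")
    msg = "|".join(fields).encode()
    digest = hmac.new(CARD_SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_accepts(code: str, *fields: str) -> bool:
    """The bank recomputes the code over the fields it is actually asked to act on."""
    return hmac.compare_digest(code, reader_code(PIN, *fields))


def login_only_relay() -> bool:
    """Real-time phishing: the fake site forwards the bank's login challenge to the
    victim, the victim types the reader's answer into the fake site, and the
    attacker replays it to the bank before it expires. The code is valid."""
    challenge = "login-challenge-0042"          # constructed
    victim_code = reader_code(PIN, challenge)   # victim answers the relayed challenge
    return bank_accepts(victim_code, challenge)  # True: attacker is logged in


def payment_relay(attacker_account: str) -> bool:
    """Sign mode: the victim keys the payee and amount they intend to pay into the
    reader. A code replayed against a different payee does not verify."""
    genuine_payee, amount = "12345678", "500.00"   # constructed
    victim_code = reader_code(PIN, genuine_payee, amount)
    return bank_accepts(victim_code, attacker_account, amount)
```

Binding the code to the payee and amount is what stops a relayed code from authorising a different payment; it does nothing for the login step, which is the point the researchers make.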