Banks should not become complacent, because criminals have the time and resources to find ways of defrauding users of these two-factor authentication devices.
Steven Murdoch, a member of an academic research team at Cambridge University which last week published research on weaknesses in the card readers, said that the only reason users of these devices have not been hit by fraud is that so few people use them.
"The criminals are not targeting these users now, but will in the future when more banks roll out the units. If they want to break it, they are capable of finding the weaknesses, but right now there are easier targets," said Murdoch.
The researchers reverse-engineered devices from Barclays and NatWest which are used as part of the Chip Authentication Program (CAP). CAP is an initiative and technical specification for using Chip and PIN bank cards to authenticate users and transactions in online and telephone banking.
Murdoch said the main risks are that the fraudsters can fool users into doing the wrong thing through emails or malware.
Clean track record
Barclays said users of its Pinsentry card readers have not lost any money to fraud. The devices were first distributed in November last year and are now used by over two million customers.
A Barclays spokeswoman said, "We still think the Pinsentry devices are infallible if used correctly. Criminals have to trick the users. We think that it is a very convoluted and labour-intensive way for fraudsters to get money. It is about customer education."
She added that the bank also has back office monitoring systems to spot fraud in real time.
Falling levels of fraud
The Association for Payment Clearing Services (Apacs) said last week, "The banks that are most actively involved in these programmes have reported falls in the amount of fraud."
But Murdoch said the organisation has not ruled out the possibility that fraud against card-reader users could happen in the future.
He said there was another, more complicated way of stealing money, involving fake Chip and PIN readers, which could lead to bigger sums of money being stolen.
In response to the research, NatWest, which has over three million users of its card reader, said the reader is just one part of a layered security approach, which has proved very effective in combating online fraud without inconveniencing the customer.
“Our customers are asked to use their card reader only for certain actions, including changing a password, setting up or paying a new payee. In addition to our robust security processes we provide free PC security software to offer additional protection. This software complements two-factor authentication and a customer's existing anti-virus software.”