I have one of these card readers, which I received last year from my bank. Prior to receiving it, Barclays just had a fairly standard log-in procedure, but now I need to have both it and my debit card to hand in order to access my account online. It's slightly irritating; I mentioned my mild annoyance on my personal blog, and was overwhelmed by the torrent of bile that spewed forth from people who hate it far more than I do.
The procedure as it stands goes like this:
1. Type surname and 12-digit membership number into browser and return
2. Put debit card into a special card reader
3. Type PIN into reader
4. Type last 5 digits of debit card into browser
5. Type 8 digits generated by card reader into browser and return
But Barclaycard, meanwhile, still have a three-step, password-authenticated system:
1. Type 9 digit membership number and return
2. Type 6 digit passcode and surname and return
3. Enter two letters from your "memorable word" using dropdown menus and return
HSBC, I'm told, only have two steps:
1. Type 12 digit membership number and return
2. Type date of birth and three digits from your "secret number" and return
And for Sainsburys it's all apparently on one screen:
1. Type 11-digit membership number, password, and either a "memorable place", "memorable name", "memorable date", or, er, "favourite singer" and return.
Obviously there is a trade-off between having a secure account and having one that's annoyingly difficult to access; have Barclays struck the right balance? This blogger doesn't believe that they have, and nor do the 137 members of this Facebook group; one friend of mine has had her bank account compromised since she started using the Pinsentry, which hasn't given her much faith in the system; another rang up Barclays and demanded that she be allowed to opt out of the Pinsentry scheme, which they have allowed – and now she's back to the old system. But if she wants to set up new payees to transfer money electronically, she'll have to opt back in again.
NatWest are also moving to card reader schemes; while it's easy to brush off customer complaints by saying "well, it's for your own good", it seems that the biggest gripe people have is that these things are so big; the Pinsentry is about the size of an old-fashioned pocket calculator. HSBC's business accounts use much smaller number-generating devices; maybe if you could slip these things onto a keyring and were thus less likely to forget them, they might go down better with the general public.
(By the way, on another subject: Mac users – check out the new beta of Firefox: it's quite beautiful. Enhanced with a hacked Adblock extension, it's undoubtedly the best Macintosh web browser I've yet used. And it's not even finished yet!)
By Rhodri Marsden
It wouldn't be that bad if Barclays somehow managed to get the thing on their site that you can click so that it will remember your '12-digit membership number' to, well, remember the 12 sodding digits. 'Cause it doesn't (in Firefox).
Posted by: jg | Thursday, 14 February 2008 at 04:26 PM
The best compromise between security and ease of use is the RSA "random" number generator used by Coutts. One enters one's username into the browser, keys a PIN into the credit-card-sized number generator, which then displays a passcode number. You enter that into the browser and you're in. It takes seconds.
Posted by: Jerry Goldstein | Friday, 15 February 2008 at 07:03 AM
Er... I thought the whole point of online banking was supposed to be convenience. If it's not convenient, why bother? I just use phone banking and ATMs, and I've never signed up for online banking, so I have no particular worries about online banking security, and I have no problems accessing my cash or account info when I need it. Works for me!
Posted by: BagOfHammers | Friday, 15 February 2008 at 09:10 AM
What on earth made you think online banking was about convenience? It's all about head count, from branches down to call centres to the internet. Head count reduced every step of the way. Less head count = more profit. Soon it will be just the senior managers and a software team in China, with the servers in Lesotho.
Posted by: PeopleSBanker | Monday, 18 February 2008 at 09:42 AM
As part of the team that developed this solution for the global banking industry, we've been surprised at how badly Barclays have implemented this. Most other banks only use the device for key 'dangerous' transactions like adding a new payee or sending transactions to new payees. As 99% of online banking is balance checking and shifting funds to known payees, this would limit use of the Personal Card Reader (PCR) to only a small number of occasions.
However, for those of you that keep suggesting that RSA-style tokens are the best compromise, they don't do you any good at all - both Trojans and Man-in-the-Middle attacks exploit them and your banking remains insecure. Professor Ross Anderson at Cambridge University has written some excellent papers on the subject if you want to explore further.
And finally, the reason why banks are having to roll out this technology (and protect your accounts) is because the bulk of people using the web have no concept of personal security in the online world. Many run without up-to-date anti-virus or anti-spyware. Even fewer use personal firewalls or scan their computer regularly for malware, or even think about securing their WiFi router. It's the equivalent of putting all of your cash on the dining table and then going out to the pub leaving the door open - I don't think many of you would do that, but you're all happy to do it with your home computer. So before you begin grumbling at the banks about cumbersome security, they're just being careful with your money - like you expect them to be in the physical world.
Posted by: acwanaut | Wednesday, 20 February 2008 at 12:48 PM
hi Ainsley - very interesting comment, thanks.
While saying that RSA devices "don't do you any good", surely they're still placing SOME kind of extra layer of security over and above the password / security question combo that the majority of online banking sites still use?
It's certainly an important point that these devices may have to become compulsory for all, purely in order to protect those of us who are clueless about online security.
Many will moan that they have a well-chosen, oblique password, that they have WPA in place on their router, that they run a Mac and thus are unblighted by spyware, and so they don't need these devices.
But the banks are largely dealing with people who choose "password" as their password, write down their membership details and put it in their wallet, use their router's default configuration and click on emails asking them to verify their online banking details. We might all end up being inconvenienced as a result - but there's really not a lot we can do about it. Online crime is rampant - c'est la vie.
Posted by: Rhodri Marsden | Wednesday, 20 February 2008 at 01:08 PM
Hi Rhodri,
Thanks for the comments back. Got to admit I was a little over-zealous with "don't do you any good" as they do prevent problems with phishing, keyloggers and a good many other issues. But as you quite rightly point out, banks are largely dealing with people trained to press the OK button on all error messages and using 'password' as their password.
I think that there is definitely scope for banks to add an opt-out of these solutions, but then liability should fall upon the account holder. Basically, if you choose not to accept the bank's security as you think that the precautions that you take are more than adequate, then perhaps they should let you - and pass the risk on to you. It would certainly be a solution for those that value convenience and are willing to take a risk to maintain it. After all, the banks are only pushing security like this because in the bulk of cases they are liable for the losses in eBanking.
Posted by: acwanaut | Wednesday, 20 February 2008 at 02:22 PM
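As an added example (not from the column or either commenter, and not a model of Barclays' reader or any bank's real protocol), the following Python toy shows the two points acwanaut makes above: a code that depends only on a counter, as an RSA-style token produces, is simply relayed by a man-in-the-middle who then substitutes his own payee and amount, whereas a code that also covers the payee and amount is useless for any other payment; and either kind of code is single-use, so a keylogger's copy is rejected once the genuine payment has gone through. The secret, sort codes, account numbers and amounts are constructed for the demonstration, and `Bank`, `Token` and the helper names are this example's own.

```python
"""Added example: a counter-only one-time code versus a transaction-bound code.

Toy model only; not Barclays' reader or any bank's real protocol. The secret,
sort codes, account numbers and amounts below are constructed for the demo.
"""
import hashlib
import hmac
import struct

DIGITS = 8   # eight-digit codes, as the column describes; the length is cosmetic here
WINDOW = 5   # how many counters ahead the bank will accept, to survive a missed press

# Constructed shared secret: the assumption is that bank and token share a key.
TOKEN_SECRET = b"constructed-demo-secret-not-a-real-key"

# Constructed payment details for the scenario (sort code + account number, pence).
CUSTOMER_PAYEE, CUSTOMER_AMOUNT = "20-00-00 12345678", 5000    # GBP 50.00
ATTACKER_PAYEE, ATTACKER_AMOUNT = "99-99-99 87654321", 500000  # GBP 5000.00


def _truncate(mac: bytes) -> str:
    """Reduce a MAC to a fixed-length decimal code (HOTP-style dynamic truncation)."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def otp_code(secret: bytes, counter: int) -> str:
    """Login-style code: the MAC covers only an event counter, so nothing about
    what the code will be used for is part of it."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, payee: str, amount_pence: int) -> str:
    """Transaction-bound code: payee and amount are MACed together with the
    counter, so the code verifies only for exactly this payment."""
    msg = struct.pack(">Q", counter) + payee.encode("ascii") + b"|" + struct.pack(">Q", amount_pence)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class Token:
    """Customer's device: shares the secret and advances its own counter on every press."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press_login(self) -> str:
        self.counter += 1
        return otp_code(self.secret, self.counter)

    def press_sign(self, payee: str, amount_pence: int) -> str:
        # Payee and amount are typed into the device and shown on its own display,
        # so the customer checks them on a screen the browser cannot alter.
        self.counter += 1
        return transaction_code(self.secret, self.counter, payee, amount_pence)


class Bank:
    """Server side: holds the token secret, the last accepted counter and a ledger."""
    def __init__(self, secret: bytes):
        self.secret, self.counter, self.ledger = secret, 0, []

    def _accept(self, code: str, expected) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(code, expected(c)):
                self.counter = c  # a counter is never accepted twice: no replay
                return True
        return False

    def pay_with_otp(self, payee: str, amount_pence: int, code: str) -> bool:
        ok = self._accept(code, lambda c: otp_code(self.secret, c))
        if ok:
            self.ledger.append((payee, amount_pence))
        return ok

    def pay_with_transaction_code(self, payee: str, amount_pence: int, code: str) -> bool:
        ok = self._accept(code, lambda c: transaction_code(self.secret, c, payee, amount_pence))
        if ok:
            self.ledger.append((payee, amount_pence))
        return ok


def mitm_against_otp():
    """A phishing page or browser Trojan relays the customer's fresh code to the
    real bank but substitutes its own payee and amount. Returns the ledger."""
    bank, token = Bank(TOKEN_SECRET), Token(TOKEN_SECRET)
    code = token.press_login()                     # customer types this into the fake page
    bank.pay_with_otp(ATTACKER_PAYEE, ATTACKER_AMOUNT, code)
    return bank.ledger                             # [(ATTACKER_PAYEE, ATTACKER_AMOUNT)]


def mitm_against_transaction_code():
    """Same attack against a transaction-bound code: the relayed code does not
    verify for the attacker's payee and amount."""
    bank, token = Bank(TOKEN_SECRET), Token(TOKEN_SECRET)
    code = token.press_sign(CUSTOMER_PAYEE, CUSTOMER_AMOUNT)
    accepted = bank.pay_with_transaction_code(ATTACKER_PAYEE, ATTACKER_AMOUNT, code)
    return accepted, bank.ledger                   # (False, [])


def keylogged_code_replayed():
    """What either kind of code does stop: a captured code is single-use."""
    bank, token = Bank(TOKEN_SECRET), Token(TOKEN_SECRET)
    code = token.press_login()
    first = bank.pay_with_otp(CUSTOMER_PAYEE, CUSTOMER_AMOUNT, code)
    replay = bank.pay_with_otp(ATTACKER_PAYEE, ATTACKER_AMOUNT, code)
    return first, replay                           # (True, False)
```

Running `mitm_against_otp()` shows the attacker's payment on the ledger, while `mitm_against_transaction_code()` returns `(False, [])` because the bank recomputes the MAC over the payee and amount it was actually asked to pay. The transaction-bound code only helps if the payee and amount go into the device by a path the attacker cannot touch and the customer actually reads them back off its display; a code bound to details copied from a Trojaned browser would bind the attacker's details just as faithfully.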
Phishing? Don't ever respond to bank emails.
Trojan key-logging? - No such thing on Macs. (Virus free!)
Bank with HSBC - They think it's silly too!
Posted by: Nic | Thursday, 13 March 2008 at 10:55 AM
hi acwanaut,
Why then did banks implement online banking in the first place, knowing these issues? Passing the buck back to someone who has become accustomed to using such a service, via an opt-out option, seems most unfair.
Posted by: Jared | Friday, 18 April 2008 at 02:25 PM