Feeds

Barclays to launch two-factor authentication

Card readers secure online banking

Internet Security Threat Report 2014

All online banking customers of Barclays will be issued with handheld card readers next year that will read their bank cards and generate one-time passwords to better secure their transactions.

The announcement came in an interview between director of online banking Barnaby Davis and Computing magazine last week. Barclays is expected to be the first bank to apply a new standard from UK payments association Apacs.

Last year, Apacs issued guidance to banks that called for stronger security. "In view of the growing incidence of Trojans and phishing attacks directed at internet users, banks are recommended to move towards stronger authentication for their online banking customers," it said.

The association worked with a number of banks to develop a standard for devices that can read chip and PIN cards to better secure online banking and ecommerce. The customer inserts his card to a reader (which is not connected to his PC). The device will generate a unique 12-digit number that the customer enters on his keyboard.

Barclays spokesperson Elizabeth Holloway told OUT-LAW that its plans are at an early stage: while the intention is to follow the Apacs standard, the date of deployment in 2007 is undecided, as is the supplier of the card readers. Customers will not be charged for the supply of readers.

Holloway said Barclays already offers free anti-virus software to its online banking customers. It also sends SMS text messages to a customer's mobile phones when a third party payment is set up on his account. If the customer did not authorise the payment it suggests a fraudster has compromised his account – and he can contact Barclays immediately – as opposed to the common practice of only identifying and reporting suspicious activity when it appears on end-of-month statements.

A customer report received the same day or the following day in response to an SMS alert may be quick enough for the bank to block the transfer – although transfer times will depend on the destination account – but it also facilitates faster investigation.

Barclays will refund customers who lose money from their accounts through no fault of their own. Asked if the bank refunds victims of phishing attacks who revealed their security details to a fraudster, Holloway indicated that the professionalism of a particular attack will be relevant and each instance would be judged on a "case by case" basis. Barclays does not disclose how many of its customers have suffered such attacks.

Apacs spokesman Mark Bowerman said the Barclays card reader could be the first solution to market that conforms to its standard. Apacs does not know of any other banks currently deploying its standard. He noted that Lloyds TSB introduced a password generating token device for 30,000 online banking customers last October and that Alliance & Leicester account holders register an image that is displayed on subsequent visits to reassure users they are on the right site; but neither solution uses bank cards.

Bowerman said the advantage of the Apacs solution is that any card reader conforming to the standard will work with any card. "We have four cards each on average so we didn't want people to have to carry four different readers," he said.

However, many existing cards will not be compatible with the Apacs standard. It requires a particular script on the chip in the bank card, meaning some banks will need to issue new cards if they adopt the standard. Barclays was unable to confirm at the time of writing whether its customers will need new chip and PIN cards to use the new technology.

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.