"The roll-out has been ongoing since August and has being going pretty smoothly, although there have being peaks and troughs," he said. "There's been a lot of requests, 614,000 in total, more than expected so there may have been delays in call centres."
Pressed on whether customers would need new cards, he said this wasn't necessarily the case. "Customers can use existing debit cards. They shouldn't need to change cards," he told El Reg.
Reg reader Shane, a Barclays business customer, was able to get the system up and running without a new card, but only after the intervention of his bank manager. Shane was the first to draw our attention to potential problems with the roll-out.
"It seems that when they did the preparation for the roll-out of the PINSentry system they either created a series of duplicate entries which meant that when I put in my details it didn't match what they had," Shane explained.
"I got it sorted by my bank manager eventually (apparently he sat on hold for 45 minutes to their call centre rather than I) but I suspect that judging by the comments online and the very long hold times that it is a problem."
Users are revolting
Some users have taken a bit of a dislike to the technology, complaining it's too bulky, among other gripes. Barclays said that since most users carry out e-banking transactions at home, this oughtn't to be much of a problem. At least one enterprising user has taken matters into his own hands by jerry-rigging technology to send SMS messages.
Like other corporations that claim to be web-savvy, Barclays failed to take the precaution of registering a domain featuring a name closely tied to an online project. The pinsentry.co.uk domain is registered and parked with a low-cost domain registration firm by a private individual. There's no evidence of any wrongdoing, but the possibility of fraudsters registering domains on the back of technology designed to make online transactions secure is troubling.
Although the technology stands a good chance of reducing exposure to basic phishing frauds - a greater problem than most in the UK banking industry care to admit - it isn't a "silver bullet" solution and still leaves open avenues for more sophisticated (man in the middle-style) attacks. ®
I would agree with you except that it is possible to be relieved of your card by deception rather than outright mugging. In fact card fraud and mugging genreally don't go hand in hand for the very reasons that you have specified.
You also don't need the card for very long in order to commit the fraud, with 3G networks + laptops. Take the following example:
1) Discover the marks birthday (not difficult)
2) Lift the marks card without him realising (More difficult, but not for a skilled fraudster)
3) Go to the barclays website, use the Marks name (written on the card), Date of birth see above and visa number (also written on card) to get the users logon to the Barclays online banking.
4) perform transfers setup payments on random days etc etc
5) return the marks card.
With the old system you would need to find out my password which was obscure and would never come up in even the most bizarre conversation.
Seems to me that PIN Sentry is appropriate for payments to new personal payees - but not logon.
Barclays wont have done this because they wanted to - costs too much - so take it that there was a problem that needed a solution.
Simple tokens and strips of numbers no longer work due to man in middle / man in browser / social engineering so this option where details from payment have to be entered into the device to generate release code is better.
Looks horrible though and wouldn't want to carry one around personally - should become standard in mobiles so don't have to have an extra stupid gadget.
Verified by Visa - NO!
Verified by Visa is a crap authentication system, its just another password. These credentials are regularly traded along with the card numbers by criminals, and it just means the transaction sails through with fewer if any fraud checks.
Oh, and what happens if you forget your Verified by Visa password? You get asked security questions, like mothers maiden name, DOB etc. Easy to get, easy to exploit.