Original URL: http://www.theregister.co.uk/2007/12/17/pinsentry/

Technical problems mar Barclays' PINSentry roll-out

The tricky business of thwarting online fraud

By John Leyden

Posted in Small Biz, 17th December 2007 10:02 GMT

Logistic and technical issues have hampered the rollout of a system designed to thwart phishing scams by UK bank Barclays.

The bank is issuing calculator-sized chip-and-PIN 'PINsentry' card readers to its online banking customers in a bid to combat online fraud.

Barclays' online customers (both consumers and small business) are required to use the handheld device to generate a one-time passcode that will have to be entered at login and to run some online banking functions, such as setting up payments to new third party accounts. The device will only generate a passcode once the user's bank card has been read, and the PIN code entered. The approach is a refinement of two-factor authentication approaches already in use by some UK banks, such at Lloyds TSB, and more widely by banks in Scandinavia and elsewhere in Europe for some time.

Safety first

PINsentry was launched in April and initially offered on request and from branches in October. Late last month the bank changed its policy so that customers who set up new third-party account payments were obliged to use the technology. After initially restricting the roll-out of the technology to 500,000 customers, Barclays now expects to supply 614,000 readers by the end of 2007. Two million regular online banking customers, who only use the service to check balances or pay trusted parties such as utilities, aren't obliged to use PINSentry.

Nonetheless, the accelerated roll-out has been accompanied by reports of delays at call centres and other problems. The Barclays device should be usable by any other UK bank because it conforms to APACS standard. However, a developer familiar with the project tells us that initial plans to use it with existing cards have proved problematic because banks found that it could interfere with the existing anti-fraud measures built into the cards and back-end processing systems.

As a result a decision was made to separate PINSentry (which is based on Mastercard's Chip Authentication Program [CAP]) into a new 'application' on the card.

"Barclays, and most of the other banks who decided to deploy this have therefore been quietly issuing these new cards for quite some time as part of their normal card issuance/replacement programmes," the developer explained. "This is one of the reasons why it's taken so long to get the technology deployed."

All change?

As well as problems getting readers into the hands of customers - that can take six days according to Barclays, and longer according to critics - there's also the potential problem of having to issue new cards. We say 'potential problem' because the system can be made to work with existing cards if customers kick up a fuss, according to anecdotal evidence from Reg readers. Some customers have succeeded in deferring the application of the technology after complaining.

This in turn has contributed to delays in reaching Barclays's call centre helplines. A Barclays spokesman admitted to possible delays in call centres, but maintained that the roll-out was proceeding smoothly.

"The roll-out has been ongoing since August and has being going pretty smoothly, although there have being peaks and troughs," he said. "There's been a lot of requests, 614,000 in total, more than expected so there may have been delays in call centres."

Pressed on whether customers would need new cards, he said this wasn't necessarily the case. "Customers can use existing debit cards. They shouldn't need to change cards," he told El Reg.

Reg reader Shane, a Barclays business customer, was able to get the system up and running without a new card, but only after the intervention of his bank manager. Shane was the first to draw our attention to potential problems with the roll-out.

"It seems that when they did the preparation for the roll-out of the PINSentry system they either created a series of duplicate entries which meant that when I put in my details it didn't match what they had," Shane explained.

"I got it sorted by my bank manager eventually (apparently he sat on hold for 45 minutes to their call centre rather than I) but I suspect that judging by the comments online and the very long hold times that it is a problem."

Users are revolting

Some users have taken a bit of a dislike to the technology, complaining it's too bulky, among other gripes. Barclays said that since most users carry out e-banking transactions at home, this oughtn't to be much of a problem. At least one enterprising user has taken matters into his own hands by jerry-rigging technology to send SMS messages.

Like other corporations that claim to be web-savvy, Barclays failed to take the precaution of registering a domain featuring a name closely tied to an online project. The pinsentry.co.uk domain is registered and parked with a low-cost domain registration firm by a private individual. There's no evidence of any wrongdoing, but the possibility of fraudsters registering domains on the back of technology designed to make online transactions secure is troubling.

Although the technology stands a good chance of reducing exposure to basic phishing frauds - a greater problem than most in the UK banking industry care to admit - it isn't a "silver bullet" solution and still leaves open avenues for more sophisticated (man in the middle-style) attacks. ®