Did Barclays err in going with card readers for two-factor security?

Summary: Here on Between the Lines, I've routinely hounded the US banking industry for not biting the bullet and moving all of its customers (regardless of whether the customers like it or not) to a multi-factor (two or more) system for authenticating users for online banking.  For some banks in Europe, it's standard operating procedure.


Here on Between the Lines, I've routinely hounded the US banking industry for not biting the bullet and moving all of its customers (regardless of whether the customers like it or not) to a multi-factor (two or more) system for authenticating users for online banking.  For some banks in Europe, it's standard operating procedure. From a post I did earlier this year:

Two years ago, a friend from The Netherlands who was visiting asked if he could use one of our PCs to do some online banking.  As he began to log in to his bank's Web site, he pulled a credit-card sized authenticator out of his wallet.  Hardware-based authenticators like RSA's keyfob-esque SecurID 700 generate a random sequence of numbers at regular time intervals (eg: every 60 seconds).  The way this works is, at any point in time when you log in to your banking system, you have to use your authenticator to randomly generate a key.  I watched my friend as he pressed a button on his authenticator and then, from the authenticator's LCD display, he read off and keyed in (on the keyboard) a long string of randomly generated digits.

If you had something similar and you were using one of RSA's authenticators, then the bank would have an RSA-built appliance on its internal network that's generating matching keys for your account.  The only way someone can log into your account is if they have your UserID, your password, and your authenticator.  Randomly generated keys are only good for a minute or so.  So, even if someone gets hold of your UserID, password, and one of the randomly generated keys (eg: if they watched you key it on your keyboard), by the time they got to a computer to pretend to be you, the randomly generated key would have expired.
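To make the time-synchronised token mechanism concrete, here is an added example that is not from this post and is not RSA's code (SecurID's actual algorithm is proprietary; this uses the public HMAC-based TOTP construction as a stand-in). It shows the token side and the bank-appliance side sharing one secret and one clock, a 60-second step, a one-step tolerance for clock drift, and rejection of codes that are expired or have already been used. The secret and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the "every 60 seconds" interval from the post
DIGITS = 6


def token_code(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """What the token displays for the time step containing unix_time.

    The output is deterministic: anyone holding the secret can compute it,
    which is exactly why the secret must live only inside the token and the
    bank's appliance.
    """
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """Bank-side check: same secret, same clock, small drift window, no replay."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of drift
        self.last_counter = -1        # newest step already consumed

    def verify(self, code: str, unix_time: float) -> bool:
        now = int(unix_time) // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue              # expired or already used: reject replays
            expected = token_code(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


# Constructed demo values: this is not a real key or a real account.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
T0 = 1_700_000_040                    # an exact 60-second step boundary


def demo() -> dict:
    """Walk through the scenarios described in the post and return the outcomes."""
    bank = Verifier(DEMO_SECRET)
    fresh = token_code(DEMO_SECRET, T0)
    return {
        "fresh_code_accepted": bank.verify(fresh, T0),
        "same_code_replayed": bank.verify(fresh, T0 + 5),              # shoulder-surfed code reused
        "code_from_3_min_ago": Verifier(DEMO_SECRET).verify(token_code(DEMO_SECRET, T0 - 180), T0),
        "next_step_accepted": bank.verify(token_code(DEMO_SECRET, T0 + 60), T0 + 60),
    }
```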

User names and passwords (the "what you know" factor -- often the first factor of multi-factor security) alone are no longer enough.  At the bare minimum, a second factor -- often referred to as the "what you have" factor -- is required.  ATM machines, for example, use two-factor authentication.  Neither your ATM card (what you have) nor your password (what you know) will work alone.  To activate an ATM machine, you need both. But to access most American banks online, all you need is a user ID and password. Even the US government issued federal guidelines to the banking industry (well, suggestions since they're not making banks do anything) suggesting that "what you know" security is not enough. The response from the banking industry has been underwhelming at best.

Last year, according to a story from The Register, APACS, the UK Payments Association, issued guidance to UK banks that was similar in nature to the guidelines issued by the US Government:

Last year, Apacs issued guidance to banks that called for stronger security. "In view of the growing incidence of Trojans and phishing attacks directed at internet users, banks are recommended to move towards stronger authentication for their online banking customers," it said.

In response, according to that same story, the UK-based Barclays bank is moving to a two-factor authentication system for online banking.  But unlike random number generation solutions like those from RSA Security, Barclays instead is giving its customers card readers that work like this:

The customer inserts his card into a reader (which is not connected to his PC). The device will generate a unique 12-digit number that the customer enters on his keyboard.

Which leads me to the next natural question. Suppose you're like my Dutch friend and you're going to someone else's house or heading out on international travel.  Are you supposed to bring a bulky card reader with you everywhere you go?  In contrast, RSA makes versions of its SecurID solution that fit on your keychain. Think I'm crazy about the sort of mobility that people want out of their online banking? According to a ZDNet research blog from last December:

Forrester Research found that 51% of existing online banking users in the UK ages 16 to 34 would like to try mobile banking. 25% of those users would switch to a new bank if it offered mobile capabilities.

To boot, card reading solutions as a means for securing online transactions have not been met with consumer enthusiasm.  Way back in 2001, Target (the retailer) announced that it would be issuing card readers (like this Target-branded one on sale for $5 at Craigslist) along with its Target-branded "smart Visa Cards" to help secure payments (card readers ensure that the end-user actually has a card as opposed to just the card number).  But, by 2004, the entire smart card program was failing so miserably that Target pulled the plug on the whole thing.

Smart card readers for consumers? They're a bust for enough reasons that it doesn't make sense to give them to end users. Barclays will probably end up learning this the hard way.


Talkback

5 comments
  • Physical 'tokens' are coming

    It's good to see that others are picking up on this trail. The card reader is an issue, although in the Netherlands I did see ABN Amro trial a version of this that was compact and generated a random number that could be entered much like the RSA keyfob.

    This allowed the device to be used with multiple accounts with a single reader and multiple cards. I'm not sure how popular it was in the end (as this was about 5 years ago now!).

    For interested readers, here is a post from a couple of days ago that highlights both approaches, and also links into some more detailed information about e-signatures, background and mechanisms: http://improving-nao.blogspot.com/2006/08/electronic-signatures-physical-tokens.html

    Cheers

    Phil
    phil_ayres@...
    • Update to comment

      Sorry for anyone that tried this - the URL in the comment above was broken. Here is the correct one:

      http://improving-nao.blogspot.com/2006/08/electronic-signatures-physical-tokens.html
      phil_ayres@...
  • RSA security

    Not to nit-pick (OK, so I am nit-picking), the RSA (or other similar device) does NOT produce a random string of digits. In fact, it produces a completely predictable string. Without this predictability, the system would be unusable.

    In order for the system to work, you must enter the number from your token which must be predictably verified by the server in order to make a match. What is secret in this transaction is the key(s) used to "randomize" the digits that are displayed. If someone were able to take the output from a token and break the key(s) from the token, then they would also be able to predictably create the "random" string of digits from the token without having to have the token.

    Mind you, I am not knocking the technology; it works well and seems very secure. I would personally feel a lot better if my bank allowed me to use a system like this. What I would not like is a keychain with 30 tokens for all of the different systems that I might have to interface with, but that is a different argument for a different day.
    tkarrmann
  • Another Card Reader Problem

    I may want to do my banking from my smart phone, which doesn't have a port for a card reader. Duh!
    lurker_mostly
  • RE: Did Barclays err in going with card readers for two-factor security?

    I bank online with HSBC in the UK and use a keychain-sized device that produces numbers. I think it's a great tool and makes me much happier about carrying out online banking.

    APACS who get mentioned in the blog run a great website with advice on fraud

    APACS - Cheque Clearing and Credit Card Advice: http://www.apacs.org.uk
    highwayfive