Barclaycard fights phishers with password generator

Barclaycard has issued thousands of credit and debit card holders with a special card reader that can generate temporary passwords

Barclaycard has issued 5,000 of its UK customers with credit and debit card readers designed to help prevent fraud and reduce exposure to phishing attacks.

The card readers contain a numerical keypad and a small display. They can read the cards using "chip and PIN" technology that are currently being rolled out on credit and debit cards to replace signatures.

To purchase an item from a Web site supporting the new system, users type in their credit or debit card details as usual, and are then prompted for a special password that has to be generated by the card reader.

Users can generate the password by inserting their card into the reader and typing in their usual PIN. This authorises the reader to generate and display the passwords so users don't have to send personal PINs over the Internet or use it when making telephone mail order purchase.

Ron Carter, payments product manager at security software specialists nCipher, said the system ensures customers can shop online with more confidence.

"This raises the bar significantly, especially if you are doing transactions from a not-so-trusted PC or over the telephone," he said.

nCipher, Barclaycard's technology partner on the card reader project, estimates that between 35 and 40 percent of all credit card losses result from transactions where the cardholder is not present. The card reader has been designed specifically to reduce these losses.

Andrew Kellett, senior research analyst at Butler Group, said as the whole country moves to chip and PIN cards, this system will provide greater security, especially for regular online shoppers.

"It is something that will have a great deal of appeal to regular Internet purchasers. The main benefit is that you never type in your PIN," said Kellett.

nCipher's Carter explained that Mastercard will be enticing merchants to sign up to the new system by offering to relieve them from the burden of being responsible for fraudulent transactions.

"At this moment, merchants are liable for losses. But if they implement the new system -- it’s a software plug-in to the payment system -- they will not be held liable," Carter said.

Dave Taylor, senior product manager at Barclaycard, said he hopes the new system will open e-commerce to users who were previously put off because of security concerns.

"Allowing for the secure authentication of our cardholders from wherever they happen to be breaks down critical barriers to e-commerce, making the shopping experience both more secure and convenient for consumers," Taylor said.