Here in the UK things such as ID-theft and bank fraud are “big news.” It feels like almost every day there is a news item about the government or large organisations losing personal data or a scare about how many people are out there stealing our online banking details. While I have a professional interest in people worrying about information security (and will provide a wonderful consultancy service for a discount if you quote WhyDontYou Blog) I have to say there is more than a small dose of hype and overkill in this.
That said, there is a risk and it is only sensible that people are aware of the potential risks and given the correct advice to mitigate against them.
The important bit is the “correct advice.”
In the UK at least, the Banks are largely responsible for making good any fraudulent use of an account unless they can prove it was the account owners fault. This is a good thing and while the banks will suffer a bit because of some stupid people, the majority of “innocent” victims are protected.
Obviously the banks dont like this. They could take measures to improve their banking security or they could take measures that give a superficial improvement but, on the whole, only shift the burden onto the account holder. Not too long ago, in the UK, if you wanted to buy something with a card you had to sign to prove who you were. The shop owner compared this with the signature on the card and verified your ID – if they were in doubt, they could seek additional documentation. Despite what people think, signatures are hard to forge. This method also forced the shop keeper to physically check the card and read the details.
Despite this, there was still some residual fraudulent activity so the banks changed the process to “Chip and PIN” where you now enter your card into a reader and type in a 4 digit PIN. Wonderful. This is a reasonably secure system but it has a few pitfalls. The most basic is often the shop staff have no contact with the card during the transaction. This means they don’t carry out the basic authentication check of seeing if the person before them is the owner of the card. My wife regularly uses my credit card to shop, because nowhere we go checks that the person in front of them is Mr **** ****** despite it saying that on the front of the card in big letters. This is less important because the 4 digit PIN becomes the safeguard, but basically, it makes it easier to pass of a cloned / fraudently created card – 4 numbers are reasonably easy to find out or, if the card is “created” then they are irrelevant. As far as security goes, this is (largely) marking time. But it does the important task of moving the burden away from the bank.
The latest brainwave the banks have come up with actually annoys me.
Barclays Bank has decided to implement “PINSentry” when you log into their online banking or try to make online payments. Wonderful idea. Well, maybe.
In a nutshell, they have sent everyone a card reader that you use when you log in. To do online banking, you enter your password (etc) as normal, then you have to enter your card into the reader, get an authorisation code and enter that. All well and good – in fact this is a wide scale implementation of a time-worn authorisation system. Previously the entry system was username+password, then a “secret” code. Now the secret code has been replaced by this token generation system.
The problem is that it undermines one of the reasons you do online banking. For me, I like to use online banking from various locations – I often use it from work and if I am travelling. If I were a Barclays’ customer I would now be forced to carry this bloody stupid PINsentry device around with me. Should my bag be stolen, the thief would have my card and the PINsentry, defeating any security improvement it gives.
From the banks point of view, however, it is a good idea. It shifts the burden of blame in the event of a fraudulent transaction. Now you have to prove your PINsentry was compromised, not them having to prove their systems were not compromised.
This is not a good change. It doesn’t really make your transactions any more secure. It just makes you more to blame if something goes wrong. (Even, I suspect, if the bank has sold your details on eBay…)