Friday, 28 October 2011

Online banking security: Good for you or your bank?

When banks implement new online banking security measures they have a problem.

They have to persuade customers that the often inconvenient new ways of accessing their accounts are actually for their own benefit. They do that by claiming that the new ways of doing things make your money safer, which is surely for your own good.

First let's look at chip authentication programmes, one of which is Barclays Bank's PINsentry (from 2007). Another is Nationwide's Card Reader (from 2008).

If you have an account with either of these banks you'll receive a device that looks a little bit like the reader you see in high street retail outlets. You put your card into the slot, type your PIN and the transaction is authenticated.

This makes complete sense when paying for goods in a supermarket because, with the best will in the world, the average till operator is not really qualified to compare your signature on a receipt with the one on the card, as used to happen in the 'old days'.

However, when banking customers have to use these devices to access their online bank account from home, it becomes an inconvenience. Instead of just booting up the laptop, you need to find your card and your reader. If you are travelling then you're probably going to be unable to access your account at all. 

But surely, if these readers make your money safer, they are a good thing? Firstly, your money is safe, in that the bank has to refund you any losses made (as long as you've not been really careless with your banking details).

Secondly, throwing extra levels of technology at the problem does not necessarily make it safer. Let's take the example of a regular traveller. They will have to take their card reader with them if they want to access their accounts online. So what's to stop a mugger grabbing this device, along with the wallet and laptop?

Card readers can even be used by muggers to prove whether a victim is lying about their PIN, which is convenient for the bad guy but not so great for the bank's unfortunate customer.

Things get even darker, though, when we look deeper into the security provided by these card readers. There are weaknesses in the protocol that they use. There is a fascinating paper on the subject by Saar Drimer, Steven J. Murdoch, and Ross Anderson. It is available from the University of Cambridge's website.

Just to lighten the mood, when Barclays launched PINsentry I was asked to participate in a promotional video. To be clear, I received no payment for this and I even pointed out the problems with using card readers at the time. I can't imagine why they did not include my points in the advert below...