The news that users of Barclays' PINSentry device have experienced zero fraud is a powerful endorsement of Remote Chip Authentication (RCA) and an important milestone in the adoption of this approach for secure online banking and payments.
As someone who's worked on this solution for many years in the form of MasterCard's CAP (Chip Authentication Program - Visa use the term Dynamic Password Authentication or DPA), allow me to reiterate the advantages:
- High security based on strong, two-factor authentication - Barclays' experience says it all.
- Cost-effectiveness - not only through reduced fraud but also because consumers only need to remember their PIN, which significantly reduces call centre costs.
- Coherence - Use of a secure chip card and a secret PIN is a natural, easy-to-understand extension of what consumers already do at the physical point of sale and at ATMs.
- A long term, strategic solution - RCA can be naturally extended to tackle future threats.
Two important notes on this last point:
- The article mentions a perceived vulnerability to Man-In-The-Middle attacks. In fact, such attacks can be prevented by using RCA in Transaction Data Signing mode. The one-time-passcode is generated using additional data - typically the payment amount and the account number of the beneficiary - and any attempt to change these values is immediately detected. ABN AMRO already use this approach for high value transfers.
- RCA was designed from the outset to be extended to secure e-commerce. The way this works is that the one-time-password is treated as a MasterCard SecureCode or Verified by Visa code at merchants participating in these 3D Secure schemes, with the important advantages that the code is no longer static, and so more secure (and suitable for use over the telephone), and only the PIN needs to be remembered. Many banks are preparing to use RCA with 3D Secure in this way and this promises to be an important step forward in the fight against card-not-present fraud.
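To make the Transaction Data Signing point concrete, here is an added illustration (not the CAP/DPA specification, and not code from MasterCard or any bank) of why binding the one-time-passcode to the amount and beneficiary defeats a Man-In-The-Middle. It assumes a simplified HMAC-SHA256 construction with a constructed demo key standing in for the per-card secret; real CAP uses the card's EMV cryptogram generation, but the binding principle is the same.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption): stands in for the per-card secret that never leaves the chip.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DIGITS = 8  # length of the decimal code the customer types into the web form


def canonical_transaction(challenge: str, amount_pence: int, beneficiary: str) -> bytes:
    """Fixed encoding of the data the card signs; card and bank must agree on it exactly."""
    return f"{challenge}|{amount_pence}|{beneficiary}".encode()


def card_sign(key: bytes, challenge: str, amount_pence: int, beneficiary: str) -> str:
    """What the card/reader does in signing mode: MAC the bank's challenge together with
    the amount and beneficiary, then truncate to a short code (HOTP-style truncation)."""
    mac = hmac.new(key, canonical_transaction(challenge, amount_pence, beneficiary),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def bank_verify(key: bytes, challenge: str, amount_pence: int, beneficiary: str, code: str) -> bool:
    """Bank recomputes the code over the transaction it is about to execute.
    If a MITM altered the amount or beneficiary in transit, the recomputation differs."""
    expected = card_sign(key, challenge, amount_pence, beneficiary)
    return hmac.compare_digest(expected, code)


def mitm_demo() -> dict:
    """Customer signs a £12.50 transfer; a MITM swaps the beneficiary before it reaches the bank."""
    challenge = secrets.token_hex(4)        # fresh per-transaction challenge prevents replay
    legitimate = (1250, "12345678")         # constructed sample: amount in pence, beneficiary account
    tampered = (1250, "99999999")           # same amount, beneficiary replaced in transit
    code = card_sign(CARD_KEY, challenge, *legitimate)
    return {
        "legitimate_accepted": bank_verify(CARD_KEY, challenge, *legitimate, code),
        "tampered_rejected": not bank_verify(CARD_KEY, challenge, *tampered, code),
    }


if __name__ == "__main__":
    print(mitm_demo())
```

A plain challenge-response code (no transaction data in the MAC) would verify for both transfers, which is exactly the MITM gap the signing mode closes.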
Finally there is the criticism that the RCA device is "clunky" and unsuitable for use when "on the road". A number of points here. Firstly, the PINSentry device was specifically designed to be easy to use by the visually impaired - you can't have it both ways. Secondly, if you do want to use a small, portable key-fob like device, then there are several on the market. Thirdly, the secret is in the card not the reader - you can have one reader at home or another in the office, or just borrow someone else's. Fourthly, MasterCard has developed prototypes where the mobile phone is used instead of a reader - watch this space.