
Online Banking Card Readers: no more room in the suitcase

Preparing for my latest overseas business trip, my online banking readers and tokens have been proudly promoted to the final mandatory check for travel along with... passport? ticket? cash? credit card? I'm gathering quite a collection of them now, and given the amount of airmiles they're undertaking I'm considering giving them their own loyalty card with their favourite airlines.

In all seriousness - what a pain!

Then I read with great interest that Mr Ross Anderson and his colleagues at Cambridge University found weaknesses when they reverse engineered card readers from Barclays and NatWest. I guess it's no surprise to the majority of us. The true impact of the findings is, of course, the burning question we all want answered.

Access the paper here: http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

Whilst the success in preventing online fraud from spiralling out of control over the past couple of years will no doubt be attributed to the gadget, and I'm fully supportive of the initiative (having been involved in it), I've yet to be asked to verify myself with it over the phone when I spend, or when I service any of my various financial relationships with these organisations. I was amazed at the various security questions, reminders, passwords, PINs and code combinations I was expected to provide in response to a request to change an address, whilst all the time the card reader sat relatively unused in the bag!

As a great boss once told me... never criticise; criticise and provide a solution.

So maybe I'll go and pop into my local branch instead so they can check my signature against the sample they took from me 15 years ago.


Comments: (2)

Stephen Wilson - Lockstep Consulting - Sydney, 05 March, 2009, 19:06

One time password tokens are understandably native/proprietary and divergent. But I don't get why the unconnected card readers don't interoperate with all EMV cards. Are there variations in the CAP implementation that mean Visa cards don't work in MasterCard issuers' readers?

[The Cambridge boys have grabbed headlines once again, but the moral of their findings is really that security devices need careful engineering, not that "Chip and PIN is broken".]

Isn't it time we took the next step, and advanced from unconnected readers (where there is clearly no imperative for interoperability) to connected readers where, like ATM and EFTPOS, the one reader would be expected to accommodate all cards?

I note that integrated smartcard readers are getting more widespread once again, probably in response to the fact that there are 1000 million EMV cards around the world, and at least 200 million government and health smartcards. Dell even has a laptop now with both contact and contactless readers!

And here's a funny story about someone who didn't even notice that his laptop had a reader built in.

Connected readers remain a bugbear, but for no good reason. It's a simple matter of supply and demand. In 2003, most major laptop vendors (including Dell, Acer and Compaq) released product with built-in smartcard readers, in response to announcements from Bill Gates that Microsoft was committed to chips. That wave of interest turned out to be premature, applications didn't materialise, and the vendors took the readers out in favour of other features. Yet the clear lesson is it doesn't take much of a trigger for laptop makers to provide smartcard readers.

If just one large financial institution was to commit to connected readers -- for all the inherent and unique benefits you get from proper signing of transactions -- then it's likely that built-in readers will quickly become standard, and we'd be on the way to getting rid of all the special gadgets. 

Grant McNicoll - Dundee, 06 March, 2009, 08:36

You're right about these being a pain. However, I have one from the RBS, one from the Nationwide, and my wife has one from another bank. I can use any reader with any card and it works. So, if I'm away from home I need only pack one, and lighten the load.
