
Barclays faces protest over clunky PINSentry authentication

Rumblings of discontent among Barclays' customers over the bank’s new PINSentry chip and PIN authentication device for online banking. The device, provided by Dutch vendor Gemalto, is used together with the customer's normal debit card and PIN to authenticate the cardholder’s identity at log-in and for making certain payments.

PINSentry may have a 21st Century name, but it’s the most clunky piece of kit I’ve seen in a long time. As with a merchant Eftpos terminal, users must insert their card into the top of the machine and tap their PINs using the large rubber numbers on the interface. It’s vaguely reminiscent of the early brick-lite hand-held calculators and light-years behind the more elegant keyring-styled random number generators produced by firms like Vasco and issued by HSBC.

And while the device is being issued as part of an effort to protect customers making third party payments under the proposed new Faster Payments regime, Barclays is also insisting that users connect via PINSentry at each log-in to their online account. This has caused a storm of protest among customers, who object to having to lug around PINSentry when they’re on the road and need to access their accounts remotely. One disgruntled user has even started an online petition against the release (you can also see a pic of the kit here).

Worse still, the message is spreading that PINSentry, as with other number-based two-factor authentication systems, is not really that watertight and can be circumvented by man-in-the-middle attacks and other sophisticated Web assaults.

I think it’s back to the drawing board for Barclays – and other banks backing this ill-advised Apacs-approved push to supply online account holders with Chip and PIN-style home banking technology.


Comments: (2)

Paul Penrose - Finextra - London 19 December, 2007, 17:03

Yes, the NatWest device is supplied by Xiring. Both Barclays and NatWest are complying with the broad guidelines agreed by umbrella payments body Apacs for using Chip and PIN online - essentially they've designed an Eftpos terminal for consumer use at home. Fine in theory, but it doesn't play very well with the average online banking consumer, who would typically expect to be able to perform routine transactions while at work or travelling away from home without the hassle of lugging around a card reader every time they leave the house. I'm beginning to think HSBC and Abbey National had the right idea when they decided to go their own way and opted out of the national push for Chip and PIN online.

John Holden - Future I S Consulting Limited - Hindhead 19 December, 2007, 17:26

Barclays has some account products only accessible through Internet banking, and the branch and telephone banking people claim not even to be able to see them. Where PINSentry has to be used for log-in, if anything then goes wrong with the device, the Internet-only accounts become inaccessible until a replacement can be supplied. Not good.