Rumblings of discontent among Barclays customers over the bank’s new PINSentry chip and PIN authentication device for online banking. The device, provided by Dutch vendor Gemalto, is used together with the customer's normal debit card and PIN to authenticate the cardholder’s identity at login and for making certain payments.
PINSentry may have a 21st Century name, but it’s the most clunky piece of kit I’ve seen in a long time. As with a merchant Eftpos terminal, users must insert their card into the top of the machine and tap their PINs using the large rubber numbers on the interface. It’s vaguely reminiscent of the early brick-lite hand-held calculators and light-years behind the more elegant keyring-styled random number generators produced by firms like Vasco and issued by HSBC.
And while the device is being issued as part of an effort to protect customers making third party payments under the proposed new Faster Payments regime, Barclays is also insisting that users connect via PINSentry at each log-in to their online account.
This has caused a storm of protest among customers, who object to having to lug around PINSentry when they’re on the road and need to access their accounts remotely. One disgruntled user has even started an online petition against the release (you can also see a pic of the kit here).
Worse still, the message is spreading that PINSentry, as with other number-based two-factor authentication systems, is not really that watertight and can be circumvented by man-in-the-middle attacks and other sophisticated Web assaults.
I think it’s back to the drawing board for Barclays – and other banks backing this ill-advised Apacs-approved push to supply online account holders with Chip and PIN-style home banking technology.