The Barclays PINsentry device will be distributed to 500,000
users
Sophos, a world leader in IT security and control, has welcomed
news that one of the world's largest financial service providers,
Barclays, is to provide chip-and-pin card readers to half a million
customers in the UK. The device should help reduce the risk posed by
spyware and phishing emails that aim to steal login details and
passwords from internet users.
According to a statement by Barclays, customers will be required to
use the handheld 'PINsentry' device to generate a one-time eight
digit passcode that will have to be entered alongside their regular
login information when setting up transactions to new accounts. The
device will only generate a passcode once the user's bank card has
been swiped through it, and the PIN code entered. After two minutes
the passcode expires for security reasons.
Spyware is malicious code that often lies dormant in the
background on infected PCs, waiting for computer users to visit
legitimate online stores or banking websites. Once it notices the
computer has visited an online bank it springs into action,
capturing passwords by logging keypresses and taking screenshots.
This information is then relayed to remote hackers who can use it
to break into the bank accounts of innocent users and steal their
money.
"Including two-factor authentication into the online banking
process is definitely an improvement in security," said Graham Cluley, senior
technology consultant for Sophos. "Keyboard logging spyware and
phishing emails which try to steal your login information just
won't be effective as your passcode keeps changing. This will help
make life harder for the bad guys who are trying to break into your
account."
In late 2005 Lloyds TSB began trialling a token device which
provided online banking customers with a one-time six digit
passcode.
"More and more banks are looking to introduce technology to
better protect their customers and reassure them that online
banking needn't be filled with peril," continued Cluley. "Of
course, all of these solutions cost money for the banks, and
ultimately that expense will be passed on to the customer one way
or another."
"It's also worth pointing out that these chip-and-pin devices do
not prevent all identity theft - hackers can still steal
screenshots of what you are doing on your PC, and find out
information about you and your account which could potentially be
used for fraudulent purposes," added Cluley. "More sophisticated
hackers can even develop 'man-in-the-middle' attacks that sit in
between users and their banks, automatically capturing information
in real-time and potentially sending unauthorized instructions to
the bank while posing as the customer."
A chip-and-pin filled future?
The use of chip-and-pin devices to reduce internet fraud and
phishing raises the prospect of consumers being given multiple
devices by each website and online store with which they
interact.
"At the moment only a small number of online firms are providing
their visitors with two-factor authentication. A concern is that as
more online banks and stores recognise that consumers need better
protection when they log onto websites they may all produce their
own chip-and-pin devices," explained Cluley. "It may not be long
before desks are covered in a mountain of chip-and-pin devices, one
for every site you log onto! Ideally you would only need one
authentication device to access all of your favourite sites, but
that would be a huge logistical problem for online businesses to
manage."
The rise of identity theft
Phishing and identity theft have grown hugely as a problem in
recent years, as criminals have recognized the potential for
stealing large amounts of money. In February Sophos
reported how Turkish police had arrested 17 members of a gang
suspected of breaking into online bank accounts and stealing
$300,000 from internet users. The group is alleged to have worked
alongside three Russian hackers, who provided them with banking
usernames and passwords stolen through spyware.
Sophos continues to recommend that computer users ensure their
anti-virus software is up-to-date, and that companies protect
themselves with a consolidated solution
which can defend them from the threats of viruses, hackers, spyware
and spam.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.