18 April 2007

Barclays chip-and-pin devices will reduce - but not eliminate - risk of fraud

Sophos welcomes banks tightening online security, but users warned of continuing risks

The Barclays PINsentry device will be distributed to 500,000 users

Sophos, a world leader in IT security and control, has welcomed news that one of the world's largest financial service providers, Barclays, is to provide chip-and-pin card readers to half a million customers in the UK. The device should help reduce the risk posed by spyware and phishing emails that aim to steal login details and passwords from internet users.

According to a statement by Barclays, customers will be required to use the handheld 'PINsentry' device to generate a one-time eight-digit passcode that will have to be entered alongside their regular login information when setting up transactions to new accounts. The device will only generate a passcode once the user's bank card has been swiped through it and the PIN code entered. After two minutes the passcode expires for security reasons.

Spyware is malicious code that often lies dormant in the background on infected PCs, waiting for computer users to visit legitimate online stores or banking websites. Once it notices the computer has visited an online bank it springs into action, capturing passwords by logging keypresses and taking screenshots. This information is then relayed to remote hackers who can use it to break into the bank accounts of innocent users and steal their money.

"Including two-factor authentication into the online banking process is definitely an improvement in security," said Graham Cluley, senior technology consultant for Sophos. "Keyboard logging spyware and phishing emails which try to steal your login information just won't be effective as your passcode keeps changing. This will help make life harder for the bad guys who are trying to break into your account."

In late 2005 Lloyds TSB began trialling a token device which provided online banking customers with a one-time six-digit passcode.

"More and more banks are looking to introduce technology to better protect their customers and reassure them that online banking needn't be filled with peril," continued Cluley. "Of course, all of these solutions cost money for the banks, and ultimately that expense will be passed on to the customer one way or another."

"It's also worth pointing out that these chip-and-pin devices do not prevent all identity theft - hackers can still steal screenshots of what you are doing on your PC, and find out information about you and your account which could potentially be used for fraudulent purposes," added Cluley. "More sophisticated hackers can even develop 'man-in-the-middle' attacks that sit in between users and their banks, automatically capturing information in real-time and potentially sending unauthorized instructions to the bank while posing as the customer."

A chip-and-pin filled future?

The use of chip-and-pin devices to reduce internet fraud and phishing raises the prospect of consumers being given multiple devices by each website and online store with which they interact.

"At the moment only a small number of online firms are providing their visitors with two-factor authentication. A concern is that as more online banks and stores recognise that consumers need better protection when they log onto websites they may all produce their own chip-and-pin devices," explained Cluley. "It may not be long before desks are covered in a mountain of chip-and-pin devices, one for every site you log onto! Ideally you would only need one authentication device to access all of your favourite sites, but that would be a huge logistical problem for online businesses to manage."

The rise of identity theft

Phishing and identity theft have grown hugely as a problem in recent years, as criminals have recognized the potential for stealing large amounts of money. In February Sophos reported how Turkish police had arrested 17 members of a gang suspected of breaking into online bank accounts and stealing $300,000 from internet users. The group is alleged to have worked alongside three Russian hackers, who provided them with banking usernames and passwords stolen through spyware.

Sophos continues to recommend that computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of viruses, hackers, spyware and spam.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.