While one of the leading banks has decided to trial two-factor authentication for online payments, others are being more cautious. Barclays plan to trial a two-factor authentication device for Internet payments next year, based on the standard template for debit cards that was recently proposed by the Association of Payment and Clearing Systems (APACS), the bank said this week.
Barclays' move follows the announcement by Lloyds TSB last week that it was trialling an online payment system based on smart tokens.
"We will be undertaking larger-scale pilots next year based on Chip-and-PIN technology utilising a card reader and the customer's debit card," David Mitchell, director of electronic banking for Barclays, said in a statement.
MasterCard Barclaycard was involved in a credit card chip and PIN trial earlier this year, called the Chip Authentication Programme. "The trial targeted approximately 5000 MasterCard Barclaycard cardholders using their chip cards and a handheld reader to authenticate themselves for Internet payment," Mitchell said.
That device worked by the customer inserting their card into a reader and then entering their normal PIN, the one used at the point of sale or cash point, Mitchell said. The card validated the PIN and produced a one-time number, which was displayed on the reader and could be verified by the card issuer's system. The customer was able to enter the number on the Internet, over the phone, or use it to log on to Internet or telephone banking, Mitchell said.
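The flow Mitchell describes (PIN checked by the card, a one-time number shown on the reader, verification by the issuer) can be modelled as below. This is an added example, not the APACS or Barclays algorithm, which the article does not specify: it substitutes the public HOTP construction (RFC 4226), and the class names, 8-digit length, retry limit and look-ahead window are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # assumed length of the number shown on the reader


def one_time_code(key: bytes, counter: int) -> str:
    """HOTP-style (RFC 4226) code: truncated HMAC-SHA1 over the counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Card:
    """Chip card: holds the key, checks the PIN itself, counts each use."""

    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin, self._max = key, pin, max_tries
        self._counter, self._tries_left = 0, max_tries

    def generate(self, pin: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("PIN blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max
        self._counter += 1  # every code is bound to a fresh counter value
        return one_time_code(self._key, self._counter)


class Issuer:
    """Issuer side: shares the card key and remembers the last counter used."""

    def __init__(self, key: bytes, window: int = 5):
        self._key, self._window, self._last = key, window, 0

    def verify(self, code: str) -> bool:
        # Only counters ahead of the last accepted one are tried, so a
        # captured code cannot be replayed; the window tolerates codes the
        # customer generated but never submitted.
        for c in range(self._last + 1, self._last + 1 + self._window):
            if hmac.compare_digest(code.encode(), one_time_code(self._key, c).encode()):
                self._last = c
                return True
        return False
```

The property worth noting for the "snooping" concern raised in the comments: a number observed in transit is useless once the issuer has accepted it, because verification only moves forward through counter values.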
NatWest, however, has no plans to trial a consumer chip and PIN reader. "NatWest has no current plans to change our existing procedures," a spokesperson for the company said. This is because NatWest believes its existing online procedures are "robust". NatWest are also, however, "working closely with APACS on the authentication standard".
APACS last year reported UK losses to online fraud across the banking industry as being £12m.
"The strategic authentication device for the UK industry is based on Chip-and-PIN technology which in itself is relatively new," said Barclays' Mitchell. "The industry standard chip algorithm for authentication has already been agreed and we are working with APACS on the card reader standard which should be agreed shortly."
NatWest stands by the view that its authentication is strong enough already. "We have every confidence in the procedures we have at the moment. Our procedures are strong and very secure," the spokesperson said. "You can usually find statistics for any argument."






Talkback
I have a NatWest online account and I believe it is more secure than the other banks currently.
NatWest use a few passwords, but crucially one of them only asks for a random subset of the characters of the password. This way if this is snooped, the snooper hasn't got all of the password.
Lloyds TSB have been doing that for a couple of years now. You get through the usual ID and password page, then comes a personal, self-chosen, memorable word, from which they ask for 3 selections of letters or figures taken at random and selected from drop-down lists.
Maybe nothing is foolproof, but this takes a lot of beating, in my view.
NatWest require a customer number/birthdate combination, a PIN number with variable selected digits and a password with variable selected alphanumerics for full access. Some of this has to be repeated in order to transfer money outside.
This is much tougher than Barclays ibank access, which simply requires a customer number, surname and 5-digit PIN for full access and transfer outside. Barclays have recently restricted online payments to external accounts to £1K a day, clearly in response to fraud.
Correction to Barclays ibank access method:
They do require variable selections from your "memorable word" in addition to what I mentioned previously.