Card Reader arrives from NatWest

NatWest, my bank here in good ole England, has seen fit to beef up security for some aspects of internet banking by moving to Strong Authentication.  Unfortunately, they don’t seem to have done the PR on this move as well as they might have hoped.  Most of the reaction I’ve read on the net so far has been from people who are annoyed.

Strong Authentication, or multi-factor authentication, is widely considered significantly more secure than using a single factor.  A factor in this case is something that identifies a person, and factors are usually classified as 1) things a person knows, like a password or PIN, 2) things a person has, such as a bank card or a keyfob built for this purpose, and 3) things a person is or does, like a retinal scan or a fingerprint.  So online banking that only required the user to enter a username/password combination relied on a single factor (both are things you know), whereas the ATM uses strong authentication, since the user is required both to have their bank card and to know their PIN.

The Smart Card Reader NatWest sent me today.

So NatWest (and I guess other RBS banks?) are sending that ATM-style authentication home to users by sending each one a small calculator-like card reader for use with their bank card.  It works pretty much exactly like the card readers in the grocery store, except that the website gives you a code to type into the reader, and the reader then gives you a code to type into the website.  I, for one, am pleasantly geeked-out to use it, and glad to see NatWest taking the security of online banking seriously by putting so much money and effort into getting it out to users.

I don’t think they’ve done a particularly good job so far of allaying people’s concerns.  Lots of comments on blog posts bemoan the fact that they’ll have to carry the damn thing around with them.  No, you won’t: you’ll only need it to make a payment online to someone you’ve never paid before.  The readers are also entirely identical (the secret is in the card, not the reader), meaning you can borrow your cubemate’s reader if he keeps his at work and you keep yours at home.  But I’ve heard rumours that the big reason NatWest is beefing up security is that they’ll be cutting down the delay between making a payment and the recipient getting credited.  It’s now about 3 working days, and apparently the plan is to make it happen in seconds.  If true, that’s a really important new feature that NatWest could use as a way to introduce the readers:  “We’re working faster to process your payments, but that also means we need to increase security.”

Finally, since the reader is just a standard thing (readers from other banks will apparently work too), I’m hoping either they’ll release software that works with laptop smartcard readers, or someone hacks it together.  The security is in the microchip on the card, so making the reader as widely available as possible shouldn’t undermine the system, with one caveat: the standalone reader also keeps your PIN off the PC, and a software reader would hand the PIN, and the ability to drive the card, to whatever happens to be running on that machine.
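To make the exchange described above concrete, here is a simplified Python model of a card-reader challenge/response.  It is an added illustration, not code from this post and not NatWest's or the card scheme's actual algorithm (which the post does not describe).  The per-card key and PIN live only inside the Card object (standing in for the chip); the reader is just a keypad and display, which is why any reader works; and the bank holds a copy of the key and recomputes each code rather than merely checking that a number looks "plausible", a question raised in the comments below.  HMAC-SHA256, the HOTP-style truncation to 8 digits, the 3-try limits, the 10-step counter window, and the sample key and PIN are all assumptions of the example.

```python
"""Simplified card-reader challenge/response model (added illustration,
NOT the real EMV/CAP algorithm).  Key and PIN stay inside Card; Bank holds
a copy of the key and recomputes every code it is asked to accept."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

CODE_DIGITS = 8        # assumption: 8-digit codes, as the comments mention
MAX_PIN_TRIES = 3      # assumption: the chip blocks after 3 wrong PINs
MAX_ONLINE_TRIES = 3   # assumption: the bank locks after 3 wrong codes


def truncate_to_digits(mac: bytes, digits: int = CODE_DIGITS) -> str:
    """HOTP-style (RFC 4226) dynamic truncation of a MAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def compute_code(key: bytes, counter: int, challenge: str) -> str:
    """Code over (transaction counter, challenge); HMAC-SHA256 stands in
    for the card's real MAC (assumption)."""
    msg = f"{counter}|{challenge}".encode()
    return truncate_to_digits(hmac.new(key, msg, hashlib.sha256).digest())


class Card:
    """The chip: takes a PIN and a challenge, emits a code, never the key."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        self._pin = pin
        self.counter = 0           # like EMV's application transaction counter
        self.pin_tries_left = MAX_PIN_TRIES

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if self.pin_tries_left == 0:
            return None                         # card is blocked
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            return None                         # reader shows an error, no code
        self.pin_tries_left = MAX_PIN_TRIES
        self.counter += 1
        return compute_code(self._key, self.counter, challenge)


class Bank:
    """Issues cards, hands out challenges, verifies codes with its key copy."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._counters: Dict[str, int] = {}
        self._pending: Dict[str, str] = {}
        self._failed: Dict[str, int] = {}

    def issue_card(self, card_id: str, pin: str, key: Optional[bytes] = None) -> Card:
        key = key or secrets.token_bytes(16)
        self._keys[card_id] = key
        self._counters[card_id] = 0
        self._failed[card_id] = 0
        return Card(key, pin)

    def new_challenge(self, card_id: str) -> str:
        """Fresh 8-digit challenge the website shows the customer."""
        challenge = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[card_id] = challenge
        return challenge

    def verify(self, card_id: str, code: str, window: int = 10) -> bool:
        """Accept a code only for the outstanding challenge and a counter just
        ahead of the last one seen (codes generated but never typed in still
        advance the card's counter)."""
        if self._failed[card_id] >= MAX_ONLINE_TRIES:
            return False                        # locked: customer must call
        challenge = self._pending.pop(card_id, None)
        if challenge is None:
            return False                        # nothing outstanding: replay
        last = self._counters[card_id]
        for ctr in range(last + 1, last + 1 + window):
            expected = compute_code(self._keys[card_id], ctr, challenge)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._counters[card_id] = ctr
                self._failed[card_id] = 0
                return True
        self._failed[card_id] += 1
        return False


def demo() -> Dict[str, bool]:
    """Run the exchange with a constructed card (sample key and PIN)."""
    bank, cid, out = Bank(), "card-0001", {}
    card = bank.issue_card(cid, pin="1234", key=bytes(range(16)))  # constructed

    code = card.respond("1234", bank.new_challenge(cid))
    out["genuine_accepted"] = bank.verify(cid, code)
    out["replay_rejected"] = not bank.verify(cid, code)  # challenge consumed

    card.respond("1234", bank.new_challenge(cid))         # generated, never typed in
    code = card.respond("1234", bank.new_challenge(cid))
    out["unsubmitted_code_tolerated"] = bank.verify(cid, code)

    out["wrong_pin_gives_no_code"] = card.respond("0000", bank.new_challenge(cid)) is None

    for _ in range(MAX_ONLINE_TRIES):                     # attacker guessing codes
        good = card.respond("1234", bank.new_challenge(cid))
        bank.verify(cid, good[:-1] + str((int(good[-1]) + 1) % 10))  # wrong digit
    code = card.respond("1234", bank.new_challenge(cid))
    out["locked_after_guesses"] = not bank.verify(cid, code)
    return out
```

Running `demo()` walks through a genuine login, a replayed code, a code the customer generated but never typed in, a wrong PIN, and a burst of guessed codes.  The point of the last case is the one a practitioner cares about: even though any 8-digit number "could plausibly" come from some card, a guess against a specific card succeeds with probability about 1 in 10^8 per attempt, and the bank can stop counting after three.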

4 Responses to “Card Reader arrives from NatWest”

  1. PayPal drops fees for personal payments (UK) « Buhjillions Says:

    […] PayPal drops fees for personal payments (UK) June 13, 2008 — Spike PayPal just sent me an email saying that starting July 9th, they’ll stop charging for “Personal Payments” if they are funded from a bank account (i.e. not a credit/debit card).  I’m guessing this is an attempt to cut into the market share that online banking gets for making these types of payments.  It may also be a direct response to the move by banks to make these transfers instant (see post on card readers). […]

  2. Ronald Says:

    Barclays introduced this around the same time I’d guess.

    It annoyed me, yes: the stated premise was to increase security and prevent fraud.
    I don’t think it’s been successful in that.

    In the past I would frequently check my account online (securely).

    Now I am required to use the card-reader to log in even to check my details, the result being that I check on my account far less frequently.
    Rather than being able to check what’s going on with my account instantly, I now have to find my card and card-reader and hook them up, taking a good few minutes (so I’m far less inclined to bother). Realistically this makes my account far less secure to e.g. Cardholder Not Present fraud.

    And why does my credit card (provided by the same bank) not require this extra level of security?  It wouldn’t cost them any more to set up, since I already have the compatible reader.

    The method of generating “identify”ing 8-digit numbers doesn’t seem at all secure. Each time I put my card into the reader, a new 8-digit number is generated.
    Presumably this doesn’t identify my card at all – it merely identifies that I’ve typed a number that my card could plausibly ever create.
    How difficult is it to guess such a plausible number?

    On my card reader, I generally only press the buttons that correspond to my PIN. Assuming you can identify these buttons that are significantly more frequently used on my card reader, you can easily guess my PIN.
    I won’t, therefore, keep my card reader with my card.

    BUT The worst sin of banking security is when they call me up and then ask ME to confirm my security details! You just called me! Therefore you have reason to trust me but I have no reason to trust you are who you say you are – if this is genuinely for security purposes, it should be me asking the questions.
    And still I am supposed to give away my private info to someone who calls up and claims to be from the Bank? That’s the worst security system ever.

    • Smart Person Says:

      Wow. Just wow. I cannot believe you didn’t research just a tiny bit into OTP (One Time Passwords). It uses your card and an algorithm to identify that you are the card owner. The algorithm is known to the banks, too, so they can generate, at the same time, whether this is identifiable or not. It’s not just a plausible 8 digit number, it’s a number derived from the encrypted patterns on the card. You would still login normally, but you would be able to verify your identity with transactions that seem unusual to your bank account.

      • Ronald Says:

        Wow. You totally blew away each of my points, by pointing out something that I clearly already knew. Well done.

        If you had done your own research, you’d have found that since I made this comment almost a year ago, CAP has been shown to offer no security at all. Oh well.

