Computer Crime Research Center


Internet banking: security

Date: May 21, 2007
By: Ali Hussain

MILLIONS of customers will from this summer be required to use hand-held chip-and-pin readers to make online transactions at home as banks gear up to tackle the rapid rise in internet fraud.

All the big four high-street banks except HSBC are to demand that online customers use “chip-and-pin at home” devices to identify themselves before moving money out of their accounts.

Up to 6m of the calculator-style devices will be sent, free of charge, to customers over the next six months, in what is seen as the biggest change to personal banking since chip and pin replaced signatures at checkouts in February 2006.

Banks hope the devices will add an extra layer of security because they will generate an additional log-in without connecting to a computer or the internet.

This will make it harder for fraudsters to perpetrate scams such as “key logging”, where virus software records every keystroke, including access codes.

Online banking fraud rose by 44% last year to £33.5m, according to the payment association Apacs. Internet shopping fraud amounted to £155m.

With most banks, users will need to insert their debit or credit cards into the devices to generate the additional log-in. Lloyds TSB, however, will introduce a different device.

Here we answer your questions.

When will I get one?

Account holders at Barclays, NatWest and Nationwide are likely to be the first to receive the devices starting from this summer. Other banks are likely to follow suit before the end of the year.

Small-business customers will be the first to be offered the devices and then those who make frequent online payments. Other internet-account holders will receive the devices before the end of the year. Customers will be informed in the next few weeks about the plans.

Nationwide said it had already started sending out the devices to its most loyal internet customers who make regular online payments.

Barclays said it would post 500,000 machines to customers in its initial roll-out, but added that it would issue the device to anyone who requests one.

How will it work?

You will log on to your bank’s website in the usual way, and key in your identification number and password as normal.

To make certain internet transactions, however, users will then need to insert their credit or debit card into the device, and then enter their pin number. The device will generate a random, eight-digit number, which will have to be typed in before the transaction is authorised. The device will create a new number for each transaction.

The bank knows from its central computer which numbers will be produced, and the order in which they will be generated, so there is no need for the device to connect to the internet.

Will I need to use it for every transaction?

No. Balance inquiries, and payments to “known and trusted” big firms, will still be possible without using the devices during the first stages of the roll-out.

However, if you set up a new payment or a direct debit to a third party, you will have to use the device.

Your bank’s website will tell you if a particular transaction requires the additional authorisation.

Is it safe?

The system’s designers say the big security breakthrough is that the device generates a new random number for every transaction with no contact between your computer and the card reader.

Currently you need a mix of passwords and user-identification numbers to get into your account. Fraudsters can read them when you type them in using a method known as “key logging”. This traces each stroke made on a keyboard if the PC is linked to the internet.

Because your passwords and numbers stay the same all the time, criminals are therefore able to use them fraudulently once they have read your keys.

The home chip-and-pin machine is set up to avoid this.

Fraudsters will still be able to read your keys when you input the new eight-digit number, but they would have to use it in the split second before your transaction was authorised because your next payment would require a different number.
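The behaviour described under “How will it work?” and “Is it safe?” can be sketched in code: a device and a bank that share a secret and a counter agree on each code without any connection, and a code captured by a key logger is refused once it has been used. This is an added example, not part of the original article or any bank's implementation; the article does not name the algorithm, so it assumes a counter-based one-time password (HOTP, RFC 4226), a constructed secret, and the hypothetical names CardReader, BankVerifier and LOOK_AHEAD.

```python
import hashlib
import hmac
import struct

DIGITS = 8       # the article describes eight-digit codes
LOOK_AHEAD = 3   # assumption: tolerate codes generated but never submitted

def one_time_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CardReader:
    """Offline device: holds the shared secret and a transaction counter."""
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def next_code(self) -> str:
        code = one_time_code(self._secret, self._counter)
        self._counter += 1
        return code

class BankVerifier:
    """Server side: tracks the next counter it expects from this customer."""
    def __init__(self, secret: bytes):
        self._secret, self._expected = secret, 0

    def verify(self, submitted: str) -> bool:
        # Only the expected counter and a small window ahead are acceptable.
        for c in range(self._expected, self._expected + LOOK_AHEAD + 1):
            if hmac.compare_digest(one_time_code(self._secret, c), submitted):
                self._expected = c + 1   # burn this code and all earlier ones
                return True
        return False

def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample key
    reader, bank = CardReader(secret), BankVerifier(secret)
    first = reader.next_code()
    results = {"first_accepted": bank.verify(first)}
    results["replay_accepted"] = bank.verify(first)   # key-logged code reused
    reader.next_code()                                 # generated, never sent
    results["after_skip_accepted"] = bank.verify(reader.next_code())
    return results
```

The look-ahead window is what lets the bank stay in step when a customer generates a code and abandons the transaction; keeping it small limits how many codes are valid at any moment.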

Are the devices portable?

They are powered by a small watch-style battery that should last for five to seven years, so you won’t have to plug it in or recharge it. Replacements will be available, free of charge, from the banks.

Which banks won’t be introducing it?

As there is no statutory requirement for banks to introduce the devices, many, such as Abbey and Halifax Bank of Scotland, have decided to wait and see how the new technology will affect online fraud before making any definite plans to introduce the devices.

An HBOS spokesman said the banking group may introduce a “more mobile and unobtrusive” system in the autumn.

HSBC and its sister bank First Direct have no current plans to introduce the devices.

Will fraud liability shift if a device is not used?

Transactions that do not require the chip-and-pin device will continue to be covered by the Banking Code, which states that a victim is not liable unless the bank can prove they were involved in the fraud.

What about the Lloyds device?

Lloyds TSB customers will be sent a key-ring style device with an inbuilt chip. This will produce a random number without the need to insert a chip-and-pin card. Lloyds said it had tested its device for the past 18 months with 23,500 customers, and that nobody using the device had experienced fraud. It added that 95% of customers rated it as easy to use.

Will the new devices make online transactions any faster?

The introduction of chip and pin at home will coincide later this year with an industry-wide “faster payments” scheme. This will reduce the current payment clearing times of three to five days to almost instantaneous transfers.