
Barclays hops on to the two-factor authentication bandwagon

Barclays has announced plans to offer a PINsentry card reader and two-factor authentication device to its retail banking customers in the UK.

This is the first wide-scale launch of two-factor authentication to consumer customers of a UK retail bank and, I'll wager, will be followed by other banks in the months ahead.

And now I'm going to be cynical (well, you know me) and say that, once most Barclays punters have a reader system, Barclays will turn round and say that phishing is no longer possible, and that any customer that gets ripped online has released their details themselves.

Graham Cluley, Sophos senior technology consultant (fx: doffs cap in the presence of IT security royalty -Ed), also appears a bit skeptical about Barclays' move, as he points out that the PINsentry units will not prevent all forms of identity theft.

Spyware, he cautions, can still steal screenshots of what bank customers are doing online, and can capture account information to use for fraudulent purposes.

"More sophisticated hackers can even develop 'man-in-the-middle' attacks that sit in between users and their banks, automatically capturing information in real-time and sending unauthorised instructions to the bank posing as the customer," he said.

Cluley also warns about different sites using different two-factor authentication devices.

"It may not be long before desks are covered in a mountain of chip-and-pin devices, one for every site you log onto," he said, adding that, ideally, you would only need one authentication device to access all of your favourite sites, but that would be a huge logistical problem for online businesses to manage....