The announcement came in an interview between director of online
banking Barnaby Davis and Computing magazine last week. Barclays is
expected to be the first bank to apply a new standard from UK
payments association Apacs.
Last year, Apacs issued guidance to banks that called for
stronger security. "In view of the growing incidence of Trojans and
phishing attacks directed at internet users, banks are recommended
to move towards stronger authentication for their online banking
customers," it said.
The association worked with a number of banks to develop a
standard for devices that can read chip and PIN cards to better
secure online banking and e-commerce. The customer inserts his card
into a reader (which is not connected to his PC). The device will
generate a unique 12-digit number that the customer enters on his
keyboard.
Barclays spokesperson Elizabeth Holloway told OUT-LAW that its
plans are at an early stage: while the intention is to follow the
Apacs standard, the date of deployment in 2007 is undecided, as is
the supplier of the card readers. Customers will not be charged for
the supply of readers.
Holloway said Barclays already offers free anti-virus software
to its online banking customers. It also sends SMS text messages to
a customer's mobile phone when a third-party payment is set up on
his account. If the customer did not authorise the payment, it
suggests a fraudster has compromised his account – and he can
contact Barclays immediately – as opposed to the common practice of
only identifying and reporting suspicious activity when it appears
on end-of-month statements.
A customer report received the same day or the following day in
response to an SMS alert may be quick enough for the bank to block
the transfer – although transfer times will depend on the
destination account – but it also facilitates faster
investigation.
Barclays will refund customers who lose money from their
accounts through no fault of their own. Asked if the bank refunds
victims of phishing attacks who revealed their security details to
a fraudster, Holloway indicated that the professionalism of a
particular attack will be relevant and each instance would be
judged on a "case by case" basis. Barclays does not disclose how
many of its customers have suffered such attacks.
Apacs spokesman Mark Bowerman said the Barclays card reader
could be the first solution to market that conforms to its
standard. Apacs does not know of any other banks currently
deploying its standard. He noted that Lloyds TSB introduced a
password-generating token device for 30,000 online banking
customers last October and that Alliance & Leicester account
holders register an image that is displayed on subsequent visits to
reassure users they are on the right site; but neither solution
uses bank cards.
Bowerman said the advantage of the Apacs solution is that any
card reader conforming to the standard will work with any card. "We
have four cards each on average," he said, "so we didn't want
people to have to carry four different readers."
However, many existing cards will not be compatible with the
Apacs standard. It requires a particular script on the chip in the
bank card, meaning some banks will need to issue new cards if they
adopt the standard. Barclays was unable to confirm at the time of
writing whether its customers will need new chip and PIN cards to
use the new technology.