Nationwide, the veteran high-street building society, is to join the ranks of retail banking organisations rolling out handheld chip and PIN two-factor authentication devices to its online customers in a bid to improve security controls.
The building society has signed a contract with French hardware vendor Xiring for one million pocket-size XiSign 4000 Apacs smartcard readers, Xiring has announced. Nationwide told Information Age that the move forms part of a wider strategy to add additional layers to its online security controls in order to protect customers against online fraud.
Nationwide’s current online authentication process requires customers to enter a series of memorised passwords. Using the Xiring device, users will be forced to generate a one-time password by inserting their Visa card into the card reader and entering their PIN. The code will then be used to authenticate the user and allow them access to their account. Many customers will not welcome the move to two-factor authentication for fear it will reduce the ‘frictionless’ experience they currently enjoy. Other banks, in particular Barclays – which began rolling out half a million handheld chip and PIN card readers, developed by smart-card giant Gemalto, in Summer 2007 – have suffered a backlash from many customers who resent the inconvenience and have found the authentication process over-complicated.
Nationwide told Information Age: “We are introducing card readers to protect our members’ money and identities, something that Nationwide takes very seriously. We believe it is in our members’ best interests to invest in robust security measures. Yes, if customers are planning to use the Internet bank from a location that is unusual for them they will need to take the card reader with them. However, Nationwide does not recommend that customers carry out online banking from internet cafés or places they are unfamiliar with as they may be more susceptible to fraud.”
It will be compulsory for all customers to use the device if they wish to bank online, Information Age has learnt.
The building society has remained tight-lipped as to how the device functions and would not confirm that it will protect against so-called ‘man-in-the-middle’ attacks whereby the hacker intercepts the transaction, creating a two-way ‘secure’ session with both the user and the bank.
‘Man-in-the-middle’ attacks are able to compromise some two-factor authentication systems, security experts claim.
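As an added illustration (not from the article, and not Xiring's or Nationwide's code), the following simplified Python model shows the distinction the experts are pointing at: a one-time code that only proves the customer holds the card and knows the PIN can be forwarded by an intermediary alongside an altered payment, whereas a code that also commits to the payee and amount fails verification once those details change. The HMAC construction, card key, counter and transaction values are constructed stand-ins, not the real APACS CAP algorithm, and PIN checking by the chip is assumed to have already happened in the reader.

```python
import hmac
import hashlib

# Constructed secret shared between the card's chip and the issuing bank (placeholder value).
CARD_KEY = b"constructed-card-key-0123456789"

def _code(card_key: bytes, msg: bytes) -> str:
    """Truncate an HMAC to an 8-digit code, as a stand-in for the reader's display."""
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def reader_identify(card_key: bytes, counter: int) -> str:
    """'Identify' mode: the code depends only on the card secret and a transaction counter."""
    return _code(card_key, counter.to_bytes(4, "big"))

def reader_sign(card_key: bytes, counter: int, payee: str, amount_pence: int) -> str:
    """'Sign' mode: the code additionally commits to the payee and amount typed into the reader."""
    msg = counter.to_bytes(4, "big") + payee.encode() + amount_pence.to_bytes(8, "big")
    return _code(card_key, msg)

def bank_accepts_identify(card_key: bytes, counter: int, code: str) -> bool:
    """The bank recomputes the expected code; the payment details play no part."""
    return hmac.compare_digest(reader_identify(card_key, counter), code)

def bank_accepts_sign(card_key: bytes, counter: int, payee: str, amount_pence: int, code: str) -> bool:
    """The bank recomputes the code over the payment details it actually received."""
    return hmac.compare_digest(reader_sign(card_key, counter, payee, amount_pence), code)

def tampered_transfer_accepted(mode: str) -> bool:
    """Model an intermediary between browser and bank: the customer authorises a payment to
    INTENDED, the intermediary forwards the customer's code but submits TAMPERED instead.
    Returns True when the bank would accept the altered payment."""
    counter = 17
    intended = ("Landlord", 50_000)        # constructed: GBP 500.00
    tampered = ("Mule account", 250_000)   # constructed: GBP 2,500.00
    if mode == "identify":
        code = reader_identify(CARD_KEY, counter)
        # Nothing in the code ties it to the intended payment, so the bank cannot tell.
        return bank_accepts_identify(CARD_KEY, counter, code)
    code = reader_sign(CARD_KEY, counter, *intended)
    return bank_accepts_sign(CARD_KEY, counter, *tampered, code)
```

Run `tampered_transfer_accepted("identify")` and `tampered_transfer_accepted("sign")` to see the two outcomes side by side; only the second mode gives the bank something to check against the details it received.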
Added security ‘layers’ also create further opportunity for social engineering because they complicate the authentication process, meaning that the user can be more easily confused.
Social engineering, during which the user is effectively duped into performing a bogus process or task, is far and away the most frequently successful tactic by which fraud of all kinds is perpetrated.