Wednesday, 23 January 2008

More on Card and Reader

Bloggers among UK Barclays Bank's customers went ballistic last year after the bank rolled out a Card and Reader solution similar to the Tatra Banka one I ranted about yesterday.

I griped about the new security device - a card and reader issued to me involuntarily for use with internet banking transactions. My main gripe: the poor, poor user experience. I would need to carry the bulky device, which won't fit in my wallet, with me just to log in to internet banking. The branch office refused to issue me a second one (even though I offered to pay for it).

An anonymous but kind reader pointed out in the discussion on my blog post that Barclays Bank in the UK introduced a similar solution in 2007 (on different hardware from another manufacturer). In the Slovak blogosphere the response has been largely favourable, orchestrated by Tatra Banka's PR. Bloggers who previewed the card reader seemed to like it. Unlike me, though, they probably don't make tens of online payments from numerous locations.

I have now had a chance to read up a little on the response of Barclays's customers (anger and a petition against the new device), as well as on the actual security reasons for introducing a card and reader solution in general.

So let's look at the positives. Masabi, a company that offers a transaction security product, explains very clearly what the key vulnerabilities in internet banking are. Simply having a password of some form (e.g. a PIN and perhaps a code from a grid card) is easy to compromise: once someone learns your passwords, they can transfer funds out of your account easily.

A stronger standard is a two-factor protection solution (also known as 2FP), which combines something you know (e.g. a password) with something you have (e.g. a card reader and credit card, or a SecurID). The problem is that these can be compromised too, by something called a man-in-the-middle (MITM) attack: someone inserts themselves into the internet connection between you and your bank (e.g. by hacking into your wireless router or running a compromised wireless router), serves you a page pretending to be your bank's, lets you enter the one-time password generated by the SecurID or by the card reader with your card, and uses it to authorise a different transaction (not the one you intended). If I have lost you here, do read the Masabi blog entry linked to above.

A card and reader solution as employed by Tatra Banka addresses this vulnerability by making you enter the recipient's account details and the amount for each transaction into the card reader, which then generates a code unique to that very transaction: a code captured by a fake page is useless for authorising any other payment. Pretty damn secure and pretty damn clunky.
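As an added illustration (not code from the post, from Masabi or from either bank), this Python sketch models the two schemes from the last two paragraphs with an HMAC standing in for the card's cryptogram and replays the man-in-the-middle swap described above; the card key, counter and account numbers are constructed placeholders.

```python
import hashlib
import hmac

# Constructed demo key standing in for the secret on the chip card; a real reader
# uses the EMV card's own key and cryptogram, not this illustration.
CARD_KEY = b"demo-card-key-not-real"

def _digits(mac: bytes) -> str:
    """Truncate a MAC to the 8-digit code a reader display would show."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def otp_code(card_key: bytes, counter: int) -> str:
    """Plain one-time code: depends only on the card secret and a counter,
    so it says nothing about which payment it is meant to authorise."""
    return _digits(hmac.new(card_key, counter.to_bytes(8, "big"), hashlib.sha256).digest())

def transaction_code(card_key: bytes, counter: int, account: str, amount_cents: int) -> str:
    """Transaction-bound code: the reader mixes in the recipient account and the
    amount the customer typed, so the code is unique to that very transaction."""
    msg = counter.to_bytes(8, "big") + account.encode() + amount_cents.to_bytes(8, "big")
    return _digits(hmac.new(card_key, msg, hashlib.sha256).digest())

def bank_accepts_otp(card_key: bytes, counter: int, code: str) -> bool:
    """Bank side for the OTP scheme: it can only check the code, not the payment."""
    return hmac.compare_digest(otp_code(card_key, counter), code)

def bank_accepts_transaction(card_key: bytes, counter: int, account: str,
                             amount_cents: int, code: str) -> bool:
    """Bank side for transaction signing: recomputes the code over the payment
    details it actually received and rejects any mismatch."""
    expected = transaction_code(card_key, counter, account, amount_cents)
    return hmac.compare_digest(expected, code)

def mitm_succeeds(scheme: str) -> bool:
    """Replay the scenario from the post: the customer means to pay 10.00 to
    INTENDED, a fake bank page captures the code, and the attacker forwards a
    payment to ATTACKER instead. Returns True if the bank accepts the altered payment."""
    counter = 42                         # constructed sample counter value
    intended = ("SK00 INTENDED", 1000)   # constructed sample account and amount
    altered = ("SK00 ATTACKER", 1000)
    if scheme == "otp":
        code = otp_code(CARD_KEY, counter)                 # typed into the fake page
        return bank_accepts_otp(CARD_KEY, counter, code)   # bank sees a valid code
    code = transaction_code(CARD_KEY, counter, *intended)  # typed into the reader
    return bank_accepts_transaction(CARD_KEY, counter, *altered, code)

if __name__ == "__main__":
    print("OTP scheme: altered payment accepted?", mitm_succeeds("otp"))
    print("Transaction signing: altered payment accepted?", mitm_succeeds("transaction"))
```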

What then? How does this security/usability trade-off resolve? Here are my thoughts:
1. Even some of the weaker solutions are good enough for most situations. Tatra Banka presently uses a code sent to my mobile phone for me to sign in to the internet banking application (a form of two channel protection). This can be compromised only if someone simultaneously knows my password and gains access to my mobile phone.
2. Barclays uses the device to sign in and to authorise payments to new recipients - i.e. if you have paid into an account number before, the bank does not require you to authenticate the transaction. This seems a pretty sensible way to sort higher-risk transactions from lower-risk ones.
3. You must recognise that, just as online bank fraud has costs, making hundreds of thousands of people (clients) carry an undesirable device and punch numbers in has costs too, in terms of their time and convenience. You can transfer some of the risk onto the client and let him or her decide how much security they desire. You can do this either by letting them take some of the fraud risk if they opt to use online channels or, even better in my opinion, simply by charging them more if they refuse to use the clunky, secure solution (or rather giving a discount to clients who agree to carry around the calculator and punch in all account numbers and amounts twice).
4. You can build a statistically acceptable solution (i.e. less secure than the extreme version but secure enough on average to keep the bank's online fraud losses bearable) by combining the existing elements judiciously and only requiring high security on selected transactions. As with (much less secure) credit card payments, if something seems fishy, you can simply call the client on the phone and check. Also, in Tatra Banka's case, you can reduce some of the costs of using the device, e.g. by allowing clients to have multiple devices - if I have one for my home and one for the office, I at least don't have to carry it around every day.
5. Let the device actually be usable as a calculator: if it looks like one, it may be more worthwhile for some people to carry around (if I were the smooth type in a suit with a briefcase, I guess I wouldn't mind as much, but I don't always carry a bag around).

If you do this the Tatra Banka or Barclays way, do not be surprised that many clients will be frustrated and pissed off (a column in the UK's Independent newspaper predicts Barclays may lose customers to banks which skip this technology and wait around for the more usable next generation). Barclays has been clever about letting its users opt out of the device if they get too upset (see the comment by VW). Some clever guy in the UK hooked up the reader to an SMS board, stuck his credit card in permanently and can now receive the required code by SMS.

P.S. I read lots of discussions in various UK forums. Here are a few additional points to consider. What happens when you (a) lose your card, or (b) lose your reader while travelling? What about visually impaired users?