Page last updated at 10:53 GMT, Monday, 1 September 2008 11:53 UK

The endless search for security

[Image: online bank login screen (BBC). Caption: Many thieves target people who bank online to get at funds]

We can't rely on one device, however effective, to keep us secure online, says Bill Thompson

Amidst all the tales of stolen laptops, lost CDs and errant USB sticks packed full of people's private information it's nice to have a good news security story to mark the end of the summer.

Barclays Bank has just announced that not one customer who uses its PINsentry security has been a victim of online fraud since it started issuing them last July.

And it even won the Best Security Initiative category in a 2008 competition run by Nominet, the people who manage the .uk domain.

The PINsentry looks like a small calculator. It has a slot in one end for a bank card, and an LCD display, and customers use it to log on and to authenticate some online banking transactions like setting up a new customer.

You insert your bank card, enter your PIN and generate an 8-digit code that you then type into the website.

It's an example of two-factor authentication, and is theoretically a lot more secure than simply having a password, or even several passwords.

Instead of just relying on something that users know, like a PIN or secret word, the system also relies on you having a physical object in your possession - in this case two objects, as you need both your card and the device.

And it seems to work, at least for the third of their online banking customers who use it on their accounts.

The system has been criticised, partly because Barclays was quite aggressive about persuading people to sign up, and the web is filled with tales of customers who feel they were pressurised into getting one.

Another major problem is that you have to have it with you, so unless you fork out £6 to buy a second card reader to keep at the office you will have to limit your online banking to evenings at home.

Personal customers can look at their accounts without authenticating with PINsentry, but business customers are completely locked out.

Middle man

PINsentry and other two-factor devices are a useful backstop, blocking those who steal account details from being able to transfer funds or set up new payments, and they seem to do a decent job.

Other banks, like RBS/NatWest and Lloyds, are following suit, although there is no standardisation, so it isn't possible to use a single device for different banks.

But they aren't a perfect solution to the problems of online fraud, and it would be dangerous to overstate their value.

For one thing, devices like this may induce a false sense of security which makes customers more likely to fall for scams.

ABN Amro Bank in the Netherlands has used a two-factor device for some time, but in April 2007 customers had money stolen from their accounts after their computers were infected with malware that redirected them to a fake bank website.

When they tried to log in to the fake site it passed on all the details - including the security code generated by a bank-provided keyfob, which provides a simpler form of two-factor authentication than the PINsentry.

The hackers could log in to the real bank site while this number was still valid and move money from accounts.
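The two designs described above, a bare login code that is valid for a short window and a code that is tied to a specific transaction, can be modelled in a few lines. The following is an added illustration written for this page, not Barclays', ABN Amro's or any device's real protocol: the per-card secret, the HMAC-SHA256 construction, the 60-second window and the `BankServer` class are all assumptions standing in for the EMV-based scheme the devices actually use. It shows why a login code handed to a fake site still works when relayed to the real site within its validity window, and why a code that commits to the payee and amount does not help the person relaying it move money elsewhere.

```python
import hashlib
import hmac

# Constructed demo secret (assumption): stands in for the key shared between
# the card's chip and the bank. Never a real key.
CARD_KEY = b"constructed-demo-card-secret"
WINDOW = 60   # assumption: seconds a generated code stays valid
DIGITS = 8    # the article describes an 8-digit code


def _code(key: bytes, message: bytes) -> str:
    """Derive a DIGITS-long decimal code from an HMAC over `message`."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** DIGITS:0{DIGITS}d}"


def login_code(key: bytes, now: int) -> str:
    """Keyfob-style code: depends only on the key and the time window."""
    return _code(key, b"login|" + str(now // WINDOW).encode())


def transaction_code(key: bytes, payee: str, amount_pence: int, now: int) -> str:
    """Transaction-bound code: also commits to payee and amount, so it only
    verifies for that exact payment (the challenge-response idea)."""
    msg = b"txn|%s|%d|%d" % (payee.encode(), amount_pence, now // WINDOW)
    return _code(key, msg)


class BankServer:
    """Hypothetical verifier holding the same per-card key as the device."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.used: set[str] = set()  # each accepted code may be used once

    def _accept(self, submitted: str, expected: str) -> bool:
        ok = hmac.compare_digest(submitted, expected) and submitted not in self.used
        if ok:
            self.used.add(submitted)
        return ok

    def verify_login(self, submitted: str, now: int) -> bool:
        return self._accept(submitted, login_code(self.key, now))

    def verify_transaction(self, submitted: str, payee: str,
                           amount_pence: int, now: int) -> bool:
        return self._accept(submitted, transaction_code(self.key, payee, amount_pence, now))


def relay_scenario(t0: int = 1_700_000_000) -> tuple[bool, bool]:
    """Replays the two situations the article describes on a constructed
    timeline. Returns (login code relayed and accepted, transaction code
    relayed to a different payee and accepted)."""
    bank = BankServer(CARD_KEY)

    # 1. Customer types a plain login code into a fake site at t0; the fake
    #    site forwards it to the real site 5 seconds later, inside the window.
    code = login_code(CARD_KEY, t0)
    login_relayed_ok = bank.verify_login(code, t0 + 5)

    # 2. Customer's device produces a code for paying "Gas company" £40.00;
    #    the relayed code is presented for a different payee and amount.
    code = transaction_code(CARD_KEY, "Gas company", 4000, t0)
    diverted_ok = bank.verify_transaction(code, "Mule account", 250000, t0 + 5)

    return login_relayed_ok, diverted_ok


if __name__ == "__main__":
    print(relay_scenario())  # (True, False)
```

The first result is the ABN Amro failure mode: nothing in a plain time-window code says who is submitting it or what they will do once logged in, so the bank cannot distinguish the customer from the relay. The second result is what binding the code to the transaction buys: the device signed "Gas company, £40.00", so a code for any other payee or amount does not verify, however quickly it is relayed. Note that one-time use alone (the `used` set) does not fix the first case, because the relay simply submits the code before the customer ever does.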

And a lot of online fraud these days comes from poor security at the vendor end of the transaction, not the customer end.

The appalling theft of over 45 million customer details from TJX, owners of the retailer TK Maxx, was possible because the firm's wireless networks were insecure, not because customers didn't take care.

Security is not a matter of fixing something and then ignoring it. We know this is the case with software, partly because we all keep getting security patches and alerts on our computers, but it's true of every area of activity.

Authenticating access to bank accounts with something other than a password is a very good idea, and those banks who have introduced two-factor systems seem to be seeing the benefits, but it has to be part of a broader, systemic approach to online security, or we will find that we have barred the virtual windows and left the front door wide open.

Bill Thompson is an independent journalist and regular commentator on the BBC World Service programme Digital Planet.
