Barclays PINsentry Device

Discussion in 'other security issues & news' started by anon_private, Jan 23, 2015.

  1. anon_private (Registered Member; Joined: Feb 28, 2010; Posts: 58; Location: UK)

    I will be using Barclays online banking (UK).

    They use a device called PINsentry.

    Suppose my card is stolen, or, somehow, my card is cloned. Can the fraudster not log in as me?

    Thanks

    PS. Does anyone know if I can use Barclays online banking to make payments to all companies that accept electronic transfers?
     
  2. Rasheed187 (Registered Member; Joined: Jul 10, 2004; Posts: 8,026; Location: The Netherlands)

    No, they can't, because they need your PIN code. This system is mainly meant to be a better alternative to the standard user-name/password system that most websites use. Now criminals need to have your card + PIN, as opposed to only your password. Of course, keep in mind that it won't protect you against advanced banking trojans that run on your own (or other) PC; they can bypass this system.
     
  3. anon_private (Registered Member; Joined: Feb 28, 2010; Posts: 58; Location: UK)

    Can fraudsters not break PINs?
    I use Linux, which I believe to be safer since trojans tend to be designed to attack Windows systems.
     
  4. Rasheed187 (Registered Member; Joined: Jul 10, 2004; Posts: 8,026; Location: The Netherlands)

    They can always try to guess PINs? Now that I think about it, this system would be even safer if your card was actually tied to only certain card-readers, the ones that you own.
     
  5. anon_private (Registered Member; Joined: Feb 28, 2010; Posts: 58; Location: UK)

    I expect there are electronic devices that could easily break PINs.

    Do you know if Barclays charge for supplying the PINsentry devices?
     
  6. djg05 (Registered Member; Joined: Apr 6, 2005; Posts: 1,504)

    Mine were a free issue - it is in their interests to provide them.

    I have found that readers provided by other banks can read the cards.
     
  7. Rasheed187 (Registered Member; Joined: Jul 10, 2004; Posts: 8,026; Location: The Netherlands)

    I have been thinking, and I'm a bit confused. What exactly is the advantage of such a card reader? Let's say that someone steals your PIN-card and also knows your PIN code, then what's the use of generating a one-time password? I mean, it can be used on any PC, with every card reader. Wouldn't it be more logical for banks to also require a user-name and password?
     
  8. dawgg (Registered Member; Joined: Jun 18, 2006; Posts: 817)

    The PINsentry card reader is an additional layer of security to mitigate banking trojans/hackers transferring money.

    After you log in to your online banking account or app (using your Barclays login details), PINsentry is required to set up new payees (as banking trojans/hackers will normally set up their accounts as new payees prior to transferring money to themselves).
    PINsentry is a security layer which means you also need your card and PIN number to set up a payee.

    I'm not sure how the app works, guess that's used in case you don't have the card reader device.

    I think it blocks your card if you enter the incorrect PIN number too many times to prevent anyone brute-forcing it, but I'm not 100% sure.

    I know in the UK, Natwest and Nationwide also do this.
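
Added example, not part of the original thread and not Barclays' or any card scheme's code: a toy model of the points raised in posts 6 to 8, where the secret key and the PIN check live on the card, the reader holds nothing and is interchangeable, and a PIN try limit stops guessing. HMAC-SHA256, the 3-try limit, the 8-digit code and every name below are assumptions for illustration; a real device uses the chip's own cryptography.

```python
import hashlib
import hmac
import struct

PIN_TRY_LIMIT = 3  # assumed value; the thread does not state the real limit


def derive_code(key: bytes, counter: int) -> str:
    """8-digit code from key and counter (HMAC is a stand-in for the chip's crypto)."""
    digest = hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ToyCard:
    """Constructed stand-in for a chip card: holds the key, the PIN and the try counter."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self.tries_left = PIN_TRY_LIMIT
        self._counter = 0  # incremented per code, so each code is single-use

    def code_for_pin(self, pin: str):
        if self.tries_left == 0:
            return None  # blocked: even the correct PIN is now refused
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = PIN_TRY_LIMIT  # a correct PIN resets the counter
        self._counter += 1
        return derive_code(self._key, self._counter)


class ToyReader:
    """Holds no secrets: it only passes the typed PIN to the card and shows the code."""

    def one_time_code(self, card: ToyCard, pin: str):
        return card.code_for_pin(pin)


def simulate_pin_guessing(card: ToyCard, reader: ToyReader, guesses):
    """Return (code, attempts) for someone holding the card without knowing the PIN."""
    attempts = 0
    for guess in guesses:
        if card.tries_left == 0:
            break  # the card stopped answering before the list was exhausted
        attempts += 1
        code = reader.one_time_code(card, guess)
        if code is not None:
            return code, attempts
    return None, attempts
```

With a 4-digit PIN and three tries, blind guessing succeeds with probability 3 in 10,000 before the card blocks, while a thief who already knows the PIN is not slowed down by any reader, which is the gap post 7 describes.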
     
  9. Rasheed187 (Registered Member; Joined: Jul 10, 2004; Posts: 8,026; Location: The Netherlands)

    So it's only meant to stop banking trojans? If I'm correct, most trojans can already bypass 2FA. But to clarify, I was just brainstorming a bit about the current system that my bank has been using for the last 15 years. It's starting to get on my nerves, that they are asking for the one-time password for every transaction that I make.
     
  10. dawgg (Registered Member; Joined: Jun 18, 2006; Posts: 817)

    This type of 2FA made it a lot harder for banking Trojans to be effective.

    Now Trojans are getting a bit better at it, but you'll still need 2FA, only that the Trojans dupe you into entering 2FA at a different stage of the process, i.e. it asks for authentication when you didn't expect it to ask, or the Trojan has to wait till you legitimately need to add a new payee, which can be days, weeks or months - hopefully AVs start detecting it by then!

    Normally 2FA is only needed when adding new payees, not each transaction. This makes it a lot less cumbersome.
     
  11. Rasheed187 (Registered Member; Joined: Jul 10, 2004; Posts: 8,026; Location: The Netherlands)

    The way it works with my bank is that you have to input the one-time password for every transaction, this is probably to make it harder for banking trojans to wreak havoc. But like I said before, it's annoying as hell, and trojans can already bypass 2FA.

    Also, if someone stole your PIN-card and knows your PIN-code, they can use it on any PC, since the card-reader is not tied to a certain card or machine, and my current bank doesn't require a user-name and password to log in. It would be more logical to me to use the one-time password only to log in, with that you have already proven that you own (or possess) the PIN-card. After that they shouldn't bother you anymore.

    https://www.vasco.com/glossary/factors_of_authentication.aspx
     