With the most registered online banking users in the U.K. (6 million) and a growing online fraud epidemic, London-based Barclays Bank knew it had a problem. Fortunately, it found a solution in Gemalto, an Amsterdam-based provider of digital security, smart cards and readers.
Since Barclays (US$2.027 trillion) deployed smart card readers to authenticate online customers, "Phishing attacks decreased dramatically against Barclays whilst increasing to an all-time high for the U.K. banking industry," reports Sean Gilchrist, the bank's digital banking director. Fraud on bank card payments made online and in other cases in which the cardholder is not present rose 298 percent nationwide between 2000 and 2007, according to London-based APACS, the U.K. payments association.
According to Gilchrist, Barclays' losses from online fraud had prompted the bank to cut the amount of money customers could move online. "We had to ... reduce the limit because of fraud and, honestly, to reduce the bank's losses," he says. "We have since been able to move that back up with confidence." The maximum amount for personal online transactions has risen to 10,000 pounds (about US$15,000) from 1,000 pounds.
As a result of the enhanced security, Barclays' customers are happier. The latest monthly surveys, Gilchrist relates, show that 87 percent of online banking customers are "satisfied" or "completely satisfied" with the security offered online.
For each banking session, customers are provided a one-time access number, which is generated by the chip on their bank cards and displayed on the card reader, known as PINsentry. Once a customer enters his or her permanent PIN, the system generates a one-time password that serves as a digital signature.
Barclays has given away the readers, which were designed specifically for the bank, to any online banking customer who has requested one, at a cost of about US$9 per reader. According to Gilchrist, more than 2 million customers, far more than the initial target group, currently use them. Barclays initially offered PINsentry in August 2007 to 800,000 customers who regularly made payments online. Other online customers then began to request the portable readers, Gilchrist explains.
Gilchrist declines to detail how much the implementation cost. Other than the readers, he says, "No new hardware was required, but we had to write code to enable the [proprietary] online banking infrastructure to effectively talk to the card infrastructure."
Before the card readers were implemented, the static nature of customers' login information presented a major security problem, Gilchrist comments. Previously Barclays used a combination of PINs and pass codes -- including customer surnames, membership numbers and memorable words -- but, "Because they are all static, they are vulnerable to being phished," he adds.
The same was true of some of the alternative security systems Barclays considered, such as transactional access number (TAN) lists, which, Gilchrist notes, are commonly used in Europe. With TAN lists, the bank mails a customer a list of passwords, each of which is to be used once and then crossed off. Yet consumers still can be tricked into giving these passwords away, Gilchrist notes.
During a three-month search, Barclays also considered suppliers of security tokens and SMS text message passwords, and evaluated "five or six" other card readers, according to Gilchrist. He says Gemalto emerged as one of the few suppliers that could meet all of the technical requirements: "the generation of one-time pass codes, the ability to [digitally] sign payments, and a challenge-and-response capability" to verify the customer's identity.
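The three capabilities Gilchrist lists can be sketched as follows. This is an added example, not Barclays' or Gemalto's code and not the algorithm PINsentry runs, which the article does not describe; it substitutes an HMAC-SHA256 counter scheme, and the key, function names and account numbers are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample key (assumption); a real card key never leaves the chip.
CARD_KEY = b"constructed-demo-card-key"

def _code(key: bytes, counter: int, context: bytes = b"") -> str:
    """8-digit code from HMAC-SHA256 over the counter plus optional context."""
    mac = hmac.new(key, struct.pack(">Q", counter) + context, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def identify(key: bytes, counter: int) -> str:
    """One-time pass code for login: fresh each session, bound to nothing else."""
    return _code(key, counter)

def respond(key: bytes, counter: int, challenge: str) -> str:
    """Challenge-and-response: the code depends on a value the bank chose."""
    return _code(key, counter, b"C|" + challenge.encode())

def sign(key: bytes, counter: int, payee: str, amount_pence: int) -> str:
    """Payment signing: the code is bound to the payee account and the amount."""
    return _code(key, counter, f"S|{payee}|{amount_pence}".encode())

class BankVerifier:
    """Server side: accepts each counter value once, within a small look-ahead."""

    def __init__(self, key: bytes, window: int = 3):
        self.key, self.last, self.window = key, 0, window

    def _accept(self, submitted: str, make) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(make(c), submitted):
                self.last = c  # burn the counter so a replayed code is rejected
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._accept(code, lambda c: identify(self.key, c))

    def verify_response(self, challenge: str, code: str) -> bool:
        return self._accept(code, lambda c: respond(self.key, c, challenge))

    def verify_payment(self, payee: str, amount_pence: int, code: str) -> bool:
        return self._accept(code, lambda c: sign(self.key, c, payee, amount_pence))
```

A code captured from the customer is useless once its counter is burned, and a payment signature verifies only for the payee and amount the customer keyed into the reader, which a static password or a TAN from a list cannot guarantee.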
Case Study Snapshot
Institution: Barclays Bank (London).
Assets: $2.027 trillion.
Business Challenge: Improve authentication to reduce online fraud.
Solution: Gemalto's (Amsterdam) smart card readers.