Barclays bank seems to think that if chip-and-pin is good enough for retail business, it’s good enough for online business. They are sending Pinsentry machines to 500,000 customers – machines that look like calculators and read chip-and-pin cards – which generate one-time passwords (OTPs). (Full article here)
So, here is the current multi-layered approach at Barclays:
• Debit Card (2nd factor)
• PIN number (1st factor)
• Pinsentry device (second 2nd factor)
• 8-digit one time password generated by the machine
Is this really a good design? The logistical support for this kind of system must be insane. How much does it cost to manage this operation? How long will the batteries last in those readers? Can I have one for my home and one for my office?
Besides, haven’t those guys heard of the Citibank phishing attack on their 2nd factor? Just look at this article in the Washington Post blog.
Last year Bruce Schneier commented on Shell suspending Chip & Pin payments at their gas stations after losing £1m when fraudsters inserted little devices into the readers, which copied the cards’ magnetic strips and recorded customers’ PIN numbers. Also, another article on hacking chip & pin here.
So, Chip & Pin is not safe, and hardware OTP systems are also vulnerable and costly. Why keep implementing these? Marketing perhaps? I am sure lots of people will feel better by having a bigger authentication device in their hands . . . size matters. Isn’t that the same argument that the MIT/Harvard study made about the BofA implementation – “Sometimes the appearance of security is more important than security itself.”
