Barclays Bank Fights Back Against Phishing Scams 2

A major international bank aimed at phishers and hackers last week with a plan to issue hand-held identity authentication devices to a half million of its online banking customers this year.

Barclays, which is based in the United Kingdom but operates in more than 50 countries, is sending the free card readers to its customers, who will have to use the devices when accessing their online bank accounts to set up payments to new recipients.

The readers will replace users' passwords. Barclays customers will swipe their card through the PINsentry device, then enter their PIN, and the device generates a one-time, eight-digit passcode to enter alongside their logon.

Barclays is trying to stop scams in which crooks steal accounts and passwords using spyware or phishing scams and then use ill-gotten information to steal the victim's identity and rob their accounts. These device-generated passwords expire in two minutes, so even if a keylogger picked up one it would most likely have expired by the time the hacker got his hands on it. Barclays last year also offered free antivirus software in hopes of stopping the spyware often used in such scams, plus a service that sends text messages to confirm transactions.

To be really useful, though, more banks and organizations like PayPal and Amazon will have to adopt similar technology, says Graham Cluley, a senior technology consultant for security company Sophos. "Consumers may have to use multiple devices to better protect themselves when accessing a wide range of Web sites," he says.

Will customers accept the devices? Other banks use more portable authentication such as key-chain-sized one-time password generators. Since Barclays' units are only required to add new payees, mobility might not be a major concern.