Online banks could be pushed into replacing passwords with
secure electronic card readers following the appearance of a new
generation of sophisticated password-stealing Trojans on the
internet.
The Trojans, which are almost impossible for banks to detect, could
undermine confidence in electronic commerce and force the banks to
act, a confidential industry-funded report has concluded.
Banks have rejected card readers and other forms of secure
authentication based on smart tokens because of their high cost
compared to passwords.
But the Association of Payment Clearing Services (Apacs), the trade
body for banks, said it was only a matter of time before online
banks rolled out two-factor authentication.
"There is quite a debate going on in the industry about two-factor
authentication. I do not think it is a question of if banks are
going to use it, but when," said an Apacs spokeswoman.
The report, by the Information Security Forum, a security group
funded by 270 banks and businesses, concluded that the appearance
of phishing Trojans could tip the economic balance in favour of
two-factor authentication.
The banks have been working with Barclaycard on a trial to test
user reaction to two-factor technology. Customers insert Chip and
PIN cards into a portable card reader to generate a one-time
eight-digit passnumber to access banking and retail sites.
In its latest update at the end of February, the Anti-Phishing
Working Group, a coalition of banks, businesses and IT suppliers,
reported a 42% increase in phishing e-mails between December and
January, equivalent to an average monthly growth of 30%.
"There is no business case to introduce two-factor authentication
for consumers yet. But Trojans may change the cost equation. We may
see them in the next year for business accounts. The problem is we
do not know how bad it is going to be," said Colin Dixon, author of
the Information Security Forum report.
Although the cost of fraud caused by phishing is minimal compared
to credit card fraud, banks are concerned Trojans could damage
confidence in e-banking, the report said.
"With traditional e-mail phishing you know you are under attack
because you get e-mail bounce-back. This allows the banks to
prepare and put in a number of restrictions. With Trojans you are
not going to be prepared," said Dixon.
Phishing Trojans, which can infect users through websites or
e-mail, first started to appear on the internet towards the end of
last year. The most sophisticated wait until users visit their
online bank then create false screens asking for users' log-in
details and passwords.
Too high a cost?
Phishing e-mails cost banks an estimated £8.5m between September
2003 and June 2004. Costs for the second half of 2004, due to be
released shortly, are expected to show an increase, the Association
of Payment Clearing Services said.
Banks started looking at two-factor authentication five years ago
but rejected it because of its high cost. Barclaycard trials
brought the cost of readers down to £8 each, but this is still
regarded as too high by many banks.