UK banks are planning to introduce two-factor authentication for
business customers using online banking services by the end of the
year, banking industry trade body Apacs said last week.
The move, which is likely to be followed by the wider roll-out of
two-factor authentication for consumers using online banking
services, is part of the banks' fight against phishing - criminals
using spoof e-mails to obtain people's passwords and account
details - which they fear is eroding confidence in online
banking.
Apacs is co-ordinating the development of technical standards for
two-factor authentication, based on security standards developed by
Visa and MasterCard. But it will leave it to each bank to decide
how they deploy the technology.
"We are not looking at any requirements of timescales or
co-ordinated roll-out," said Tom Salmond, e-commerce consultant at
Apacs. "Each bank is looking at applicable time schedules and
applicable customer segments.
"Small business customers are likely to be the first. The first
deployment is likely by the end of the year."
UK banks are developing technical standards to offer two-factor
authentication using a combination of chip and Pin cards and
readers to generate one-time passwords.
Other security technologies are also under consideration, including
a challenge response mechanism that would require the bank to
e-mail the customer a number to type into a card reader to generate
a one-time password.
Another option is a data signing function, which would require the
customer to confirm the account number and the amount of money to
be transferred when moving money between accounts.
The additional security measures are designed to prevent
"man-in-the-middle" attacks, in which a hacker intercepts a
one-time password and then uses it to access a customer's online
bank account.
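
The difference between a plain one-time password and the data signing option, shown as an added example that is not part of the original article and is not the Apacs, Visa or MasterCard scheme. HMAC-SHA256 stands in for the card's cryptography, and the key, account numbers, amounts and challenge are constructed.

```python
import hashlib
import hmac

# Constructed demo secret; stands in for the key shared by the card and the bank.
CARD_KEY = b"constructed-demo-key"


def _code(message: str, digits: int = 8) -> str:
    """Truncate an HMAC to a short decimal code a customer could type."""
    mac = hmac.new(CARD_KEY, message.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def one_time_password(counter: int) -> str:
    """Plain OTP: depends only on a counter, not on the transfer."""
    return _code(f"otp|{counter}")


def sign_transfer(account: str, amount_pence: int, challenge: str) -> str:
    """Data signing: the code covers the payee account, amount and bank challenge."""
    return _code(f"sign|{account}|{amount_pence}|{challenge}")


def bank_accepts_otp(code: str, counter: int, transfer: tuple) -> bool:
    # The transfer details play no part in the check, which is the weakness.
    return hmac.compare_digest(code, one_time_password(counter))


def bank_accepts_signed(code: str, challenge: str, transfer: tuple) -> bool:
    # The bank recomputes the code over the transfer it actually received.
    account, amount_pence = transfer
    return hmac.compare_digest(code, sign_transfer(account, amount_pence, challenge))


# Constructed scenario: the customer means to pay 50.00 to account 11112222,
# but the request reaching the bank names a different payee and amount.
INTENDED = ("11112222", 5000)
ALTERED = ("99990000", 950000)
CHALLENGE = "483920"  # constructed number sent by the bank

otp = one_time_password(counter=7)
signed = sign_transfer(*INTENDED, CHALLENGE)

if __name__ == "__main__":
    print("OTP, altered transfer:", bank_accepts_otp(otp, 7, ALTERED))
    print("Signed, altered transfer:", bank_accepts_signed(signed, CHALLENGE, ALTERED))
    print("Signed, intended transfer:", bank_accepts_signed(signed, CHALLENGE, INTENDED))
```

The plain one-time password is accepted whatever transfer accompanies it, while the signed code only verifies against the account and amount the customer actually confirmed.
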
"The aim is to define which elements of the MasterCard and Visa
authentication standards are most applicable in the UK," said
Salmond. "Several different options are being reviewed."
Apacs said it expects to complete the technical specifications for
the authentication system by early May. Banks are likely to pilot
the technology during the summer.