Alliance & Leicester's launch last week of a
two-factor technology to enhance the security of its online banking
service looks unlikely to prompt a rush of similar offerings from
its rivals.
Of all the UK banks on the high street, only HSBC has said it
will follow Alliance & Leicester's lead by rolling out its own
two-factor technology later this year. Even Lloyds TSB, which is
trialling a smart token solution from Vasco, has indicated that it
is far from convinced of the need for a full-scale rollout, despite
the clear security benefit it has seen so far.
Alliance & Leicester is using Passmark Security software to
offer another line of defence for its online banking customers. The
software works by identifying the customer's computer to the bank -
making it an effective hardware token - and authenticating the
website as legitimate to the customer.
But the need to introduce such additional security is still not
clear-cut for banks, as they balance their reputation and customer
convenience against the risk of fraud that is posed by their
existing security arrangements.
And, for now, the number of UK banks adopting a wait-and-see
approach far outstrips those taking decisive action, with Abbey,
Barclays, the Co-operative Bank, HBOS and Royal Bank of Scotland
(which includes Natwest) all cautiously looking on from the
sidelines.
Martha Bennett, research director at analyst Forrester, said
that the vulnerability of banks' existing systems will continue to
dictate whether or not stronger authentication is prioritised.
"Banks will consider the potential effect of security threats
and incidents on their reputation, and balance this with the cost
and complexity of rolling out new technology to the end
customer".
Alongside this, Bennett said banks will also be weighing up
whether a particular authentication technology fits with their
corporate image, what the likely level of customer acceptance will
be, and the costs and strategic potential of any offering.
Across the UK and Europe, Forrester has said that the move to
two-factor or strong authentication is likely to gather pace this
year without there being "a stampede".
"Banks ... will continue to combine tactical measures, such as
the introduction of virtual keypads, with a more strategic approach
to authentication.
"This includes a careful assessment not only of the criteria a
new system will have to meet, but also of the balance between the
impact on the customer of potentially inconvenient security
mechanisms, the bank's reputation, and the actual financial losses
incurred through direct online attacks."
In the UK, the other piece in the online security puzzle is the
card-reader standard that was settled on in January by the
Association of Payment and Clearing Services.
The UK card-reader standard is for an authentication device for
cardholder-not-present credit and debit card transactions,
conducted online or over the phone, and as such has e-commerce uses
beyond online banking. But it is still the banks that will develop
these readers for the commercial market.
The readers work by generating a unique authentication code for
a transaction when a card is inserted - and some banks are already
understood to have them in development.
Peter Sommer, a security expert at the London School of
Economics, said the security issues now faced by banks are "human
factor engineering problems rather than technical problems".
He said the ultimate test for banks was "not security per se,
but what works. In evaluating their options, they will be looking
for an appropriate combination of security effectiveness, and
weighing that up alongside the management costs and deployment
issues, including customer reaction."
Sommer said many banks were likely to be more interested in
improving their security behind the scenes before they engaged
customers with costly new systems.
What is two-factor authentication?
Two-factor authentication is any authentication protocol that
requires two independent ways to establish identity and privileges.
This contrasts with traditional password authentication, which
requires only one "factor" (knowledge of a password or passwords)
to gain access to a system.
Common implementations use "something you know" as one of the
two factors, and either "something you have" or "something you are"
as the other factor. Using more than one factor of authentication
is also called "strong authentication."
The most common form of two-factor authentication is a debit or
credit card that requires a Pin to activate it.
What is in the frame for banks
Virtual keypads
The most basic form of protection against keystroke loggers is a
virtual keypad where customers use the mouse to choose the required
characters on a keyboard displayed on the screen. Another variant
is the use of drop-down lists. BNP Paribas, Citibank and Deutsche
Bank have all used this system.
Random-factor generation
Many European banks have long used a combination of a Pin and a
transaction number to authenticate online transactions using a
unique code, with some German banks using this approach for more
than 20 years. But transaction numbers are now as likely to be
electronically generated as selected from a number sheet or grid.
Lloyds' trial of Vasco tokens is another random-factor offering,
generating one-time passwords for transactions.
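To show how a random-factor token and the bank-side check fit together, here is an added example that is not code from the article, from Vasco or from any of the banks named; it assumes the RFC 4226 HOTP algorithm as the illustrative one-time-password scheme (the article does not say what the tokens compute) and an assumed look-ahead window of five codes.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (RFC 4226 HOTP).

    Assumed here as the illustrative algorithm; the article does not
    describe what the Vasco tokens or card readers actually compute.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Bank-side verifier for one customer's token.

    It remembers the highest counter it has accepted, so a code captured by
    a keystroke logger or phishing page is dead once used, and it tolerates a
    small look-ahead window for codes the customer generated but never sent.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead      # assumed window size
        self.last_counter = -1            # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                # Advance past this counter: this code and every earlier
                # one can no longer be replayed.
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test-vector seed), not a real key.
    demo_secret = b"12345678901234567890"
    verifier = OtpVerifier(demo_secret)
    first = hotp(demo_secret, 0)
    print("first code accepted:", verifier.verify(first))
    print("replay of same code accepted:", verifier.verify(first))
```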
Digital signature
In Sweden, banks and the government are developing BankID, a
digital signature system to verify transactions.
Two-way authentication
The Passmark Security system adopted by Alliance & Leicester
has been used by Bank of America's 15 million customers for nearly
a year.
Online banking security - what the high street banks are doing
Abbey (and Cahoot)
Abbey has no explicit plans to introduce two-factor
authentication. The bank's main online security innovation is the
Cahoot webcard - a virtual card that allows a banking customer to
use a Cahoot debit or credit card when shopping online without
entering real card numbers over the web. It works by generating
one-off transaction numbers to substitute for the real card
details.
Alliance & Leicester
Alliance & Leicester is using two-way, two-factor software
on its website to beef up security. The technology works by
identifying the bank's site as genuine to the customer and by using
the customer's registered computer as a hardware token to cut the
risk of phishing attacks.
Barclays
Barclays is currently assessing card-reader technology to verify
online transactions, but has no timescales for introducing this or
any other two-factor authentication security.
It has chosen instead to improve its security behind the scenes
with RSA Cyota transaction-monitoring software. Last week it also
cut the amount its online banking customers can transfer online to
external accounts to £1,000 in a bid to cut fraud levels.
Co-operative Bank
The Co-op is monitoring developments but has no current plans to
introduce two-factor authentication technology.
HBOS
HBOS has no public plans to bring in two-factor authentication
technology, and has said that its push to reduce fraud is focused
on educating customers about the risks they face when banking
online.
It is, however, planning to roll out anti-fraud technology,
developed to identify suspicious credit card transactions on the
internet, to 10 million debit card holders.
HSBC
HSBC is actively working on a second-factor authentication
system for its business internet banking customers, which is to be
introduced later this year.
Lloyds TSB
Lloyds TSB is just over halfway through a six-month,
30,000-customer two-factor authentication trial of Vasco smart
tokens, which generate one-time passwords for transactions.
The bank said it has yet to decide whether there is a business
case for rolling out the technology to all its customers.
Royal Bank of Scotland/Natwest
Royal Bank of Scotland has no plans to change its traditional
password-based online security.