Feature

Banks tread warily over two-factor security

Alliance & Leicester's launch last week of a two-factor technology to enhance the security of its online banking service looks unlikely to prompt a rush of similar offerings from its rivals.

Of all the UK banks on the high street, only HSBC has said it will follow Alliance & Leicester's lead by rolling out its own two-factor technology later this year. Even Lloyds TSB, which is trialling a smart token solution from Vasco, has indicated that it is far from convinced of the need for a full-scale rollout, despite the clear security benefit it has seen so far.

Alliance & Leicester is using Passmark Security software to offer another line of defence for its online banking customers. The software works by identifying the customer's computer to the bank - making it an effective hardware token - and authenticating the website as legitimate to the customer.

But the need to introduce such additional security is still not clear-cut for banks, as they balance their reputation and customer convenience against the risk of fraud that is posed by their existing security arrangements.

And, for now, the number of UK banks adopting a wait-and-see approach far outstrips those taking decisive action, with Abbey, Barclays, the Co-operative Bank, HBOS and Royal Bank of Scotland (which includes Natwest) all cautiously looking on from the sidelines.

Martha Bennett, research director at analyst Forrester, said that the vulnerability of banks' existing systems will continue to dictate whether or not stronger authentication is prioritised.

"Banks will consider the potential effect of security threats and incidents on their reputation, and balance this with the cost and complexity of rolling out new technology to the end customer".

Alongside this, Bennett said banks will also be weighing up whether a particular authentication technology fits with their corporate image, what the likely level of customer acceptance will be, and the costs and strategic potential of any offering.

Across the UK and Europe, Forrester has said that the move to two-factor or strong authentication is likely to gather pace this year without there being "a stampede".

"Banks ... will continue to combine tactical measures, such as the introduction of virtual keypads, with a more strategic approach to authentication.

"This includes a careful assessment not only of the criteria a new system will have to meet, but also of the balance between the impact on the customer of potentially inconvenient security mechanisms, the bank's reputation, and the actual financial losses incurred through direct online attacks."

In the UK, the other piece in the online security puzzle is the card-reader standard that was settled on in January by the Association of Payment and Clearing Services.

The UK card-reader standard is for an authentication device for cardholder-not-present credit and debit card transactions, conducted online or over the phone, and as such has e-commerce uses beyond online banking. But it is still the banks that will develop these readers for the commercial market.

The readers work by generating a unique authentication code for a transaction when a card is inserted - and some banks are already understood to have them in development.

Peter Sommer, a security expect at the London School of Economics, said the security issues now faced by banks are "human factor engineering problems rather than technical problems".

He said the ultimate test for banks was "not security per se, but what works. In evaluating their options, they will be looking for an appropriate combination of security effectiveness, and weighing that up alongside the management costs and deployment issues, including customer reaction."

Sommer said many banks were likely to be more interested in improving their security behind the scenes before they engaged customers with costly new systems.

What is two-factor authentication?

Two-factor authentication is any authentication protocol that requires two independent ways to establish identity and privileges. This contrasts with traditional password authentication, which requires only one "factor" (knowledge of a password or passwords) to gain access to a system.

Common implementations use "something you know" as one of the two factors, and either "something you have" or "something you are" as the other factor. Using more than one factor of authentication is also called "strong authentication."

The most common form of two-factor authentication is a debit or credit card that requires a Pin to activate it.

What is in the frame for banks

Virtual keypads

The most basic form of protection against keystroke loggers is a virtual keypad where customers use the mouse to choose the required characters on a keyboard displayed on the screen. Another variant is the use of drop-down lists. BNP Paribas, Citibank and Deutsche Bank have all used this system.

Random-factor generation

Many European banks have long used a combination of a Pin and a transaction number to authenticate online transactions using a unique code, with some German banks using this approach for more than 20 years. But transaction numbers are now as likely to be electronically generated as selected from a number sheet or grid. Lloyds' trial of Vasco tokens is another random-factor offering, generating one-time passwords for transactions.

Digital signature

In Sweden, banks and the government are developing BankID, a digital signature system to verify transactions.

Two-way authentication

The Passmark Security system adopted by Alliance & Leicster has been used by Bank of America's 15 million customers for nearly a year.

Online banking security - what the high street banks are doing

Abbey (and Cahoot)

Abbey has no explicit plans to introduce two-factor authentication. The bank's main online security innovation is the Cahoot webcard - a virtual card that allows a banking customer to use a Cahoot debit or credit card when shopping online without entering real card numbers over the web. It works by generating one-off transaction numbers to substitute for the real card details.

Alliance & Leicester

Alliance & Leicester is using two-way, two-factor software on its website to beef-up security. The technology works by identifying the bank's site as genuine to the customer and by using the customer's registered computer as a hardware token to cut the risk of phishing attacks.

Barclays

Barclays is currently assessing card-reader technology to verify online transactions, but has no timescales for introducing this or any other two-factor authentication security.

It has chosen instead to improve its security behind the scenes with RSA Cyota transaction-monitoring software. Last week it also cut the amount its online banking customer can transfer online to external accounts to £1,000 in a bid to cut fraud levels.

Co-operative Bank

The Co-op is monitoring developments but has no current plans to introduce two-factor authentication technology.

HBOS

Has no public plans to bring in two-factor authentication technology, and has said that its push to reduce fraud is focused on educating customers about the risks they face when banking online.

It is, however, planning to roll out anti-fraud technology, developed to identify suspicious credit card transactions on the internet, to 10 million debit card holders.

HSBC

HSBC is actively working on a second-factor authentication system for its business internet banking customers, which is to be introduced later this year.

Lloyds TSB

Lloyds TSB is just over halfway through a six-month, 30,000-customer two-factor authentication trial of Vasco smart tokens, which generate one-time passwords for transactions.

The bank said it has yet to decide whether there is a business case for rolling out the technology to all its customers.

Royal Bank of Scotland/Natwest

Royal Bank of Scotland has no plans to change its traditional password-based online security.

 


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in March 2006

 

COMMENTS powered by Disqus  //  Commenting policy