Trojans, which are almost impossible for banks to detect, could undermine confidence in electronic commerce and force the banks to act, a confidential industry-funded report has concluded.
Banks have rejected card readers and other forms of secure authentication based on smart tokens because of their high cost compared to passwords.
But the Association of Payment Clearing Services (Apacs), the trade body for banks, said it was only a matter of time before online banks rolled out two-factor authentication.
"There is quite a debate going on in the industry about two-factor authentication. I do not think it is a question of if banks are going to use it, but when," said an Apacs spokeswoman.
The report, by the Information Security Forum, a security group funded by 270 banks and businesses, concluded that the appearance of phishing Trojans could tip the economic balance in favour of two-factor authentication.
The banks have been working with Barclaycard on a trial to test user reaction to two-factor technology. Customers insert chip and Pin cards into a portable card reader to generate a one-time eight-digit passnumber to access banking and retail sites.
The Anti-Phishing Working Group, a coalition of banks, businesses and IT suppliers, reported a 42% increase in phishing e-mails between December and January, equivalent to a 30% average monthly growth in its latest update at the end of February.
"There is no business case to introduce two-factor authentication for consumers yet. But Trojans may change the cost equation. We may see them in the next year for business accounts. The problem is we do not know how bad it is going to be," said Colin Dixon, author of the Information Security Forum report.
Although the cost of fraud caused by phishing is minimal compared to credit card fraud, banks are concerned Trojans could damage confidence in e-banking, the report said.
"With traditional e-mail phishing you know you are under attack because you get e-mail bounce-back. This allows the banks to prepare and put in a number of restrictions. With Trojans you are not going to be prepared," said Dixon.
Phishing Trojans, which can infect users through websites or e-mail, first started to appear on the internet towards the end of last year. The most sophisticated wait until users visit their online bank then create false screens asking for users' log-in details and passwords.
Too high a cost?
Phishing e-mails cost banks an estimated £8.5m between September 2003 and June 2004. Costs for the second half of 2004, due to be released shortly, are expected to show an increase, the Association of Payment Clearing Services said.
Banks started looking at two-factor authentication five years ago but rejected it because of its high cost. Barclaycard trials brought the cost of readers down to £8 each, but this is still regarded as too high by many banks.