Matching risk and security

Passwords, as we all know, are a poor way of securing a computer system.

A skilled hacker can crack them very quickly using programs freely available on the internet. People write them down on sticky notes on the back of their keyboard. And, more worryingly, hackers can harvest them remotely using phishing and Trojan attacks.

Barclays' decision to roll out chip and Pin readers to online banking customers to provide a second layer of security over and above passwords is a welcome step forward. The card readers will provide online banking customers with a one-time passcode that will offer improved protection against computer hackers.

Alliance and Leicester and Lloyds TSB are piloting similar technology, and others will surely follow. Their incentive is not the high cost of online fraud. Next to the overall costs of credit card fraud, losses through the internet are tiny and can be absorbed easily by the banks.

At stake is public confidence in e-commerce. Confidence is a fragile commodity which could easily be damaged by a few well-publicised hacking cases.

But two-factor authentication is not a panacea. As the use of card readers and smart tokens becomes more widespread, criminals will find more sophisticated methods of attack. Security guru Bruce Schneier says it is only a matter of time before hackers develop real-time attacks that can defeat one-time passwords.

As banks step up their security, the trade-off between ease of use and peace of mind becomes more acute.

Some might criticise Barclays' decision not to issue a card reader to every customer, instead offering them first to those who use their accounts to transfer money. But it makes sense to match the level of security used with the value and risk of the transaction.
