Flaws have been found in the security devices used to authenticate online bank users.
Researchers at Cambridge University found weaknesses when they reverse engineered card readers from Barclays and NatWest.
Bank customers use the card readers in conjunction with a bank card to produce a one-time password. Banks introduced the readers to reduce losses from phishing scams and keylogger attacks.
Researchers Saar Drimer, Steven J Murdoch and Ross Anderson presented their paper, Optimised to Fail: Card readers for online banking, at the Financial Cryptography 2009 conference yesterday. "We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation," said the researchers.
They said that one-time passwords were vulnerable to real-time man-in-the-middle attacks.
"Here, the malware or phishing website initiates a fraudulent transaction with the customer's bank at the same time as it prompts the customer for their password or one-time code," said the researchers. The attack can be triggered when the customer attempts a transaction of their own, so the malware need not prompt them to start one.
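The design errors the researchers list (reused tokens, overloaded data semantics, no freshness) all come down to what the one-time code is bound to. The toy model below is an added illustration, not code from the Cambridge paper or from either bank; the reader derivation, the card secret, the nonce ledger and the transactions are all constructed. It contrasts a code that depends only on a bank challenge (so a relayed code authorises whatever transaction was submitted to the bank) with a code bound to a single-use nonce and the payee and amount the customer confirms on the reader, which fails verification when the submitted transaction differs from the confirmed one and refuses replays.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_pence: int


def _display_code(secret: bytes, *fields: str) -> str:
    """Derive the 8-digit code a reader would show. HMAC truncation is a
    constructed stand-in for whatever a real reader computes."""
    mac = hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


# ---- Design A: code depends on the bank's challenge only ------------------
def reader_challenge_only(secret: bytes, challenge: str) -> str:
    return _display_code(secret, "challenge", challenge)


def bank_verify_challenge_only(secret: bytes, challenge: str, code: str) -> bool:
    # Nothing here names a payee or amount: the bank cannot tell what the
    # customer thought they were approving.
    return hmac.compare_digest(reader_challenge_only(secret, challenge), code)


# ---- Design B: code bound to a fresh nonce and the confirmed transaction --
def reader_transaction_bound(secret: bytes, nonce: str, txn: Transaction) -> str:
    # The customer keys the payee and amount they intend into the reader.
    return _display_code(secret, "txn", nonce, txn.payee, str(txn.amount_pence))


class BoundVerifier:
    """Bank-side check: the code must match the submitted transaction AND the
    nonce must be one this verifier issued and has not yet consumed."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._live_nonces = set()

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(8)
        self._live_nonces.add(nonce)
        return nonce

    def verify(self, nonce: str, code: str, txn: Transaction) -> bool:
        if nonce not in self._live_nonces:
            return False                      # unknown or already used: stale
        expected = reader_transaction_bound(self._secret, nonce, txn)
        if not hmac.compare_digest(expected, code):
            return False
        self._live_nonces.discard(nonce)      # single use: blocks replay
        return True


def relay_outcome(bound: bool) -> bool:
    """Return True if the bank would accept the SUBSTITUTED transaction.

    Models the real-time relay the article describes: the customer intends
    one payment, a phishing page submits a different one to the bank,
    forwards the bank's challenge/nonce to the customer, and the customer
    types the code their reader shows into the page, which forwards it on."""
    secret = b"constructed-card-secret"
    intended = Transaction("Landlord", 50_000)
    substituted = Transaction("Other payee", 500_000)

    if not bound:
        challenge = secrets.token_hex(4)
        code = reader_challenge_only(secret, challenge)          # what the customer sees
        return bank_verify_challenge_only(secret, challenge, code)

    bank = BoundVerifier(secret)
    nonce = bank.issue_nonce()
    code = reader_transaction_bound(secret, nonce, intended)     # reader covers intended
    return bank.verify(nonce, code, substituted)


def replay_outcome() -> bool:
    """Under design B, a genuine code presented a second time is refused."""
    secret = b"constructed-card-secret"
    bank = BoundVerifier(secret)
    txn = Transaction("Landlord", 50_000)
    nonce = bank.issue_nonce()
    code = reader_transaction_bound(secret, nonce, txn)
    first = bank.verify(nonce, code, txn)
    second = bank.verify(nonce, code, txn)
    return first and not second


if __name__ == "__main__":
    print("challenge-only: substituted transaction accepted?", relay_outcome(bound=False))
    print("transaction-bound: substituted transaction accepted?", relay_outcome(bound=True))
    print("transaction-bound: replay refused?", replay_outcome())
```

The point of the model is the verifier, not the reader: a bank that checks the code against the payee and amount it is about to act on, using a nonce it issued once, detects the substitution and the replay, whereas a challenge-only check has no transaction to compare against.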
The Association of Payments and Clearing Services (Apacs) said banks must consider factors such as usability when designing security systems.
"What the research does not take into consideration is the banking industry has to balance usability with fraud prevention," said an Apacs spokesman. "The banks that are most actively involved in these programmes have reported falls in the amount of fraud."
According to Apacs, 21 million people used online banking systems in the UK in the first six months of 2008. For the same period, the organisation reported £21.4m in online banking losses to fraud. This compared with £7.5m in 2007 but is lower than the £22.4m lost in 2006.
The Apacs spokesman said that the specific weaknesses that have been identified by the researchers have never been used to commit fraud.
Barclays said in July that no online customer using its two-factor authentication security device had been hit by fraud.