Banks aiming to alleviate online banking fears

Is two-factor authentication the answer?

Tags: two-factor

By Dan Ilett

Published: 28 March 2006 13:30 GMT

Barclays recently announced it is stepping up its fight against fraudsters by using technology to check that each customer's spending behaviour matches his or her profile.

Although other banks are already using similar anti-fraud techniques, the announcement shows how financial companies are now working hard to convince customers online banking is safe.

This was the latest in a spate of moves from high street banks to tackle fraud. Lloyds TSB is installing anti-skimming devices on all its UK ATMs, and last year issued two-factor authentication tokens to a sample of customers.

Several other banks, including Alliance and Leicester, are also planning to use two-factor authentication tokens and technology, the premise of which is to increase the security of online transactions with 'something you have' (such as a token or card) and 'something you know' (such as a password).

But will two-factor be a success? The technology has its strengths and weaknesses but as it has not yet been tested on a wide scale, it's too soon to tell.

Clive Longbottom, head of research for analyst Quocirca, said: "The bad guys are always one step ahead. What you have to do is narrow the number of people who can commit fraud but there are always those clever enough to do it.

"Some of the banks are seriously considering two-factor but I think a lot more thought needs to go into it. If you lose your token you don't want to have to phone someone to prove who you are. One issue that you will find is user acceptance - if people lose a token, they could soon start to fall out of love with online banking."

The need for two-factor authentication follows the rise of phishing email scams and card-not-present fraud.

After chip and PIN was introduced in 2005, fraud in the high street fell but clearly migrated to other areas, such as phone, mail and online transactions.

Last year internet, phone and mail order transactions - and card-not-present fraud - rose by 21 per cent to £183.2m. Online banking fraud losses also doubled in 2005, hitting £23.2m, due to the rise in email phishing scams.

An Apacs spokeswoman told silicon.com: "The issue on card transactions is a different one to banking online. Card-not-present is not just online. It's very clear where [banks] need to direct resources."

Apacs has recently developed a two-factor authentication standard for banks to adhere to, and testing of a two-factor system for purchases over the phone is set to begin at the end of this year. But some banks have yet to announce any security or publicity campaigns to reassure their customers.

Apacs added: "There's a different level of activity in different organisations. The [two-factor] framework is in place. It means we can move forward in a compliant basis but that doesn't mean everyone will."

A leading security expert in the US has criticised the use of two-factor authentication. Last year Bruce Schneier, CTO of Counterpane, said it fails to address today's problems.

Fraudsters, he explained, will still be able to use the 'man in the middle attack', where phishers set up dummy websites to intercept single-use passcodes, or use malware to piggyback on a session once a user logs into their account. More than a year ago, security company MessageLabs encountered a piece of malware that did this.

Still, Paul Gribbon of LogicaCMG's electronic identity unit said two-factor authentication is an obvious step to take.

He said: "Banks are moving inevitably towards a two-factor authentication approach for [their] customers, although the timescales are not as pressing as the fraud department would hope. The unanswered question from the community remains quite how they will force their customers to use it and what methods they will employ.

"With the current options including an unattached token device, a USB token, a sleeved-reader using a chip card and a hosted-version, many banks are still playing the waiting game and seeing which one will either be mandated, or prove the most cost effective and simplest to use."
