By Steve Ranger, 14 October 2005 13:05
Lloyds TSB is piloting a token-based security system with 30,000 of its online banking customers in an attempt to crack down on phishing and other fraud attacks.
During the pilot, the customers will log into online banking with their username and password as usual but will also have to use a one-time six digit code generated by the token.
They will then have to enter another code generated by the token for certain types of transactions, such as bill payments, instead of their normal password.
Matthew Timms, Lloyds TSB internet banking director, told silicon.com: "This is the first large-scale pilot of its kind in the UK. Online is becoming an increasingly important area for customers and maintaining confidence in such an important channel is critical."
He added: "What we are looking at is putting barriers in the way and making it harder for fraudsters."
The Vasco tokens cost between £2 and £5 but Timms would not give the total cost of the trial.
The bank has almost two million active customers, who make 40 million transactions per month.
But there is a fear that as credit card anti-fraud plans are put in place, fraudsters may turn towards online banking: "If [fraudsters] see their revenue declining they will look at another area to make up their losses," said Timms, who said there has been a "significant increase" in fraud attempts this year.
Last year UK banks lost £12m to internet-banking-related fraud, small compared with the £500m lost to credit card fraud, but Timms said the idea is to develop a system that can squash both problems.
He said: "The journey we are on is towards something that will cover 'card not present' and internet banking fraud. The standard will be for something that will fix both."
Apacs is working with the banking industry to develop a standard for card readers so that chip and PIN cards can be used to authenticate online transactions.
Timms said: "We are working very closely with Apacs on the standard for 'card not present'. At that point the standard with Apacs hadn't been agreed so we decided to go ahead with this."
This trial is, then, less about the token technology than about seeing how customers respond to the additional security: "If they aren't adopting these then what do we have to do to get customers to adopt these new technologies," Timms said.

Comments
1. Stephen de Vries
It is interesting that this is being touted as a solution to phishing, since it will be largely ineffective against these attacks.
Currently, phishing attacks are not performed in real time, in that the attackers put up a fake page and wait for victims to enter their usernames and passwords. All the fake sites do is record these details so that the attacker can come back at a later time and log in to the compromised accounts. Token-based authentication will foil these attacks, since the password (the number on the token) is constantly changing and is only valid once.

But this does not mean that all types of phishing attacks are prevented. All the attacker has to do is create a slightly more complex fake page that acts as a "man in the middle" by accepting the user's authentication credentials and their one-time secret number and passing these on to the real bank. Now the phisher acts as a middleman, translates the user's actions on the fake website into real actions on the real site, and communicates the response from the real site back to the user. So the user is none the wiser that they've contacted a fake site, since all their operations work as expected. But the attacker has an open channel to the bank and can perform transactions without the user being aware of them (until they check their balance!). This form of attack has the limitation that the attacker can only access the user's bank account while the user is logged in (through the attacker's site).
I'm not suggesting that two-factor authentication isn't a good idea - it is, and it's better than the simple username, password, PIN combination because the password isn't permanent. So it's an effective defence against attacks where there is a time lag between the user divulging the password and the attacker using it - e.g. emails, a stolen piece of paper with the password on it, etc. But it is not an effective defence against attacks where the attacker can use the password immediately, such as a "man in the middle" phishing attack.
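The distinction the comment above draws, as an added example that is not part of the comment or of any bank's system: an RFC 4226 style event-based six-digit code with a bank-side verifier that burns each counter once it is accepted. A code harvested and used later is rejected, while a code forwarded immediately is indistinguishable to the verifier from the legitimate submission. The secret, the `Token` and `OtpVerifier` classes and the `demo()` scenario are constructed for this example.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code per RFC 4226: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Token:
    """Constructed stand-in for a hardware token: each button press advances the counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpVerifier:
    """Bank-side check: each counter value is accepted at most once, within a look-ahead window."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # burn this counter and any the user skipped
                return True
        return False


def demo() -> tuple:
    """Returns (delayed_replay_accepted, realtime_relay_accepted) for a constructed secret."""
    secret = b"constructed-demo-secret"
    token, bank = Token(secret), OtpVerifier(secret)
    # Delayed phishing: the code is harvested, the user logs in with it, the attacker tries later.
    harvested = token.press()
    bank.verify(harvested)                      # legitimate login consumes the counter
    delayed_replay = bank.verify(harvested)     # rejected: counter already burned
    # Real-time relay: the code is forwarded straight to the bank before the user's own use.
    relayed = token.press()
    realtime_relay = bank.verify(relayed)       # accepted: the verifier sees a fresh, valid code
    return delayed_replay, realtime_relay
```

The verifier only knows that a code is fresh and unused; nothing in the one-time code itself tells it which channel the code arrived through.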
2. Simon
Déjà vu?
Didn't another bank do something similar not too long ago - what happened to that?
I think this is a great idea, but with one proviso! They need to get together and create a standard so that we can use one token for multiple services - otherwise some of us might end up with a drawerful!
3. Peter Lewis
Lloyds TSB are to be applauded for this trial, and for it being more about human factors than about the technology. They could do worse than asking some of their Swiss customers about any experiences they might have had with the UBS Swiss e-banking system. This was already better than most (with 2 factor authentication based on a cross-out list of numbers) when it was upgraded about two years ago. At that point, small calculator devices were issued to all e-banking customers.
These use a challenge-response system where the response is based on an encryption algorithm held on an individual smart card in the calculator. (Access is PIN-protected, in case of loss.) There are clearly loads of human issues involved in this system, and it isn't proof against the site-in-the-middle fraud described by Stephen de Vries, but Lloyds could learn plenty by taking a peek.
4. anonymous
I have just opened an account with ABN Amro in the Netherlands. I was given a card reader / code generator device, plastic, inexpensive to produce and allowing one-time code access to their accounts site. Seems they have been using this technology for some time. The UK should do more of this; it inspires confidence in the transaction.