Last week the UK’s seventh largest bank, Alliance & Leicester, issued all of its one million online banking customers with extra security technology designed to stamp out internet phishing scams.
The two-factor technology is the firm’s response to banking-related online identity theft and fraud, which, according to industry group Apacs, cost the UK £23.2m last year. The software identifies the customer’s computer and assures them they are not entering a phishing web site.
While Alliance & Leicester is adopting its own form of two-way, two-factor customer authentication from vendor PassMark, other UK banks are taking a different approach, using physical devices to identify customers.
Earlier this month, Lloyds TSB revealed that it has eliminated online banking fraud among some 23,500 customers who have been testing the key-ring sized devices over the past five months (Computing, 10 March).
HSBC is also working on developing two-factor authentication technology for internet banking customers, which it will issue to customers later this year. It is already rolling out passcode generating devices from supplier Vasco in the Asia-Pacific region.
‘The solution will provide extra protection against fraudulent activities such as phishing, keylogger trojans and remote hacking,’ said an HSBC spokesman.
The token devices generate a unique passcode for each user every 30 to 60 seconds.
Even if a criminal manages to intercept an online banker’s user ID and password via keystroke logging software, spoof sites or phishing emails, they would not be able to access the bank account or transfer money.
‘Fraud has adapted over time and spyware is more sophisticated. This is something we needed to tackle,’ said Matthew Timms, director of internet banking at Lloyds TSB.
‘Customers will use the device once to log in, and again to make transfers, standing orders or person-to-person payments.’
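How a server can check the token passcodes described above, as an added example that is not code from the article, the banks or their suppliers. It assumes a time-step HMAC scheme in the style of RFC 6238, which the article does not say the Vasco or Lloyds TSB devices use; `TokenVerifier`, the constants and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per passcode; the article says tokens change every 30 to 60 s
DIGITS = 6   # assumed passcode length
DRIFT = 1    # assumed tolerance: one time step either side for token clock drift


def passcode(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server-side check for one customer's token (hypothetical helper)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for counter in range(current - DRIFT, current + DRIFT + 1):
            if counter <= self.last_counter:
                continue  # step already used: a captured code cannot be replayed
            if hmac.compare_digest(passcode(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # constructed sample secret (RFC 4226 test key)
    server = TokenVerifier(secret)
    t_login = 59.0                    # constructed timestamp, seconds since epoch
    code = passcode(secret, int(t_login) // STEP)
    return {
        "login": server.verify(code, t_login),
        "replayed_for_transfer": server.verify(code, t_login + 5),
        "stale_after_2_min": TokenVerifier(secret).verify(code, t_login + 120),
        "fresh_for_transfer": server.verify(passcode(secret, 2), t_login + 5),
    }
```

`demo()` shows the code accepted at login being refused when replayed for a transfer or presented two minutes later, while the token's next code is accepted.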
But because many people in the UK hold several bank accounts with various financial services organisations, a proliferation of different physical authentication devices could become inconvenient or confusing.
For this reason Apacs has developed an industry standard device to authenticate online transactions, and card-not-present purchases made online or by telephone (Computing, 5 January).
Alliance & Leicester and Lloyds TSB say they will move to this form of authentication device when they feel the time is right.
‘Tokens secure the transactions, but the Apacs industry standard covers a greater spectrum, including one-time, log-in passwords; card-not-present transactions; and person-to-person transfers,’ said Timms.
Martha Bennett, research director at analyst Forrester Research, agrees that a common approach within the banking industry will boost user acceptance. Lloyds TSB and Alliance & Leicester’s existing investments will be transferable, she says.
‘Lloyds TSB has chosen a back-end system that will work with the Apacs standard. The only non-reusable technology will be the tokens,’ she said. ‘And what Alliance & Leicester is doing is something that can be used in conjunction with it.’
But Bennett says rather than putting the responsibility on the customer to authenticate themselves, the bank should be investing more in back-end systems and transaction analysis databases to curb financial losses.
‘In the US they will do almost anything to avoid using two-factor authentication, so they are adding more sophistication to back-end systems.
‘Whereas in Europe financial services are taking the opposite approach of strengthening the front door,’ she said.
By using software to analyse where a customer is physically logged in and by identifying behavioural usage patterns, banks should be able to detect anomalies and spot criminals trying to access accounts from other countries, she says.
Timms agrees: ‘The Access Code Device is one part of our overall strategy; we are also doing a lot with transaction monitoring and that has already been very successful for us.’
But online fraud is still less of a concern to the industry compared with the potential financial losses if worried internet customers switch back to more costly high-street and telephone banking services.
So long as this concern remains prevalent, banks are likely to stay focused on high-profile, public-facing security projects, rather than just behind-the-scenes intelligence systems.
Anti-fraud... in 30 seconds
How does two-factor authentication work?
* Banks are developing two-factor authentication technology to tackle identity theft and internet fraud.
* Although approaches vary from bank to bank, the technology relies on two things: something you know, such as a password or PIN, and something you have, such as a computer or token.
* Some 15 million Bank of America customers in the US authenticate themselves using the PassMark system adopted by Alliance & Leicester.
* In Brazil and the Asia-Pacific region, HSBC has been testing key-ring sized tokens that generate a unique code for users to enter when they log in.
* In Sweden, the government is working with the banking industry to develop BankID, a digital signature system to verify transactions. Thales’ SafeSign technology is currently used by nine banks and more than 600,000 people.
* In the UK, three technologies are being explored: Alliance & Leicester is using the computer as the authenticator; Lloyds TSB is testing key-ring sized tokens; and industry group Apacs is developing a card reader.
* In Finland, Nordea Bank issues customers with sheets of paper containing one-off passcodes that consumers scratch off each time they log on.









