Banks seek a standard for beating online fraud

13 Apr 2005

As public concerns about online security continue to rise, the banking industry in the UK is poised to fundamentally change the way it verifies the identity of online customers.

The sector wants to establish a method of ensuring that anyone logging on to a banking site or using a credit or debit card to shop is who they say they are.

Card-not-present fraud in the UK rose by nearly a quarter last year to £150.8m, making it the biggest category of fraud, according to the Association for Payment Clearing Services (Apacs).

Banks are now considering a variety of methods to tackle the problem, most of which involve using some kind of physical device to generate unique codes to certify online transactions.

The government is also becoming involved. Earlier this month, Whitehall outlined plans to establish the banking sector as a pioneer for online authentication, with the aim of creating a framework to increase confidence in the identity of online users, both in a transactional and social context.

Apacs told Computing this week that, early next month, it aims to establish a UK standard for a physical means of authenticating online transactions.

Tom Salmond, a consultant for Apacs' ecommerce group, says this will be a key element in moving the technology from a concept to a working reality.

'In the industry, people have said they need a lot of confidence about the standard, so we've been putting an awful lot of work into that,' he said.

'Now banks are starting to get beyond the discussion phase and come up with some prototypes, which will be increasingly followed by customer research over the next six months. We expect they will start deploying systems in certain customer segments in the next nine to 12 months.'

Alan Jebson, group chief operating officer at HSBC Holdings, says banks have to work hard and fast to catch up with the growing range of new internet scams designed to rob customers.

'It wasn't so long ago that criminals targeted single high-street banks,' says Jebson. 'These days they are people with PhDs using the internet to try to steal millions in seconds. They know that home computer users are the weakest link in the bank's security, and we need to encourage customers to secure their systems.'

But despite efforts to warn customers about threats such as spyware and phishing, a number of HSBC customers have been tricked into revealing confidential information and have lost money as a result, he says.

'Customers can no longer be certain that emails purporting to be from financial institutions are genuine,' said Jebson.

The industry may be forced to ban customers from accessing online banking, unless they take proper measures to protect themselves by installing adequate firewalls and anti-virus and anti-spyware software. It could also shift the financial liability of theft over to customers, he says.

But before such measures are considered, HSBC wants to investigate other physical ways of protecting willing online banking customers, including two-factor authentication or biometrics, such as fingerprints.

'When it comes to ecommerce, we face a dilemma,' he said. 'We want to encourage more and more customers to do business over the internet, but they will only do that if they are convinced it is secure.'

Issues of cost and ease of use must be addressed before HSBC commits to a full rollout, he adds.

'The harder we make it for online criminals, the more torturous it becomes for our customers,' he said.

Mark Snuggs, product manager for electronic banking at Coutts, which already has a physical authentication scheme in place (see box), says high-street banks will have to weigh up the pros and cons of such a system.

'When you look at the number of customers the high-street banks have, it's likely that there will be high costs involved,' he said. 'But that needs to be weighed up against how much they want to stop fraud, and the concerns their customers have about online banking.'

Such a system could also act as a way for firms to validate transactions made through call centres or even email, broadening its usefulness in combating fraud.

But for any system to be genuinely useful for consumers, widespread industry collaboration will be required.

'For this to work, we need retailers to put this system in place on their sites,' said a spokeswoman for Barclaycard. 'It has to be a complete circle.'

Two-factor authentication foils phishers

Coutts, the private banking arm of The Royal Bank of Scotland, has been using two-factor authentication to prevent identity theft and financial crime since it launched its internet service in September 1999.

The bank's 14,000 online banking customers were each sent a 'passcode calculator', a credit card-sized number generator, as part of their registration process.

When customers log on to the banking site, they enter the unique number displayed on the screen of the RSA SecurID token, which is then checked against the bank's servers for a correct match.

'Because of the type of customer we attract, and their high net worth, we need the best security that is out there,' said Mark Snuggs, product manager for electronic banking at Coutts.

Because the one-off unique number changes every 60 seconds and expires as soon as the customer enters it, the risk of key-logging software being used to steal usernames and passwords is reduced.

'Even if criminals managed to use key-logging software to intercept and catch the unique passcode it's no use, as it has already been used and can't be used again,' said Snuggs.

'We had a mixed reaction at the start but, nowadays, with all the media focus on phishing, customers are quite happy that we have this additional level of security.'
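
The server-side check the box describes, a code that changes every 60 seconds and is refused once it has been used, can be sketched as follows. This is an added example, not code from Coutts or RSA: SecurID's algorithm is proprietary, so an RFC 6238-style HMAC code with a 60-second step stands in for it, and `passcode`, `PasscodeVerifier`, the user name and the timestamp are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article: the displayed number changes every 60 seconds


def passcode(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code for the time step containing unix_time (HOTP truncation, RFC 4226)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class PasscodeVerifier:
    """Server side: accepts each user's code at most once per time step."""

    def __init__(self, secrets: dict[str, bytes]) -> None:
        self._secrets = secrets
        self._last_step: dict[str, int] = {}  # last step accepted per user

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        step = now // STEP_SECONDS
        if self._last_step.get(user, -1) >= step:
            return False  # a code for this step was already used: replay
        expected = passcode(secret, now).encode()
        if not hmac.compare_digest(expected, code.encode()):
            return False  # wrong or expired code
        self._last_step[user] = step
        return True


def demo() -> list[bool]:
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    verifier = PasscodeVerifier({"alice": secret})  # "alice" is constructed
    t0 = 1_113_350_400  # constructed timestamp on a 60-second boundary
    logged = passcode(secret, t0)  # what key-logging software would capture
    return [
        verifier.verify("alice", logged, t0 + 5),   # genuine login
        verifier.verify("alice", logged, t0 + 10),  # replay, same window
        verifier.verify("alice", logged, t0 + 60),  # replay, next window
        verifier.verify("alice", passcode(secret, t0 + 60), t0 + 60),
    ]
```

The replay inside the same 60-second window is refused only because the verifier remembers the last accepted step; without that state a captured code would remain usable until the window closed.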
