A sting in the e-banking security tale

I should have learned my lesson by now: in this business it’s never sensible to make big public predictions about developments in IT. But like the cocky young pup I am, a little while ago in my blog I wrote that although UK banks have now started to hand out free antivirus and anti-spyware software to online customers (well, just Barclays, recently), the chances of them following suit with two-factor authentication tools in the near future looked about as likely as Mel Gibson celebrating Hanukkah.

So up stepped Barclays, no doubt spurred on by my bank-bating words, and announced that next year it will issue such tools.

Two-factor authenticators for consumers have been on the cards for a while, and if you believe the hype about identity fraud in some of the more hysteria-inducing red-top newspapers you may think “about time too!”

Lloyds TSB is testing a keyring-based device that generates a one-time password, and Alliance & Leicester blazed the trail in March this year by issuing all its customers with the technology.

But are the profits of banks and e-vendors greatly threatened by the effects of fraud? According to a survey released by payments association body Apacs in March, the amount of money lost through internet fraud in the UK stayed the same last year, at £117m, while other forms of card-not-present (CNP) fraud increased by 21 percent – statistics that don’t justify a panicky rollout of two-factor devices. And even if they issue such technology, banks may still struggle against that crucial human factor: the people who continue to fall for the phishing scams that pepper our inboxes with increasing regularity and sophistication.

But consumers are fickle, as many online merchants are aware. Put too many security barriers in the way and your potential shopper gives up and goes elsewhere, where the payment process is easier. On the other hand, skimp on online security and they may be scared away from shopping at your web site.

Our beloved financial institutions are therefore looking to two-factor authentication systems as much to prove to their customers that they are taking security seriously, as to actually prevent lost revenue from fraud.

This strategy makes commercial sense: as Chris Voice of fraud detection specialist Entrust told me recently, if customers did decide to boycott online banking in favour of the high street, the costs for Barclays et al would surely make those lost in fraud each year pale by comparison.

But before we all start believing the hype about the benefits of Barclays’ system, let’s wait and see how the balance of responsibilities between consumer and service provider plays out. Far be it from me to make any kind of prediction about anything any more, but don’t be surprised if once our favourite high-street lenders offer these security measures, they then refuse to reimburse any defrauded customers who have not implemented them.

That would certainly be more typical behaviour from the bank that laughed at my loan request.