RBS begins two-factor authentication support

Bank will give customers card-reading devices to defend against phishing

Cassidy: Banks do not compete on security

Royal Bank of Scotland (RBS) is to issue two-factor authentication card readers to its online customers this week.

The devices will protect against phishing attacks by providing a different password every time a customer logs on.

‘We will initially supply this enhanced security to business and personal customers who use e-banking to make frequent transfers or payments,’ an RBS spokesman told Computing.

The bank will then assess the technology’s success and roll it out to other customers.

The card readers, from vendor Xiring, are the size of a calculator and will be free of charge for customers who want them.

Barclays announced last month that it will start issuing similar devices later this year, while Alliance & Leicester has its own picture-based, two-factor systems in place. Lloyds TSB is testing a keyring-based system, but has not ruled out card readers as an eventual solution.

UK banking association Apacs defined the card readers as the UK standard for securing e-banking and e-commerce, despite the reticence of some banks.

Brendan Pickering, head of fraud technology at HSBC, says the system is unlikely to resolve fraud and security problems.

And George Hazell, information security manager at Alliance & Leicester, says the bank is uncomfortable with the practicality of a card reader, but would follow suit if the devices are adopted as the industry standard.

Two-factor authentication is considered an effective defence against phishing, but is vulnerable to more sophisticated hacking attacks. Last year, US bank Citibank had its two-factor model cracked by a man-in-the-middle attack, in which a criminal sits between the user and their bank.

Banks have been criticised for using two-factor authentication as nothing more than a marketing device. But Peter Cassidy, from industry body the Anti-Phishing Working Group, says this attitude is unhelpful.

‘Phishing is low-tech and putting anything between the phisher and his goal is useful,’ he said. ‘Banks all face the same adversaries and it is an unspoken rule that they do not compete on security technology.’