Banks wary of two-factor model

Egg and Alliance and Leicester voice concerns

More UK banks have expressed concerns over industry plans for a standard card reader to be used for authenticating online banking transactions.

Industry body Apacs is leading development of a standard model that could help to tackle identity theft by using a second means of proving customers are who they say they are.

But George Hazell, information security manager at Alliance & Leicester, says the bank is not entirely happy with the Apacs two-factor model.

‘We are uncomfortable with the practicality of a card reader,’ he said.

‘It is intrusive, it is easily lost, and there is an issue around when we are going to get the chip-and-PIN card in a position to adopt it.’

Pete Marsden, chief information officer at online bank Egg, says the bank is also wary of the card readers.

‘It’s a pretty expensive model, it is pretty clumsy from the customer perspective, and two-factor is not a complete defence against phishing,’ he said. ‘Citibank has already had its two-factor authentication model broken by a phishing attack.’

Marsden says Egg would ‘follow suit begrudgingly’ if all the other banks adopted the system.

Brendan Pickering, group head of fraud technology at HSBC, told the Gartner IT security summit two weeks ago that the system was ‘unlikely to resolve fraud and security problems’.

Barclays is the only bank to have announced a full rollout of card readers for all its online banking customers.

Lloyds TSB is trialling a different two-factor system called Passmark, but a spokesman says it would adopt the Apacs standard model when finalised.
