Banks Tackle Two-Factor Challenge

Silicon reports a Barclays bank announcement that it is stepping up its fight against fraudsters by using technology to check that each customer's spending behaviour matches his or her profile.

Although other banks are already using similar anti-fraud techniques, the announcement shows how financial companies are now working hard to convince customers online banking is safe.

This was the latest in a spate of moves from high street banks to tackle fraud. Lloyds TSB is installing anti-skimming devices on all its UK ATMs, and last year issued two-factor authentication tokens to a sample of customers.

Several other banks, including Alliance and Leicester, are also planning to use two-factor authentication tokens and technology, the premise of which is to increase the security of online transactions with 'something you have' (such as a token or card) and 'something you know' (such as a password).

Clive Longbottom, head of research for analyst Quocirca, said: "The bad guys are always one step ahead. What you have to do is narrow the number of people who can commit fraud but there are always those clever enough to do it.

"Some of the banks are seriously considering two-factor but I think a lot more thought needs to go into it. If you lose your token you don't want to have to have to phone someone to prove who you are. One issue that you will find is user acceptance - if people lose a token, they could soon start to fall out of love with online banking."

The need for two-factor authentication follows the rise of phishing email scams and card-not-present fraud.

After chip and PIN was introduced in 2005, fraud in the high street fell but clearly migrated to other areas, such as phone, mail and online transactions.

Last year internet, phone and mail order transactions - and card-not-present fraud - rose by 21 per cent to £183.2m. Online banking fraud losses also doubled in 2005, hitting £23.2m, due to the rise in email phishing scams.

An Apacs spokeswoman told silicon.com: "The issue on card transactions is a different one to banking online. Card-not-present is not just online. It's very clear where [banks] need to direct resources."

Apacs has recently developed a two-factor authentication standard for banks to adhere to, and testing of a two-factor system for purchases over the phone is set to begin at the end of this year. But some banks have yet to announce any security or publicity campaigns to reassure their customers.

Apacs added: "There's a different level of activity in different organisations. The [two-factor] framework is in place. It means we can move forward in a compliant basis but that doesn't mean everyone will."