Key-fob fights online banking fraud

 

Gallery

Posted on 14 Oct 2005 at 12:25

Lloyds TSB is trialling a key-fob device that gives their online banking customers a unique one time code to help secure access and prevent fraud.

The trial is the biggest of its kind for the UK and, although banks are currently working towards standard device for all UK banks under the auspices of the APACS body, a spokesperson told us that Lloyds TSB wanted to get moving with it as soon as possible.

The trial will cover 30,000 randomly chosen customers to test the device. It generates a unique time-indexed code that must be entered (along with password or PIN) instead of having to enter additional personal information, such as your mother's maiden name.

Codes must be used to both log in and move money around, with the benefit being that even if a digital attack did reveal a victim's login details, the attacker would have to receive a code in 'real-time' in order to log in, before the code expires.

This could of course prove a barrier to perhaps the elderly who may find the pressure of having to enter the code quickly difficult to cope with. The spokesperson told us that hopefully the trial would unearth any such problems, and the bank could then look at using keyfobs with larger screens if necessary. 'The aim is to find a device for everyone,' we were told.

One of the attractions of online banking is not only the convenience of being able to access your account online, but also higher interest rates, made possible because of the lower maintenance needed by the banks themselves. But rolling out and managing a set of key-generating devices may become an overhead that would eat into these benefits.

The spokesperson told us that with £12m lost to online banking fraud last year, such costs would be considerably offset by the reduction expected in fraud.

Matthew Timms, Internet banking director for the bank, said: 'Fraudsters are becoming increasingly cunning with their tactics, and there's no hiding the fact that fraud is on the increase. The trial of the Access Code Device is one of a number of security initiatives we are introducing to address the concerns of customers and stay ahead in the battle against online fraudsters.'

Schemes of this type are not immune from attacks however. Earlier this month, security company F-Secure reported a phishing attack on a bank in Sweden, which uses a one-time password system.

The phish was sophisticated in that all the emails initially spammed out were in Swedish. Recipients who were duped into accessing the phishing site were asked to enter the one-time password (customers of the bank were asked to enter a one-time password generated on the website). Once the victim typed in the code, they were told there was a problem and that they should use the next available code.

The attackers were collecting the first codes generated, knowing they were 'unused', and hoping to subsequently use them in other future attempts to access and move money from accounts at the bank.

In response, the bank - Nordea Sweden, which is the largest bank in Nordic countries and boasts one of the largest Internet banks in the world - immediately shut its Internet banking operations.

Lloyds TSB has also introduced other initiatives to encourage its customers to secure their computers. It is offering free antivirus scans of PCs using ZoneAlarm, and a discount to customers buying the full application.

However, it doesn't block any customer found to have an infected computer through the use of these scans.

Author: Matt Whipp