Online banking security standard 'by the end of 2005'

Online banking security standard 'by the end of 2005'

Summary: The matter of who foots the bill for better security is yet to be decided

TOPICS: Security

A UK authentication standard for online and telephone banking will be launched before the end the year, the Association of Payment and Clearing Systems (APACS) said on Monday.

The UK standard will take the form of a small device in which you insert a chip and PIN card, according to an APACS spokesperson. After the four-digit PIN is entered, a numeric, one-time-only password is generated according to an algorithm and displayed on the screen of the device. This password is then used to authenticate the users so that they may then access online or telephone banking.

All members and schemes signed up to APACS will use the general standard. These include all of the major UK banks, as well as credit card firms Visa and MasterCard.

The technological template will be a "platform for interoperability", and will mean users should not need "half a dozen different devices" if they use more than one bank or credit card, the spokesperson said.

Trial versions of the device will be tested "over the next couple of years" by banks. Exactly when they will be tested will be a competitive issue for individual banks, the spokesperson said.

Lloyds TSB announced a trial for 30,000 online customers on Friday for a one-time-only password generation device, although the new general standard device will be "slightly different," according to APACS.

Who foots the bill for the devices — consumers or the banks themselves — will also be a competitive issue between banks, according to APACS.

Banks will also need to take consumer reluctance to adopt this technology, as well as a more general fear of online banking into account, according to Unisys, which supplies IT systems to many UK banks.

"Despite the fact that banks issue communications about security, the view from consumers is that they don't know enough about it. Firewalls make consumers nervous," Paul Leckie, a partner in Unisys global financial services, said.

Leckie welcomed the Lloyds TSB one-time-only password device trial, as he believes it would address both consumer's worries and the overall question of security.

"We welcome the Lloyds TSB trial as it will give answers to questions such as: what if a consumer is [banks with different banks]? How can you ensure safe distribution of the devices? What if the device breaks, or is lost or stolen? How will making banking online more difficult affect consumers — will they be driven away?," Leckie said.

Banks, according to Unisys, should be aware that two-factor authentication by itself would not be a guarantee against fraud.

"Banks need to be aware that two-factor authentication makes fraud harder to perpetrate, but it's not a total solution. Banks have to monitor all of their customer interactions, not just transactions. Fraudsters might request an address change and a credit check before perpetrating a fraud," Leckie said.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This is such tosh, only yesterday the Gov were tooting a
  • Online banking has a new option.... We are the first and only company to leverage online banking to make instant online debit payments. Online banking is the fastest growing activity on the internet today. Our company, UseMyBank Services, revolutionized the payment industry for online Sellers and Buyers. Consumers with online banking can now make "Instant Online Debit Payments" to Sellers with UseMyBank. At the Seller's checkout, a Buyer selects their financial institution and makes an instant debit payment from their online bank.

    This is great news for the 30-40% of consumers without credit cards and those who do not feel comfortable giving online merchants their credit card number.
    Millions of Americans and Europeans now have the same choices. Sellers want that buying power and consumers love the new choices and control they have to make online purchases.

    Almost every retailer offers debit payments in stores and the majority now pay that way. For any online seller to lose a customer because they are unable to process a transaction is costly and preventable. UseMyBank
  • If I have one thing to say to the Banking industry it is "Please, please do NOT use biometrics" .. secure connection or not.

    I have one set of fingerprints and one pair of eyes. It is even now, relatively simple to spoof fingerprints and a little harder (but not impossible) to reproduce iris patterns. What is my bank going to do then? Send me a new body?

    If someone came up to you in the street, shoved a knife to your throat and demanded your banking PIN, what would you do? I know that I for one would give it up. In the brave new biometric future they wouldn't bother doing this. They'll just bring an axe. Whack whack! 10 bits of loverly biometric data coming right up.

    Biometric identification is an inherently flawed idea that is only being propped up by it's own hot air.