UK banks failing the security challenge

Summary: A security company claims that online banking customers are at the mercy of cybercriminals because UK banks aren't offering robust enough security

Internet banks are failing to offer their customers secure online transaction facilities, despite the growing threat of cybercrime.

That is the finding of a study published on Friday that tested 18 UK online banks and found that none were providing customers with supplementary authentication tools on top of usernames and passwords. Thirteen of those banks were susceptible to long-term hacking attacks through the use of password-stealing programs and identity theft scams — sometimes known as phishing attacks.

"The time is right for the FSA [Financial Services Authority] to use its regulatory power to mandate standardised authentication mechanisms for online financial services," said Phil Robinson, chief technology officer at Information Risk Management (IRM), the company behind the study.

"The UK is falling behind the rest of the world and it is the users who are suffering financial loss as well as a growing lack of confidence. The government should consider plans to implement extra factors of authentication as part of the UK national identity scheme," Robinson added.

Online identity theft has become a serious problem for banks and their customers. Last month, it was reported that banks lost £12m last year through online identity theft scams.

IRM said the remaining five banks used "selective passwords", which ask a customer for only a section of their access code.

"It's not that [those banks] aren't vulnerable, it's that they aren't as vulnerable," said Robinson, warning that selective passwords don't offer complete security. "Some attacks are pretty opportunistic. If the same information is used each time the customer goes into an account, the moment that is logged, that information is immediately exposed."

The FSA's Hong Kong counterpart has issued guidelines that all online banks there must supply customers with two-factor authentication, such as fingerprint readers, smart cards, or one-time password tags.

IRM did not disclose which banks were less secure than others, but tested the following organisations: Abbey National, Alliance and Leicester, American Express, Barclays Bank, Barclaycard, Barclays International, Capital One, Direct Line, Egg, Goldfish, HSBC, Legal and General Pensions, Lloyds TSB, MBNA Europe, Nationwide, Natwest, Norwich and Peterborough Building Society and Yorkshire Bank.

UK banks are preparing to agree on a form of two-factor authentication, according to banking industry body the Association for Payment and Clearing Systems.

  • As I posted before in the last link it's all about Biometrics, this authentication system is going to be in Mobiles for wireless payments so why not stored in my card and then beamed over the net, info could go over SSL or something - I'm sure a safe delivery and authentication method can be devised.

    These tight arse banks are to blame, record profits into Billions this year and they still squabble trying to find cheaper alternatives to the inevitable, pathetic.
  • It's not the hackers that are causing all of the misery in the online consumer banking circle, it's the PIRATE banks themselves.
    My CAHOOT account accepted 12 small online transactions, all on the same day (though they were made at different times). These 12 transactions totaled
  • HSBC should have done a charge back and reversed any charges, that's how we do it.

    Ken you must have gone across to the wrong person or you may have argued and not explained, even then they should have guided.

    HSBC is all talk of world class service and I read recently where a guy detected some major system flaws, however his managers refused to look into it even after 2 months, they wanted credit, in India... who are useless at managing things with their corrupt minds. What does Ken expect...