Online banking security standard 'by the end of 2005'

The matter of who foots the bill for better security is yet to be decided

A UK authentication standard for online and telephone banking will be launched before the end of the year, the Association of Payment and Clearing Systems (APACS) said on Monday.

The UK standard will take the form of a small device into which the user inserts a chip and PIN card, according to an APACS spokesperson. After the four-digit PIN is entered, a numeric, one-time-only password is generated according to an algorithm and displayed on the screen of the device. This password is then used to authenticate the user, who may then access online or telephone banking.

All members and schemes signed up to APACS will use the general standard. These include all of the major UK banks, as well as credit card firms Visa and MasterCard.

The technological template will be a "platform for interoperability", and will mean users should not need "half a dozen different devices" if they use more than one bank or credit card, the spokesperson said.

Trial versions of the device will be tested "over the next couple of years" by banks. Exactly when they will be tested will be a competitive issue for individual banks, the spokesperson said.

Lloyds TSB announced a trial for 30,000 online customers on Friday for a one-time-only password generation device, although the new general standard device will be "slightly different," according to APACS.

Who foots the bill for the devices — consumers or the banks themselves — will also be a competitive issue between banks, according to APACS.

Banks will also need to take into account consumer reluctance to adopt this technology, as well as a more general fear of online banking, according to Unisys, which supplies IT systems to many UK banks.

"Despite the fact that banks issue communications about security, the view from consumers is that they don't know enough about it. Firewalls make consumers nervous," Paul Leckie, a partner in Unisys global financial services, said.

Leckie welcomed the Lloyds TSB one-time-only password device trial, as he believes it would address both consumers' worries and the overall question of security.

"We welcome the Lloyds TSB trial as it will give answers to questions such as: what if a consumer [banks with different banks]? How can you ensure safe distribution of the devices? What if the device breaks, or is lost or stolen? How will making banking online more difficult affect consumers — will they be driven away?" Leckie said.

Banks, according to Unisys, should be aware that two-factor authentication by itself would not be a guarantee against fraud.

"Banks need to be aware that two-factor authentication makes fraud harder to perpetrate, but it's not a total solution. Banks have to monitor all of their customer interactions, not just transactions. Fraudsters might request an address change and a credit check before perpetrating a fraud," Leckie said.