UK banks failing the security challenge

A security company claims that online banking customers are at the mercy of cybercriminals because UK banks aren't offering robust enough security
Written by Dan Ilett, Contributor

Internet banks are failing to offer their customers secure online transaction facilities, despite the growing threat of cybercrime.

That is the finding of a study published on Friday that tested 18 UK online banks and found that none were providing customers with supplementary authentication tools on top of usernames and passwords. Thirteen of those banks were susceptible to long-term hacking attacks through the use of password-stealing programs and identity theft scams — sometimes known as phishing attacks.

"The time is right for the FSA [Financial Services Authority] to use its regulatory power to mandate standardised authentication mechanisms for online financial services," said Phil Robinson, chief technology officer at Information Risk Management (IRM), the company behind the study.

"The UK is falling behind the rest of the world and it is the users who are suffering financial loss as well as a growing lack of confidence. The government should consider plans to implement extra factors of authentication as part of the UK national identity scheme," Robinson added.

Online identity theft has become a serious problem for banks and their customers. Last month, it was reported that banks lost £12m last year through online identity theft scams.

IRM said the remaining five banks used "selective passwords", which ask a customer for only a section of their access code.

"It's not that [those banks] aren't vulnerable, it's that they aren't as vulnerable," said Robinson, warning that selective passwords don't offer complete security. "Some attacks are pretty opportunistic. If the same information is used each time the customer goes into an account, the moment that is logged, that information is immediately exposed."
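To put numbers on the selective-password point above, this added example (not from the IRM study or the article) models a login that challenges k positions of an n-character access code and computes how likely a fresh challenge is to be answerable from sessions that were already logged. The uniformly random choice of positions and the values of n and k are assumptions made for illustration.

```python
from fractions import Fraction
from math import comb


def known_positions_dist(n, k, sessions):
    """Distribution of how many of the n secret positions have been exposed
    after `sessions` logged logins, each challenging k random positions."""
    total = comb(n, k)
    dist = {0: Fraction(1)}
    for _ in range(sessions):
        nxt = {}
        for known, p in dist.items():
            # A challenge reveals `new` unseen positions and k-new seen ones.
            for new in range(0, min(k, n - known) + 1):
                ways = comb(n - known, new) * comb(known, k - new)
                if ways:
                    key = known + new
                    nxt[key] = nxt.get(key, 0) + p * Fraction(ways, total)
        dist = nxt
    return dist


def replay_probability(n, k, sessions):
    """Probability that a fresh challenge asks only for positions that
    were already exposed in the logged sessions."""
    total = comb(n, k)
    dist = known_positions_dist(n, k, sessions)
    return sum(p * Fraction(comb(known, k), total) for known, p in dist.items())


if __name__ == "__main__":
    n, k = 8, 3  # assumed: 8-character code, 3 characters requested per login
    print("logged sessions | full password | selective (3 of 8)")
    for s in range(0, 9):
        full = replay_probability(n, n, s)       # whole code typed each time
        partial = replay_probability(n, k, s)    # selective password
        print(f"{s:15d} | {float(full):13.3f} | {float(partial):.3f}")
```

The full-password column reaches 1 after a single logged session, while the selective column climbs more slowly but still approaches 1, which is the "not as vulnerable" distinction drawn in the quote.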

The FSA's Hong Kong counterpart has issued guidelines that all online banks there must supply customers with two-factor authentication, such as fingerprint readers, smart cards, or one-time password tags.

IRM did not disclose which banks were less secure than others, but tested the following organisations: Abbey National, Alliance and Leicester, American Express, Barclays Bank, Barclaycard, Barclays International, Capital One, Direct Line, Egg, Goldfish, HSBC, Legal and General Pensions, Lloyds TSB, MBNA Europe, Nationwide, Natwest, Norwich and Peterborough Building Society and Yorkshire Bank.

UK banks are preparing to agree on a form of two-factor authentication, according to banking industry body the Association for Payment and Clearing Systems.
