UK banks are being urged to introduce two-factor authentication based around the Chip and PIN system to head off the increasing threat to online security from Internet-based phishing scams.
UK consultancy outfit Consult Hyperion is promoting national uptake of token authentication, in which consumers tap their PINs into a personal card reader and receive a one-time Web log-in code by return. The system could also be used to authenticate card holders to merchants when shopping via the PC, TV or phone.
The increasing sophistication of Web spoofing scams, and growing evidence of their success in siphoning off consumer funds, are forcing banks to look beyond pure customer education remedies.
"The sophistication of the attacks is high and growing all the time," comments Dave Birch, director of Consult Hyperion. "In some cases, victims are directed to the real bank Web site while a pop-up window is overlaid to capture their details. In other cases, the surfer's toolbar is taken over."
According to Birch, banks should cash in on the millions of pounds being spent to introduce Chip and PIN at the point-of-sale and extend the system to cover the phishing menace. If token authentication were implemented, he says, "phishing would cease to be a threat because the phishers would need to break in and steal the card itself and the PIN - having an account number alone would not help them."
In the UK, Barclaycard has been experimenting with a pocket authentication system designed around MasterCard specifications for preventing card-not-present fraud.
Alternatives to card reader systems include secure SMS messaging to mobile phones - currently used by ASB Bank in New Zealand - and the US-based PassMark security system, which entails the exchange of personalised digital images between banks and consumers online.