Barclays and Lloyds lead online banking security drive
UK banks plan to send hardware to customers

S A Mathieson

Barclays will be joined by several other UK banks in providing customers with security hardware for online banking, while Lloyds TSB is already involved in trials.

On 18 April, Barclays said it will send more than 500,000 customers PINsentry card-readers during the second half of 2007, to use with debit cards and personal identification numbers (PINs). (press release)

Barclays will require use of the card-readers for establishing a new, external payment through online banking – the most attractive type of transaction to criminals – but not for repeat payments.

Lloyds TSB started issuing one-time use random number generators to customers in October 2005, as a trial. 23,500 of the 30,000 customers approached by the bank accepted the devices, and to date “it has been 100% successful” in preventing fraud, according to a spokesperson for the bank.

Other institutions are following Barclays in issuing card and PIN readers to personal banking customers: Royal Bank of Scotland Group, which includes NatWest, plans to do so from this summer, and as with Barclays the device will only be required for new, third-party payments. Nationwide building society will do likewise, again only for new external payments, but does not have an exact date.

However, HSBC does not currently plan to provide home users with hardware. “For personal customers, HSBC’s record for online security is second to none and we can see no compelling case for giving two-factor devices to all customers,” the bank said in a statement. The bank issues such technology in some circumstances, however: “For example, we offer it to business customers who may want to allow multiple staff to access their bank accounts during the day but do not want to let them go home with all the details they need to access a firm’s online banking services.”

The drive towards end-user hardware is being co-ordinated by UK payments association Apacs (http://www.apacs.org.uk/). Sandra Quinn, director of communications, said that banks are developing faster payments during this year, and this is likely to boost demand for online banking: “To make things even more attractive, they will make sure their security is top-notch,” she said. Apacs has produced a standard for such hardware, with which Barclays’ device complies.

Quinn added that some banks are personalising their web-site security questions, with the aim of foiling phishing attacks aimed at gathering commonly-used factual information. First Direct, a division of HSBC, recently started asking customers to choose from a range of security questions such as favourite film or hairdresser, while Alliance & Leicester allows users to upload personal pictures – such as of their dogs – which they then identify to log-on.