Banks let us down on fraud protection
Some customers are left exposed because their sites don't have the latest security. Our correspondent asks if your bank is really safe.
Some of Britain's biggest banks are leaving their customers at risk of fraud because they are being slow to adopt new technology, experts said last week.
The warning came after the information commissioner and Scotland Yard launched an investigation into how banking details, including Pin numbers and security codes, had appeared for sale on black-market websites.
Experts said it was the first time that such detailed information about bank customers had been available online.
Several banks, including Barclays, NatWest and Alliance & Leicester, have introduced technology known as "two-factor authentication", which offers a second layer of protection on top of the traditional Pin numbers and passcodes. This makes it more difficult for fraudsters to read your Pin using a process known as "key-logging".
However, even though Apacs, the UK payments authority, thinks the new technology is "top notch", Lloyds is only testing it and Halifax and Nationwide say they will start to roll it out between the start of next year and the spring of 2008 - potentially leaving some customers more exposed to fraud.
Richard Clayton, a security expert at Cambridge University, said: "Banks that don't offer two-tier authentication will potentially be an easier target for fraudsters."
Halifax admitted as much last week. "Any system that uses just a set password is potentially insecure against fraudsters using spyware and key-logging techniques," a spokesman said.
Banks may even fall foul of the law. Stuart Robinson of the law firm OutLaw, which advises a number of high-street banks, said they were obliged to keep up with the latest measures.
"The law demands that best practice is followed," he said. "The risk for any bank is in falling behind the level of security that its competitors apply."
NatWest and Barclays customers who sign up to the "two-tier" service have to insert their card into a calculator-like reader which then produces a random number. This number has to be used in addition to the normal Pin numbers to access the account. The number changes each time the customer wants to log in, making it difficult for fraudsters to use key-logging to gain access to your account.
Alliance & Leicester has adopted a different approach. The IT security firm RSA, which works with the majority of high-street banks in Britain, has developed its system, which "fingerprints" the computer a customer uses to access his or her account.
Source: The Sunday Times, December 9, 2007
