The Access Code Device generates a unique, one-time-only, six-digit
number that customers enter when they log on to the banking site.
The trial of the key ring-sized Access Code Device is the
largest of its kind in the UK. Similar devices are already in use
in corporate environments and AOL offers them to its US consumers
for a small fee. Some banks in the Netherlands and Sweden have been
using two-factor authentication for several years.
OUT-LAW spoke to Jason Bacon, Lloyds TSB's head of new business
and customer development for internet banking, about the bank's
latest move to combat phishing and other forms of internet
fraud.
Customers taking part in the trial will log on to Lloyds TSB
internet banking as normal using their user ID and password, but
instead of entering their memorable information they will be asked
to press the button on the Access Code Device to generate a unique
code.
The customer then types in this code, which the bank verifies.
Customers taking part in the trial will also be asked to use the
Access Code Device to generate a new code to authorise some online
transactions such as bill payments instead of their normal
password.
If the code is intercepted, perhaps by someone running a website
that purports to be Lloyds TSB's, the attacker has only 30 seconds
to access the user's real account before the code becomes invalid.
If the criminal gets this far and attempts a money transfer, the
request for a second code should foil all but the most
sophisticated attacks.
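The log-on and payment flow described above, written out as an added example (it is not code from Lloyds TSB or the device vendor). The article does not say how the device derives its code, so the HMAC-based 30-second time-step scheme (RFC 6238 style), the shared secret and the bank's tolerance of the just-ended step are all assumptions; the bank side refuses a code it has already accepted and one older than the window, which is what confines an intercepted code to the short replay opportunity the article describes.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid: the article's 30-second window
DIGITS = 6   # six-digit code, as the article describes
# Constructed demo secret shared by the device and the bank; a real
# device would carry a per-customer secret provisioned before issue.
SECRET = b"constructed-demo-secret-not-a-real-key"

def code_for_step(secret: bytes, step: int) -> str:
    """Device side (assumed RFC 6238 style): HMAC-SHA1 over the time
    step, dynamically truncated to a DIGITS-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def generate_code(secret: bytes, now: float) -> str:
    """What the customer sees after pressing the button at time `now`."""
    return code_for_step(secret, int(now) // STEP)

class Bank:
    """Bank side: accepts a code for the current or just-ended step (an
    assumed tolerance), and refuses any code already accepted (one time only)."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used = set()   # (step, code) pairs already accepted

    def verify(self, code: str, now: float) -> bool:
        step = int(now) // STEP
        for s in (step, step - 1):
            expected = code_for_step(self.secret, s)
            if hmac.compare_digest(code.encode(), expected.encode()):
                if (s, code) in self.used:
                    return False   # replay of an intercepted code
                self.used.add((s, code))
                return True
        return False   # wrong code, or older than the 30-second window

    def login(self, password_ok: bool, code: str, now: float) -> bool:
        """User ID and password plus a device code, as in the trial log-on."""
        return password_ok and self.verify(code, now)

    def authorise_payment(self, code: str, now: float) -> bool:
        """A bill payment needs a fresh code; the log-on code cannot be reused."""
        return self.verify(code, now)
```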
Bacon said the trial participants have been selected at random
and represent a large cross-section of the bank's online customers.
They will not pay to participate in the trial and Bacon did not
disclose the costs to the bank of supplying the devices, although
he pointed out that their costs are being driven down by
competition and economies of scale.
He acknowledged that the devices are not without their
drawbacks. An obvious one is that if they become ubiquitous for
online authentication, customers with several internet accounts
could face the inconvenience of carrying several devices.
Another drawback is accessibility: the devices do not
work for visually impaired users. However, Bacon said that the
manufacturers are working on a version that comes with a
loudspeaker. If the Access Code Device is ever rolled out as a
firm-wide solution, it will be compliant with the Disability
Discrimination Act, he said.
But it may never be rolled out firm-wide. "Partly we want to see
how customers react to two-factor authentication," he said of the
trial. "Two-factor authentication is inevitable – it's just a
question of what and when." Running the trial gives Lloyds TSB
valuable feedback on how its customers will react to added layers
of security.
The move to two-factor authentication is consistent with
guidance published in July by US banking industry watchdog the
Federal Deposit Insurance Corporation (FDIC) which said banks
should look at implementing multi-factor authentication methods. In
the UK, the Association of Payment And Clearing Services (APACS)
has also encouraged banks to move in this direction.
Bacon indicated that a longer-term security solution for online
banking could be card readers. Chip and PIN has been rolled out in
the UK as a means of reducing point-of-sale card fraud. The readers
are found in shops but not in cardholders' homes – so they offer no
protection against card-not-present (CNP) fraud.
According to Bacon, it's feasible that this will change to a
card and card-reader solution, allowing consumers to use new chip
and PIN credit and debit cards for secure CNP transactions and
internet banking. Lloyds TSB will be monitoring these developments
closely.
APACS has developed a standard for card readers that is in "a
very mature draft form," according to Richard Martin who
facilitates APACS' e-banking fraud liaison group. The standard
addresses details of cryptography and, for example, the buttons
that will feature on the readers. Vendors are working on devices
that will adhere to the standard and banks will be able to buy
these for deployment to customers. Some vendors are working on
readers that will be accessible to disabled users, according to
Martin.
"We don't think anything is the end solution," said Bacon of the
different anti-fraud solutions available and under development.
"It's all part of a journey."
Of course, the journey changes direction when criminals find new
means of attack – Trojans are on the increase, he said – but the
bank offers one online banking guarantee that applies to all forms
of attack.
The guarantee states: "We protect you against fraud on Lloyds
TSB Internet banking. We use industry-standard levels of security.
Of course, you must be careful, for example, take reasonable steps
to keep your security information secret at all times. If you do,
we will refund your money in the unlikely event of fraud."
We asked Bacon whether customers who fall for obvious phishing
scams – those with email lures written in terrible English – are
considered not to be taking "reasonable steps" to keep their
security information secret. Bacon replied that "a very small
number" of Lloyds TSB customers have been victims of phishing and
added that refunds "will be considered on a case-by-case
basis."
He said that the bank has a policy of educating its customers
which is perhaps why few of them fall for phishing scams. He said
the bank does not differentiate between the quality of scams. "We
don't say 'you should have spotted that one as a scam' and only
forgive those who fall for high quality phishing attacks."
As for the new card readers, Bacon said: "We think that it's a
sensible cross-bank solution that will be there eventually."
The bank still stresses the need for customers to protect
themselves by keeping their account details private. In addition to
its online guarantee it is offering customers a free PC security
scan to identify spyware; a 20% discount on firewall software from
Zone Labs; and a security learning centre at lloydstsb.com, providing customers
with hints and tips on what internet scams look like, how to
protect their PCs and what to do if they think they might have been
the victim of fraud.
APACS' Richard Martin is among the speakers at OUT-LAW's
Phishing Conference in London on 27th October 2005.