Out-Law News

UK law will demand better authentication for online banking


Editorial: It is time for internet banks to start reviewing their authentication procedures because best practice is changing. It's a change that directly affects the legal duty that a bank owes to its customers and means the days of single-factor authentication are numbered.

When I log on to my internet bank I am first asked to enter two ID numbers. I didn't pick them, they don't change without reason and they're printed on a little card that my bank sent me for easy reference. I can also save these numbers to my computer to skip this step on future visits. Then I'm asked for three characters from my chosen password – today it was the 1st, 2nd and 6th characters. I cannot skip this step. Then my account info appears and, if I choose, I can make a money transfer to a stranger.

Soon, it will be unlawful for my bank to rely upon this security system – yet no legislation or court rulings are needed to change the law. It will just happen.

My bank is using single-factor authentication: in effect it checks who I am by one means only, asking me for details of something that I know (my password). The ID numbers are also something I know, and since they can be stored on my computer they add nothing that a Trojan on that computer could not read, so they are not a second factor. When I try to take money from a cash machine, my bank demands more: something that I know (my PIN) and something that I have (my card). This is two-factor authentication and it's the direction the industry is already taking. But in doing so, it changes how the law must be applied.

The reason is found in the Data Protection Act. It has a security principle that says: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

So when a bank holds account data, it has a duty to protect it against theft. The Act tells banks to do this "having regard to the state of technological development and the cost of implementing any measures".

There is no mention of phishing, pharming or Trojans in the legislation; but banks have to keep up with best practices in security otherwise they fall foul of the Act. The penalty for non-compliance is not horrific. However, it would be open to the Information Commissioner to act on a complaint or to undertake a review of the whole sector. And if an account holder loses money in a phishing attack, that individual could take action.

The bank may offer to reimburse those losses in exchange for the customer's discretion; but the savvy customer might seek to humiliate the bank. He can sue for damages to recover his loss as well as compensation for any distress suffered (the Act provides for this); he can seek to recover his legal costs; and he can ask his favourite journalists to broadcast his battle. No bank wants that.

There is a general duty under the FSA's Senior Management Arrangements, Systems and Controls sourcebook to take "reasonable care to establish and maintain appropriate systems and controls" to address, among other things, the risk of financial crime. Failing to keep up to date with what is "appropriate" could result in hefty fines from the FSA.

As for what is appropriate, there is recent evidence of change. Last Wednesday, US banks were sent a letter from the Federal Reserve, telling them that they have until year-end 2006 to conform to authentication guidance published the previous day by the Federal Financial Institutions Examination Council (FFIEC), a consortium of US financial agencies.

The Council wrote: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties."

The FFIEC guidance examined various technologies. It looked at smart cards; password-generating tokens; biometrics; out-of-band authentication (any technique that verifies a customer's identity through a channel other than the one the customer is using to initiate the transaction – e.g. using text messaging to confirm a transfer instruction received from a computer); and IP address location and geo-location services.
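The out-of-band confirmation described above, as an added worked example in Python that is not code from the article, the FFIEC or any bank. The server issues a short code over a second channel (here a text message), binds the code to the exact transfer it confirms, repeats the payee and amount in the message so an instruction altered by a Trojan in the browser is visible to the customer, and accepts the code once only, within a time limit and a small number of attempts. The server key, the SMS gateway stub, the fixed clock, the transaction details and the mobile number are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import time


class OutOfBandConfirmer:
    """Issue and verify SMS confirmation codes bound to one transaction.

    Added example, not code from the article or from any bank. Assumes the bank
    already holds a verified mobile number for the customer and that `send_sms`
    stands in for the SMS gateway (here it just records messages).
    """

    CODE_TTL_SECONDS = 120
    MAX_ATTEMPTS = 3

    def __init__(self, server_key: bytes, send_sms, clock=time.time):
        self._key = server_key
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}  # txn_id -> {"mac", "expires", "attempts", "details"}

    def _mac(self, details: dict, code: str) -> bytes:
        # Bind the code to the exact instruction (payee, amount, ...) so a code
        # lifted from one transfer cannot confirm a different one.
        canonical = "|".join(f"{k}={details[k]}" for k in sorted(details))
        return hmac.new(self._key, f"{canonical}|{code}".encode(), hashlib.sha256).digest()

    def start(self, txn_id: str, details: dict, mobile: str) -> None:
        """Called when the web channel submits a transfer; sends the code out of band."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = {
            "mac": self._mac(details, code),  # store a MAC of the code, never the code
            "expires": self._clock() + self.CODE_TTL_SECONDS,
            "attempts": 0,
            "details": dict(details),
        }
        # The message repeats payee and amount as the bank actually received them,
        # so a Trojan that rewrote the instruction in the browser is exposed.
        self._send_sms(mobile, f"Confirm transfer of {details['amount']} to "
                               f"{details['payee']}. Code: {code}")

    def confirm(self, txn_id: str, code: str) -> bool:
        """Called when the customer types the code back on the web channel."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[txn_id]  # expired or too many guesses: start again
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(self._mac(entry["details"], code), entry["mac"])
        if ok:
            del self._pending[txn_id]  # single use: a replayed code must fail
        return ok


def demo() -> dict:
    """Walk through the exchange with a fixed clock and a recording SMS gateway."""
    now = [1_000_000.0]
    outbox = []
    confirmer = OutOfBandConfirmer(
        server_key=secrets.token_bytes(32),
        send_sms=lambda mobile, text: outbox.append(text),
        clock=lambda: now[0],
    )

    def last_code() -> str:
        return re.search(r"Code: (\d{6})", outbox[-1]).group(1)

    def wrong(code: str) -> str:  # a guess that differs from the real code
        return code[:-1] + str((int(code[-1]) + 1) % 10)

    # Constructed transfer instruction and mobile number (07700 900xxx is a UK test range).
    details = {"payee": "12-34-56 98765432", "amount": "250.00"}
    mobile = "+447700900123"
    results = {}

    confirmer.start("txn-1", details, mobile)
    code = last_code()
    results["sms_shows_amount_and_payee"] = "250.00" in outbox[-1] and "98765432" in outbox[-1]
    results["wrong_code_rejected"] = not confirmer.confirm("txn-1", wrong(code))
    results["right_code_accepted"] = confirmer.confirm("txn-1", code)
    results["replay_rejected"] = not confirmer.confirm("txn-1", code)

    confirmer.start("txn-2", details, mobile)
    code = last_code()
    now[0] += OutOfBandConfirmer.CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = not confirmer.confirm("txn-2", code)

    confirmer.start("txn-3", details, mobile)
    code = last_code()
    for _ in range(OutOfBandConfirmer.MAX_ATTEMPTS):
        confirmer.confirm("txn-3", wrong(code))
    results["locked_out_after_guesses"] = not confirmer.confirm("txn-3", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the code is only as good as the channel it travels over and the details it is bound to: a six-digit code that confirms "a transfer" rather than "250.00 to 12-34-56 98765432" can be phished and relayed by a man-in-the-middle, which is why the message repeats what the bank will actually execute and the MAC covers those details.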

In the UK, APACS issued similar guidance recently: "In view of the growing incidence of Trojans and phishing attacks directed at internet users, banks are recommended to move towards stronger authentication for their online banking customers."

Of course, customer lawsuits are very unlikely because banks generally will keep up to date with the best solutions available.

US banks are currently working together on a standardised fob for account access, according to Michael Jackson, associate director of technology supervision at the Federal Deposit Insurance Corp. UK banks are working together on a card reader for account access, according to APACS, with a standard likely to be agreed by the end of 2005. And last week, Lloyds TSB began trialling two-factor authentication among 30,000 customers, the largest trial of its kind in the UK.

There are many technologies on the market and the FFIEC is not picking its favourite. Likewise, APACS is not saying that card readers are the only way forward. The point is that if money transfers can be made online, security that transcends a username and password will be necessary. The law will evolve to recognise that and the lawmaker is neither judge nor politician – it's the banks and their security suppliers.

By Struan Robertson, Editor of OUT-LAW. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons.

Struan will be speaking at OUT-LAW's Phishing Conference in London on 27th October 2005.
