Security threats Toolkit

Banks lash out at security study

Tags:
Banks,
Apacs

Dan Ilet ZDNet.co.uk

Published: 19 Apr 2005 15:20 BST

The UK's online banking industry has hit back at a security company that accused them of failing to protect customers.

The Association of Payment and Clearing Systems (APACS) rejected comments made by security company Information Risk Management (IRM) over a study which claimed that the security standards practiced by online banks are too low.

"We do not agree that the UK has a 'low standard in online banking security' and feel that the IRM survey takes a very narrow view of the issue, as well as containing a number of inaccuracies," claimed Tom Salmond, APACS consultant, in an email to ZDNet UK.

"Unfortunately they seemed to be determined to generate some PR for themselves around a scare story which doesn't help anyone. There are some fundamental underlying issues which were not covered at all," Salmond added.

IRM said that the 18 banks it tested failed to provide customers with supplementary authentication tools beyond usernames and passwords. It said 13 of those banks were susceptible to long-term hacking attacks through the use of password-stealing programs and identity theft scams — sometimes known as phishing attacks. Although APACS did not deny this, Salmond said that it was working with the Financial Services Association to protect customers.

"There are a range of controls which have been introduced and constantly refined to meet this goal. It is important to remember that fraud prevention systems have been deployed behind the scenes to detect and prevent fraud and a raft of initiatives are in hand to reduce the impact of financial crime overall. Banks are also actively examining a range of authentication solutions which can be deployed to enhance the controls already in place, but the IRM survey did not cover any of this, " wrote Salmond.

IRM highlighted that the FSA's Hong Kong counterpart had issued guidelines to force online banks there to supply customers with two-factor authentication, such as fingerprint readers, smart cards, or one-time password tags.

"What works over there may not necessarily suit the UK," added Salmond. "IRM are also wrong to state that 'it is the users who are suffering financial loss', as all banks will protect customers from Internet fraud in line with their published guarantees."

IRM had not responded to requests for comment at the time of writing.