Banks must pay up for security

The phenomenal rise of the Internet has created more than its fair share of fortunes, from day-traders and domain-name grabbers to dot-com pioneers and the engineers and coders who make the whole thing possible. But one of the biggest winners has been the banking sector.

Thanks to home PCs, the Web and broadband, banks have been given the chance to revolutionise their business model. Rather than employ an army of well turned-out staff in branch offices across the land, banks now encourage their customers to visit them online. Online transactions cost a tiny fraction of those conducted over a counter, or even on the telephone, and have undoubtedly helped raise profits.

But the smell of the money has attracted a new generation of criminals in the shape of phishers who try to trick the unwary into handing over their personal details, or fool them with fake sites.

The latest trick is to attack the servers running the Internet's domain name system. This lets the criminals redirect bank customers to their own fake sites. This technique, called pharming, is particularly devious because users don't even need to click on an email link to get to the fraudulent site. It is a massive blow to trust online — users can't tell which site they're on just by looking at their browser's address bar.

Savvy users already know that clicking on a URL in an email does not necessarily take them where they think they are going. But most people have a comfortable level of trust in the fact that if they type a URL in themselves, they know where they will end up. Pharming destroys that level of trust.

The solution is for the banks — and major e-commerce sites too — to stop relying just on passwords. No longer is it enough for banks to verify their users online; they need to start now providing a mechanism by which users can verify the banks online.

This demands a shift away from simple passwords and towards stronger authentication methods. Nordic banks are leading the way with the use of devices that create single-use passwords. Crucially, these do in many cases allow the user to verify that the site they are on does indeed belong to the bank they think they are talking to.

In the UK, Citibank is tackling keystroke loggers by making users use an onscreen keyboard, but it still does not prove to a user that what lies behind that onscreen keyboard really is Citibank.

Latest figures show that online fraud cost the UK banking sector £12m last year — which should concentrate a few minds. If it doesn’t, then the government should fill the vacuum of responsibility.

Windfall taxes have been levied in the past against prosperous businesses and used for the greater good — as in 1997 when the incoming Labour government took billions from the likes of BT and BAA to fund its welfare-to-work programme. If banks can't see the sense in making their online services more secure, then those in Westminster should consider doing the job for them. For a fee, of course.