[Clips] Lloyds steps up online security (SecureID)
R.A. Hettinga
rah at shipwright.com
Fri Oct 14 11:53:38 EDT 2005
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Fri, 14 Oct 2005 10:44:32 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Lloyds steps up online security (SecureID)
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://news.bbc.co.uk/1/low/business/4340898.stm>
The BBC
Friday, 14 October 2005, 10:46 GMT 11:46 UK
Lloyds steps up online security
Lloyds TSB is to trial a new security system for online banking customers,
in an attempt to beat internet fraud.
About 30,000 customers will receive keyring-sized security devices, which
generate a six-digit code to be used alongside usernames and passwords.
The code, which changes every 30 seconds, could help fight fraudsters who
hack people's PCs or use "phishing" emails to steal login details.
Similar systems are already in use in Asia, Scandinavia and Australia.
Password sniffers
Until now, Lloyds TSB has used a two-stage system for identifying its
customers.
First, users must enter a username and password. Then, on a second screen,
they are asked to use drop-down menus to choose three letters from a
self-chosen memorable piece of information.
The aim of using menus rather than the keyboard has been to defeat
so-called "keyloggers", tiny bits of software which can be used by hackers
who have breached a PC's security to read every key pressed and thus sniff
out passwords.
But newer keyloggers now also take screenshots, which can reveal the entire
memorable word after the bank's website has been used just a few times.
Alternatively, fraudsters use "phishing" emails, which tempt customers to
log onto a fake banking website and enter their details.
Lloyds says that about £12m was lost to this kind of scam in 2004 - but it
warns that attacks are multiplying fast.
One-time deal
The bank says it is guaranteeing that they will not suffer from losses even
if their PCs are compromised, as long as they have not - for instance -
given their password away intentionally.
This stance contrasts with warnings from some other banks - notably HSBC -
that in future customers could be held responsible if they do not keep
security up to date on their machines.
But Lloyds also hopes that its trial system could effectively toughen up
customer access - regardless of the state of their computer.
The customers testing Lloyds TSB's new system will press a button on their
device to generate a new six-digit number every time they log on.
They will do the same every time they need to confirm a transaction,
instead of simply repeating their password.
Lloyds TSB hopes the move will mean keyloggers and phishing emails will not
have time to use any details they collect.
"Fraudsters are becoming increasingly cunning with their tactics, and
there's no hiding the fact that fraud is on the increase," said Matthew
Timms, Lloyds TSB's internet banking director.
Other banks are trying different devices, and Mr Timms acknowledged that
the keyring-style token would probably not be the final format.
"The journey we're on will probably end up as a card which can do both
internet banking and card-not-present (credit card) transactions," he said.
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com