Lloyds steps up online security

Lloyds is following in the footsteps of banks elsewhere

Lloyds TSB is to trial a new security system for online banking customers, in an attempt to beat internet fraud.

About 30,000 customers will receive keyring-sized security devices, which generate a six-digit code to be used alongside usernames and passwords.

The code, which changes every 30 seconds, could help fight fraudsters who hack people's PCs or use "phishing" emails to steal login details.

Similar systems are already in use in Asia, Scandinavia and Australia.

Password sniffers

Until now, Lloyds TSB has used a two-stage system for identifying its customers.

First, users must enter a username and password. Then, on a second screen, they are asked to use drop-down menus to choose three letters from a self-chosen memorable piece of information.

The aim of using menus rather than the keyboard has been to defeat so-called "keyloggers", tiny bits of software which can be used by hackers who have breached a PC's security to read every key pressed and thus sniff out passwords.

There's no hiding the fact that fraud is on the increase Matthew Timms, Lloyds TSB

But newer keyloggers now also take screenshots, which can reveal the entire memorable word after the bank's website has been used just a few times.

Alternatively, fraudsters use "phishing" emails, which tempt customers to log onto a fake banking website and enter their details.

Lloyds says that about £12m was lost to this kind of scam in 2004 - but it warns that attacks are multiplying fast.

One-time deal

The bank says it is guaranteeing that they will not suffer from losses even if their PCs are compromised, as long as they have not - for instance - given their password away intentionally.

This stance contrasts with warnings from some other banks - notably HSBC - that in future customers could be held responsible if they do not keep security up to date on their machines.

But Lloyds also hopes that its trial system could effectively toughen up customer access - regardless of the state of their computer.

The customers testing Lloyds TSB's new system will press a button on their device to generate a new six-digit number every time they log on.

They will do the same every time they need to confirm a transaction, instead of simply repeating their password.

Lloyds TSB hopes the move will mean keyloggers and phishing emails will not have time to use any details they collect.

"Fraudsters are becoming increasingly cunning with their tactics, and there's no hiding the fact that fraud is on the increase," said Matthew Timms, Lloyds TSB's internet banking director.

Other banks are trying different devices, and Mr Timms acknowledged that the keyring-style token would probably not be the final format.

"The journey we're on will probably end up as a card which can do both internet banking and card-not-present (credit card) transactions," he said.

---

Have you been affected by issues covered in this story?

This debate is now closed. Thank you for your comments.

Banks should do more to protect their customer accounts Kerry, London, UK

I have several online bank accounts and it would be very impractical to carry a dozen or so key fobs around. If the banks could organise themselves so that their customers would only require one key fob to login, then that would be more appealing to everyone. Even better, they could integrate the online security with mobile phones or pagers by sending the security code via text message. Banks should do more to protect their customer accounts.
Kerry, London, UK

I'm sorry Mr Barclays & Mr Lloyds banks. It's all fine and good saying that your systems are secure and not hackable. I'm sure they are as secure as can be. But for the humble home user, who is not aware of the hazards of the internet and all its untold secrets, Internet banking is not safe or secure! It really is as simple as that.
David Street, Bridlington, East Yorkshire

As a person who is visually impaired, this device is completely useless to me. Has the bank not thought of this?
Felicity Crane, London, UK

How about if we all start to use cheques and go into our banks? Wouldn't this end ALL online fraud?
Zorba Eisenhower, UK

I will probably stop using online banking if they decide to introduce these across the board. It's a good way to stop other people gaining access to my account, but the trouble is it also makes it more likely that I won't be able to access it either. All it needs is for the device to get stepped on and it's game over. It also means I can't access my account if I don't have the thing with me, which could be very annoying. I think this could work IF they built the functionality into my debit card, which I am used to keeping with me anyway, rather than making me take something else everywhere with me.
Tom Kermode, London, UK

Congratulations Britain on finally getting access to technology available over ten years ago in Sweden. Having actually been actively involved in selling SecureID tokens to the British financial markets for several years, including presenting to the actual CEOs of the banks, I can say that the major banks all categorically stated that this technology was nothing they wanted, their customers didn't want it, and it would cost too much to implement in any case. In the meanwhile, online criminals have literally been siphoning British bank accounts for millions of pounds. The banks have chosen to quietly pay up rather than face the problem.
Michael, Sweden

The best defence against bank fraud is for customers to be extremely vigilant Nick, Soton, UK

I used to work for one of the largest banks out of the top five high street banks. Every so often I would have to deal with a distraught customer who had their entire salary for the month stolen out of their account by an online fraudster. Even staff of the bank, who had staff bank accounts, would get phishing e-mails purporting to be from the bank asking us to reply with sensitive information. However, it would be naive to think that online fraud is 100% preventable - if it is possible to con 'human intelligence' in the form of bank staff, who have been educated in preventing bank fraud, then it is certainly possible for fraudsters to succeed in online bank cons. In view of this, the best defence against bank fraud is for customers to be extremely vigilant against possible cons.
Nick, Soton, UK

As a Lloyds TSB customer, I currently have to take the following steps:

Enter an impossible to remember 9 numerical code

Enter my password

Select one character from my second password three times over from a drop down list.

Now I'll have to carry around a keyfob and have a maximum of 30 seconds to enter it properly. It'll be quicker to go down to the bank!
Bill Williams, London, UK

I am a Lloyds customer who exclusively uses internet banking. I check my account everyday and noticed that a large transaction appeared on my online statement which could not be accounted for other than electronic fraud. The bank dealt with it quickly but it is extremely worrying to know that despite protecting accounts with passwords and other security measures this could be futile in addressing the increasing sophistication of fraudsters.
James, Milton Keynes

My debit card details were cloned and my account was used to buy several hundred pounds worth of goods etc. It took the bank several days to find out about it and put a stop to it.
Mark Griffin, London, UK

I work in e-commerce in wholesale investment banking, where this kind of user authentication has been in place since online trading first started five years ago. It has only been a matter of time before this technology would spread to mass market retail banking, where phishing and other fraud is an ever increasing problem.
Nicholas Hodder, London, UK

My wife and I have a number of bank and building society accounts which we access online, having to use one of these devices to access them would be a nightmare, particularly if they all had to be taken when on holiday, or if going for an extended holiday. Presumably the banks are aware of this and see it as a means of tying customers to their own products rather than choosing the best from the market.
Trevor Williams, Norley, Cheshire