UK banks have insisted that the security of their online bank accounts is sufficient despite HMRC's loss last week of 25 million child benefit records, including millions of bank account details.
All the banks contacted by Computerworld UK said that their current security arrangements were adequate. Some rely solely on password protection for online banking access, while others have introduced two-factor authentication to secure customers when accessing their accounts online or performing certain transactions.
Last week’s breach was particularly significant because bank account data is highly prized by criminals, according to Gartner analyst Avivah Litan.
Litan said that, on the black market, bank account data sells for the highest price – between £15 and £200 – whereas credit card data is typically only worth between 25 pence and £2.50. This is because the likely gains from getting into an account are that much higher, and the likelihood of the account having been disabled that much lower.
UK banks are, however, publicly sanguine about the risk posed by the HMRC breach.
Alliance & Leicester, which introduced Passmark two-factor authentication in March last year, said its security systems were “well-established and effective” and applied to all of its internet bank accounts. It said that, like all banks, it was watching affected accounts more closely but had so far seen nothing untoward.
Andrew McDougall at Barclays said that the bank was pressing ahead with its plan to roll out 500,00 Pinsentry chip-and-PIN card readers to those among its 2 million banking customers who have used their accounts to set up payments to third parties.
He said the bank had no plans to extend its use of the card readers to its remaining customers, but said anyone who wanted to start using their accounts to make payments to anyone other than trusted third parties would need to request a reader.
Where they are used, the Pinsentry devices require customers to insert their debit card and input their PIN, both to authenticate their identity at login and to make certain payments. The authentication process replaces the need for passcodes and memorable words.