Ali Hussain
SOME of Britain’s biggest banks are leaving their customers at risk of fraud because they are being slow to adopt new technology, experts said last week.
The warning came after the information commissioner and Scotland Yard launched an investigation into how banking details, including Pin numbers and security codes, had appeared for sale on black-market websites.
Experts said it was the first time that such detailed information about bank customers had been available online.
Several banks, including Barclays, NatWest and Alliance & Leicester, have introduced technology known as “two-factor authentication”, which offers a second layer of protection on top of the traditional Pin numbers and passcodes. This makes it more difficult for fraudsters to read your Pin using a process known as “key-logging”.
However, even though Apacs, the UK payments authority, thinks the new technology is “top notch”, Lloyds is only testing it and Halifax and Nationwide say they will start to roll it out between the start of next year and the spring of 2008 – potentially leaving some customers more exposed to fraud.
Richard Clayton, a security expert at Cambridge University, said: “Banks that don’t offer two-tier authentication will potentially be an easier target for fraudsters.”
Halifax admitted as much last week. “Any system that uses just a set password is potentially insecure against fraudsters using spyware and key-logging techniques,” a spokesman said.
Banks may even fall foul of the law. Stuart Robinson of the law firm OutLaw, which advises a number of high-street banks, said they were obliged to keep up with the latest measures.
“The law demands that best practice is followed,” he said. “The risk for any bank is in falling behind the level of security that its competitors apply.”
NatWest and Barclays customers who sign up to the ‘two-tier’ service have to insert their card into a calculator-like reader which then produces a random number. This number has to be used in addition to the normal Pin numbers to access the account. The number changes each time the customer wants to log in, making it difficult for fraudsters to use key-logging to gain access to your account.
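The effect of a number that changes at every login can be shown in a few lines. This is an added example, not code from the article or from any bank: the article does not name the algorithm inside the card readers, so the sketch substitutes the public counter-based HOTP scheme (RFC 4226), and the class names, Pin and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class StaticLogin:
    """Passcode-only login: whatever was typed once keeps working."""
    def __init__(self, pin: str):
        self._pin = pin

    def login(self, pin: str) -> bool:
        return hmac.compare_digest(pin, self._pin)

class OneTimeLogin:
    """Pin plus one-time code; the server counter only moves forward."""
    def __init__(self, pin: str, secret: bytes, window: int = 3):
        self._pin, self._secret, self._window = pin, secret, window
        self._counter = 0  # next counter value the server will accept

    def login(self, pin: str, code: str) -> bool:
        if not hmac.compare_digest(pin, self._pin):
            return False
        # Look ahead a few values in case the reader was used without a login.
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(code, hotp(self._secret, c)):
                self._counter = c + 1  # burn this code and every earlier one
                return True
        return False

def demo() -> dict:
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    pin = "4071"                      # constructed sample Pin
    static, two_factor = StaticLogin(pin), OneTimeLogin(pin, secret)
    code = hotp(secret, 0)            # number shown by the reader for this login
    logged = {"pin": pin, "code": code}  # what a key-logger would have recorded
    return {
        "customer_static": static.login(pin),
        "customer_2fa": two_factor.login(pin, code),
        "replay_static": static.login(logged["pin"]),
        "replay_2fa": two_factor.login(logged["pin"], logged["code"]),
        "next_code_2fa": two_factor.login(pin, hotp(secret, 1)),
    }
```

The recorded Pin alone reopens the passcode-only account, while the recorded one-time number is rejected because the server has already moved past it.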
Alliance & Leicester has adopted a different approach. The IT security firm RSA, which works with the majority of high-street banks in Britain, developed the bank’s system, which “fingerprints” the computer a customer uses to access his or her account.
If an attempt is made to get in through another computer, additional questions are asked.
Alliance & Leicester credits this system with a 25% increase in online transactions as consumers become more confident. The bank says it is also considering adopting a text-message alert system which will send a text every time a transaction is made over a certain amount. Barclays already offers such a service.
Lloyds TSB has already issued about 23,000 key-ring-sized two-tier authentication devices, but there is no date for when the system will be rolled out to other customers.
Apacs is working to produce an industry standard for the devices so consumers will eventually need only one device to use with different banks.
HSBC said there were no firm plans yet to adopt the new technology, although it did offer the added protection for commercial customers.
A spokesman said: “We have among the lowest levels of ID fraud in the industry, and because of this we don’t feel it is currently necessary for us to adopt this approach.
“Our existing monitoring procedures and customer-education initiatives are already effective in detecting and preventing fraud.”
Existing security systems like MasterCard SecureCode and Verified by Visa require customers to enter a code before allowing an online transaction to go through at participating retailers.
Halifax has its own version, Halifax Secure, which was designed to protect online shoppers. However, there is growing evidence that fraudsters are bypassing such “static” passwords.
Brian Ingham, 77, from Co Durham, said fraudsters were able to carry out transactions on his account despite him using Halifax Secure.
“Someone managed to get hold of my code and change it. I was only alerted about it when I received a letter from Halifax asking if I had made the change.” He added he would no longer make online purchases. “Halifax Secure is now Halifax Insecure,” he said.
Halifax admitted that a fraudster could find out someone’s Halifax Secure pass. “If your computer-security software is not up to date, you will always be subject to potential attacks by fraudsters,” a spokesman said.
With “key-logging” a hacker is able to record every keystroke made after installing a virus on your PC. These viruses are sent as e-mails that automatically activate when you open them.
Most banks employ drop-down menus which allow you to enter a pass code without having to type it in. This makes it more difficult for key-loggers to record what you enter.
There are also “phishing” internet pages and e-mails that appear as though they are from your bank asking you to confirm your details.
If a fraudster is able to get hold of some of your personal details such as date of birth, name and address, the bogus web page appears more genuine. Another method of gaining personal information is through bin raiding for sensitive documents.
HOW THEY COMPARE
High protection
Customers are offered two-tier authentication, for example, ‘fingerprinting’ PCs or a card reader that generates a different number every time you log on, in addition to your normal passcodes. Banks operating this system: Alliance & Leicester, Barclays and NatWest
Above-standard protection
Banks that require three or more passcodes: Lloyds TSB, HSBC and Halifax
Standard protection
Banks that require at least two passcodes: Abbey and First Direct
Copyright 2008 Times Newspapers Ltd.
Two-tier authentication helps make up for user-level vulnerabilities. It has nothing to do with the integrity of a bank's web site.
Users have a responsibility to keep malicious programs off their PCs. This is the users' responsibility, not the banks'.
It's a good thing your Halifax customer decided to stop buying online, because that's one less easy target for fraudsters.
Mr. Robinson's claim that banks are obliged to keep up may be true, but anyone who honestly believes his bank is letting him down because it's not protecting him where he should be doing it himself is a fool.
If you want to get readers upset with people, try targeting their wrath at the human sacks of rubbish who steal passwords to commit fraud.
Paco, Glasgow, Scotland
I disagree with your comment re. HSBC having above-standard protection, particularly in relation to Internet Banking.
Firstly the site doesn't allow users to change their own password. Clicking on their security link gives you the unhelpful suggestion of contacting their centre for an information pack, or visiting your local branch.
I visited my branch and the manager (could not be done by a cashier) asked me to enter my new password into her supervisor's terminal. I initially chose a password containing 'special' characters, but this was not allowed. I finally entered an alphabetic code, but on returning home and trying this on my own computer, it said only numeric allowed.
I re-contacted the bank who gave me a new numeric code over the phone.
On contacting customer services in Leeds they confirm that only 6-10 digit numeric is permitted, and must be changed at the local branch!
So much for password integrity.
A.Haworth, Porthcawl, UK/Wales