Meridea has produced a mobile phone security product it claims will make man-in-the-middle attacks against online banks impossible.

"Intelligent authentication", as the company calls it, downloads a 50k Java application to a customer’s mobile phone on a one-off basis, when the system is first being set up.

When a customer logs on to an online bank - or attempts to carry out a financial transaction within an online service - the user is given a one-time code by the online banking software, generated from details of the transaction itself.

This code is entered into the phone application, which validates it as genuine, and shows the user a summary of the transaction for added security. The application then generates a final validation code for entry into the online bank once the customer has entered their original banking PIN code into the phone.

The design should make man-in-the-middle phishing impossible as only genuine sites can present the challenge codes in a legitimate way. If used on accounts where other authentication systems such as tokens are already in place, it makes it impossible for thieves to remove money from hacked accounts without having the phone itself.

Drawbacks of the system are that roughly one in five mobile phones in the European market don’t yet support Java, and it also assumes that online banking customers will have mobile phones.

As with many token-based systems, banks are bound to worry that customers will find the challenge-response security burdensome.

Customers who lacked mobile phones, or who had non-Java handsets, could use established token-based system, said Justin McAuley of Meridea. The advantage of the Meridea system was that is was much cheaper than hardware-based tokens, which typically cost around €10 per token.

Intelligent authentication would cost from 3 to 4 euros per customer, though the company carried out a total cost-of-ownership assessment of each client in order to scale costs precisely.

He emphasised that unlike conventional out-of-band systems, no SMS downloads were required, other than the initial loading of the software on to the phone - overcoming the problems of phones not being able to receive SMS messages because of reception or network problems.

The first sales of Intelligent authentication were expected to be in Germany, and possibly the Far East. McAuley wasn’t able to confirm specific customers. "UK and US banks are poor [in terms of security investment] which makes them more of a target," said McAuley. In these countries, banks were still reluctant to spend money if it could be avoided.