UK bank Lloyds TSB has reacted to a marked increase in attempted online banking fraud by embarking on a large-scale trial of token-based security.

The trial is one of the biggest of its kind yet announced in the UK, and will involve 30,000 of the bank’s customers being offered the option to log on to their accounts using a number-generating key-fob.

At the point they log on, customers will press a button on the device to generate a time-defined access code to complement their usual ID and password. Once the customer is logged in, the device can also generate further codes to authorise specific transactions.

The trial is expected to last six months, at the end of which the bank will assess its success at stopping fraud and its popularity with customers. If successful, the scheme is likely to be rolled out to the bank’s entire customer base of 3.5 million.

The new scheme is part of the company’s BankSecure initiative, which also involves offering customers detailed advice on how to secure their PCs, and discounted subscriptions to anti-virus and other security software.

“We’ve been seeing increasing levels of fraud in the last 18 months,” admitted Lloyds TSB Internet banking director, Matthew Timms. “We want to maintain customer confidence.”

According to Timms, the 2005 set of figures from APACS (the Association for Payment Clearing Services), the UK institution tasked by the industry with monitoring online fraud, would show significant increases in fraud over last year’s numbers.

The security would be free to customers, with each key fob costing the bank between £3 and £5 a go, depending on the number purchased. This suggests the trial investment is in the low hundreds of thousands of pounds, which is a tiny capital cost for the banks as against the potential for fraud losses.

The bigger cost is likely to be that of supporting the system, which Timms said the bank would monitor closely. People are bound to lose the devices, and inevitably some will malfunction. The company supplying the trial system is Vasco Data Security, which won the contract for an undisclosed sum.

As to alternative token systems such as using mobile phones, Timms was sceptical that these would be as simple to use from the customer’s perspective. There was also the issue of a phone being out of range to receive the security code, and the fact that SMS messaging could not yet provide a delivery guarantee.

One of the problems with token-based authentication is that it doesn’t deal with the issue of card-not-present (CNP) fraud, relevant for Internet transactions. To this end, Timms said the bank was teaming up with APACS to look into card-reader systems. These could also double up as authentication systems, but simple token-based systems were likely to fill the security gap until such systems became affordable in the longer term.