Though a government agency lost 25 million child benefit records, many with banking details, banks in the UK are insisting online accounts are secure.
All the banks contacted by Computerworld UK said that their current security arrangements were adequate. Some rely solely on password protection for online banking access, while others have introduced two-factor authentication to secure customers when accessing their accounts online or performing certain transactions.
Last week's breach was particularly significant because bank account data is highly prized by criminals, according to Gartner analyst Avivah Litan.
Litan said that on the black market bank account data sells for the highest price -- between £15 (US$32) and £200 -- whereas credit card data is typically only worth between 25 pence and £2.50. This is because the likely gains from getting into an account are that much higher, and the likelihood of the account having been disabled that much lower.
UK banks are, however, publicly sanguine about the risk posed by the breach at Her Majesty's Revenue & Customs.
Alliance & Leicester, which introduced Passmark two-factor authentication in March last year, said its security systems were "well-established and effective" and applied to all of its internet bank accounts. It said that, like all banks, it was watching affected accounts more closely but had so far seen nothing untoward.
Andrew McDougall at Barclays said that the bank was pressing ahead with its plan to roll out 500,00 Pinsentry chip-and-PIN card readers to those among its two million banking customers who have used their accounts to set up payments to third parties.
He said the bank had no plans to extend its use of the card readers to its remaining customers, but said anyone who wanted to start using their accounts to make payments to anyone other than trusted third parties would need to request a reader.
Where they are used, the Pinsentry devices require customers to insert their debit card and input their PIN, both to authenticate their identity at log in and to make certain payments. The authentication process replaces the need for passcodes and memorable words.
McDougall added that the bank was monitoring accounts affected by the HMRC breach but said the main focus was on maintaining staff vigilance, particularly by reminding branch staff to insist on checking the correct forms of customer identification when making account-related in-branch requests.
Lloyds TSB is one bank that does not have any two-factor authentication systems in place for internet banking, although it undertook a trial of Vasco tokens in 2005. It too said it saw no need to review its security provisions in light of the breach.
A spokesperson said the bank had extra surveillance and monitoring in place, and if suspicious transactions were identified then customers would immediately be contacted.
It has also offered customers potentially impacted by the HMRC loss two months of free identity theft protection using its Privacy Guard service. The service alerts customers whenever their personal details are used to apply for credit and ordinarily costs £6.99 a month, but if customers do not explicitly say they want to pay for the product when the free period expires it will be switched off.
To date Lloyds TSB said its fraud-monitoring systems had recorded no spikes in suspicious activity.
Earlier this week security supplier F-Secure warned that hackers are infecting PCs with malware that is only triggered when users access their bank accounts.
The hack is being called a 'man in the browser' attack because it intercepts HTML code in the web browser. Once a user's PC is infected, the malicious code is only triggered when the user visits an online bank. The malware then retrieves information, such as logins and passwords, entered on a legitimate bank site, and the data is sent directly to an FTP site to be stored.