For millions of people, banking has moved from the high street to the home PC thanks to an explosion in online banking, but are these cyber-customers putting themselves at greater risk from fraud than those using traditional forms of banking?
The issue of online security looks set to grow as banks encourage customers to go online. The research company Datamonitor forecasts that there will be 120m online banking customers in the US and Western Europe by the end of 2005.
The reason for this growth is simple, says Tim Pickard, strategic marketing manager for RSA Security, an encryption technology company. "For people with little time, it's a fantastic way of doing your banking." Banks like the online approach because the transaction costs are lower, it reduces the size of queues in bank branches, and it frees up their staff to sell value-added products.
But despite these benefits, many consumers remain wary about online banking - and security is often cited as the main reason. "There's a feeling that everything on the internet is open, but banks have invested a lot in security because it would be a huge PR nightmare if they were hacked," says Sal Viveros, director of marketing of Network Associates, an internet security service.
A question of trust
Paul Galwas, director of security at nCipher, which makes secure web servers, says: "The problem is one of trust. We don't have evidence on how secure online banking is, but my feeling is that the security aspect has been overblown."
Peter Marsden, chief technology of Egg, the UK's largest standalone online bank, says: "Hacking is a serious issue, but many of the so-called reports on hacking are not cases of hacking. Instead, it's someone making a fraudulent mortgage application on the internet."
However, when some of Barclays Bank's online customers were able to access other customers' data, fears grew, even though Barclays says it was a software glitch that affected only seven of its then 1m customers (today, it has more than 2.2m online users).
Online banking security is the concern of anyone who banks, says Christopher Klaus, chief technology officer of ISS, a security management company. "Even if you don't bank online you could still be at risk. Many banks and financial services companies have jumped on to the internet and this means that their entire customer database could be accessed from the web."
Colin Wyatt, vice president and managing director for Europe at Entrust, adds: "In 20 years' time, it will be hard for any business to operate without these systems."
Egg's Mr Marsden says: "Online banking presents different challenges. No online bank has ever been ram-raided or attacked by an armed robber. There have always been people who want to steal from banks."
Online banks use a variety of security systems. These include Secure Sockets Layer and secure HTTP (shttp) links between the customer's web browser software and the bank's web server. The system encrypts the data and uses keys or complex strings of numbers to identify the customer. And when a customer logs on to a bank's website, passwords, PIN codes and personal questions are also used for identification purposes.
All online bank websites use firewalls, the electronic equivalent of a strong room, to keep hackers at bay, and intrusion detection systems are the online version of CCTV cameras in a bank branch. Most banks use ethical hackers to test their security systems or technologies from companies such as ProCheckUp, which mimic the activities of hackers.
But Iain Franklin, vice president of Entercept, a developer of server security products, says: "People tend to focus on firewalls, but the weakest link is often the server. Hackers are interested in getting hold of the data on it." Isolating servers from other parts of a network, encrypting the data on them or making it almost impossible for a hacker to match data to a specific customer can further protect them.
Steve Baxendale, a product manager at eFunds International, says: "Technology is only one element of security - how you manage and control the processes when using it are just as important." Peter Dorrington, business solutions marketing manager of security software company SAS, notes: "Employees are often behind the biggest cases of fraud."
Royal Hansen, practice director for Europe at @stake, a digital security consultancy, says that some banks are outsourcing their IT systems: "It means they don't have control over their security. This raises many issues."
Sam Curry, security architect for McAfee, adds: "Companies have done a lot to improve their website security, but the weakest link is the customer's PC." Hackers can send rogue programs called Trojans to home PCs and gain access to passwords stored on the hard drive or even control a computer remotely. Many online banks are educating their customers on security and offering free personal firewalls and virus scanning software.
Technology evaluations
Banks are also evaluating other forms of security technology such as digital signatures, digital tokens (Credit Suisse is using a token system from RSA), smart cards (Lloyds TSB is testing a smart card system from Entrust with 750,000 business customers), and biometric systems such as fingerprint identification. However, these raise many issues - "there are lots of gizmos about, but what is the cost? And until every computer has a smart card reader, it's difficult to deploy," says David Morgan, Barclays Bank head of security.
New security challenges are arriving, such as account aggregation, which allows customers to have data collected from a variety of sources (such as an online bank, broker and loyalty programme) and view them on the same screen. Steve Gibson, director of international marketing at Yodlee, an aggregation service provider whose clients include Citibank, Wells Fargo and Chase Manhattan banks, says: "We cover all aspects of security - employees, network and the applications."
David Weymouth, Barclays Bank chief information officer, says: "The reality is that more and more people are using our online banking services and doing more things more regularly - a good indication that people are becoming more confident about using these online services."