1. UP653689 | PJS40
Page | 1
Acknowledgements
I would like to take this opportunity to express my sincere
appreciation to family and friends who have supported me
throughout the course of this project and my time at University.
Without your kind, motivational words of encouragement,
completing this project would have been much more stressful
than it already was!
My gratitude extends to everyone who was kind enough to give
up their valuable time to complete the questionnaire. Without
your help, the project most certainly would not have been
successful.
Finally, thank you to my project supervisor, Dr. Bryan
Carpenter, whose knowledge and direction aided the research in
staying focused and on track.

2. UP653689 | PJS40
Page | 2
Abstract
The facility of Online Banking is not a new concept. In fact, internet banking was first
introduced in the UK as early as 1997 (BBC, 2009). And with the advances in technology and
the constant growth in internet use, it has continued to develop ever since. However, even 18
years since its inception, it is still common to hear news stories about Online Banking security
breaches and attacks on a fairly regular basis.
Additionally, past experiences with several Online Banking websites have proven to be
increasingly frustrating as the time it takes to complete the logging in process appears to be
taking longer, and longer, and longer, and longer……
These reasons have proven to be the motivation and inspiration for the birth of this project,
which seeks to explore whether the security and the convenience of Online Banking
authentication systems are at a sufficient standard. Furthermore, the project investigates the
effectiveness and the possibility of the biometric technology improving these vital
authentication characteristics.

3. UP653689 | PJS40
Page | 3
Table of Contents
Acknowledgements....................................................................................................................1
Abstract......................................................................................................................................2
Chapter 1 - Introduction .........................................................................................................9
1.1 – Project Aim and Objectives...........................................................................................9
1.2 – Research Questions .......................................................................................................9
1.3 - Methodology................................................................................................................11
1.3.1 – Secondary Research..............................................................................................11
1.3.2 – Primary Research..................................................................................................12
1.4 – Project Constraints ......................................................................................................12
1.5 – Chapter Summary........................................................................................................13
Chapter 2 - Literature Review..............................................................................................15
2.1 – Current authentication techniques used for Online Banking services.........................15
2.1.1 – Single Factor Authentication................................................................................16
2.1.2 – Two Factor Authentication...................................................................................16
2.1.3 – Multi Factor Authentication .................................................................................17
2.2 – Issues...........................................................................................................................18
2.2.1 – Types of Attacks...................................................................................................20
2.3 – “Something the user IS”..............................................................................................21
2.3.1 – Biometrics and Security........................................................................................22
2.3.2 – Biometrics and Convenience................................................................................24
2.3.3 – Biometrics within Online Banking and Banking Industry ...................................25
2.4 – Chapter Summary........................................................................................................26
Chapter 3 - Methodology.......................................................................................................28

4. UP653689 | PJS40
Page | 4
3.1 – Research Methods and Research Design ....................................................................28
3.1.1 – Analysis of Online Banking Websites Authentication Systems...........................28
3.1.2 – Public Questionnaire.............................................................................................29
3.2 – Public Questionnaire Sample ......................................................................................30
3.3 – Public Questionnaire Pilot Study ................................................................................31
3.3.1 – Pilot Study Findings .............................................................................................32
3.4 – Distribution of Public Questionnaire...........................................................................33
3.5 – Analysing Primary Research Results..........................................................................36
3.6 – Ethical Considerations.................................................................................................37
3.7 – Chapter Summary........................................................................................................37
Chapter 4 - Primary Research Results ................................................................................39
4.1 – Analysis of UK Online Banking Websites..................................................................39
4.1.1 – Data Collection.....................................................................................................39
4.1.2 – Data Analysis........................................................................................................41
4.2 – Public Questionnaire ...................................................................................................43
4.2.1 – Data Collection.....................................................................................................43
4.2.2 – Data Analysis........................................................................................................45
4.3 – Chapter Summary........................................................................................................70
Chapter 5 – Discussion ..........................................................................................................72
5.1 – What are the authentication techniques that are available to Online Banking websites?
..............................................................................................................................................72
5.2 – What security and convenience issues arise from the use of these authentication
techniques?...........................................................................................................................73
5.3 – How does a biometric authentication system work and how can security and
convenience levels be improved using one? ........................................................................74

5. UP653689 | PJS40
Page | 5
5.4 – Are there currently any implementations and/or developments of biometric
authentication systems within Online Banking or the Banking industry in general? ..........75
5.5 – How are the authentication systems of some of the UK’s Online Banking websites
currently implemented and what security and convenience issues arise from them?..........76
5.6 – Is there a demand amongst Online Banking users and non-users for the security and
convenience of authentication systems to be improved, and what are their perceptions
towards the prospect of biometrics being able to do so?......................................................78
5.7 – Chapter Summary........................................................................................................79
Chapter 6 – Conclusion .........................................................................................................81
6.1 – Project’s Conclusion ...................................................................................................81
6.2 – Project Evaluation .......................................................................................................82
6.2.1 – Review of Secondary Research ............................................................................83
6.2.2 – Review of Primary Research ................................................................................83
6.2.3 – Review of Project Management and Planning .....................................................85
6.2.4 – Personal Reflection...............................................................................................86
6.3 – Areas for Further Research .........................................................................................86
6.4 – Chapter Summary........................................................................................................87
Bibliography ............................................................................................................................88
Appendices...............................................................................................................................94
Appendix A: Project Initiation Document ...........................................................................94
Appendix B: Ethical Examination Certificate....................................................................107
Appendix C: Pilot Study Questionnaire.............................................................................109
Appendix D: Final Public Questionnaire ...........................................................................115

6. UP653689 | PJS40
Page | 6
Table of Figures
Figure 1 - Single Factor Authentication...................................................................................16
Figure 2 - Two Factor Authentication .....................................................................................17
Figure 3 - Multi Factor Authentication....................................................................................18
Figure 4 - Using Facebook to distribute survey.......................................................................34
Figure 5 - Using Twitter to distribute survey...........................................................................35
Figure 6 - Using University mass email to distribute survey...................................................35
Figure 7 - Using mass email at author's place of employment as distribution method ...........36
Figure 8 - Notes of Observations made for analysis of UK Online Banking sites..................41
Figure 9 - Pie chart showing gender split of total respondents................................................45
Figure 10 - Pie chart showing total amount of respondents from each age bracket ................46
Figure 11 - Bar chart showing number of respondent's occupational statuses ........................47
Figure 12 - Pie chart showing the amount of respondents who do and do not use Online
Banking....................................................................................................................................48
Figure 13 - Bar chart showing the percentage of Users and Non-Users compared by gender 48
Figure 14 - Bar chart showing the single most important reason respondents don't use Online
Banking....................................................................................................................................50
Figure 15 - Bar chart showing previous Online Banking User's level of satisfaction with
Security and Convenience........................................................................................................51
Figure 16 - Pie chart showing percentage of Non-Users believing Security can be improved
using Biometrics ......................................................................................................................52
Figure 17 - Pie chart showing percentage of Non-Users believing Convenience can be
improved using Biometrics......................................................................................................52
Figure 18 - Pie chart showing how many Non-Users would consider using Online Banking if
Biometrics were introduced .....................................................................................................54

7. UP653689 | PJS40
Page | 7
Figure 19 - Pie chart showing which attribute of Online Banking Users believe is most
significant.................................................................................................................................55
Figure 20 - Bar chart showing the levels of User satisfaction with Security and Convenience
..................................................................................................................................................56
Figure 21 - Bar chart displaying how difficult Users find it to remember a variety of
knowledge-based factors..........................................................................................................57
Figure 22 - Pie chart showing how many respondents do and do not make insecure notes of
their login credentials...............................................................................................................58
Figure 23 - Bar chart showing how many respondents do and do not make insecure notes of
their login credentials compared by age brackets....................................................................59
Figure 24 - Bar chart showing how many respondents do and do not make insecure notes of
their login credentials compared by students and employed people........................................60
Figure 25 - Pie chart showing amount of Users believing Security can be improved using
Biometrics................................................................................................................................61
Figure 26 - Pie chart showing amount of Users believing Convenience and Ease of Use can
be improved using Biometrics .................................................................................................61
Figure 27 - Bar chart showing amount of users believing Security can be improved using
Biometrics compared by age....................................................................................................63
Figure 28 - Bar chart showing amount of Users believing Convenience can be improved
using Biometrics compared by age..........................................................................................64
Figure 29 - Bar chart showing amount of Users believing Security can be improved using
Biometrics compared by gender ..............................................................................................65
Figure 30 - Bar chart showing amount of Users believing Convenience can be improved
using Biometrics compared by gender.....................................................................................66
Figure 31 - Bar chart showing amount of Users for different Online Banking providers.......67
Figure 32 - Bar chart showing percentage of Natwest user satisfaction with Security and
Convenience.............................................................................................................................68

8. UP653689 | PJS40
Page | 8
Figure 33 - Bar chart showing percentage of Barclays user satisfaction with Security and
Convenience.............................................................................................................................68
Figure 34 - Bar chart showing percentage of Nationwide user satisfaction with Security and
Convenience.............................................................................................................................69
Figure 35 - Public questionnaire omitted questions from analysis and reasoning...................85

9. UP653689 | PJS40
Page | 9
Chapter 1 - Introduction
1.1 – Project Aim and Objectives
The fundamental aim of this project is to produce a structured report, comprising several
research methodologies, which elaborates on the overarching project research question –
“Is there a need for the security and convenience levels of Online Banking
authentication systems to be improved, and could this be met by implementing
biometric technologies?”
Meeting the following objectives will be critical for successfully achieving this project aim:
 Secondary research of relevant literature will be carried out and will form the basis of
the report in a literature review chapter.
(see 1.4.1).
 Primary research will be performed in order to gather both quantitative and qualitative
data, through the use of a distributed questionnaire and an analysis of different
present-day Online Banking authentication systems.
(see 1.4.2).
 An analysis and discussion of the findings from both the secondary and primary
research will be carried out in order to answer the project’s underlying research question
and its supporting research questions.
1.2 – Research Questions
The overall research question of, “Is there a need for the security and convenience levels of
Online Banking authentication systems to be improved, and could this be met by implementing
biometric technologies?” has been set for the project. In order to explore this question in more
depth whilst keeping the project focused and within scope, six supporting research questions
have been identified. These research questions will be addressed throughout the course of the
project through both the secondary and primary research and they will be significant for
answering the project’s main research question.
 What are the authentication techniques that are available to Online Banking
websites?
This will involve the secondary research of the methods/techniques for how current

10. UP653689 | PJS40
Page | 10
Online Banking websites can implement their authentication. This will be vital in
order to understand key terms and concepts that are associated with authentication
methods, which will be needed throughout the course of the project such as when
answering other research questions and designing/carrying out primary research.
 What security and convenience issues arise from the use of these authentication
techniques?
This is an immensely significant research question. It will be achieved through
secondary research that highlights a variety of security and convenience issues related
to the authentication techniques that are available for Online Banking websites to use.
The answer to this research question will prove to be vital in helping to justify
whether there is a need for security and convenience levels to be improved.
 How does a biometric authentication system work and how can security and
convenience levels be improved using one?
Again, this will be achieved through secondary research that highlights whether and
how the security and convenience levels of an authentication system in general can be
improved using biometrics. There are likely to be many examples of where biometrics
have been implemented in other industries and so understanding how successful their
use has been will help in determining whether their use can have a positive effect
within the Online Banking industry.
 Are there currently any implementations and/or developments of biometric
authentication systems within Online Banking or the Banking industry in
general?
In order to understand whether the biometric technology is a viable authentication
method, it will be important to find out whether it has already been successfully
implemented for an Online Banking service somewhere. It will be important to find
out whether the use of biometrics has improved the security and convenience of the
authentication system and whether it is likely that its use will become increasingly
popular within Online Banking.
 How are the authentication systems of some of the UK’s Online Banking
websites currently implemented and what security and convenience issues arise
from them?
This will be achieved through primary research. An analysis of ten Online Banking
websites will be undertaken in order to see the similarities and differences in terms of

11. UP653689 | PJS40
Page | 11
how their authentication systems work. From this analysis, security and convenience
issues can be identified which may or may not agree with findings from secondary
research.
 Is there a demand amongst Online Banking users and non-users for the security
and convenience of authentication systems to be improved, and what are their
perceptions towards the prospect of biometrics being able to do so?
This is one of the fundamental research questions for the project and will be achieved
through a distributed public questionnaire, in order to understand how users and non-
users feel about the security and convenience levels of their Online Banking website’s
authentication. The results will be able to demonstrate whether there is a need
amongst the users and non-users of Online Banking for these characteristics to be
improved. It will also be important to understand how they feel about biometrics
being introduced in order to achieve these improvements.
1.3 - Methodology
This project is large in scale compared to other coursework and commitments that the author
has throughout this project’s lifecycle. The author must consider personal time management
and will therefore follow a structured framework comprising a Project Initiation Document
(PID – see Appendix A), time-scaled plans/milestones (Gantt chart) and regular project
meetings with the author’s project supervisor in order to remain on schedule.
In order to obtain qualitative and quantitative data, research will involve carrying out both
secondary and primary research in the form of a literature review, a distributed survey and an
analysis of current user facing Online Banking authentication. It is anticipated that these
research methods could contain similar goals and findings. This will therefore provide several
different perspectives and improve the validity and reliability of the project’s conclusions.
Also, triangulation – which is a commonly used research technique that cross-references data
from two or more research methods in order to improve the validity and credibility of the results
- will be performed on these research methods.
1.3.1 – Secondary Research
Secondary research will be in the form of a structured literature review comprising a
wide variety of secondary data from several sources such as academic journals/papers,
dissertations, books, news articles and references from web pages. The literature review

12. UP653689 | PJS40
Page | 12
will predominantly aim to answer the first four research questions aforementioned and
so will include in depth information about different types of authentication techniques
available to Online Banks, the drawbacks concerned with how Online Banking
providers implement their authentication, how biometric systems can improve security
and convenience levels, and examples where biometrics have been adopted by Online
Banking websites already.
1.3.2 – Primary Research
Primary research is essential to the success of this project as it can be tailored and
designed according to the project’s scope and to gather data/information that was
unavailable through the secondary research. The primary research will be carried out
using two different methods which will collect qualitative and quantitative data. Firstly,
an analysis of ten UK bank’s Online Banking authentication systems will be carried
out. The purpose of this is to answer the fifth research question aforementioned and to
therefore understand how Online Banking authentication is actually implemented in
practice and to identify any associated security or convenience weaknesses with them.
The other primary research method aims to address the last research question and will
be carried out through a distributed public questionnaire in order to gather user and non-
user perceptions towards Online Banking authentication. These primary research
methods will collect data which is both related and unrelated to the secondary research
findings. Therefore, comparisons will be made between the secondary research and
both primary research methods through triangulation of the results.
1.4 – Project Constraints
There are a number of potential constraints associated with the success of this project which
have to be mitigated. The primary constraint for the project is in terms of time, as a deadline
of 24th
April 2015 has been set. This project is being undertaken in parallel with four other
challenging course units and so the author will need to ensure that enough time is devoted to
this research as well as other assignments. Other time constraints include the time dedicated to
the author’s part time employment and their search for a graduate job. In order to manage time
as efficiently as possible, a project plan has been created by the author which allocates different
milestones to specific project tasks. This can be seen within Appendix A.

13. UP653689 | PJS40
Page | 13
Another projected constraint is the potential for a lack of available academic literature that can
be used for secondary research within the project. References will therefore come from as much
academic literature as possible but will also be made up of information from other sources such
as news articles, banking/financial websites and system security or biometric websites. The
author expects to find a vast amount of information relating to areas such as the ways in which
authentication systems function, but they believe that other information such as the use of
biometrics within Online Banking to be covered less by the available academic literature.
The main limitation in regards to the primary research is the potential for the questionnaire not
gathering a large enough amount of responses. This can consequently have a detrimental effect
on the analysis of the results as well as the reliability and validity of any conclusions made.
Additionally, some respondents could view the information that they are sharing in the
questionnaire as sensitive. In order to alleviate this limitation, all responses to the primary
research survey will be treated as anonymous.
For the completion of the project, it is anticipated that only a computer with access to the
internet and Microsoft Office will be necessary. The author will therefore make use of their
own laptop but they will mostly use the resources within the University Library. A constraint
then arises in terms of the amount of facilities available to the author in the University Library,
especially during peak periods such as project deadline dates and examination periods.
Excluding the costs connected to the printing and binding of the project report, which will be
covered by the author, there are no monetary constraints foreseen for the completion of the
project.
1.5 – Chapter Summary
The overall aim of the project is to produce a structured report which expands on
the research question of “Is there a need for the security and convenience levels of
Online Banking authentication systems to be improved, and could this be met by
implementing biometric technologies?”
 Objectives have been set which must be completed in order to meet this aim.
 Six supporting research questions have been identified for in depth research
and to allow for the project to remain focused and within scope.

14. UP653689 | PJS40
Page | 14
 The methodologies which will be used to meet the project’s aims and
objectives have been introduced.
 Triangulation will be performed on the results of methodologies to improve
validity and reliability.
 Various project constraints have been highlighted along with mitigating
actions.

15. UP653689 | PJS40
Page | 15
Chapter 2 - Literature Review
The literature review is aimed at answering four out of the six research questions outlined in
the introduction chapter:
 What are the authentication techniques that are available to Online Banking
websites?
 What security and convenience issues arise from the use of these authentication
techniques?
 How does a biometric authentication system work and how can security and
convenience levels be improved using one?
 Are there currently any implementations and/or developments of biometric
authentication systems within Online Banking or the Banking industry in general?
The secondary data used for this literature review mostly derives from academic
journals/papers obtained from the internet by performing strategic key word searches on the
Google Scholar facility, the University of Portsmouth’s “Discovery” database and search
engines like Google and Bing. Some secondary data will also come from other online sources
such as news articles, banking/financial websites, system security or biometric websites and
online blogs, as these can often contain some of the most up to date and relevant information.
The use of Online Banking websites is not a new concept and therefore the author is aware that
many aspects, characteristics, perceptions, etc. have changed drastically since its introduction.
Bearing this in mind, and as this project is only focused on the current and future states of
Online Banking authentication systems, the author has chosen to only include secondary data
from sources that are as up to date as possible.
2.1 – Current authentication techniques used for Online Banking
services.
Authentication is the process of an entity confirming that another entity is who he or she claims
to be (Thigpen, n.d). Within computer systems, this process can be achieved through the
verification of various user authentication factors. These authentication factors can be
categorised as:

16. UP653689 | PJS40
Page | 16
 Something the user KNOWS –
with options such as passwords, PINs, user ID’s, secret questions/answers, bank
card details, etc.
 Something the user HAS –
with options such as USB tokens, one-time passwords or codes, SMS tokens, smart
codes, swipe cards, etc.
 Something the user IS –
with options such as fingerprints, vein patterns, iris patterns, voice characteristics,
etc.
(Thigpen, n.d).
Authentication systems are designed by applying these user factors mentioned above, to one
of three authentication mechanisms known as single-factor, two-factor and multi-factor
authentication mechanisms (Prasad & Kumar, n.d).
2.1.1 – Single Factor Authentication
Single-factor authentication is the most commonly used mechanism across the internet,
where users are typically verified based on their knowledge of usernames, passwords,
PINs, etc. (Holbl, 2007). As the name suggests, this mechanism only utilizes one of the
authentication factors, which is nearly always “something the user knows” (Prasad &
Kumar, n.d). A key advantage of this mechanism is that it is easy and quick to use for the
user.
Figure 1 - Single Factor Authentication
2.1.2 – Two Factor Authentication
Some Online Banking systems do still opt to implement the single factor authentication
mechanism, whereby the security of the system is enhanced by incorporating a wide

17. UP653689 | PJS40
Page | 17
range of “knowledge factor” options such as passwords, user ID’s/usernames, secret
answers/questions. However, most banks nowadays implement the two-factor
authentication approach (Holbl, 2007). Two-factor authentication utilizes a second
authentication factor, which adds another layer of protection and increases security
(O’Reilly, 2013). Nearly all Online Banking services that use the two-factor
authentication mechanism do so by employing both the “knowledge factor” (through
passwords, user ID’s, etc.) and the “possession factor” (through one time
passwords/tokens obtained through SMS, email or hardware devices such as USB’s)
(twofactorauth.org, n.d).
Figure 2 - Two Factor Authentication
2.1.3 – Multi Factor Authentication
Multi factor authentication provides users with higher levels of security and protection
against online banking fraud (Prasad & Kumar, n.d). This mechanism utilizes two or more
of the authentication factors, but where “something the user is” (ie. biometrics) is one
of them (Prasad & Kumar, n.d). The purpose of this multi-factor mechanism is to make it
even harder for an unauthorised user to gain access to a system (Rouse, n.d). In other
words, someone could gain access to “something you have” (eg. USB stick, smart card)
in addition to “something you know” (eg. passwords, usernames, etc.), but they would
still be unable to gain access to a system as they will find it extremely difficult to
replicate “something you are” such as a fingerprint or iris pattern (Goriawala, 2013).

18. UP653689 | PJS40
Page | 18
Figure 3 - Multi Factor Authentication
2.2 – Issues
Single-factor authentication is less secure than two-factor authentication, whilst two-factor
authentication is less secure than multi-factor authentication (PCIGuru, 2010). With single-factor,
somebody only needs to gain access to one authentication factor - which is nearly always the
knowledge based factor – in order to gain access to an Online Banking account. The issue that
arises with this is that knowledge based factors can prove to be somewhat the easiest for
unauthorised users to gain access to. One of the biggest problems is that users do not understand
how to create strong, secure and memorable passwords (Rouse, n.d). As a result, the task of
cracking passwords through guessing, brute force or dictionary attacks can be relatively simple
for attackers (Rouse, n.d). These knowledge based factors are also vulnerable to being accessed
through social engineering, or if the unauthorised person knows the user very well then the
techniques of answering personalised questions or identifying images for example can be
simple for them (French, 2012).
If an Online Banking service implements a single-factor authentication system using
knowledge based factors efficiently, then this does not mean that it is necessarily ineffective
against security breaches (PCIGuru, 2010). However, even this prompts another issue to arise. If
an Online Banking system was to employ too many or too complex authentication factors, then
not only does this affect the convenience of the authentication process for the user in the fact
that it will now be more time consuming and possibly more confusing to log in, but the security
of the system can still be vulnerable, even though the whole purpose of the additional
knowledge factors was to improve it. As French explains, “creating questions that are too
complicated might result in the user not remembering the answers and leave them unable to
access their account” (French, 2012). Users could then revert to making notes of the answers to
these knowledge based factor questions in an unprotected form such as a scrap piece of paper
(French, 2012). The security of the user’s Online Banking account is therefore still vulnerable to

19. UP653689 | PJS40
Page | 19
unauthorised access as someone could easily gain physical access to the notes that they have
made.
With two-factor authentication, an unauthorised user would need to gain access to both the
user’s knowledge factors and the user’s possession factors in order access their Online Banking
account. Although there is this added layer of protection, two-factor authentication is still not
a full proof mechanism to secure Online Banking accounts. The vulnerabilities with the
knowledge factors explained previously still exist, in addition to security related vulnerabilities
and convenience related drawbacks with the possession based factors as well.
Most two-factor authentication mechanisms require some sort of “user participation” such as
issuing tokens, cryptographic keys or one-time passwords in user devices (Fenton, 2013). Users
must therefore ensure that their phone/device is always with them each time they wish to use
their Online Banking services (FRSecure, 2013). In systems that implement two-factor
authentication as an optional mechanism for users, it has been found that most users do not use
it as “the security is not worth the pain of the experience” (Fenton, 2013). This requirement for
“user participation”, as well as the additional time it takes to complete the logging in process
and the inevitability of errors, has an effect on the level of convenience that users experience
and suggests that the level of user acceptance is low (Nolte, 2014).
Non-technical problems concerned with the use of two-factor authentication include the fact
that it is costly to implement for Online Banking, as well as the obvious fact there is the risk
that users can lose or damage the “thing that they possess”, or have it stolen (Yegulalp, 2006).
Thus, not only could genuine users be unable to access their Online Banking accounts, but it
can also be made possible for unauthorised users to gain access.
One of the most widely used “possession factor” options used by Online Banking systems for
implementing two-factor authentication, is the use of one-time passwords/codes sent through
SMS to user’s mobile phones (Kirk, 2013). These codes are to be entered into the authenticating
web-based form by the user before they expire within a few minutes (Kirk, 2013). However, these
one-time passwords/codes can be easily compromised by cybercriminals who can infect mobile
devices and desktop PC’s with malware suites and Trojan horses, which are capable of
intercepting/re-directing the SMS messages (Kirk, 2013; Fenton, 2013). Also, as this method relies
on the security of the mobile network provider, it can be vulnerable to several of the telecom
provider practices such as the reassignment of phone numbers or the security of messages
(Fenton, 2013).

20. UP653689 | PJS40
Page | 20
2.2.1 – Types of Attacks
Possibly the main issue with the Online Banking two-factor authentication systems -
especially ones which implement the “one-time password” - is the fact that they are
vulnerable to man-in-the-middle, phishing and man-in-the-browser attacks (Wisniewski,
2014; Adham et al, n.d; Paganini, 2013). These can all leave user’s accounts helpless against
unauthorised access. These type of attacks against Online Banking websites are
surprisingly common with real life examples of them happening on a weekly,
sometimes daily basis. “Zeus”, “SilentBanker” and “URLZone1” are all examples of
famous Trojans which successfully stole millions of dollars from user’s Online Banking
accounts (Adham et al, n.d). Trojans like these work by stealing data such as user’s login
credentials, card numbers and security codes and then sending these to a “command
and control server” that is managed by an attacker (Adham et al, n.d). These attackers are
then able to use the stolen details to manually log into victim’s Online Banking accounts
(Adham et al, n.d).
The main ways in which these type of Trojans actually manage to steal the log in
credentials of users is by exploiting the vulnerabilities connected with man-in-the-
middle, phishing and man-in-the-browser attacks. Malicious-software and Trojans have
“become the method of choice to attack financial institutions” thanks to the capability
of performing these attacks easily and covertly (Cain, 2014).
Man-in-the-middle attacks occur when attackers “nestle themselves in the
communication flow between the customer and the bank with the aim of manipulating
the transaction data to their own advantage, leaving the bank and the customer
unaware” (Mennes, 2009). As Cain explains, man-in-the-middle attacks implement a
“proxy” between two systems which can be then used to trick users into providing
information such as their login credentials, bank card details or one-time passwords to
an attacker (Cain, 2014). Tricking users like this is often achieved through the use of
phishing, whereby users enter their details into a fake website managed by an attacker,
which they believe to be the genuine website for their Online Banking (Mennes, 2009).
Because of the use of the “proxy” between the two authenticating systems, these are
known as “remote man-in-the-middle attacks” (Mennes, 2009).
An example for where a remote man-in-the-middle attack was successful through the
use of phishing techniques came in 2007, when the online bank accounts of customers
of Dutch bank ABN Amro were compromised (The Register, 2007). The attack succeeded

21. UP653689 | PJS40
Page | 21
even though the bank had implemented two-factor authentication. Attackers had sent
bogus emails to customers containing an attachment that, when opened, installed some
malware on the victim’s computer. The purpose of the malware was to redirect
customers to a fake Online Banking website controlled by the attackers (ie. the “proxy”
between the two authenticating systems), which then gathered their credentials (The
Register, 2007).
Man-in-the-browser attacks on the other hand can be classified under the “local man-
in-the-middle attacks” category. This means that the attack is performed by malicious
software or trojans installed locally on a victim’s computer, hence making it difficult
for anti-fraud technologies to detect an attack on an Online Banking system (Mennes,
2009; Cain, 2014). Daniel Brett mentions that man-in-the-browser attacks are “specifically
focused against banking” (Kelly, 2012). Additionally, Paganini explains that “the majority
of financial services professionals consider man-in-the-browser attacks as the greatest
threat to Online Banking (Paganini, 2013). A man-in-the-browser attack works through
a covertly installed Trojan on the victim’s computer that takes advantage of
vulnerabilities in web browser security (Infosec, 2012; Arcot, 2010; Entrust, n.d). These
Trojans are typically installed in the form of browser helper objects (BHO’s), user
scripts or browser extensions/plug ins (Infosec, 2012; Entrust, n.d). The Trojan is activated
once a user visits a genuine Online Banking website (Entrust, n.d). However, they do not
intervene with the user’s bank accounts until users have genuinely authenticated
themselves with their bank using any authentication mechanism (Arcot, 2010; Entrust, n.d).
This makes it extremely difficult for users to be aware that they are a victim of a man-
in-the-browser attack. Once an authentication session between the user and the bank
has been established, the Trojan is capable of intercepting and altering “all
communication between the user’s browser and the destination web server” (Ram, 2010;
Arcot, 2010). It is therefore possible for attackers to use these Trojans to modify
transaction details for their own benefit, such as destination account numbers or the
values of transactions, without the user or the bank noticing (Ram, 2010; Entrust, n.d).
Some well-known examples of man-in-the-browser attacks include Zeus, Gozi,
URLZone, Sinowal, SpyEye and SilentBanker (Bar-Yosef, 2010).
2.3 – “Something the user IS”
Biometrics can be defined as “the process by which a person’s unique physiological and
behavioural characteristics are detected, recorded and analysed by an electronic device or

22. UP653689 | PJS40
Page | 22
system as a means of confirming identity” (Collins English Dictionary, 2012; Dictionary.com, n.d).
There are a wide range of human biological characteristics that can be used for this process
such as the patterns of the fingerprint, iris, retina, voice, face, veins and hands (Rouse, 2008).
Biometrics can be implemented as an authentication technique for a variety of purposes such
as for physical access control to buildings or assets, identification of wanted or known
individuals and - more importantly for the purpose of this project - the digital access to
computers, devices, systems or websites (Wayman et al, n.d; SearchSecurity.com, 2008).
Generally speaking, all biometric authentication systems work in the same way and consist of
three stages: enrolment, verification and identification (Umanick, n.d; BSI, n.d). The enrolment
phases describes the process by which an individual first submits their biometric information
to the system for it to analyse and then record it (Umanick, n.d; BSI, n.d). The analysis involves the
system placing several “reference points” at key locations of the biometric image and then
taking measurements between them all (Reference for Business, n.d). An algorithm is applied to
these measurements which converts them into a “very large alphanumeric key” called a
“template” which is then stored in a central database, for use as a future reference for
identification (Reference for Business, n.d). This process is comparable to traditional authentication
systems when a user first submits their password.
The verification and identification stages are similar. Verification is the process by which a
system confirms that someone is who they say they are. The user submits another biometric
image to the system which is then compared against the “template” images in the database
(Umanick, n.d; Reference for Business, n.d). If these two alphanumeric keys match closely enough
then the user is authenticated. The identification stage is slightly different in the fact that there
is no “claim of identity” and instead the system determines an identity by searching the
database of templates for the matching biometric image (Umanick, n.d; BSI, n.d).
2.3.1 – Biometrics and Security
Nearly all banking institutions implement the one-factor or two-factor authentication
mechanisms. The use of the “something you are” authentication factor (ie. biometrics)
and the multi-factor authentication mechanism is yet to be widely adopted within
Online Banking authentication systems (Ahman & Hariri, 2012). As mentioned previously,
there are a wide range of weaknesses concerned with one- and two-factor
authentication. It is almost a general consensus that these traditional authentication
techniques which use knowledge and possession based factors are not adequate enough
to combat identity theft or ensure the security of digital assets such as Online Banking

23. UP653689 | PJS40
Page | 23
accounts (Jain & Nandakumar, 2012; Entrust, 2013; Burrus, 2014). It is also believed by many
that the use of biometrics and the “something you are” authentication factor is the
answer to providing increased security levels (Rubens, 2012).
The key word in the definition mentioned before is “unique”. Everyone has their own
unique biological characteristics and, because of this, biometric authentication systems
prove to be very secure - biometric systems can increase the levels of prevention against
identity theft for example (Penny, 2002). Probably the main reason for the biometric
authentication factor being more secure is because some of the weaknesses associated
with the knowledge and possession based factor systems are eradicated. For instance,
Daniel Burrus considers there to be a need for biometric systems to take over from
password based systems, which are “easy for hackers” due to “terrible” password
management displayed by the majority of people (Burrus, 2014).
As biometric data is unique and specific to individuals, it is not as vulnerable to being
duplicated, forged, faked or guessed and so unauthorised access becomes considerably
more difficult for attackers (Penny, 2002). Additionally, the vulnerability concerned with
knowledge or possession based factor information being lost or stolen and falling in the
wrong hands is eradicated, as the biometric data required for users to authenticate
themselves is on their own human body – thus it goes where they go and is always with
them (Penny, 2002). Attacks involving reproduction would require a substantial amount
of resources with advanced expertise, technology and processes, as well as access to
individual’s biometric data in the first place. However, it can be possible for attackers
to access user’s biometric data - which can then be used for unauthorised access -
through “back-end attacks” on central databases of biometric templates (Alaswad et al,
2014). Nevertheless, these attacks can be prevented by applying “common database
security methodologies” and encryption and hashing methodologies (Alaswad et al, 2014).
The amount of reference points that are placed on a captured biometric image depends
on the type of biometric technique being used. As an example, fingerprint recognition
places 60-70 reference points, whereas iris scanning and retinal scanning use 200-240
and approximately 400 reference points respectively (Essilor, n.d; Carlos, 2011).
The Crossover Error Rate (CER), is a way of measuring how accurate a biometric
technique is – the smaller the percentage then the more accurate the technique (Walker,
2002). The CER is calculated using the “False Rejection Rate”, which is a measurement

24. UP653689 | PJS40
Page | 24
of authorised users denied authentication, and then also the “False Acceptance Rate”,
which is a measurement of unauthorised users granted authentication (Walker, 2002). The
CER’s of fingerprints is 0.2%, iris scanning 0.000763% and retinal scanning
0.0000001% (Walker, 2002). When these CER’s are compared with the amount of
reference points each technique uses (fingerprint 60-70, iris scanning 200-240, retinal
scanning 400), an assumption arises that there could be a direct correlation between the
amount of reference points a technique uses, and the accuracy of a biometric system.
2.3.2 – Biometrics and Convenience
The use of biometrics for the identification/authentication of individuals has already
been successful in other industries. The use of iris recognition for example has been
successfully implemented within UK Airport Immigration Control with a system called
the “Iris Recognition Immigration System” (Daugman, n.d), and also within a University
in North Carolina, USA, where iris recognition has been used as an access control
method instead of identification cards (Winthrop University, 2013). The airport immigration
system allowed passengers to pass through Immigration Control within approximately
20 seconds, thus drastically reducing queues and speeding up the checking-in process
for passengers (Emirates, n.d). Whilst the University’s system mitigated the risk of lost,
stolen or forged identity cards and also alleviated the need for students to remember to
carry ID cards with them in the first place (Winthrop University, n.d). These examples
demonstrate that biometrics can be used in different industries for different purposes
and, more importantly, that their use can have significantly positive effects on user
convenience.
The theory that biometrics can improve convenience levels is one that is shared amongst
many individuals with close links to the security industry. For example, the Chief
Executive of a fingerprint technology provider mentions that “most security is
inconvenient, but using your finger is convenient” (Banking Tech, 2011). A security analyst
at Google Intelligence also adds that “biometric systems can be much more convenient
than tokens and other systems” (Rubens, 2012). Additionally, a project named
BIOVISION highlighted that one of the key factors which leads to user acceptance is
the fact that a “biometric system is more convenient to use than previous/alternative
systems” (Sasse, n.d).

25. UP653689 | PJS40
Page | 25
By taking these examples and quotes into consideration, it would appear safe to assume
that by implementing biometrics into Online Banking authentication systems, the user
experience can be improved. The log in process could:
 Become much less time consuming for the user to complete (Sarma & Singh, 2010).
 Involve less user participation in terms of the amount of user input that is
required, such as typing in user passwords or one-time-passwords sent to mobile
devices (Sarma & Singh, 2010).
 Relieve the requirement to carry around “possession factors” such as PIN
generating devices, USB tokens, mobile devices, etc.
 Minimise the demand for users to remember a range of “knowledge factors”
and reduce the risk of users forgetting them (Patrick, n.d).
2.3.3 – Biometrics within Online Banking and Banking Industry
As previously mentioned, the use of biometrics as an authentication mechanism has
significant security and convenience benefits when contrasted with the current
authentication mechanisms used for Online Banking. As Sarma and Singh explain,
“utilising biometrics for internet banking is becoming convenient and considerably
more accurate than current methods” (Sarma & Singh, 2010). And many believe that
biometric authentication is the answer for combatting Online Banking authentication
issues such as unauthorised access, identify theft, bank fraud and user inconveniences
(Cook, 2013). Some, like Dr. Costigan, also believe that biometrics will cause the “death
of the password” and PIN generating devices (Belton, 2015).
The use of biometric authentication however is yet to be widely rolled out as the
standard authentication mechanism for Online Banking. Although there are instances
where their use has already been successful within the banking industry. Vein scanning
technology has been widely used to verify ATM customers in Japan and Poland for
example (Collinson, 2014; Thornhill, 2012; Mayhew, 2014). Additionally, Danske Bank in
Denmark have introduced behavioural biometrics into their authentication systems
(Belton, 2015; BehavioSec, n.d). During its trial, this system was able to distinguish between
authorised users and unauthorised users (with the correct login credentials), in 99.7%
of cases – thus demonstrating that the security of the Online Banking service was vastly
improved (BehavioSec, n.d).

26. UP653689 | PJS40
Page | 26
Many developments for biometric authentication within the UK are motivated by the
introduction of the fingerprint scanner on Apple iPhones. Natwest and RBS for example
have announced plans for integrating their mobile banking services with the iPhone’s
fingerprint capabilities (Belton, 2015). St. George Bank in Australia on the other hand
have already given their mobile banking users this functionality (Head, 2014). However,
as a variety of vulnerabilities exist with fingerprint recognition in general, and more
specifically with the iPhone’s Touch ID, it is believed that more accurate and robust
biometric options such as iris or vein scanning would be necessary for Online Banking
(Belton, 2015).
Barclays have become one of the earliest adopters of biometric authentication for home
users in the UK with the introduction of a scanning device that authenticates users based
on the vein pattern in their finger (Higgins, 2014; Tassabehji, 2014). The device, known as
“VeinID”, is currently only available for wealthy corporate banking customers but it is
believed that it will soon be made available to a wider audience (Higgins, 2014). The use
of the “vein pattern” biometric option also makes the device’s use as an authentication
mechanism more secure than fingerprint recognition. The VeinID system has a false
acceptance rate of 1 in 1,000,000 and a false rejection rate of 1 in 10,000 (Higgins, 2014).
Interestingly, the Barclays VeinID system has been specifically designed to mitigate a
couple of vulnerabilities concerned with biometric systems which were highlighted
previously. In contrast to some fingerprint recognition devices which can occasionally
be spoofed by inorganic fingerprints, VeinID will only successfully authenticate a user
if it recognises that their finger is attached to a “living, blood-pumping body” (Higgins,
2014). Furthermore, the recorded vein pattern image is cryptographically stored locally
on a SIM-card provided by Barclays, and hence is not stored in a central database
(Higgins, 2014). Therefore, the recorded biometric data is not susceptible to being stolen
through the “back-end attacks” aforementioned.
2.4 – Chapter Summary
 The process of authentication works by verifying identifiable pieces of
information known as authentication factors. These authentication factors
can be classified under three categories known as “something the user
knows”, “something the user has” and “something the user is”.

27. UP653689 | PJS40
Page | 27
Authentication systems are then designed by applying these factors into one
of three mechanisms known as “single-factor”, “two-factor” and “multi-
factor” authentication mechanisms.
 Single-factor uses one authentication factor, two-factor uses two and multi-
factor uses two or more but where one of them is “something the user is. It is
believed that single-factor authentication is less secure than two-factor,
whilst two-factor is less secure than multi-factor.
 Single-factor and two-factor are the two most widely used mechanisms within
Online Banking and other systems in general. A variety of security issues and
some convenience issues have therefore been explained within 2.2 for both of
these authentication mechanisms and the knowledge and possession based
authentication factors which they implement.
 Common attacks which the single- and two-factor mechanisms are vulnerable
to include password cracking, social engineering attacks, man-in-the-middle,
phishing and man-in-the-browser attacks. These have been thoroughly
explained using examples within 2.2.1.
 The process of how a biometric authentication system works has been
explained technically within section 2.3. And the ways in which security and
convenience levels of an authentication system can be improved have been
exhaustively explained, using real world examples, within section 2.3.1 and
2.3.2.
 It is believed that the use of biometrics within Online Banking can
significantly increase the security and convenience of the authentication
process. However, the use of biometrics and therefore the multi-factor
authentication mechanism is yet to be widely adopted by Online Banking
providers.
 Examples of where the use of biometrics have successfully been implemented
within the Banking industry have been explained in section 2.3.3.
Developments of biometric authentication systems for Online Banking have
already begun with a key example being from Barclays with a system called
VeinID.

28. UP653689 | PJS40
Page | 28
Chapter 3 - Methodology
Moving on from the secondary research (the literature review), the project now becomes
focused on the primary research, which is to be carried out with the intention of answering the
following research questions:
 How are the authentication systems of some of the UK’s Online Banking websites
currently implemented and what security and convenience issues arise from them?
 Is there a demand amongst Online Banking users and non-users for the security and
convenience of authentication systems to be improved, and what are their perceptions
towards the prospect of biometrics being able to do so?
For the primary research to be successful in answering these research questions, it is significant
that an overall research methodology is taken on board by the author in order for it to remain
structured and focused. This chapter is concerned with highlighting and explaining the
different methodological approaches which have been adopted for the completion of the
primary research. These approaches will be responsible for gathering both qualitative and
quantitative data which will be used to answer the aforementioned research questions, as well
as to perform triangulation between the findings of these primary research methodologies and
the findings of the secondary research.
3.1 – Research Methods and Research Design
3.1.1 – Analysis of Online Banking Websites Authentication Systems
The qualitative research approach will be in the form of an analysis of 10 UK Online
Banking website’s authentication systems. This method is concerned with answering
the first research question mentioned previously. The motivation for this methodology
derives from the literature review findings concerning the drawbacks of Online Banking
authentication systems. The author therefore felt that it would be beneficial to determine
whether any of these drawbacks were evident in any of the Online Banking
authentication systems in use today, as well as assessing the different levels of
convenience and security that are apparent in each. The analysis involves the author
opening up a total of 10 different Online Banking accounts and then logging into each
one individually, making observations about the various authentication steps which are
required. By exploring these observations, the author can identify whether any of the

29. UP653689 | PJS40
Page | 29
drawbacks outlined in the literature review are present. Also, the levels of convenience
and security for each can be scrutinized by assessing the time it takes to log into each
online account, as well as determining whether the authentication systems could be
using too few, too many or too complex authentication methods (eg. user ID’s, secret
questions/answers, passwords, security tokens/codes, PIN generating devices, etc.).
The findings for each Online Banking account will then be used in conjunction with the
findings of the quantitative research method which will find out whether users are
satisfied with the levels of convenience and security that their Online Banking service
provides. The author will then be able to perform triangulation between these results by
seeing if there are correlations between the levels of user satisfaction with convenience
and security, and the levels of convenience and security that the author experienced
during this 10 Online Banking websites analysis.
3.1.2 – Public Questionnaire
The other primary research methodology, which is concerned with answering the
second research question mentioned previously, is a distributed public questionnaire.
In contrast to the analysis of the Online Banking authentication systems methodology,
this is a quantitative research approach which will allow the author to easily perform
statistical analysis on the results in order to identify trends, correlations, differences,
etc. As Robson explains, the use of questionnaires/surveys mostly “produce
quantitative data which can easily be subject to statistical analysis using straightforward
computer-based techniques”, (Robson, 2014, p. 30).
The associated research question is aimed at identifying the user and non-user
perceptions and attitudes towards Online Banking security and convenience. In order
to answer this as accurately as possible, and in a way which is representative of the
perceptions and attitudes of users and non-users from society as a whole, the author
understands that data needs to be gathered from as many people as possible. Through
the use of the public questionnaire methodology this requirement can be achieved as it
is possible to reach a considerably large sample of respondents whilst using inexpensive
and available resources such as the internet (Robson, 2014, p. 41-42).
Google Forms is a free internet application which will be used by the author for the
design of the questionnaire. This application provides a web page link to the
questionnaire which can be distributed to audiences, and is also capable of

30. UP653689 | PJS40
Page | 30
automatically and securely recording all respondent’s answers in a spreadsheet in
preparation for data analysis.
Some of the findings from the literature review will have an influence on how the
questionnaire is designed and the types of questions that will be included. As an
example, secondary research highlighted that a problem with banks incorporating a lot
of authentication questions is that users tend to forget them. Because of this, questions
will be included that ask respondents how difficult they find it to remember log in
credentials and whether they do make notes of them.
Whilst designing the questionnaire it is also vital that the author considers the length of
time that it takes for a respondent to complete it. A survey which is too time consuming
for people to answer will put them off and have a very negative effect on the level of
response. The author consequently decided that the questionnaire should take no longer
than 5 minutes to complete. Additionally, it is important that the questionnaire is made
up of questions that are clear, concise and easy to understand by participants. Questions
which are biased, misleading or vague will cause respondents to provide answers that
are not accurate or relevant to the true purpose/meaning of the questions.
Lastly, the questionnaire will mostly be made up of closed questions which force the
participant to choose an answer from a given list such as “Definitely”, “Possibly”,
“Definitely not”, etc. These type of questions allow for results to be easily analysed
using a quantifiable or statistical approach and also allow the questionnaire to be easier
and quicker to complete for respondents (Leung, 2001). However, sometimes these closed
questions may not include enough options for respondents to give an accurate answer.
This problem will be solved within the public questionnaire by also incorporating an
open answer format through the use of “Other” options, where respondents can provide
alternative answers (Leung, 2001).
3.2 – Public Questionnaire Sample
There are no specific criteria set for the sample of participants for which the public
questionnaire is aimed towards. The purpose of the questionnaire is to gather the perceptions
of Online Banking amongst users and non-users and the questionnaire aims to gather as an
accurate representation of society as possible. Therefore, participants are not required to be
from a specific age range, have a specific occupation or even be a regular internet user for

31. UP653689 | PJS40
Page | 31
example. To achieve the most accurate representation, the author understands that the
questionnaire needs to be completed by as many people as possible. The author also
understands how vital it is that the results of the questionnaire are not biased to a particular
demographic of society such as a particular age group. Biased results such as these would have
a detrimental effect on the accuracy and the integrity of the results, and a true representation of
society would not be achieved. The only criteria that the author has placed upon respondents,
which is for ethical reasons, is that they are aged 18 and over.
3.3 – Public Questionnaire Pilot Study
Running a pilot study is a vital part of designing a research questionnaire and is achieved by
“trying out all aspects of the data collection on a small scale” (Robson, 2014, p. 97). In other words,
a pilot study is an initial trial of the data collection method with only a small proportion of
respondents from the target audience, with the purpose being to ensure that everything runs
smoothly and according to plan (Robson, 2014, p. 97). Through feedback made from the small
sample of respondents, necessary modifications can be made to the data collection method
before it is performed for real.
The author believed that it was very important to carry out a pilot study of the public
questionnaire. The author needed to ensure that respondents were able to successfully access
and answer the set of questions through the link provided to them, and also that their responses
were successfully recorded and populated within Google Forms and the corresponding
“responses” spreadsheet. It was also imperative for the author to understand whether
respondents found any questions to be ambiguous, biased or incomplete in any way and
whether they felt that any other improvements could be made to questions.
The pilot study of the public questionnaire was designed and then distributed using the Google
Forms facility on Google Drive. This pilot study can be seen within Appendix C. A total of
three respondents were then specifically chosen to complete this pilot study online through the
link provided by the Google Forms application. In order to obtain feedback which is
representative of as many of the target audience as possible, these respondents were selected
based on their age and their computer literacy, (ie. one aged 18-23 & extremely computer
literature, one aged 31-40 & moderately computer literature and one aged 51-60 & not so
computer literate).

32. UP653689 | PJS40
Page | 32
3.3.1 – Pilot Study Findings
There were no major issues highlighted by the three respondents in terms of actually
completing the questionnaire as all three were able to successfully open it through the
Google Forms link, complete all the questions and submit their responses. Also, all of
the participant’s responses to the individual questions were successfully recorded and
populated within the Google Forms application and the “responses” Google
spreadsheet. From viewing these responses the author could see that the respondents
appeared to understand what was meant by the majority of the questions as their
answers were appropriate.
The three pilot survey respondents provided constructive feedback about various
aspects of the questions which was then used to further develop the public questionnaire
before launching it for real. The feedback which was received by the sample audience
and which was acted upon by making modifications to the questionnaire are shown
below:
 It was noted that the question which asked for the topic/subject that the
respondent was studying was not very relevant as there could be a huge range
of different answers given and so it would be difficult to make any strong
correlations with other answers. The author agreed and thus removed this
question.
 All three respondents noticed that the scales used throughout the questionnaire
were inconsistent, ie. one question used a scale of 1-5 whilst others used a scale
of 1-10. This could make it confusing for some respondents and have an effect
on the integrity of answers given by them. The author also believed that using
a scale of 1-10 was not necessary as there would be too many options available
to each respondent, making it harder to analyse results and make strong
correlations. Consequently, the author changed all scales to 1-5.
 All three respondents also mentioned that they did not use or hear the phrase
“E-Banking” and instead only used and heard people use the phrase “Online
Banking” to describe the facility. The author therefore chose to remove the
phrase “E-Banking” from the questionnaire in order to make questions easier to
read and understand for people and to avoid any confusion (ie. people could
have assumed that E-Banking and Online Banking meant different things).

33. UP653689 | PJS40
Page | 33
 It was highlighted that it would be beneficial to add some form of introduction
to the questionnaire in order to help people understand the purpose behind the
survey, as well as making the questionnaire more “friendly”. The author
consequently added a brief introduction to the questionnaire explaining that it
is being used as research for a dissertation and that all responses remained
anonymous.
 All three participants identified that question 5 was a bit vague and didn’t give
them much indication in terms of what exactly was meant by “security”,
therefore they were left slightly confused on how they should answer. To rectify
this, the author chose to add some “help” text to the question in order to tell
respondents to consider all aspects of security such as security of buildings,
assets, finances, computer systems/programs etc.
 Lastly, 2 out of the three respondents (aged 31-40 & 51-60) were not aware of
what was meant by a “biometric system” and so they felt that their answer could
not be completely accurate. The author agreed that this was an issue and
assumed that this would be the case for a lot of people, especially those slightly
older or less computer literature/familiar with technologies. To mitigate this
problem the author added a brief explanation for what is meant by a biometric
system in terms which should be familiar to most people, eg. the author assumes
that most people will be familiar with terms such as “fingerprint scanners”, “eye
scanners”, “facial recognition” etc.
3.4 – Distribution of Public Questionnaire
It was vital that the questionnaire gathered an effective amount of responses in order for
analysis, conclusions and correlations between results to be as robust, reliable and accurate as
possible. The author understood that a small amount of responses to the questionnaire would
make it extremely difficult to make any of the analysis worthwhile or useful. In order to
distribute the questionnaire to as many people as possible, the author chose to use a variety of
methodologies including social networking sites, email and word of mouth between friends,
family and acquaintances.
The author’s personal Facebook account proved to be a useful resource in order to promote the
questionnaire to a collection of at least 500 people (Facebook friends). Figure 4 below displays
the Facebook post along with the questionnaire link, made to the author’s personal Facebook

34. UP653689 | PJS40
Page | 34
page. The author also ensured that this post was not limited to their own Facebook friends but
was also viewable by all users of the social networking site.
Figure 4 - Using Facebook to distribute survey
The author also made use of their personal Twitter account and promoted the questionnaire to
their own followers and also to the followers of “@portsmouthuni” and “@UOPTECHSPEC”.
The tweet that the author published is shown in Figure 5 below.

35. UP653689 | PJS40
Page | 35
Figure 5 - Using Twitter to distribute survey
The author was capable of distributing the questionnaire to a considerably large audience by
requesting for an email, containing the questionnaire link, to be forwarded to all final year
University of Portsmouth students. The email which was forwarded can be seen in Figure 6
below.
Figure 6 - Using University mass email to distribute survey
Although the three methodologies aforementioned are capable of reaching large audiences,
these audiences are predominantly made up of people from younger age groups (ie. author’s
friends/followers & final year University of Portsmouth students are mostly from younger age
demographics). Therefore, using these methods alone would cause the majority of results and
perceptions to be biased towards these age groups and a true representation from all age groups
could not be met.

36. UP653689 | PJS40
Page | 36
In order to attempt to gather responses from older age groups, the author chose to distribute the
questionnaire amongst colleagues at their place of employment, a Central Government/Civil
Service organisation. This was achieved by sending an email containing the questionnaire link
to approximately 250 people of various age groups. This email is shown in the Figure 7 below.
By doing this, the author hoped to accumulate enough responses from older age groups in order
to make the collection of results less biased towards the younger age groups. In addition, the
author hoped that differences/correlations in results could be highlighted amongst these
different age groups, (ie. n% of 18-23 year olds said X whereas n% of 61-70 year olds said Y).
Figure 7 - Using mass email at author's place of employment as distribution method
3.5 – Analysing Primary Research Results
Obviously, these primary research methods would prove to be completely useless unless some form
of data analysis was performed on their results. Once the questionnaire has gathered an adequate
amount of responses, all of the results that have been recorded within the Google forms spreadsheet
will be thoroughly analysed. This analysis will consist of quantitative data and will be expressed
statistically and textually, mostly through the use of percentages, graphs and pie charts. The
analysis will not only involve analysing the answers to each question individually, but the answers

37. UP653689 | PJS40
Page | 37
to different questions will be combined in order to find trends/correlations between the responses
as well.
On the other hand, the analysis of the 10 Online Banking websites authentication systems will
consist of mostly qualitative data and will mainly be presented textually, although it is also possible
that some statistical data could be used. This analysis will also be combined and compared with
some of the answers from the public questionnaire in order to highlight trends, differences and add
further integrity to the findings. For instance, the analysis of the 10 Online Banking websites may
highlight that bank X has a long authentication process, and then the public questionnaire may find
that a high proportion of users of bank X are not satisfied with the convenience of the authentication
process.
In order to discuss the findings of the research, make conclusions and answer the overall research
question, it is vital that triangulation is performed on the findings. Triangulation will be carried out
so that comparisons can be made between all of the quantitative and qualitative data obtained
through the public questionnaire, the analysis of the 10 Online Banking websites and the secondary
research in the form of the literature review.
3.6 – Ethical Considerations
It was important that all primary research was designed and carried out in a way that was
compliant with the University of Portsmouth’s research ethics. As human subjects are involved
in the primary research within the public questionnaire, the author ensured that an ethical
examination form was completed at the commencement of the project. This can be seen in
Appendix B.
3.7 – Chapter Summary
 The two primary research methodologies being used to collect qualitative and
quantitative data to answer the project’s research questions have been
introduced and thoroughly explained. These are a distributed public
questionnaire and an analysis of 10 UK Online Banking authentication
systems.
 The sample for the public questionnaire has been explained and a pilot study
of the questionnaire was run during the design phase for testing and
constructive feedback.

38. UP653689 | PJS40
Page | 38
 The methods used for distributing the public questionnaire to as wide an
audience as possible have been described.
 The way in which the results of both primary research methods will be
analysed has been explained, as well as how the results from all research
methods will be triangulated.

39. UP653689 | PJS40
Page | 39
Chapter 4 - Primary Research Results
The purpose of this chapter is to analyse the qualitative and quantitative data gathered by both
of the primary research methodologies: the analysis of the UK Online Banking websites and
the Public Questionnaire.
To reiterate, the primary research methods were carried out with the intention of answering the
following research questions:
 How are the authentication systems of some of the UK’s Online Banking websites
currently implemented and what security and convenience issues arise from them?
 Is there a demand amongst Online Banking users and non-users for the security and
convenience of authentication systems to be improved, and what are their perceptions
towards the prospect of biometrics being able to do so?
4.1 – Analysis of UK Online Banking Websites
4.1.1 – Data Collection
This analysis involved the author opening up 7 bank accounts from different providers and then
registering for each of their Online Banking services so that observations could be made about
their authentication systems. The observations made by the author are based upon the results
of the secondary research and so they include qualitative data about the different authentication
factors and mechanisms that each Online Banking website implements, as well as any
corresponding security or convenience issues that could arise from them. Based upon these
observations, the author was able to make their own assumptions concerned with which Online
Banking authentication systems could be the most secure and which could be the most
convenient for users. Relevant data gathered from the public questionnaire can then be analysed
and compared against these assumptions.
The main limitation which arose during data collection derives from the fact that the author
had initially planned to analyse the authentication systems of 10 Online Banking websites.
However, issues with postal deliveries and/or bank account applications caused the author to
be missing the necessary credentials for setting up Online Banking services for 3 bank
accounts.

40. UP653689 | PJS40
Page | 40
The notes of observations (ie. the qualitative data) that the author made about the logging in
process of each of the 7 Online Banking websites are shown in the table below in Figure 8.
Natwest
(Current
Account)
 Firstly need unique customer number which is the users DOB
(6characters) followed by 4 numbers which are assigned to each user
by the bank
 User then needs to enter different digits of a PIN which they set up
themselves (ie. 2nd
digit, 4th
, digit, 1st
digit).
 User then needs to enter different characters of a password which they
set up themselves (ie. 1st
letter, 6th
letter, 2nd
letter)
Natwest
(Credit
Card)
 Exactly the same as above except instead of a customer number, a
username is used instead which the user set up initially themselves
Nationwide
(Online-
only
Savings
Account)
 user must first enter a 10 digit user ID which was assigned to them by
letter by the bank when the account was opened up.
 user must also enter in their full password which they set up themselves
when setting up online banking.
 user must then enter 3 characters from the answer to 1 of: a
“memorable place”, “memorable date” or “memorable name”. User
set up these answers when setting up the online banking
Tesco
(Personal
Loan
Account)
 Firstly user must enter in their username which they set up themselves
initially when setting up online banking
 A user defined phrase and image is then displayed to prove to the user
that you are logging into the correct account
 Then need to enter 2 different digits of a 6 digit PIN code
 If the user is logging in on an unknown PC then a 1 time activation
code is sent to the user’s mobile number that is on the account
 User must then enter their full password which they assigned
themselves
Barclays
(Current
Account)
 Offers different options to the user for how they wish to log in.
 Must enter their surname first.
 User can then choose to identify themselves using a unique 12 digit
membership code which was assigned to them by the bank, the number
of the account’s debit card, or the sort code and the account number
itself.
 User must then enter a 5 digit PIN number which again was assigned
to them by the bank.
 They must then enter 2 characters of a password that they defined
themselves
 Alternatively, the user has the option to log in using a pin generating
device which they have been provided with by the bank called
PINsentry which generates a different PIN each time their debit card is
entered into it

41. UP653689 | PJS40
Page | 41
Santander
(Current
Account)
 requires a unique 10 digit user ID which is assigned by the bank each
time that a user wants to log in
 in order to assure the user that they are logging into an account on the
real santander website, a phrase and image is displayed which the user
initially sets up when setting up online banking
 the user must enter 3 different characters from a user assigned
password and then must enter 3 different digits from a user assigned
security number
First
Direct
(Online
Only
Current
Account)
 firstly there are three options that the user can choose for logging into
online banking when they’re setting up their account. they can choose
“digital secure key” which is part of firstdirect’s secure mobile
banking app. they can choose “secure key” which is a small credit
card sized device that generates a secure key when the user wants to
log in. lastly the user can choose to have neither of these secure key
services and therefore not be able to perform as many online banking
tasks (ie. set up new payments, update personal details etc).
 when logging on user must first enter their username which was set up
themselves
 user must then enter 3 characters from the password that they set up
themselves and then one of their security questions
Figure 8 - Notes of Observations made for analysis of UK Online Banking sites
4.1.2 – Data Analysis
Key Findings:
All of the seven Online Banking accounts observed implement the Single-Factor authentication
mechanism as the default or only way of logging in, whereby the only factors that are used for
authenticating users are a range of “knowledge based” factors including: customer numbers,
usernames, user ID’s, passwords, PIN’s and answers to secret personal questions. This is an
interesting finding as secondary research highlighted that the Single-Factor authentication
mechanism is the least secure and is most vulnerable to unauthorised access using techniques
such as password cracking or social engineering.
Only three out of the seven Online Banking accounts observed implement some form of
additional security using the Two-Factor Authentication mechanism with a possession based
authentication factor. Tesco implement this by requiring a one-time password/code that is sent
to the user’s mobile phone, but only if the user is logging in from an “unknown” PC. Barclays
implement this as an optional security feature for its users by means of a PIN generating device
called PINsentry. FirstDirect also implement this as an optional security feature for its users
using either a PIN generating device or a one-time password/code technique using their own
secure mobile app.

42. UP653689 | PJS40
Page | 42
Four out of the seven Online Banking websites implemented a username/user ID knowledge
authentication factor which is assigned to each user directly by the bank, rather than allowing
users to set this knowledge factor themselves. Although banks are likely to assign
usernames/user ID’s to users themselves with the intention of improving security, it does in
fact spur on further security risks caused by user’s behaviour. As outlined in the secondary
research, a vulnerability concerned with the use of knowledge based factors is that users
occasionally find them difficult to remember and so opt to make notes of them on paper or on
their mobile phones for example. Therefore usernames/user ID’s assigned by banks are likely
to be harder to remember for users than if they were assigned by the users themselves,
consequently meaning they are more likely to make insecure notes of them.
Two out of the seven Online Banking websites (Tesco & Santander) allow the user to upload
an image and enter a phrase when initially setting up the Online Banking account. These
specific images and phrases are then displayed to the user when they are logging in so that they
are assured that they are entering their log in credentials to their genuine Online Banking
website. Secondary research identified that man-in-the-middle and phishing attacks can occur
by using fake versions of Online Banking websites to gather user’s log in details. Therefore
this recognisable image and/or phrase technique can alleviate the risk of these attacks as bogus
websites will not be capable of displaying them back to the user and hence users will be more
aware they’re not on their genuine Online Banking website. Although this is a good security
feature, it is quite interesting that only two out of the seven Online Banking sites have
implemented it.
Conclusion:
Based on all of the observations and findings, the author is of the opinion that the Online
Banking website which demonstrates the highest level of authentication security is Tesco. This
is because:
 Users are less likely to make insecure notes of credentials such as their username/user
ID as they’re defined by themselves and so should be more memorable for them.
 A user defined image and phrase is displayed to users when they log in which assures
them they are providing their log in credentials to the genuine Tesco Banking
website, thus reducing the risk of man-in-the-middle and phishing attacks.
 If the authentication system recognises that a user is logging in from an unknown PC
then an added layer of security is added through the use of a one-time password/code

43. UP653689 | PJS40
Page | 43
(a possession factor), resulting in the authentication system becoming the two-factor
mechanism.
Based on all of the observations and findings, the author is of the opinion that the Online
Banking website which demonstrates the highest level of authentication convenience to its
users is the Natwest credit-card account. However, the author found this hard to decide as all
of the Online Banking websites implemented their authentication systems using similar types
and amounts of knowledge based questions. The Natwest credit card account marginally
demonstrates the highest level of convenience because:
 The authentication process is quick for the user to complete as only three knowledge
based questions are required.
 All three knowledge based questions (username, password and PIN) have
corresponding user defined answers meaning that the authentication process will be
relatively simple for users and harder for them to forget answers.
The author was unable to make assumptions regarding which Online Banking authentication
systems were the least secure or least convenient. The author believed that this was because
the remaining 6 authentication systems were very similarly designed and so it was difficult to
distinguish any which demonstrated particularly weak security or convenience levels.
However, based upon secondary research, the author adds that the four authentication systems
which do not provide any functionality or option of two-factor authentication at all (Natwest
current account, Natwest credit-card, Nationwide, Santander), to be considerably less secure
than the ones which do provide it in some way (Tesco, Barclays, FirstDirect).
4.2 – Public Questionnaire
4.2.1 – Data Collection
The data collection process proved to be successful with a total of 114 participants completing
the questionnaire. The main reason how this reasonably large sample of participants was
gathered in a short three week period is because of the choice of distribution methods used.
The mass email sent to University of Portsmouth students gathered the majority of participants
whilst the use of Facebook was responsible for collecting a large proportion of the total
respondents as well.

44. UP653689 | PJS40
Page | 44
However, a limitation did arise because of the use of these methods. They were both
accountable for gathering most of their data from respondents aged 18-23, thus causing the
majority of the overall results to be from respondents of the same age. This was an assumption
of the author, as the 18-23 age bracket is the one which they themselves fall into, and so the
social media distribution methods used were always likely to reach respondents of a similar
age. The author’s assumption that the mass email sent to University of Portsmouth students
would mostly reach those in the 18-23 age bracket as well, was proven to be accurate during
data collection. Additionally, as this mass email distribution method was responsible for
gathering the most amount of responses compared to the others, it caused the majority of the
overall results to be from students. The author was aware beforehand that this would be the
case but felt that the method’s advantage of gathering a large amount of data from a large
sample of participants, outweighed its disadvantage that it would be coming from respondents
of a particular occupation.
The fact that so many respondents came from one age group (18-23) and one occupation
(Full/Part Time Student) brings the possibility that the various results to the questionnaire could
be biased towards them. Therefore, throughout the data analysis, the age groups and
occupations of respondents will be compared with the answers to different questions to try to
determine whether age brackets or occupations play any factor in the type of answers
respondents provided. Consequently, determining whether results could be biased or not.

45. UP653689 | PJS40
Page | 45
4.2.2 – Data Analysis
4.2.2.1 – Demographics
Figure 9 - Pie chart showing gender split of total respondents
Figure 9 above illustrates that the split between male and female respondents is reasonably
close to being “50/50” and being equal. A total of 64 males answered the questionnaire
compared to a total of 50 females - 56% and 44% of total respondents respectively. As this
gender split is close to being equal the author can assume that the results of other questions are
not biased towards either gender.
56%
44%
What is your gender?
Male Female

46. UP653689 | PJS40
Page | 46
Figure 10 - Pie chart showing total amount of respondents from each age bracket
As mentioned in section 4.2.1, the choice of distribution methods used caused there to be a
large proportion of respondents from the 18-23 age bracket. Figure 10 above demonstrates this
graphically and proves that the age demographic is not balanced, with a total of 67 participants
(58.8% of total) coming from the 18-23 age bracket. The next largest age bracket demographics
were 24-30 with 10.5%, 31-40 with 12.3% and 41-50 with 10.5%. These age groups will be
compared with the answers to other questions to try to determine whether age has any effect
on the way in which participants answered.
18-23
58.8%
24-30
10.5%
31-40
12.3%
41-50
10.5%
51-60
3.5%
61-74
3.5%
75+
0.9%
Which age bracket do you fall into?
18-23 24-30 31-40 41-50 51-60 61-74 75+

47. UP653689 | PJS40
Page | 47
Figure 11 - Bar chart showing number of respondent's occupational statuses
Again, as mentioned within section 4.2.1, the University mass email distribution method
caused the majority of respondents to be students. Figure 11 demonstrates this using a bar chart
which shows that 60 respondents (52.6%) are a full/part time student. The next largest
occupation demographic with 39 respondents (34.2%) is those who are full/part time employed.
As the other occupation options only contained very small numbers of respondents, comparing
the answers they provided with the ones that students and employed people provided would
prove to be difficult. Therefore, answers of the two largest demographics (students and
employed people) will be compared instead, to try to determine whether occupations have an
effect on the answers which respondents provided.
60
3 3
5
39
4
0
10
20
30
40
50
60
70
FullTimeStudent
Unemployed/LookingforWork
Retired
Lookingafterfamily/home
Employedfull/parttime
Other
No.ofRespondents What is your main occupational status?

48. UP653689 | PJS40
Page | 48
Figure 12 - Pie chart showing the amount of respondents who do and do not use Online Banking
Figure 13 - Bar chart showing the percentage of Users and Non-Users compared by gender
As it can be seen in Figure 12 above, the vast majority of respondents are Online Banking users
with 97 out of 114 (85.1%) saying that they do use the facility and only 17 respondents (14.9%)
saying that they do not. It was an assumption by the author that this would be the case.
However, the author found it interesting to find that the use of Online Banking between
respondents appeared to be influenced by gender, as shown in Figure 13 above. 20% of female
97
17
Do you use Online Banking?
Yes No
92.18%
7.81%
80%
20%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Yes No
%ofRespondents
Percentage of People Who Do and Do Not Use Online
Banking - Compared by Gender
Male Female

49. UP653689 | PJS40
Page | 49
respondents did not use Online Banking compared to only 7.81% of male respondents not using
it.
It proved difficult for the author to compare the Online Banking users and non-users by age as
the majority of each were from the 18-23 age category. This is the case because the majority
of survey respondents were also from this age category. The statistics showing a comparison
of age brackets between users and non-users has therefore not been disclosed as the author
considers them to be an inaccurate representation of all.

50. UP653689 | PJS40
Page | 50
4.2.2.2 – Non-Users of Online Banking
Figure 14 - Bar chart showing the single most important reason respondents don't use Online Banking
The 17 respondents who did not use Online Banking websites were asked to provide the main
reason which is preventing them. Figure 14 above illustrates the amount of respondents who
picked each reason. The reason which was picked by the most amount of non-users (5) was
“Online Banking Websites are too Complex to Log Into” and the reason which was picked the
second most (4) was “The Process of Logging In is too Time Consuming”. These reasons are
particularly interesting as they both relate back to the convenience levels of Online Banking
authentication systems. They suggest that a dissatisfaction with the complexity and length of
0
1
2
3
4
5
6
NotaRegularInternetUser
NoNeedtouseOnlineBanking
OnlineBankingWebsitesaretooComplextoLog
Into
OnlineBankingWebsitesaretooComplextoUse
(BeyondLoggingIn)
ConcernsOverSecurityorFeelthatLevelsof
SecurityareInadequate
TheProcessofLoggingInistooTimeConsuming
EachTime
NotSatisfiedwiththeAmountand/orTypeof
FacilitiesthatOnlineBankingSitesOffer
BadExperiencesWhenUsingOnlineBanking
WebsitesBefore
Other
No.ofRespondents
What is the single most important reason for you not using
Online Banking websites?

51. UP653689 | PJS40
Page | 51
log in systems is the main reason preventing people using Online Banking. This could prove
to justify there to be a need to improve convenience levels using alternative authentication
methods such as biometrics. In order to make these suggestions more reliable, the author
believes that it would be very worthwhile to ask the same question to a larger sample of non-
users.
Figure 15 - Bar chart showing previous Online Banking User's level of satisfaction with Security and Convenience
5 out of the 17 non-users had used Online Banking websites before and the graph in Figure 15
above illustrates their level of satisfaction with the security and convenience levels that they
experienced. 2 of these respondents scored their satisfaction with the security they experienced
during the logging in process very highly with a 5/5. Additionally, 2 respondents scored their
satisfaction with the convenience they experienced during the login process lowly with a 2/5.
This is an interesting finding as it strengthens the suggestions made by the previous question
0
1
2
1 2 3 4 5
No.ofRespondents
< Not at all Satisfied.
Completely Satisfied >
If you have used Online Banking websites before-
How satisfied were you with the level of security that was
implemented during the logging in process?
How satisfied were you with the level of convenience and
ease of use that was implemented during the logg
Security Convenience and Ease of Use