From next month, banks will ramp up security for Hong Kong's 2.7 million online banking clients, Hong Kong Monetary Authority (HKMA) officials said.

William Ryback, deputy chief executive of the Authority, said Monday a process begun last year to thwart online ``phishing'' attacks that steal banking customers' online data has been completed, and the service will be introduced to ``high-risk'' clients.

From next month, all banks will require the use of ``two-factor authentication'' in order to guard third-party transfers from online snoops.

``Two-factor authentication'' is a process by which secondary information - usually an encrypted code - is transmitted to the customer or to the bank via an exterior device.

The move was made to keep the SAR in line with international standards on Internet security, banking supervision head, Li Shu-pui, said.

Security analysts have criticized banks for allowing their customers to fall prey to ``phishing'' - a process in which online spammers send out millions of emails to fake banking Web sites.

Last year, ``phishing'' attacks hit Hong Kong bank customers hard. The HKMA, which keeps tracks of such attacks, refuses to say how many bogus sites exist as they involve individual banks.

But, since June, 2003, police have received reports of at least 38 fraudulent financial and banking Web sites in operation.

Eleven members of a syndicate were arrested in October last year after they allegedly stole HK$660,000 from 12 HSBC customers. Police said it was the first successful fleecing of online bank customers in the territory.

In a ``phishing'' scam, an unwary customer signs on to a fraudulent link in a spam email. In so doing, the customer inadvertently reveals secured information to the fraudster, who can then use it to strip personal data from the customer or withdraw money from his or her online bank accounts.

The authentication will take three forms, but it will be up to the banks to decide which one to use and what choices will be available to their customers, said Li.

Two of the three forms utilize codes sent through SMS text messages, and a one-time code sent through a hand-held digital code unit that some banks, including HSBC, will give to their customers. According to the HSBC Web site, the device will be given to customers in stages.

The third involves using a Hong Kong smart identity card reader, which reads a one-time digital certificate during a transaction.

Hong Kong Association of Banks chairman He Guangbei said the moves will certainly lead to new charges, though he could not reveal how much or who will bear the costs.

``Different methods lead to different charges - some are one-off and some are ongoing,'' he said.

The charges should be acceptable to banks and will ``probably not be unreasonable,'' he added.

Bank of China will use digital certificates with the smart identity card and the SMS one-time passwords, according to deputy head of corporate communications, Angel Yip. ``All of these are free of charge. We will have the launch very soon,'' she said.

Hong Kong will be the third place in the world to use ``two-factor authentication'' for online banking transactions, after Germany and Singapore.

douglas.crets@singtaonewscorp.com