Banking on trust

Financial institutions need to go the extra mile to win customer trust, writes Laurika Bretherton.

Written by Laurika Bretherton

Banks find themselves in an awkward position right now. Technology has created exciting opportunities for innovative customer services, but rolling these out effectively requires the trust of their customers.

The media focus on the recent spate of spoofed banking sites has dented consumer confidence severely. And although banks can generally ensure that their own security is tight, their customers' machines may be wide open.

Experts suggest that attackers have been successful so far because of most internet users' naivety, even though these attacks have been highly publicised.

"Over the past year it has become clear that organised crime has woken up to the moneymaking possibilities of the electronic world and is making up for lost time," explained Cap Gemini Ernst & Young security specialist Jon Colombo.

The problem for firms in the financial services sector is that this totally changes the threat landscape in which they operate.

"Previously, with the possible exception of extreme groups, threats were primarily down to individuals and small groups, usually without the necessary skill to really capitalise on opportunities," said Colombo.

"The result was short-term opportunist crimes, which generally could not be considered as a threat to the business.

"Nowadays, there are well-funded international groups with the contacts to deal with the complexities of money laundering, and which can afford to take a long-term approach. This increases the intensity and breadth of the threat."

Colombo added that the sophistication and variety of ploys are likely to increase dramatically, and that the one thing they seem to have in common is that they undermine public trust in online business models.

"Certainly the first area to improve on the banks' side would be user awareness," said Phil Robinson, managing consultant at internet security specialist IRM.

"Information sent to clients should include education on how to secure home machines, as well as the potential risks of not doing so.

"Recommending the use of personal firewall features of new operating systems, such as Windows XP, or other downloadable products would be a step in the right direction."

Which is where the National Hi-Tech Crime Unit (NHTCU) comes in. The agency is confident that it is beginning to make a difference in this challenging environment as the UK's first national law enforcement organisation to combat computer-based crime.

The NHTCU has been working on sending out the right message to consumers to boost trust in web banking.

It has focused on getting users to regularly update antivirus software, and reminding them that banks will never ask for a Pin, password or any other memorable data via email.

"We know this is working because we have seen a dramatic drop in phishing, for example. I believe the main reason for this is the willingness of the press and the industry to send these messages out," said NHTCU crime reduction co-ordinator John Lyons.

Phishing is the act of obtaining a customer's confidential access details either through an email request or by getting them to access a fake website.

Uneducated customers are fooled into providing their details, then discover that they have been compromised. This has the knock-on effect of making it harder for banks to regain their confidence.

Even such simple steps throw up challenges, such as the need to use email as a marketing tool. Email is a cost-effective way for banks to build on their customer base and sell new services and products, but at the same time it could leave them exposed.

"We can't tell users that they should never respond to emails from their bank asking them to click on a direct link to a web page," explained Lyons.

To deal with this, the NHTCU is liaising regularly with financial service institutions, facilitating improved communication and co-operation to work towards a standardised approach to electronic banking.

But to be effective, banks have to play a bigger role: the NHTCU does not have adequate resources to handle all the possible threats.

Another problem is that financial institutions often rush to buy new electronic products without carefully inspecting all aspects of the product's security.

Survival will depend more on getting it right than getting it first, according to Daniel Deganutti, principal director at Avanade, a joint venture between Microsoft and Accenture.

"The first-mover advantage often makes this appear to be a reasonable risk-versus-return decision. However, significant failures can quickly wipe out any gains," he said.

Paul Lawrence, general manager at security vendor Top Layer Networks, delves deeper. "It's important to note that no single product holds the answer," he warned.

"The complexity of internet threats today demands a multi-layered approach to secure networks and websites. Firewalls still have a function to perform in the network, but this kind of perimeter is insufficient."

Colombo agreed that it is hard to find a single solution, given that the underlying digital threat adapts so fast. His advice for banks involves improved authentication, better intelligence and faster incident response.

But the short answer for building and maintaining customer trust in online banking is that there's no easy route to follow.

For individual institutions, the solution won't just be about technology, but marketing and market perception.

"Although technology has its place, it is those organisations that show a commitment to customers beyond the call of duty that will win customers' hearts," said Colombo.

He believes the answer lies in working with each other and law enforcement, finding the resources to counter the threat, disrupting organised attackers and learning to operate in a changed, more aggressive environment.

CASE STUDY: Lloyds TSB

Keystroke logging software can present a security threat that banks would rather avoid. Every time a user presses a key, a hacker can use the software to record what is typed, putting the user's private information at risk.

Lloyds TSB decided to tackle the problem last year as a pre-emptive measure to protect itself and its customers from a serious attack.

"The problem with keystroke loggers is that through the increased use of broadband, attackers can collect countless users' access details and then strike all at once. It is a systemic attack that hits the industry indiscriminately," said Jason Bacon, head of strategic development for internet channel at Lloyds TSB.

The bank came up with a simple but effective solution using something with which even the most uneducated user is familiar: a drop-down menu.

After a customer logs on to the site and fills in access details, a menu appears asking for a random set of numbers or letters from memorable data. The customer then uses the mouse to click on the characters in the box.

"They never use the keyboard and the keystroke logger is eliminated. An added advantage of randomly requesting numbers is reducing the risk of people peering over your shoulder and stealing your code," explained Bacon.

Lloyds TSB looked at another option whereby a keyboard rather than a drop-down menu would appear on the screen. The user would then click on the characters with the mouse. After tests the bank found that users often make mistakes, clicking on the wrong characters.

Because of evidence suggesting that sites which announce new security measures come under increased attacks, the service was launched to Lloyds TSB customers without notification.

Although the bank cannot provide any figures, Bacon claimed that the solution has successfully prevented any increase in attacks via keystroke logging.
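
The log-in step described in the case study can be sketched on the server side as follows. This is an added example, not Lloyds TSB's code: the class and function names, the three characters per challenge and the rule that a challenge stays fixed until it is answered correctly are all assumptions, and `positions_seen` goes one step beyond the article to show how much an onlooker learns over several logins.

```python
import hmac
import secrets


class MemorableDataCheck:
    """Hypothetical server side of a 'select characters N, M and K' step."""

    def __init__(self, count=3, rng=None):
        self.count = count                      # characters asked per login (assumed)
        self.rng = rng or secrets.SystemRandom()
        self.pending = {}                       # session id -> 1-based positions

    def challenge(self, session_id, secret_len):
        # Reuse the pending positions so reloading the page cannot re-roll them.
        if session_id not in self.pending:
            picks = self.rng.sample(range(1, secret_len + 1), self.count)
            self.pending[session_id] = sorted(picks)
        return self.pending[session_id]

    def verify(self, session_id, memorable, picked):
        # `picked` holds one character per drop-down, chosen with the mouse,
        # so nothing from the memorable data passes through the keyboard.
        positions = self.pending.get(session_id)
        if positions is None or len(picked) != len(positions):
            return False
        if any(not isinstance(c, str) or len(c) != 1 for c in picked):
            return False
        expected = "".join(memorable[p - 1] for p in positions)
        ok = hmac.compare_digest(expected.encode(), "".join(picked).encode())
        if ok:
            del self.pending[session_id]        # next login gets fresh positions
        return ok


def positions_seen(observed_challenges):
    """Positions an onlooker has learned after watching several logins."""
    return sorted(set().union(*observed_challenges)) if observed_challenges else []


if __name__ == "__main__":
    memorable = "Marmalade7"                    # constructed sample value
    check = MemorableDataCheck()
    asked = check.challenge("session-1", len(memorable))
    answer = [memorable[p - 1] for p in asked]  # what the customer clicks
    print(asked, check.verify("session-1", memorable, answer))
    print(positions_seen([[1, 4, 7], [2, 4, 9]]))
```

Because the server must read individual characters, the memorable data cannot be stored as a one-way hash of the whole value; it has to be protected at rest by other means.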
