Bugwatch: The future of phishing

New tactics are needed in the fight against ever-evolving phishing scams

Written by Dr Jonathan Tuliani

This week Dr Jonathan Tuliani, UK technical manager for Cryptomathic, suggests the adoption of SMS-based security measures to counter 'man-in-the-middle' phishing attacks.

In recent months, gangs have started launching large-scale, carefully planned online attacks against high street banks and other services, both in the UK and overseas.


These phishing attacks begin with an email leading the recipient to a convincing web page, at which point they are tricked into entering their username and password.

Once obtained, these details are used by the attacker to log in to the user's account and drain it of funds.

In an ideal world the user would realise that the web page is bogus - that is precisely what Secure Sockets Layer (SSL) and Transport Layer Security (TLS), with the server certificate checks behind them, are supposed to provide.

Unfortunately, a combination of browser flaws, DNS attacks, lack of control over which root certificates a browser trusts and the need to make systems user-friendly means that, for most users, detecting a fraudulent web page is almost impossible.

Moreover, the economics of spam requires that only a very small percentage of users need to fall for the scam for it to be worthwhile.

The current industry trend to counter this threat is the introduction of stronger user authentication.

But the history of security teaches us that it would be wrong to assume that the introduction of two-factor authentication will be the end of the story. Faced with additional security measures, we must assume that the attacks will evolve, and that more advanced exploits will emerge.

My belief is that the next few years will see the emergence of internet man-in-the-middle attacks.

In this type of attack the attacker no longer simply harvests credentials for later use: while the user is talking to the attacker's site, the attacker is relaying the session to the real bank in real time.

Two-factor - or even 10-factor - authentication is of no help, since the attacker does not interfere with the log-in process at all; he simply passes the user's password and one-time code straight through to the bank. Both the user and the bank are unaware of the presence of the attacker, and believe they have a secure connection directly from one to the other.

Once established, the man-in-the-middle has complete control. He can modify instructions, such as transferring funds to a different account to that specified by the user, for example.

Most simply, he can cut off the user and submit whatever instructions he desires directly to the bank.

To combat this threat, it is necessary to move away from session-based security (based on a secure log-in), to message-based security (based on explicit authentication of individual transactions).

Stronger log-in authentication offers a very useful interim defence against current attacks, but in the longer term an alternative approach will be required.

Some companies are already considering allowing the transaction details themselves (payee and amount) to be entered into the card reader, so that the code it produces authenticates that specific transaction explicitly. This is similar to proprietary token-based schemes already offered by several vendors.

But this requires additional effort from the user (including great scope for user error) and offers very little future flexibility, as the tokens, once issued, cannot be changed.

Several vendors already offer the option of one-time-password distribution via short message service (SMS) as a cost-effective alternative to password-generating tokens.

Although SMS is neither authenticated nor encrypted end-to-end, it is in practice infeasible for an attacker to compromise both the SSL/TLS channel and the SMS channel to a particular user simultaneously. This independent channel also offers a way around the man-in-the-middle, provided the message carries the details of the transaction the bank has actually received, so that the user can see what is about to be executed before releasing the code.
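The following simulation, added here as an illustration and not code from the article or from Cryptomathic, contrasts the two models described above: a session-based bank that executes whatever instruction arrives on an authenticated session, and a transaction-based bank that holds each transfer pending until the user returns a one-time code delivered by SMS together with the payee and amount the bank actually saw. The bank, SMS gateway, user behaviour and the transfers themselves are all constructed stand-ins (assumptions), and the example goes slightly beyond the text by also making the code single-use and comparing it in constant time, which any real deployment would need.

```python
"""Session-based vs transaction-bound (out-of-band SMS) authorisation, simulated.

Added example; not the article's or Cryptomathic's code. Bank, SMS gateway and
user behaviour are simplified stand-ins (assumptions).
"""
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    payee_account: str   # destination account number
    amount_pence: int    # integer pence, avoids float rounding


class SmsGateway:
    """Stand-in for the mobile network: records what the bank sent to the phone."""
    def __init__(self) -> None:
        self.inbox: List[str] = []

    def send(self, text: str) -> None:
        self.inbox.append(text)


class SessionBank:
    """Session-based security: once logged in, every instruction on the session is
    executed as received. A man-in-the-middle on the session can rewrite the payee
    and the bank has no way to tell."""
    def __init__(self) -> None:
        self.ledger: List[Transfer] = []

    def submit(self, t: Transfer) -> bool:
        self.ledger.append(t)
        return True


SMS_TEMPLATE = "Confirm transfer of GBP {pounds}.{pence:02d} to account {payee}. Code {code}"
SMS_PATTERN = re.compile(r"GBP (\d+)\.(\d{2}) to account (\d+)\. Code (\d{6})")


class TransactionBank:
    """Message-based security: a transfer stays pending until confirmed with a code
    that (a) goes over a second channel, (b) is delivered next to the payee and
    amount the bank actually received, and (c) is accepted exactly once."""
    def __init__(self, sms: SmsGateway) -> None:
        self.sms = sms
        self.pending: Dict[str, Tuple[Transfer, str]] = {}
        self.ledger: List[Transfer] = []

    def submit(self, t: Transfer) -> str:
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(1_000_000):06d}"   # 6-digit code from a CSPRNG
        self.pending[txn_id] = (t, code)
        # The SMS repeats what the BANK saw, not what the user typed into the browser.
        self.sms.send(SMS_TEMPLATE.format(pounds=t.amount_pence // 100,
                                          pence=t.amount_pence % 100,
                                          payee=t.payee_account, code=code))
        return txn_id   # only the transaction id goes back over the web session

    def confirm(self, txn_id: str, code: str) -> bool:
        entry = self.pending.pop(txn_id, None)   # pop: one attempt, then the code is dead
        if entry is None:
            return False
        t, expected = entry
        if not hmac.compare_digest(expected, code):   # constant-time comparison
            return False
        self.ledger.append(t)
        return True


def user_reads_sms(intended: Transfer, sms_text: str) -> Optional[str]:
    """The user compares the SMS with what they meant to send and only types the
    code back if payee and amount match. Returns the code, or None to refuse."""
    m = SMS_PATTERN.search(sms_text)
    if m is None:
        return None
    pounds, pence, payee, code = m.groups()
    shown = Transfer(payee, int(pounds) * 100 + int(pence))
    return code if shown == intended else None


# Constructed sample transfers: what the user wants, and what a MitM substitutes.
INTENDED = Transfer("11112222", 25_000)    # GBP 250.00 to the user's chosen payee
ATTACKER = Transfer("99998888", 500_000)   # GBP 5000.00 to the attacker's mule account


def run_scenario(mitm_rewrites: bool) -> Tuple[List[Transfer], List[Transfer]]:
    """Push one transfer through both banks, optionally rewritten in flight by a
    man-in-the-middle. Returns (session-bank ledger, transaction-bank ledger)."""
    on_the_wire = ATTACKER if mitm_rewrites else INTENDED

    session_bank = SessionBank()
    session_bank.submit(on_the_wire)                  # executes whatever arrived

    sms = SmsGateway()
    txn_bank = TransactionBank(sms)
    txn_id = txn_bank.submit(on_the_wire)
    code = user_reads_sms(INTENDED, sms.inbox[-1])    # user checks the phone, not the browser
    if code is not None:
        txn_bank.confirm(txn_id, code)
    return session_bank.ledger, txn_bank.ledger


if __name__ == "__main__":
    print("no attack :", run_scenario(False))
    print("MitM      :", run_scenario(True))
```

In the attack run the session-based bank executes the attacker's transfer, while the transaction-based bank executes nothing: the user sees "GBP 5000.00 to account 99998888" on the phone, which is not what they typed, and withholds the code. The attacker, who controls only the web session, never sees the SMS and cannot complete the transfer he substituted. Note that the defence depends entirely on the SMS showing the transaction details; a bare code with no payee or amount would be relayed by the user just as readily as a log-in OTP.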

Adoption of SMS-based security measures must be carefully managed, particularly the procedures used for registering and maintaining records of users' mobile phone numbers.

The benefits, however, are great: there is no other cost-effective system offering defence against phishing, man-in-the-middle and Trojan attacks while maintaining a simple and intuitive user experience.
