Fraud increased by nearly 300 per cent in the UK last year, costing public
and private sector organisations more than £900m, according to consultant KPMG.
With more than half of this figure (£468m) stolen from organisations by
their own employees, identity management and authentication are becoming ever
more critical for both consumers and businesses.
Computing spoke to Art Coviello, president and chief executive of
RSA Security, which has been tackling security threats for the past 20 years.
Q. Are criminals becoming more sophisticated in how they try to
defraud internet users and banks?
A. Phishing is still the primary way of doing fraud online,
but as technology improves we are more likely to see incidents of spyware
attacks, key-stroke logging and new types of trojan software.
Recently we have seen the invention of the hijack trojan. It waits for you to
log on so you have identified yourself, and then it takes over your banking
session and makes financial transactions from your account.
Banks tell us the level of fraud is becoming a significant problem. If they
are not already doing something, then they will soon, out of their own self
interest and because of the scale of the fraud. It is a real problem that is
only likely to get worse.
Q. Where are these internet criminals primarily operating?
A. When I go to Europe they say most of the attacks come
from the US. But in the US they say the attacks are coming from Europe or China.
The fact is that no nation or ethnic group has a monopoly on this, or at the
same time is immune to it. But there are centres of excellence, and certain
countries in Eastern Europe come to mind.
The attacks are linked to the criminal entrepreneurialism of some of these
countries, but it is a problem for all of us because the internet knows no
borders.
Q. There is a lot of focus on internet crime, but surely the threat
coming from within the organisation is just as pressing?
A. Yes. In a lot of companies most people only use a static
password or static log-on, and these can be hacked in as little as 12 seconds to
12 minutes.
If you look at some of the data warehouse breaches that have occurred in the
US recently, one of them was the result of an administrator leaving a password
on a Post-It note. Internal attacks can also be a little less internal than you
think. If you have a wireless network someone can do an attack from the car park
of your building.
Q. UK banks are taking different approaches to authenticating
customers online. Do you think this could be a problem?
A. It will lead to confusion. But at the same time I don’t
think one technology should or could dominate.
There are different people and different sizes of transaction, and different
risks that banks face. It doesn’t seem possible to have a one-size-fits-all
approach for this on the internet.
Q. There has been a lot of discussion about ecommerce sites adopting
a federated identity approach. How successful has that been?
A. The technology exists today to federate identities
online, from one domain to another.
But the problem is you cannot get the back-end agreement between the banks
and the electronic retailers to pass out the liability for the identity.
In terms of privacy, we do not do anything with the consumer information; no
one needs to worry about a Big Brother approach. All the technology does is
identify passcodes.
We are the people that invented encryption on the internet, so we believe we
can protect the information we are given.
Q. You acquired fraud detection and authentication firm Cyota last
year, bringing clients such as HBOS and Barclays. What other benefits has the
acquisition generated?
A. Cyota extends our portfolio of authentication
capabilities, including a risk-based approach to authentication for banking and
online commerce transactions.
The technology looks at behaviours, origination, IP addresses and transaction
profiles. It looks for anomalies and then we adapt it based on the type of
transaction you do. If you use a different computer with a different IP address,
or you have relatives in Latvia who you want to wire some money to, for example,
it will analyse all this and decide whether or not it is genuine. The idea is
only to bother someone if an anomaly is detected.
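The risk-based approach Coviello describes (score behaviours, origination, IP address and transaction profile, challenge the customer only on an anomaly, and adapt as the customer's pattern is learned) can be sketched in code. The example below is added for illustration and is not RSA or Cyota code; the signals, weights, thresholds, the customer profile and the transactions are all constructed assumptions, and a real engine would use far richer features.

```python
"""Toy risk-based authentication engine (added example, not RSA/Cyota code).

Scores each transaction against the customer's learned profile and only
challenges the customer when the score says something looks anomalous.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Signal weights are illustrative assumptions, not values from any product.
WEIGHTS = {
    "new_device": 30,
    "new_ip_prefix": 20,
    "foreign_login": 25,
    "amount_above_typical": 25,
    "new_payee_country": 30,
}


@dataclass
class Profile:
    """What the engine has learned about one customer from past, accepted sessions."""
    home_country: str
    typical_max_amount: float
    known_devices: set[str] = field(default_factory=set)
    known_ip_prefixes: set[str] = field(default_factory=set)
    known_payee_countries: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Transaction:
    device_id: str
    ip_prefix: str        # first two octets of the source address (constructed values)
    login_country: str
    amount: float         # in pounds
    payee_country: str


def score(profile: Profile, tx: Transaction) -> tuple[int, list[str]]:
    """Return (risk score, triggered signals) for one transaction."""
    signals = []
    if tx.device_id not in profile.known_devices:
        signals.append("new_device")
    if tx.ip_prefix not in profile.known_ip_prefixes:
        signals.append("new_ip_prefix")
    if tx.login_country != profile.home_country:
        signals.append("foreign_login")
    if tx.amount > profile.typical_max_amount:
        signals.append("amount_above_typical")
    if tx.payee_country not in profile.known_payee_countries:
        signals.append("new_payee_country")
    return sum(WEIGHTS[s] for s in signals), signals


def decide(profile: Profile, tx: Transaction) -> str:
    """Return 'allow', 'step_up' (ask for a second factor) or 'block'.

    The bar adapts to the transaction type: a large transfer tolerates less
    risk than a small one before the customer is challenged (thresholds assumed).
    """
    risk, _ = score(profile, tx)
    challenge_at = 40 if tx.amount >= 1000 else 60
    if risk >= challenge_at + 40:
        return "block"
    if risk >= challenge_at:
        return "step_up"
    return "allow"


def learn(profile: Profile, tx: Transaction) -> None:
    """After a successful step-up, remember the context so the customer is not asked again."""
    profile.known_devices.add(tx.device_id)
    profile.known_ip_prefixes.add(tx.ip_prefix)
    profile.known_payee_countries.add(tx.payee_country)


def demo() -> list[str]:
    """Run three constructed transactions through the engine and return the decisions."""
    alice = Profile(home_country="GB", typical_max_amount=500.0,
                    known_devices={"laptop-1"}, known_ip_prefixes={"86.23"},
                    known_payee_countries={"GB"})
    # 1: routine payment from the usual laptop on the usual network: nothing unusual.
    routine = Transaction("laptop-1", "86.23", "GB", 120.0, "GB")
    # 2: the interview's case: wiring money to relatives in Latvia, here from a new phone.
    latvia = Transaction("phone-2", "86.23", "GB", 300.0, "LV")
    # 3: looks like a hijacked session: unknown device and network, abroad, large sum.
    hijack = Transaction("unknown-9", "203.0", "RU", 4500.0, "RU")
    decisions = [decide(alice, routine), decide(alice, latvia), decide(alice, hijack)]
    # The customer passed the step-up for the Latvia transfer, so the profile adapts.
    learn(alice, latvia)
    decisions.append(decide(alice, latvia))  # the same transfer is no longer challenged
    return decisions


if __name__ == "__main__":
    print(demo())
```

The point of the `learn` step is the one Coviello makes: a genuine but unusual transaction should cost the customer a single challenge, after which the engine treats that device and payee as part of the customer's normal profile rather than bothering them every time.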