IT experts warned today that, contrary to popular belief, two-factor authentication is not secure enough to curb internet banking fraud.

"Two-factor is good, but hackers are responding," Graham Cluley, senior technology consultant at Sophos, told vnunet.com.

"The latest generation of spyware not only includes key-loggers that trap passwords, but screen-grabbing software. This takes multiple images of what the user is doing and sends it straight to the hacker."

Cluley is not the only expert to warn of the danger of putting too much faith in two-factor technology, which combines conventional passwords with portable electronic tokens that generate a unique code in synchronisation with a central security server.

Bruce Schneier, chief technical officer at Counterpane, has also raised doubts about the technology's ability to cope with man-in-the-middle and pharming attacks. 

Nevertheless, the banking industry looks set to implement two-factor authentication after talks with the police and vendors. 

Patrick Runald, senior antivirus consultant at F-Secure, said: "Where I'm from in Sweden two-factor works very well. The banks can sell themselves on security and it reassures customers."

The warnings follow announcements from Microsoft and BT that they are planning to adopt two-factor authentication to enhance security.

The system still uses passwords, but adds a second layer of security with a physical token that synchronises with a remote server to prove the user's identity.