SMS banking vulnerable
EVEN with security methods such as one-time passwords, SMS internet banking could be vulnerable to attacks, according to research.
One in five online transactions were vulnerable to attack despite the adoption of SMS passwords, the study by Queensland University of Technology researcher Mohammed AlZomai shows.
Mr AlZomai, from the university's Information Security Institute, said the threat was due more to human error than a technical security problem.
"The online transactions that use the SMS authentication scheme are vulnerable due to human errors," he said.
Several banks offered online banking customers an SMS password system as an extra security measure, Mr AlZomai said.
A typical method was sending a one-time password by SMS to the customer's mobile phone for each transaction. The customer must then manually copy the password from their phone to confirm the transaction.
The study finds that customers failed to notice when the bank account number in the SMS message was not the same as the intended account number. If this occurred, it was a clear sign hackers had infiltrated the system, Mr AlZomai said.
For its research the university developed a simulated online bank and used more than 90 participants to undertake more than 700 financial transactions using an SMS authorisation code.
Two types of attacks were simulated - an obvious attack that involved altering five or more digits in the account number, and a stealth attack altering only one digit.
The study shows 21 per cent of obvious attacks were successful, and 61 per cent of stealth attacks succeeded.
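As an added illustration (not part of the article or of the QUT study), the following Python model shows the authorisation flow described above: the bank binds the one-time code to the transaction it actually received, the SMS echoes that transaction, and the customer's comparison of the account number is the only step that can catch a tampered transfer. Account numbers, amounts, the HMAC-based code derivation and the digit-count thresholds for "obvious" and "stealth" alterations are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed bank-side secret for this example only; a real system would use an HSM-held key.
BANK_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Transaction:
    src_account: str
    dst_account: str
    amount_cents: int


def transaction_otp(tx: Transaction, nonce: str) -> str:
    """One-time code bound to the transaction the bank holds (HMAC over its fields)."""
    msg = f"{tx.src_account}|{tx.dst_account}|{tx.amount_cents}|{nonce}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def sms_text(tx: Transaction, otp: str) -> str:
    """What the customer sees: the bank's view of the transfer plus the code."""
    return f"Confirm transfer of ${tx.amount_cents / 100:.2f} to account {tx.dst_account}. Code: {otp}"


def differing_digits(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def classify_attack(intended_dst: str, received_dst: str) -> str:
    """Label an alteration with the study's two categories (thresholds assumed)."""
    n = differing_digits(intended_dst, received_dst)
    if n == 0:
        return "none"
    if n == 1:
        return "stealth"   # one digit changed
    return "obvious" if n >= 5 else "unclassified"


def authorise(intended: Transaction, received: Transaction, user_checks_account: bool):
    """Simulate one round: bank sends SMS for `received`; customer copies code back."""
    nonce = secrets.token_hex(8)
    otp = transaction_otp(received, nonce)
    sms = sms_text(received, otp)
    # The customer's comparison is the only control that can catch a tampered account.
    if user_checks_account and intended.dst_account not in sms:
        return False, "customer rejected: account in SMS differs from intended"
    # The server check always passes: the code matches the transaction the bank holds.
    ok = hmac.compare_digest(otp, transaction_otp(received, nonce))
    return ok, "transfer executed" if ok else "code mismatch"
```

With `user_checks_account=False` a stealth alteration is executed even though every cryptographic check succeeds, which is the failure mode the study measured.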
Mr AlZomai said banks and service providers must improve usability, not just the technical aspects of security.
The study showed many users were unable to identify an attack.
This was a strong indication that the SMS transaction authorisation method was vulnerable, Mr AlZomai said.
There was no evidence to suggest SMS password systems had been attacked as yet, he said.
"We don't know if it is happening in real life," Mr AlZomai said. "But we expect it to happen in the future if the usability is not enhanced."
Mr AlZomai, a PhD student working on digital identity management research, intends to present his findings at the Australasian Information Security Conference in January.