Internet banking is an evolving landscape "full of potholes that need patching".
"Internet banking 1.0 involved a username and password, and possibly a secret for high-risk transactions," Leach said. "Internet banking 2.0 introduced tokens and one-time pins, and site authentication. These are all various strategies that make the customer feel more secure, but we still have man in the middle attacks. So I say go to chip implants for Internet banking 3.0! Not really."
In 2003, Singapore was one of the first governments to mandate two-factor authentication for "high risk" transactions, but from the bank's perspective using SMS means sending out a lot of messages for no revenue and people's phone numbers can be altered by social engineering techniques anyway.
Likewise, just because a card has a chip on it doesn't mean it can't be cloned, but it makes it more difficult for the fraudsters.
It's online, or "virtual" transactions where there is a huge amount of potential for fraud.
"If fraudsters can steal your info they can get your money, but with two-factor authentication they have to be more savvy," Leach said.
"On top of that we have fraudsters out there with their own risk management. What's the cost between sending out phishing e-mails compared with breaking a chip card?"
When terminal line encryption was introduced in Malaysia, fraud dramatically decreased but moved over to neighbouring Thailand indicating fraudsters do change and adapt and will find ways around more secure systems.
Standard Chartered has now implemented two-factor authentication in five countries with plans to extend it to 20.
Of the two-factor authentication methods - including tokens, display and "bingo" cards, SMS, and IVR call back - Standard Chartered is deploying them in various ways in different countries.
"We're re-examining the problem. A verifiable identity is a problem and two-factor authentication doesn't solve everything as it's a point solution," Leach said. "And the solution should have the ability to adapt to fraud."