Banks need to upgrade their data encryption
Reports that US and UK national security agencies may have managed to crack the sophisticated computer security systems widely used to encrypt and protect online content should prompt banks to review their security practices, according to leading experts in the field.

According to reports on ProPublica, national security agencies in the UK and US have managed to access information supposedly protected by the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols of the internet. These form the "https" part of the web, which is used by banks and online retailers to protect the flow of financial information in online banking and commerce.

Most often, this uses a 128-bit encryption key uniquely created for each communication and designed so that only the sender and recipient of the information can decrypt the content.

While some local security experts say the 128-bit key can't be cracked, and Bruce Schneier, a US-based security specialist who has written cryptographic codes himself, has also cast doubt on that possibility in his blog, two local experts have suggested banks should move to a 256-bit key.

Douglas Stebila, senior lecturer in information technology at the Queensland University of Technology, said that it would not hurt the banks to upgrade to a 256-bit key, although he acknowledged there would be a processing overhead that might slow down some online activities.

Meanwhile, Marco Ostini, a security analyst with AusCERT, Australia's computer emergency response team, said banks should increase the level of encryption, as "128-bit is probably not ideal anymore."

He also recommended two-factor authentication, which would back data encryption with another level of protection, such as a token or biometric, saying it would be increasingly important to secure future bank transactions.

Nigel Phair, formerly with the Australian Federal Police and now a director of the Centre for Internet Safety at the University of Canberra, said banks already understood that applying technology in isolation could not guarantee data security. "Banks don't look at technology as a saviour, it's also about people and processes," he said. When it comes to technology alone, "anything's bustable."

Phair said this was why banks take a multi-layered approach to computing security, which includes real-time monitoring of data to spot anomalies indicating a potential fraud or security breach.

He said: "I think 128 is still strong enough for transactions in the thousands (of dollars). If it's in the millions then you'd possibly go to 256-bit."

Stebila agrees with Schneier that "the mathematics behind good encryption are sound. It should not be possible to break good implementations of good encryption."

However, he warned, while 128-bit and AES (Advanced Encryption Standard) keys were generally reliable, the older RC4 cipher, which is still deployed by some organisations, has "some theoretical weaknesses" that could be exploited.

In addition, the TLS protocol has, in the past, required security patches to fix vulnerabilities, while the certificate authorities that issue security certificates authenticating websites have also been compromised in the past, introducing further data security risks.

Stebila said that the Western security agencies, which have reportedly accessed secure data, were more likely to have achieved this by targeting known security weaknesses
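As an added example, not code from the article or from any of the experts quoted, here is a small Python check a bank's security team could run against its own TLS configuration: it builds a context under an assumed hardened cipher policy and audits a cipher list for the points raised above, namely RC4 still being offered, keys below 128 bits, non-AEAD suites, and whether 256-bit suites are available. The policy string and the sample legacy cipher list are constructed assumptions.

```python
import ssl

# Assumed policy: TLS 1.2 or newer, forward-secret key exchange, AEAD suites only,
# 256-bit AES listed first, RC4 and other legacy algorithms explicitly excluded.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!eNULL:!MD5:!3DES"


def make_hardened_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and only negotiates the policy above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_ciphers(ciphers, min_bits=128):
    """Return (cipher name, reason) findings for entries shaped like
    ssl.SSLContext.get_ciphers(): RC4, sub-floor key sizes, non-AEAD suites."""
    findings = []
    for c in ciphers:
        name = c["name"]
        symmetric = (c.get("symmetric") or "").lower()
        bits = c.get("alg_bits", 0)
        if "rc4" in name.lower() or "rc4" in symmetric:
            findings.append((name, "RC4 stream cipher has known weaknesses; remove it"))
        elif bits < min_bits:
            findings.append((name, f"{bits}-bit key is below the {min_bits}-bit floor"))
        elif not c.get("aead"):
            findings.append((name, "non-AEAD suite; prefer AES-GCM or ChaCha20-Poly1305"))
    return findings


def offers_256_bit(ciphers):
    """True if at least one suite uses a 256-bit symmetric key."""
    return any(c.get("alg_bits", 0) >= 256 for c in ciphers)


# Constructed sample of what an older server's cipher list might still contain.
SAMPLE_LEGACY = [
    {"name": "RC4-SHA", "symmetric": "rc4", "alg_bits": 128, "aead": False},
    {"name": "AES128-SHA", "symmetric": "aes-128-cbc", "alg_bits": 128, "aead": False},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "symmetric": "aes-256-gcm", "alg_bits": 256, "aead": True},
]

if __name__ == "__main__":
    for name, reason in audit_ciphers(SAMPLE_LEGACY):
        print(f"{name}: {reason}")
    live = make_hardened_context().get_ciphers()
    print("hardened context findings:", audit_ciphers(live))
    print("hardened context offers 256-bit:", offers_256_bit(live))
```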