New US regulations on online banking are going to change everyone's practices of connecting up to their local bank or credit union to check balances and make payments. The move is to two-factor authentication, a system in which you need not only your account password but also some other token (a one-time PIN from a piece of paper, a response from a hardware token, an answer to a cellphone SMS message) to get in.
My local bank branch manager (Republic Bank in Ann Arbor) was not aware of these changes when I got the paperwork to sign up for online banking there. I suspect there's a lot of work to be done to roll these systems out all the way down the food chain to where they will be required to go, and I anticipate problems all along the way in new systems integration and customer learning.
Bruce Schneier notes that even these systems are not immune to phishing attacks - scammers will simply change their techniques.
When I was at First Virtual Holdings in the 1990s, we built a system that had two-factor authentication over email. You made a transaction over the web, but it didn't go through until you had validated the transaction in a simple email message. Imagine then getting a message every time you had a credit card transaction happen & how that might change how quickly you could catch unauthorized charges.
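The transaction-confirmation flow sketched above, as an added example written for this post rather than First Virtual's own code: a payment submitted on the web sits in a pending state until a token delivered over a second channel (a simulated e-mail outbox here) is presented back. The token is an HMAC over the full transaction details, so it confirms exactly that payee and amount and nothing else, and it is single-use and expires. The class and method names, the server secret and the e-mail addresses are all assumptions constructed for the example.

```python
"""Out-of-band transaction confirmation (hypothetical example code).

A web-submitted payment stays 'pending' until the account holder validates
it from a message sent to a separately registered channel (e-mail here).
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Transaction:
    txn_id: str
    account: str
    payee: str
    amount_cents: int
    nonce: str          # per-transaction random value folded into the token
    expires_at: float   # confirmation deadline (unix time)
    status: str = "pending"   # pending -> confirmed | expired


class ConfirmationService:
    """Holds transactions until they are confirmed out of band (assumed design)."""

    def __init__(self, server_secret: bytes, ttl_seconds: int = 600, clock=time.time):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._clock = clock                 # injectable for testing expiry
        self._txns: dict[str, Transaction] = {}
        self.outbox: list[dict] = []        # stands in for the mail transport

    def _token(self, txn: Transaction) -> str:
        # The token binds to every field of the transaction, so a token issued
        # for one payment cannot validate a different payee or amount.
        msg = "|".join([txn.txn_id, txn.account, txn.payee,
                        str(txn.amount_cents), txn.nonce, str(int(txn.expires_at))])
        return hmac.new(self._secret, msg.encode(), hashlib.sha256).hexdigest()

    def submit(self, account: str, payee: str, amount_cents: int) -> Transaction:
        """Record the web-side request and send the confirmation message."""
        txn = Transaction(
            txn_id=secrets.token_hex(8),
            account=account,
            payee=payee,
            amount_cents=amount_cents,
            nonce=secrets.token_hex(16),
            expires_at=self._clock() + self._ttl,
        )
        self._txns[txn.txn_id] = txn
        # The message goes to the address on file, not back into the web session.
        self.outbox.append({
            "to": f"{account}@example.invalid",   # constructed address
            "subject": f"Confirm payment of ${amount_cents / 100:.2f} to {payee}",
            "txn_id": txn.txn_id,
            "token": self._token(txn),
        })
        return txn

    def confirm(self, txn_id: str, token: str) -> bool:
        """Validate a token presented from the out-of-band message."""
        txn = self._txns.get(txn_id)
        if txn is None or txn.status != "pending":
            return False                      # unknown, already used, or expired
        if self._clock() > txn.expires_at:
            txn.status = "expired"            # late confirmations never go through
            return False
        if not hmac.compare_digest(token, self._token(txn)):
            return False                      # wrong or tampered token
        txn.status = "confirmed"              # single use: leaves the pending state
        return True

    def status(self, txn_id: str) -> str:
        return self._txns[txn_id].status


if __name__ == "__main__":
    svc = ConfirmationService(b"server-secret-for-demo")
    txn = svc.submit("alice", "Utility Co", 12500)
    mail = svc.outbox[-1]
    print("pending:", svc.status(txn.txn_id))
    print("confirmed:", svc.confirm(txn.txn_id, mail["token"]), svc.status(txn.txn_id))
    print("replay accepted:", svc.confirm(txn.txn_id, mail["token"]))
```

Because every confirmation message names the payee and amount, the account holder sees each charge as it happens, which is the point made above about catching unauthorized charges quickly; a message for a payment the holder never made is itself the alert.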
Links:
- Scandinavian Attack Against Two-Factor Authentication (Schneier on Security)
- Phishers target Nordea's one-time password system (Finextra)
- FFIEC Releases Guidance on Authentication in Internet Banking Environment (Federal Financial Institutions Examination Council)
- The Green Commerce Model (First Virtual Holdings)
- Internet Information Commerce: The First Virtual Approach (Usenix Electronic Commerce 1995)
- Perils and Pitfalls of Practical Cybercommerce (Borenstein, Rose, Vielmetti et al, CACM)
