Here on Between the Lines, I've routinely hounded the US banking industry for not biting the bullet and moving all of its customers (regardless of whether the customers like it or not) to a multi-factor (two or more) system for authenticating users for online banking. For some banks in Europe, it's standard operating procedure. From a post I did earlier this year:
Two years ago, a friend from The Netherlands who was visiting asked if he could use one of our PCs to do some online banking. As he began to log in to his bank's Web site, he pulled a credit-card sized authenticator out of his wallet. Hardware-based authenticators like RSA's keyfob-esque SecurID 700 generate a random sequence of numbers at regular time intervals (eg: every 60 seconds). The way this works is, at any point in time when you log in to your banking system, you have to use your authenticator to randomly generate a key. I watched my friend as he pressed a button on his authenticator and then, from the authenticator's LCD display, he read off and keyed in (on the keyboard) a long string of randomly generated digits.
If you had something similar and you were using one of RSA's authenticators, then, the bank would have an RSA-built appliance on its internal network that's generating matching keys for your account. The only way someone can log into your account is if they have your UserID, your password, and your authenticator. Randomly generated keys are only good for a minute or so. So, even if someone gets a hold of your UserID, password, and one of the randomly generated keys (eg: if they watched you key it on your keyboard), by the time they got to a computer to pretend to be you, the randomly generated key would have expired.
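To make the "matching keys on both sides" idea concrete, here is an added example (not code from the post or from RSA; SecurID's own algorithm is proprietary) that uses the open RFC 6238 time-based one-time-password construction as a stand-in. The seed, the 60-second step and the six-digit length are constructed assumptions. It shows the token-side code generation, the bank-side check with a small clock-skew allowance, and why a code watched over your shoulder is useless a few minutes later.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions, not from the article): the seed shared
# between the customer's token and the bank's verification appliance, the
# 60-second step the article mentions, and a six-digit code length.
SHARED_SECRET = b"demo-seed-for-illustration-only"
TIME_STEP = 60
DIGITS = 6


def generate_code(secret: bytes, unix_time: int, step: int = TIME_STEP,
                  digits: int = DIGITS) -> str:
    """Token side (RFC 6238): HMAC-SHA1 over the time-window counter,
    dynamically truncated to `digits` decimal digits. Every second within
    one window yields the same code; the next window yields a new one."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int, state=None,
                skew_windows: int = 1, step: int = TIME_STEP,
                digits: int = DIGITS) -> bool:
    """Bank side: accept the code for the current window or its +/- skew_windows
    neighbours (clock drift), compared in constant time. With a `state` dict,
    each window's code is accepted at most once, so a code typed in by someone
    who watched it being entered is refused once the owner has used it."""
    current = unix_time // step
    for delta in range(-skew_windows, skew_windows + 1):
        window = current + delta
        expected = generate_code(secret, window * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            if state is not None:
                if window <= state.get("last_accepted_window", -1):
                    return False  # replay of an already-used (or older) code
                state["last_accepted_window"] = window
            return True
    return False
```

A code generated at second 960 still verifies at second 1079 (one window of skew) but not at second 1140, which is the expiry the post describes.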
User names and passwords (the "what you know" factor -- often the first factor of multi-factor security) alone are no longer enough. At the bare minimum, a second factor -- often referred to as the "what you have" factor -- is required. ATM machines, for example, use two-factor authentication. Neither your ATM card (what you have) nor your password (what you know) will work alone. To activate an ATM machine, you need both. But to access most American banks online, all you need is a user ID and password. Even the US government issued federal guidelines to the banking industry (well, suggestions, since they're not making banks do anything) saying that "what you know" security is not enough. The response from the banking industry has been underwhelming at best.
Last year, according to a story from The Register, APACS, the UK Payments Association, issued guidance to UK banks that was similar in nature to the guidelines issued by the US Government:
Last year, Apacs issued guidance to banks that called for stronger security. "In view of the growing incidence of Trojans and phishing attacks directed at internet users, banks are recommended to move towards stronger authentication for their online banking customers," it said.
In response, according to that same story, the UK-based Barclays bank is moving to a two-factor authentication system for online banking. But unlike random number generation solutions like those from RSA Security, Barclays instead is giving its customers card readers that work like this:
The customer inserts his card to a reader (which is not connected to his PC). The device will generate a unique 12-digit number that the customer enters on his keyboard.
Which leads me to the next natural question. Suppose you're like my Dutch friend and you're going to someone else's house or heading out on international travel. Are you supposed to bring a bulky card reader with you everywhere you go? In contrast, RSA makes versions of its SecurID solution that fit on your keychain. Think I'm crazy about the sort of mobility that people want out of their online banking? According to a ZDNet research blog from last December:
Forrester Research found that 51% of existing online banking users in the UK ages 16 to 34 would like to try mobile banking. 25% of those users would switch to a new bank if it offered mobile capabilities.
To boot, card reading solutions as a means for securing online transactions have not been met with consumer enthusiasm. Way back in 2001, Target (the retailer) announced that it would be issuing card readers (like this Target-branded one on sale for $5 at Craigslist) along with its Target-branded "smart Visa Cards" to help secure payments (card readers ensure that the end user actually has a card as opposed to just the card number). But, by 2004, the entire smart card program was failing so miserably that Target pulled the plug on the whole thing.
Smart card readers for consumers? They're a bust for enough reasons that it doesn't make sense to give them to end users. Barclays will probably end up learning this the hard way.