According to recent reports, the feds will require bank web sites to strengthen their security precautions for internet customers. To this end, bank web sites are expected to adopt some sort of “two-factor” authentication scheme by the end of 2006. In other words, customers will soon have to verify their identity using both a password (or PIN) and some sort of physical item, such as a hardware token that produces constantly changing access codes, or perhaps a ‘smart’ card that the customer inserts into a card reader attached to their computer.
Other options include some sort of biometric verification, or perhaps technology to approximate the physical location from which the login attempt was initiated (presumably via IP address???) and compare it to the customer’s address. While I agree that security is a major issue when it comes to online banking, I’m less than thrilled about having to carry around a pocketful of dongles just to access my various accounts. And the other options have problems of their own. In my opinion, login systems such as the one used by ING Direct ($25 account opening bonus) strike a good balance between security and usability — they require an account number, PIN, and an additional (rotating) security question. Moreover, they’ve recently implemented a clickable keypad on their login screen which should help to protect against keystroke loggers.
[Source: Yahoo! News]
I really like ING’s clickable PIN pad. It is an excellent defense against key loggers on a public computer (not that I’d look at financial data on a public computer without additional security I have at my disposal). I agree the requirement of the Customer number is a pain (I don’t remember mine, but I have it in a password-protected application on my computer and Pocket PC); I’d much rather have a personal ID I can make up.
This is really not new news. E*trade already has available an RSA token. Login requires both password and the changing token number. Well nigh impossible to hack because the number changes frequently.
I have to wonder why they continue to require the account number, though, instead of creating login IDs. The account number is not a secret, but it is extremely difficult to remember, and a pain in the butt to keep entering.