A tweet of @arrington just caught my eye, quoting the NY Times. The US top-fed (Director of the FBI) almost fell victim to a phishing email pretending to be from his bank. He caught himself just in time, before he submitted his internet banking username and password to the phishers' fake website. As a result, his wife forbade him from using the internet for banking.
Zero liability
The article focuses on the fact that American banks offer zero liability to any internet banking client who is stripped of their funds by hackers or phishers. But for me, as someone who specializes in security programming and architecture, that's not the point. The point is that major banks in the US, and also here in Canada (including my bank), still use bread-and-butter username-password authentication for internet banking. That is a sad joke. The NY Times article says that banks and other financial websites (such as PayPal) offer, or consider introducing, an additional authentication method in which a secret code is SMSed to your cellphone and you have to type it into the website. This is authentication based not only on what you know (your password), but also on what you have (the code, or actually your cellphone). Which of course leaves the question of what happens if someone steals your smartphone, where for convenience you have also stored the passwords for your favourite websites, including your bank's... But that's a different story.
Already 5 years ago...
My Dutch bank, ABN AMRO, has a different approach to "what you own" authentication. I have used their internet banking since 2004 (and it existed even before) - that's more than 5 years ago! Their authentication (and they don't offer another one, such as username-password) is based on a smartcard reader device called E.dentifier. It's actually more than that: it has a numeric keypad and a text display as well. This device uses my very own bank card. The Dutch bank card has not only a magnetic strip, but also a chip, which is what the reader uses. Your PIN code is stored not only on the strip, but on the chip as well. The first version of the E.dentifier was a manual challenge-response system. When I wanted to log in to my internet banking site, the website showed me an 8-digit code. I had to put my bank card in the E.dentifier, type in my PIN code (to begin with), then type in the 8-digit code I got from the website. As a result I would see a 6-digit code on the E.dentifier display, which I had to type into the website. This authentication is required in the first place to log in, and also separately for extra-sensitive actions, such as approving transactions when I want to transfer money somewhere.
What you own, what you know
The important thing is that this is based on something I own, my own bank card, and something I know - my own PIN code. The E.dentifier itself is not personalized - once a colleague of mine in Holland asked me if I carried the E.dentifier with me, and he used my device with his own bank card to log in to his account. The second version of the device, E.dentifier2, which was distributed in 2008, has a larger display and saves you some of the manual trouble. Unlike the E.dentifier, which was a standalone device, E.dentifier2 connects via USB to your computer (it can also operate standalone like the old one). You have to download some additional software for that (available for Mac OS X and for Windows), and the challenge-response is done automatically. You still have to put in your bank card and type in your PIN code, of course, but that's it. No more typing over long codes. When you want to approve transactions, you have to use your bank card and PIN code again, and you get to see on the E.dentifier2 display something like: approve payment of XXX Euros to account no. YYY (information which comes from the website). You have to press a key to approve it.
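To make the two flows above concrete, here is a small model, added as an example and not ABN AMRO's or the E.dentifier's actual algorithm (which this post does not describe): the chip checks the PIN locally, the reader turns the website's 8-digit challenge into a 6-digit response, and for approvals the challenge is bound to the payment details shown on the display, so a tampered amount or account number fails verification at the bank. The HMAC-SHA256 construction, the challenge formats and the card secret are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

DIGITS = 6  # length of the code the reader displays (assumed, as in the post's description)

# Constructed sample values; a real card secret lives on the chip and at the bank only.
CARD_SECRET = b"constructed-card-secret-for-example"
STORED_PIN = "1234"


def reader_response(card_secret: bytes, challenge: str) -> str:
    """Model of the reader's output: a 6-digit code derived from the card secret and the challenge.
    Assumption: HMAC-SHA256 truncated to DIGITS decimal digits (not the real E.dentifier scheme)."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def card_session(card_secret: bytes, stored_pin: str, entered_pin: str, challenge: str):
    """The chip verifies the PIN itself; only then is a response produced. Returns None on a wrong PIN."""
    if not hmac.compare_digest(stored_pin, entered_pin):
        return None
    return reader_response(card_secret, challenge)


def new_login_challenge() -> str:
    """The 8-digit code the website shows at login (random, single use)."""
    return f"{secrets.randbelow(10**8):08d}"


def transaction_challenge(amount_cents: int, to_account: str) -> str:
    """For approvals, the challenge encodes exactly what the reader displays:
    amount and destination account. Changing either changes the expected response."""
    return f"PAY:{amount_cents}:{to_account}"


def bank_verify(card_secret: bytes, challenge: str, response) -> bool:
    """Bank side: recompute the expected response for the challenge it actually issued."""
    if response is None:
        return False
    return hmac.compare_digest(reader_response(card_secret, challenge), response)


if __name__ == "__main__":
    login = new_login_challenge()
    print("login ok:", bank_verify(CARD_SECRET, login, card_session(CARD_SECRET, STORED_PIN, "1234", login)))
    tx = transaction_challenge(12550, "NL00BANK0123456789")  # constructed account number
    resp = card_session(CARD_SECRET, STORED_PIN, "1234", tx)
    print("approval ok:", bank_verify(CARD_SECRET, tx, resp))
    print("tampered account rejected:", not bank_verify(CARD_SECRET, transaction_challenge(12550, "NL00BANK9999999999"), resp))
```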
