Secure Ways to Determine 'Something You Have'?

Steve Cerruti asks: "My credit union is implementing multi-factor authentication for online banking. They are following guidelines provided by the Federal Financial Institutions Examination Council as outlined in Authentication in an Internet Banking Environment (PDF). As you are already required to enter a password, 'something you know' is covered. 'Something you are' has significant technical hurdles while 'something you have' is familiar to credit unions in the form of ATM cards. My credit union chose to implement 'something you have' as a two dimensional lookup table that they email to an address you supply when you initially log in to the online banking service, further access is blocked until you enter a code from the table. New Measures to Make Online Access Safer describes the plan and a short video (FLV) provides further details." For the security conscious among us, do you think this is a decent way to implement the 'something you have' portion of a well secured system, or are there better ways to do it?
Their plan can best be compared to single use scratch off cards. However, I am unsure of what constitutes "something you have" in this example. If someone has the capacity to log into your online banking account, it would seem an email account would be equally subject to access. It would therefore be possible for the authorized owner and the attacker to both possess the table simultaneously. Does this system provide multi-factor authentication or is it simply a convoluted mechanism for sharing yet another secret?

Off topic questions:
Is depending on near instantaneous access to email a reasonable thing to do?
If you were dealing with this situation, would you implement a Firefox extension or a cell phone application to reduce the level of effort for banking access?"

Could be worse

[earnest+murderer]

My banks idea of security is entering a word in an image like you see on so many sites these days.

Those images are distorted so a computer can't just OCR the thing and brute force passwords (my understanding anyhow). This seems to have worked out well enough that you see it everywhere and brute forcing passwords is less of an issue (if at all).

Curiously my bank decided to implement this functionality differently. The background is a grey colored word, and it's always the same word. The "code" is always black.

I'm no genius but to the best of my knowledge this isn't much beyond an exercise in vigorous masturbation. Security through song and dance if you will?

What it boils down to

[Rosco+P.+Coltrane]

I watch the video and it sounds like a lot of PR talk and buzzwords to me.

At the end of the day, assuming the computers and networks between you and the credit union are secure (they're not, but let's forget that), the only problem they have is to make sure you're Mr. John Doe, legitimate holder of the account you're trying to access ("who you are"). Period. All that matrix and multi-identification stuff is just a variation on the same theme.

Up to now, "what you know" (a password) was assumed to be representative of "who you are", with the single point of failure that someone else might be able to know what you know as well (being your password that's too simple, or someone looking over your shoulder while you type in the password). This was a reasonable assumption because you can't separate someone with this someone's knowledge.

If they want to do better than that, they'll have to use biometrics (DNA analysis, fingerprinting, iris scanning, etc...) or some sort of permanent electronic tagging (RFID implant). That's plain as day. So if your credit union isn't providing you a fingerprint scanner or telling you to go to your local vet to get a RFID implanted, you can safely assume that their new ultra-super-duper solutions are a variation of what's already been implemented before, perhaps a little better, perhaps not, but definitely a lot of PR fluff.

Two ways already used in Europe

[enos]

A Danish bank mails you a card with 50 4-digit numbers. This is your one-time pad of sorts. When you log in to your account it asks you for, say, #23. You provide it, and it never asks for it again. When you're down to 20 numbers left or so, the bank automatically mails you another card. The card is something you have.

BPH (Polish bank) has your cell phone number on file. They do bank transfers, which are used over there a lot more than here, you can pay people directly like that (like an electronic check), even buy skype credit directly with it. When you attempt a transfer the bank sends you an SMS with a code you have to supply to the website. The cell phone is something you have. Trouble with this is that in the US some people have to pay for incoming SMSes. In the rest of the world that's usually free.

Re:there's fsck'd and there's FSCK'D

[Workaphobia]

> "But if the client's only point of interaction with the bank is through a single computer, that computer must be trusted. I don't see how you could have a secure system if that only point of interaction is compromised."

Simple: don't trust that computer. Home computers are general-purpose machines and very few of them are highly secured. A specialized, embedded device with a private key sounds much more trustworthy, and you could still use the untrusted home computer to transmit the resulting encrypted+signed message over the Internet.