Court Rules Passwords+Secret Questions=Secure eBanking
An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."
We've been using one-time pads in Finland for a long time, and they do the job.
What's the issue?
I think this standard is OK, *if* the banks are liable for compromises (as they are with credit/debit cards). Obviously this isn't totally secure, but you have to consider everybody's wasted time when weighing alternatives.
There's a name for this sort of security - "Wish it was two factor" security.
And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.
From a consumer perspective, the lower the bar is for "effective security measures" the better, because if an attacker breaks ineffective security measures, you're basically on the "caveat emptor" hook, meaning you failed to do due diligence, therefore any losses are yours. If the security's effective, the bank's on the hook for any losses due to theft. Think of it this way, your bank has a wooden safe, and a robber gets in, you try to sue the bank for your losses, the bank says "well, duh, we had a wooden safe, what'd you expect?", and gets off the hook, while if the bank has a steel vault, you sue, and the bank's required by fiduciary duty to cover your loss, even though it's not negligent. Kinda twisted, huh? But then again, look at the rhetoric flying around Washington about the banks, banking law is truly down the rabbit-hole.
I believe the ruling is correct, the judge is just saying 1FA is "what constitutes “commercially reasonable” security." Which I disagree with, of course, but who am I to judge (I'm sure the judge knows more about this than an IT professional). Consumers should boycott using IT banking from such banking systems and stick to those who have implemented 2FA. Not sure about the US, but where I'm from, nearly all banks have that implemented, and still people worry about the security of internet banking, what with RSA's announcement and all. Doubt anyone would even consider using that with one that doesn't have it here.
I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.
Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour. Imagine if the judge had come down with a verdict like: True security is a 30+ character alpha-numeric password that is at least half capitals or special characters. The same password can never be reused. The user name must be a randomized 10 digit numeric sequence. Both user name and password cannot be valid for longer than 30 days, at which point both must be mailed separately to the user on different dates. Users cannot reset passwords without being in person and presenting 2 forms of ID at a branch office. Lastly, login periods cannot last for more than 5 min, upon which the user must log in again.
What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
The company suing the bank had seen the bank's security measures. They had the opportunity to judge whether the bank's security measures were secure enough for them. The bank should win unless the precautions were unreasonably weak.
You would think everyone involved would be insured against these kinds of losses.
I worked in a business where we built point-of-sale terminals.
The banks are already crazy-serious about certifying devices that talk to their systems.
When you think that the future is everyone and their phone conducting banking operations and that most of those devices have multiple known exploits, you expect things will only get worse.
If you have a business account where the bank won't cover losses from fraud; if your bank doesn't implement effective security measures; if you have some reason to stay with that bank anyway; if you feel compelled to sign up for online banking:
Use a dedicated computer. They're cheap. You can afford to have one computer that's off limits for web surfing, online videos, dancing cursors and so on. For extra credit put it on a separate LAN segment, and of course you should have disabled Autorun anyway. Set it up so it can only connect to your bank's web site and to Windows Update.
I find it upsetting that my online access to my bank account has a password limit of 10 characters which are also limited to letters and numbers. I've called and complained, but of course the silly stupid customer doesn't know anything about anything. Here's the exact limits according to their website:
Password must be between 7 and 10 alpha-numeric characters. Acceptable characters for passwords include combinations of any of the following characters: a-z, A-Z, 0-9, !, @, #, $, %, ^, &, *, (, or )
I hate retarded security.
I'm guessing Slashdot needs some kind of authentication system...
Perhaps I'm trolling, perhaps I'm not.
BS.. use a security key like paypal... sent via their hardware or via SMS on cell... works for me
I always obfuscate my answers to the lack-of-security questions. And not just for banks.
I mean, I get your average person isn't going to answer 'What's your favorite color?' with, "Leo Nikolayevich Tolstoy", but this is Slashdot. Please, tell me you guys aren't actually answering with data that could be scraped off your Facebook site/blog/linkedin profile/etc.
"The case has generated enormous discussion over whether the industry's "recommended" practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC"
And whose fault is that? At what point does a bank's responsibility for a user's poor choice of system end?
It's pretty bad when a computer game, i.e. World of Warcraft, is more secure than my bank. Rotating RSA key fobs are common in Europe and used regularly to secure WoW accounts against hackers trying to get game gold. Passwords and questions are easily obtained using a keylogger.
I've worked at a bank where $30,000 was sent overseas by accident in a testlab incident. A testlab!
Banks are monumentally incompetent at securing their environments, so each individual needs to become accountable for the security of anything that takes place outside the bricks and mortar of their bank. My strategy is to distribute my funds across a few different banks.
No password sharing minimises the risks, and distribution minimises the impact.
But it is not the fault of the banks. Governments around the world, including in the US, are very committed to spying on all of their citizens' networked interactions whenever they wish. Establishing much more perfect security including near unbreakable encryption is the last thing that governments wish to see. So if the banks had much more perfect security software then it would quite likely be illegal to use in most countries. If it has government back doors then it is that much less secure.
A decision by a U.S. District Court is not even binding within the same jurisdiction of that court. Yes, other District Court judges might give the decision some weight; but they are not required to do so.
Only when the U.S. Circuit Court of Appeals upholds a decision from a District Court in that circuit does the decision become binding on all the District Courts in that circuit. Even then, the decision is not binding in other circuits. To be binding throughout the U.S. requires a decision from the U.S. Supreme Court.
Even after the Supreme Court decides, similar cases may arise in which Circuit Court judges conclude the Supreme Court was wrong. Then the process starts all over again until the Supreme Court either upholds its prior decision (most likely result) or overturns its own prior decision (rare but not unknown). For the latter case, look at how long (about a half century) it took the Supreme Court to overturn its prior decision that "separate but equal" segregation was legal for public schools. Attempts to get the Supreme Court to overturn Roe vs Wade (abortion) have been unending for decades.
Conclusion: Living in California, I'm not yet worried about a ruling by a District Court in Maine on this issue.
If banks can't protect our money, and aren't liable when it goes missing, then what are banks for?
"In the absence of the ability to establish the attribute of truth they tried to establish the noble attributes."
Why is my world of warcraft account more secure than my bank account with 6 figures in it?
A password would be something you know and a fingerprint would be something you are. A common access card, RSA key fob, etc. would be something you have. The court ruling looks to be saying single factor authentication is enough (something you know; password and answer to a security question. That is NOT 2 factor authentication.) It would be nice if 2 factor authentication was mandatory with anyone dealing with financial and medical information. I would doubt biometrics (something you are) would be used; instead a common access card, RSA keyfob, etc. would be more likely to be used (something you have). I would like to see credit/debit cards with integrated key devices that will display codes every 30 seconds that must be applied with a known PIN number by the user every time a purchase is made. If done in person, credit/debit cards should have photos on them and clerks should be mandated to ask for valid identification (driver's license or other ID card) no matter what the amount. It's so easy now to simply use anyone's card today. If I hand a clerk my driver's license with my credit card they blow it off saying they don't need it.
>> "The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of "something you know" + "something you have"."
ETrade offers SecureID.
Bank of America has a cell phone option. Various online activities, like adding a payee, causes a code to be sent to your phone via text message. The code must be entered to continue the operation. Not perfect but perhaps quite practical.
I have been using US and European online banks. US ones are less secure but easy to use. With some European ones I had to jump through so many hoops to log in that I either had to show up in person to unlock my account or stopped using them. I prefer easy to use, single password protected, with one-time PC registration - nothing fancy.
If you don't think a bank offers enough security, don't use online banking.
I want my bank and other financial institutions to give me two different username/password combinations. One for [partial] read only access, and another for actual transactions. This would allow me to use services such as mint.com or quicken to aggregate my account information, but not actually give them the power to make any changes to my account.
Allow me to elaborate on the timeline of bank phishing, why this is horribly insecure and how even one time pads failed. I've spent my time in the early/mid 2000s working on this problem for some bigger banks in Europe, and if anyone feels like challenging this court's decision, I'll gladly come as expert witness, just to make this judge look like the clueless person he obviously is.
The first and foremost reason why this is insecure is that all these "security" (I'll use the term loosely here) schemes rely on a single channel: the user's computer. Now, I guess it isn't hard to understand that this machine can be compromised. The bank, OTOH, has no way to verify whether the machine they are talking to has been compromised or not. If anything, the bank could retreat to the position that if the user somehow "lost" his credentials or told them to someone else (accidentally, i.e. by using online banking and having a phishing trojan installed on his machine) it is not their fault, but secure it is not.
Now, why "code+question" isn't secure is obvious to anyone who ever dealt with security. Both are reusable and hence if they get lost once they can be used by an attacker at leisure. Now, what could be added is a security feature that ensures that it is indeed the correct user sitting in front of the machine, e.g. by adding a physical security item that cannot be stolen without the user noticing (e.g. a bank card + reader that would have to be attached to the computer), another security feature would be one time pads (where the user has to confirm his identity by a challenge for a once-valid password that would be submitted to him on a separate channel, e.g. paper in the mail). Both have been tried in Europe, both have failed.
The reason for this is that the computer, if compromised, can execute a man in the middle attack. The way this works has been demonstrated plenty of times and I still have my pet "trojan" I wrote for such a demonstration which I would of course gladly bring along. The way it works is rather trivial, allow me to gloat, erh, I mean, elaborate.
What said trojan consists of is a BHO, a browser helper object (for IE, but it works just as well as a plugin for Firefox or any other browser supporting plugins). Now, as we know from plugins that we enjoy, like ad-suppressors, these plugins are very capable of altering the contents of the display, and of course the contents of data submitted. What the plugin does is simply checking who you wanted to transmit money to, and the amount, and changing both in the background while displaying to you what you entered. The workflow runs like this:
1. When viewing your statement, the BHO checks for your balance to see what it can actually steal from you.
2. User enters his intended transaction (e.g. 100 bucks to "Water + Power")
3. BHO transmits "1000 bucks to Mike Moneymule" to the bank.
4. Bank confirms "you want to transmit 1000 bucks to Mike Moneymule, please confirm this transaction with your one-time key".
5. BHO displays "you want to transmit 100 bucks to W+P, please confirm this transaction with your one-time key".
6. User searches his one-time pad for the requested code and enters it.
7. BHO sends one-time key.
8. Bank confirms "Ok, 1000 bucks sent to Mike Moneymule".
9. BHO displays "Ok, 100 bucks sent to W+P".
Of course, this scheme also works like a dream if only code+secret question is used, but it would be a tad bit too sophisticated for this weaker way of authentication, since stealing code+question works just as well and allows the attacker to siphon money when he wants and doesn't need to wait for the genuine user to make a transaction.
So what most banks here use now is a second channel for the one time key. When you send your request for transferring those 100 bucks to W+P, you get a text message saying something like "We got an order from you where you plan to transmit $amount to $account, verify that this is correct and if it is, your confirmation key is $key". This allows the user to v
Because you can have 10 figures in your WoW account. Duh.
Many of the 2FA ideas put forward on here are broken. Most major trojans have MITM or MITB capabilities to bypass many of the pure OTP type methods put forward here, including the manual transaction signing tokens. http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians Mobile authentication should be considered broken since there are many more ways past it and many newer trojans come with mobile plugins now too. http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html I use https://www.shieldpass.com/ authentication cards which have the ability to do mutual authentication passively and not be vulnerable to MITM. The plastic cards themselves cost less than a few cents to make so there's no argument why America shouldn't be using them.
Might as well call it a "fake judge". Magistrates are the courtroom equivalent of a "maintenance programmer", brought in to handle the menial stuff that real judges don't want to deal with. We're letting one of these guys decide a huge issue like this? Not good, not good at all.
My bank a year or two ago required you to enter an answer to two or three questions. I gave them false information (which I wrote down).
Think about it - why would giving a financial institution more private information make your information more secure? I mean sure it would be harder to break into an individual account that way, but what if someone hacked the whole server, and got that private information? Wouldn't that make me less secure in the future?
I don't like this "ask x personal questions about your customers" policy one bit. I like the intent - but I don't like the possibility of more private information getting into the hands of hackers and evil-doers.
While not perfect, we need some way to authenticate biometric data via the internet - be it a fingerprint or whatever. Or maybe a secret electronic key that only the account holder has - maybe something you plug into a usb port? a physical device that has a hard coded encryption key that only works on your account mixed with a password would be in my opinion much more secure than this 'ask x questions about our customers private lives' trend.
I mean really - it's none of the bank's fucking business where I lived when I was 13, or what my first car was.
Banks resist the idea because all the major trojans wreaking havoc have MITM /MITB capabilities to bypass the tokens and mobile sms in one way or another as well as cost issues.
The 2 European banks in the following article were using transaction signing tokens
http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians
and mobile sms trojans have been around for awhile now
http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
You might want to investigate https://www.shieldpass.com/ online authentication cards which are cheap and can do mutual authentication passively. For example specific transaction information can be included in the challenges to stop MITM and the process is passive or visual so the trojans or phishers can't walk a target through a transaction as they did with the first link.
Using security questions for password recovery is a joke
Some people use questions that any friend of the family would be able to answer like "What's your pet's name".
Also a lot of these companies don't make it possible to change the security question once it's established. Then there's no possible way to secure the account if the attacker can just reset the password over and over. Companies need to know that I don't want a back door to my email account and bank accounts.
Just go on YouTube and find a bunch of vloggers. Attempt to reset the password on all their accounts. Then attempt to reset the passwords on those email accounts of those who choose a weaker security question. THEN try their backup email accounts and those questions. You will likely find the answer to someone's security question in one of their vlogs.
First off, if your machine is controlled by your adversary you're probably fucked one way or another regardless of what your bank does if you give your attacker enough time. Also I run windoze 7... feel free to troll me.
With that out of the way I highly recommend using keepass or something similar, not only do you get the obvious benefit of stronger and unique passwords but if a form wants answers to secret security questions, just pick a question, any of them it doesn't matter, and use a long random hex key as the answer, then store it in the notes section of that key entry in keepass, or don't store it at all, your choice. In short, bank security could be better, there are a few creative ideas above me that could be offered on their end like the firewall between your account and other accounts idea, but there are smart things you can do to avoid the pitfalls of these stupid ass "security" questions.
Also, if you want to sync the database across machines, but are worried that your password may not be strong enough in the event that your online service for syncing is cracked into do this:
1) set up a keepass database with both a password and a key file for encryption
2) share the encrypted database through your favorite online syncing service, personal home server, dropbox, whatever
3) set up syncing with online service on each machine you want to access the database
4) put the key file on each machine you did in 3, if you want this to be more secure than just a password you CANNOT share the keyfile through the net, but it literally never changes unlike the database so copy pasta across machines with a usb key or similar manually is easy enough
5) additional note: this will save your password database for a non-trivial amount of time if someone has both your online service's password and your keepass password but cannot access the key file, hopefully long enough for you to realize what happened and change your passwords.
6) as a corollary to that: if your machine is hacked and the hacker is smart enough to search for the keepass database and the key file then you're screwed, note that naming the file cleverly, using a clever file type extension, or putting it somewhere obscure does not help since keepass "remembers" where it is, so all the attacker has to do is find where keepass stores that info and the easiest way to do that is simply start keepass...
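The password-plus-key-file setup in steps 1 to 5 above, as an added example that is not part of the post and not KeePass's own code: the database key is derived from both components, so someone holding the synced database and the master password but not the key file cannot open it. The composite-key construction is loosely modelled on KeePass (SHA-256 over the hashed components); the PBKDF2 round count, the salt, the key file contents and the toy stream cipher with an HMAC tag are all simplified, constructed values for the demonstration.

```python
"""Model of a password + key-file composite key for an encrypted database.
Constructed example; not KeePass's real file format or cipher."""
import hashlib
import hmac
from typing import Optional

# Constructed key file contents. In practice this is a random file that is
# copied to each machine by hand (step 4) and never sent through the sync service.
KEYFILE = bytes(range(32))
SALT = b"\x01" * 16          # constructed; a real implementation draws a fresh random salt
ROUNDS = 100_000             # assumed work factor for the password stretching


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Hash each component separately, then hash the concatenation.
    A missing key file changes the input and therefore the resulting key."""
    parts = hashlib.sha256(password.encode()).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def derive(composite: bytes, salt: bytes) -> bytes:
    """Stretch the composite key so offline guessing of the password is slow."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, ROUNDS, dklen=32)


def _keystream(key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256; for illustration only.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def seal(password: str, keyfile: Optional[bytes], plaintext: bytes, salt: bytes) -> bytes:
    """Encrypt-then-MAC the database: salt || ciphertext || tag."""
    key = derive(composite_key(password, keyfile), salt)
    enc_key, mac_key = key[:16], key[16:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def open_db(password: str, keyfile: Optional[bytes], blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the password or key file is wrong
    (the MAC check fails before anything is decrypted)."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive(composite_key(password, keyfile), salt)
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


if __name__ == "__main__":
    blob = seal("master-pw", KEYFILE, b"entry: bank login", SALT)
    # The synced copy plus the password alone (step 5) does not open it.
    print("password only:", open_db("master-pw", None, blob))
    print("password + key file:", open_db("master-pw", KEYFILE, blob))
```

The check that matters for step 5 is the `None` result when `keyfile` is absent: the attacker who obtains the synced database and the master password still faces the full key-file entropy, not just the password.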
What you see on your screen may be fake, and what the bank sees you type may be fake too.
The only thing that may not be faked is your identification to the bank, when using a one-time pad.
The obvious solution, which is too deep for bankers and judges, is to secure all the necessary information.
In practice this means having something looking like a calculator which shows each transaction, having cryptographically secure two-way communication to the bank via the net, and being tamperproof.
A sort of two-way code calculator.
The bad thing about a precedent is that it will fix at a certain time. Imagine they find something that is secure as we know it, while still being usable. That would be effective today.
Tomorrow some smart person finds a way around that security, making it insecure.
Now the banks will say the day after tomorrow in a lawsuit: We did what was required, while the customer will say that security was not enough.
I'd love to have such a financial institution. I'm writing my credit union to ask for this now. I'll go ahead and write BankAmerica as well (former bank of mine, which I still use for online one-time "Shop Safe" credit card purchases).
One method I could see which would get around a hacked phone would be to initiate an audio call to the person and describe the transaction and give the one-time key.
This would take some advanced hacking (beyond just grabbing text on the phone).
Why are they always too simple to figure out? A tiny bit of social engineering cracks that system. The solution would be if you could make up your own questions in some way.
But still a court rules that such a system works?
Odd world.
Which bank is this?
The simple, safe answer is for people to stop being lazy, get off their arses and go to the bank branch instead of sitting in front of the PC and becoming fat-arsed lazy gits.
No security worries no hackers just secure banking
Oh and if they do not have a branch of their chosen bank within reach then more fool them for picking a bank that has no representation in their area fool !!!
I use the Sony Playstation Banking Network and my money has never been safer.
which involves old/new olives. Funnily, the judge does not try to verify by himself but calls somebody who is a trader of olives and knows about the topic of old/new olives.
Once again Rush beat us to it by 20 years.
http://www.youtube.com/watch?v=XcYP5XP0Rlk
Rush - Superconductor
Here in Sweden - my bank uses a keypad - where the user first must key in a PIN code to activate the device. Then to log in - you must key in your national security number (userid) - from this the bank generates a code - I key this code into my unlocked keypad - and get a return code. This is I guess similar to the RSA key generation (the device is not supplied by RSA incidentally) - except that the whole activity is locked down by a 4 key PIN in my handheld device - which I guess is the key to the code generation. My bank thinks this security is impregnable (the last time I questioned it they laughed at me) - but after the recent RSA hack I really wonder if this is the case. If the generation algorithm becomes common knowledge (i.e. the security provider is hacked) - then all that is needed is to identify the 4 digit PIN code.
My bank's site requires three things to authenticate me:
1: a user code, 8 characters of randomness generated by the bank (something I and the bank both know)
2: a password, at least 8 characters of not-very-randomness generated by me (something the bank can check without actually having to store it)
3: a four-digit number from a printed wallet-size list of one-time codes generated by the bank (something I have)
The password used to be also generated by the bank, but they came to their senses; now that I get to choose it myself, even the clerk who created my account (and possibly caught a glimpse at my one-time password list in the process) does not know everything that is needed to authenticate as me.
The extra trouble is, of course, the exchange of the one-time code lists. This they do by mailing me a new one when there are ~20 unused codes left in the old one, and then I just need to log in to their web site, give the id of the new list, and confirm the list change by a code from the old list.
Not nearly as high-tech as SecurID, but works like a charm.
The best security questions are for this "MasterCard SecureCode" and "Verified by Visa" scam.
The problem is that somebody other than the CC user is liable for credit card fraud by default. This is because when the CC companies started and needed to gain adoption, they had to offer users good terms. So they come up with this new system that adds an extra password to your online CC transactions, which adds exactly 0 security, but if you read the small print, it shifts the liability to you.
Why does it add 0 security? First of all, because under practically all threat models where your credit card info can be stolen, so can this extra password. Multi-factor authentication is not N+1 passwords instead of N. Second, because if you want to reset your password it asks you for trivially obtainable information. I was once asked for my zip code and date of birth.
Oh, and it is also a usability nightmare... You get directed to this external site, that is not your bank's or the web shop you are buying at, and asked to enter the password. You can usually choose to skip this step, thankfully, and not use the system. Either way, you then get redirected back to the web shop: usually to its home page, with no indication whether the transaction went through or not. I have seen this happen on 3 different websites, including UK train reservation system and a big cellular network's site, and have had to cancel double transactions once already.
My bank hands out small devices that have 5 light sensitive diodes and a slot for my bank card in them. For each transaction (after being logged in via password), the browser will display a small field with blinking squares. When I hold the device against the monitor, the details of the transaction will be transferred to the device and the device will display the amount and the recipient of the money in a small display. From this information and some information stored on my bank card, it will calculate a PIN which I have to enter into the browser to confirm the transaction. That's all pretty secure and convenient if you ask me.
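A model of the nine-step browser-helper-object workflow from the earlier post, run against the two confirmation schemes the thread contrasts: a printed one-time code list (the code is not tied to the order) and a transaction-signing token like the card reader described just above (the code is an HMAC over the order details the device shows on its own screen). This is an added example written for this page, not code from either poster; the recipient names, amounts, code list, nonce and device secret are all constructed, and the eight-digit truncated HMAC is an assumed stand-in for whatever the real device computes.

```python
"""Man-in-the-browser against two confirmation schemes. Constructed example."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    recipient: str
    amount: int  # whole currency units


INTENDED = Order("Water + Power", 100)      # what the user types (step 2)
FRAUD = Order("Mike Moneymule", 1000)       # what the BHO submits (step 3)

# --- Scheme 1: indexed one-time code list (constructed codes) ---------------
TAN_LIST = {17: "483920", 18: "117744", 19: "902113"}


def bank_verify_tan(index: int, code: str) -> bool:
    """The bank only checks the code at the requested list position; nothing
    in the code says which order it belongs to."""
    return TAN_LIST.get(index) == code


def run_mitb_with_tan_list():
    """Steps 3-9: the BHO rewrites the order and the display. Returns the
    order the bank actually executes."""
    submitted = FRAUD
    challenge_index = 18                        # step 4: bank asks for code #18
    shown_to_user = (INTENDED, challenge_index)  # step 5: BHO shows the intended order
    code = TAN_LIST[shown_to_user[1]]           # step 6: user looks it up
    if bank_verify_tan(challenge_index, code):  # steps 7-8
        return submitted                        # bank executes the fraud
    return None


# --- Scheme 2: transaction signing (card + reader / optical token) ----------
DEVICE_SECRET = b"constructed-device-secret"   # shared by card and bank


def device_sign(secret: bytes, order: Order, nonce: str) -> str:
    """The token derives the code from exactly the details it displays."""
    msg = f"{order.recipient}|{order.amount}|{nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_verify_signed(secret: bytes, order: Order, nonce: str, code: str) -> bool:
    return hmac.compare_digest(device_sign(secret, order, nonce), code)


def run_mitb_with_signing(bho_feeds_intended_to_device: bool):
    """The BHO still controls the browser, so it chooses what reaches the
    device (for example what the blinking field encodes). Either choice fails."""
    submitted = FRAUD
    nonce = "n-0042"                            # bank's per-transaction challenge
    to_device = INTENDED if bho_feeds_intended_to_device else submitted
    # The device shows `to_device` on its own screen, outside the browser.
    if to_device != INTENDED:
        return ("declined_by_user", None)      # user sees 1000 to Mike Moneymule
    code = device_sign(DEVICE_SECRET, to_device, nonce)
    if bank_verify_signed(DEVICE_SECRET, submitted, nonce, code):
        return ("executed", submitted)
    return ("rejected_by_bank", None)          # code covers the wrong order


if __name__ == "__main__":
    print("code list  :", run_mitb_with_tan_list())
    print("signing (BHO forges challenge):", run_mitb_with_signing(True))
    print("signing (BHO passes real challenge):", run_mitb_with_signing(False))
```

The defensive point is that the confirmation code must be a function of the order the bank will execute, computed and displayed on something the browser cannot rewrite; an out-of-band SMS that repeats the amount and recipient, as the earlier post describes, serves the same purpose as the reader's own display.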
It is important to understand the ground rules for banks in the U.S.
Business (non personal) bank accounts are generally governed under the Uniform Commercial Code. So if they send all of your money to Eastern Europe, too bad for you. If you have a personal account, then different rules apply, and you are most likely not on the hook. Small businesses are often targeted by fraudsters, possibly because they have more money, possibly because they have more lenient security. (Bank is not on the hook.) My bank would never process a large transaction if I had no funds.
What if you want to change banks..
I would say that most banks fall into two categories. Major banks (BofA, Wells Fargo, Chase, etc.) and community banks. So if you go to a major bank, you are getting the bank's security system. Some of these banks offer RSA tokens (not comforting right now). And other advanced features. ING for instance makes you enter your PIN with a mouse so keyloggers cannot pick it up.
That leaves community banks. If you are a small business you probably want to go to a community bank for better service. Well probably 99% of community banks outsource their banking systems, and guess what, they outsource to a relatively small pool of providers.
This article mentions Jack Henry; they are one of those providers, some others are Fiserv, Alltel, EDS, Perot. So you could be unhappy with a bank's security, move to another bank, and get the exact same security.
Are there any secure online banking options in the US? That would be with real two-factor authentication of some sort. That could be a one time password sent over sms, on paper, or generated by a hardware token, or a usb dongle that signs transactions. Anyone have any experience?
I think my WoW account has better security, with the mobile authenticator, than most banks provide.
Still, what do people expect banks to do when the situation arises where the bad guys have complete control over the target PC? Then it really doesn't matter what the bank does. If I have control over your PC I can take in any security codes you enter and use them in real time. I can simply give you back the responses I know you expect from having captured that information already - all to the last part - when suddenly you entered everything you were supposed to and I fed back "sorry, technical difficulties at the bank - please try later" while I am just happily chugging away in your account.
As control over the PC from the outside includes control over any entered passwords, this is plain and simple one-factor authentication. It also shows that the person making this magistrate has no clue and did not bother to do research. Two-factor authentication always strongly depends on the two factors being independent. For example you can have a token and a password you enter not into the token but by some other way. Or if you have a secure device that you, say, enter a pin and a chip-card into, then this device must have a very high security level indeed. A PC does not qualify as a "secure device" in any way.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
http://www.computerworld.com/s/article/9156558/Michigan_firm_sues_bank_over_theft_of_560_000_
My former employer was the victim of their own ignorance... erm, I mean the victim of a phishing scheme and lost about $2-million - fortunately they got most of it back, unfortunately they had to lay a bunch of us off because of it. Afterwards, they sued the bank.
When they use secret questions to reset your password
It's a lot easier to guess answers to those "secret" questions than a decent password. And it increases the "buffer bloat" in the user's mind, and just might tip them to the SCREW THIS I'm writing it down side of the equation.
The best computer security is to not use the computer! Your insight is both valuable and relevant. Banks and customers on their way to/from the bank never get robbed, so this is completely foolproof. You are awesome.
What, a person calling you for your one time key? No way this could fly, eliminating the need for people was one of the driving factors behind online banking in the first place. No matter what solution you propose, it must not rely on personnel. No, not even dirt cheap CC Agents. Anything that cannot be automated is a no-go.
We will eventually see combined attacks where computers and cells will have to be compromised, but I wouldn't hold my breath. Until the majority of people use the same device for making phone calls and doing online banking (i.e. nullifying the two-channel effect), or at least connect their devices fairly often (e.g. to sync calendars and mails), the chance to infect two devices belonging to the same person is so slim that the investment doesn't pay off. Besides, as you notice there's still plenty of banks that don't even have anything remotely similar to this two-channel authentication system.
Computer crime is a business. And like every business, they try to get by with the least investment for the best reward. Investing in a scheme that cracks the security of that two-channel auth system is pointless, for now.
But you're invited to hand this information to your bank. And maybe add that this information is about 5 years old, so I hand it out for free. For more current information, I have very affordable rates. ;)
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
There is no need for a live person to place the call. An IVR system can place the call and relay the details and await the response. No SMS, no high-tech phone required at all.
ING.nl has it, but ING.com does not (two-channel authentication). It's a choice on their side because no one in the US is asking for it. Adding an audio option is not hard, and compared to sorting out SMS carrier issues in the US, it may be easier.
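An added illustration (not any bank's code, nor code from anyone in this thread) of the two-channel confirmation the comments above describe: the bank relays the transfer details plus a code computed over those exact details via a second channel, so a compromised PC that rewrites the transfer shows the customer the wrong details, and a code captured from one transfer cannot confirm another. The class and function names, the HMAC/HOTP-style truncation, and the simulated customer step are assumptions for this example.

```python
import hashlib
import hmac
import secrets


def transaction_code(key: bytes, txn_id: str, payee: str, cents: int, nonce: str) -> str:
    """6-digit code bound to one specific transaction (HOTP-style truncation)."""
    msg = f"{txn_id}|{payee}|{cents}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class BankServer:
    """Hypothetical bank back end with an out-of-band (SMS/IVR) confirmation step."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # server-side secret, never on the PC
        self.pending = {}

    def start_transfer(self, payee: str, cents: int):
        """Record the transfer exactly as the (possibly compromised) PC submitted it
        and build the second-channel message: human-readable details plus the code."""
        txn_id, nonce = secrets.token_hex(4), secrets.token_hex(8)
        self.pending[txn_id] = (payee, cents, nonce)
        code = transaction_code(self.key, txn_id, payee, cents, nonce)
        return txn_id, f"${cents / 100:.2f} to {payee}", code

    def confirm_transfer(self, txn_id: str, code: str) -> bool:
        """Accept a code only for the single pending transaction it was issued for."""
        if txn_id not in self.pending:
            return False
        payee, cents, nonce = self.pending.pop(txn_id)  # one-shot
        expected = transaction_code(self.key, txn_id, payee, cents, nonce)
        return hmac.compare_digest(expected, code)


def customer_confirms(shown: str, intended: str, code: str):
    """The human step on the phone: type the code into the PC only if the
    details shown on the second channel match the transfer actually intended."""
    return code if shown == intended else None


def run_transfer(bank: BankServer, payee: str, cents: int, rewritten_to=None) -> bool:
    """Simulate one transfer; rewritten_to=(payee, cents) models malware on the PC
    silently changing the transaction before it reaches the bank."""
    sent_payee, sent_cents = rewritten_to or (payee, cents)
    txn_id, shown, code = bank.start_transfer(sent_payee, sent_cents)
    typed = customer_confirms(shown, f"${cents / 100:.2f} to {payee}", code)
    return typed is not None and bank.confirm_transfer(txn_id, typed)
```

The check is only as good as the customer actually reading the details on the second channel; if both devices are under the attacker's control, as the thread notes, the channels are no longer independent.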