Shouldn't the banks have figured out how to authenticate their online banking sessions using PC's before they started introducing Mobile Banking?
They're not going to do the username/password thing again are they? Didn't they hear? That doesn't work.
It's not that there isn't a solution. Again, the easiest, most trusted and most familiar method to authenticate the online banking session is to do what we do at an ATM.
Hundreds of millions of Americans are both familiar with the process and trust it. The banks seemingly trust it as well (or they wouldn't give you $200 at 2:00 AM two thousand miles away from their main branch when you swipe your bank issued card and enter your bank issued PIN.)
So why do banks still ask us to "type" in our username and password? What don't they get? (cause keystroke loggers, phishermen and online banking trojans all seem to get it)
Here's a rhetorical question for you...
Do you think that banks would trust an easily obtained "username and password" to dispense cash from their ATMs? No?
Then why do they push this antiquated Login method for online banking? Don't they understand that all they are doing is creating a gateway for the bad guys to obtain sensitive online banking credentials.
The long and the short of it is that banks still haven't introduced a viable authentication platform for online banking (such as using a PCI 2.0 Certified PIN Pad for two factor authentication) and now they are going to simply "shrug their shoulders" and introduce mobile banking platforms.
Man oh man, when I replaced "Economy" with "Typing" in Clinton's "It's the Economy Stupid" and introduced the "It's the Typing Stupid" slogo, I thought was being facetious but maybe, just maybe, I was right on.
Bank's cannot continue to shrug off security... it will be their own undoing. Instead, I'd love to see an American bank step up to the plate and be the first (30% of Europeans use a card reader to authenticate financial transactions) to issue our devices to their online banking customers. Watch what happens. It ain't about convenience anymore. It's about securing people's money.
The lack of monetary security breaks up marriages everyday...if you are a banker, don't think for a moment that a lack of monetary security won't destroy your relationship with your customer.
I guess now is the time we move from the "Online Banking is Not Secure" era into the "Mobile Banking is Not Secure" era. Banks need to "pitch" security. The Security Pitch would produce an "ERA" they could be proud of.
Let the games begin with this...ComputerWeekly has published a couple of articles over the past 10 days questioning the security of Barclay's Mobile Banking platform. Now the Information Commissioner's Office is involved...
ICO in talks with Barclays over weak mobile banking security
The Information Commissioner's Office (ICO) is in talks with Barclays Bank about the security set-up of its mobile banking service.Simple security questions expose details of Barclays' mobile customers
The personal information of millions of people is potentially at risk of exposure on Barclays bank mobile banking site.
People who lose their bank card, or have their card details copied, could have their banking transactions exposed to prying eyes, Computer Weekly has discovered. The problem affects the Barclays.mobi web link which connects customers to pages designed to be viewed on mobile phones. The site allows users to view their financial transactions if they answer four basic security questions.
Three of the answers are available on the card itself. These are surname, 16-digit account number and three-digit security code. The other question is the customer's date of birth.
Editor's Note: Believe it or not, bank's are still under the impression that those "four questions" constitute "multi-factor" authentication.
Here's a tip.
Anytime you "type" ("anything") into a browser (yes, mobile browsers too) it can be lifted by a bad guy.
So it doesn't matter if you type two things, (username and password) four things (username and password, card number and three digit security code) or ten things. (you get the idea)
Typing is the problem and requiring that people type more information into boxes in browsers isn't the solution. A PCI 2.0 Certified PIN Entry Device utilizing 3DES/DUKPT Encryption is...
If someone is going to "Swipe" your card information, shouldn't it be you?