Wednesday, March 07, 2007

2-Factor Security for UK Online Banking

A wee birdy tells me that a major UK bank is nearly ready to begin (I know, lots of hedging in there - maybe it was a dunnock) rolling out its EMV card-based 2-factor solution for online banking.

This will provide strong cryptographic assurance that a person with the customer's card and knowledge of their password was involved in authorising the transaction - so preventing session hijacking. I got a small play with the beta version (as part of a customer usability trial) and it seemed to work reasonably well at providing you with enough information to prevent transaction hijacking (one of the difficulties here as compared to traditional challenge-response systems). Hopefully, you will at least be given the option to use this for log-on (I do not believe that you will be required to do that).

Of course, this provides no protection against data leakage from transactions proxied through a man-in-the-middle site or recorded by malware infecting the workstation you are using, but it is a damn good start.

More when I get my kit, assuming I am in one of the "early-adopter" pools.



(c) 'Surreptitious Evil' 2006 - 2017.