Although the cyberthieves have made inroads this year, a number of clever low-cost authentication methods are being tested. What they have in common is simplicity, with no new hardware.
Here is a quick recap of the available techniques. Generally, these techniques would be used in addition to a username and password:
To thwart keylogging (but not phishing):
- virtual keypad (or string of numbers from 1 to 10): user selects numbers from the keypad/list instead of typing (for added security the numbers should be positioned differently each time)
To thwart keylogging AND phishing:
- picture/graphic selection: instead of a numerical ID, users identify the correct graphical image or picture from an ever-changing pool of choices
- bingo card: user enters the requested coordinates (which change each login) from a preprinted "bingo" card (refer to previous FMW article)
- one-time PINs: user enters a number from a list of one-time-use PIN numbers previously mailed, emailed, text-messaged to a mobile phone, or voice-messaged to any phone
- shared secrets: the bank and the user establish a series of shared secrets, one of which must be answered correctly to complete login
- random partial passwords: similar to the shared secret approach, the bank asks for a different portion of the PIN number at each login
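
The bingo card item in the list above, sketched as server-side logic. This is an added example, not code from the original post or from any bank's system; the 5x5 layout, two-digit cells, three coordinates per challenge, lockout threshold and the `GridLogin` helper are all assumptions made for illustration.

```python
import hmac
import secrets

ROWS, COLS = "12345", "ABCDE"   # constructed 5x5 layout (assumption)

def new_card():
    """Generate the printed card: each cell holds a random 2-digit value."""
    return {c + r: f"{secrets.randbelow(100):02d}" for r in ROWS for c in COLS}

def new_challenge(card, n=3):
    """Pick n distinct coordinates with a CSPRNG so they change each login."""
    return secrets.SystemRandom().sample(sorted(card), n)

class GridLogin:
    """Server-side state for one user's card (hypothetical helper)."""
    MAX_FAILURES = 3             # assumed lockout threshold

    def __init__(self, card):
        self.card = card
        self.pending = None      # coordinates of the outstanding challenge
        self.failures = 0

    def challenge(self):
        """Issue fresh coordinates, unless the card is locked out."""
        if self.failures >= self.MAX_FAILURES:
            raise PermissionError("card locked; reissue required")
        self.pending = new_challenge(self.card)
        return self.pending

    def verify(self, answers):
        """Check answers against the pending challenge, which is single use."""
        coords, self.pending = self.pending, None    # consume the challenge
        if coords is None or len(answers) != len(coords):
            self.failures += 1
            return False
        expected = "-".join(self.card[c] for c in coords)
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(expected.encode(), "-".join(answers).encode())
        self.failures = 0 if ok else self.failures + 1
        return ok
```

Each login exposes only the requested cells, so a captured session reveals part of the card rather than all of it, and the lockout bounds guessing at the rest.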
For more information, refer to our previous FMW security articles and Online Banking Report (#93/94).
--JB