As more people’s e-mail inboxes get flooded with phishing attempts on their bank accounts, banks are being forced to rethink and upgrade the security used to access their online account systems. Most banks are turning to 2-factor authentication, where you not only need to enter your traditional password or PIN, but also a second code, typically generated automatically by a separate piece of hardware. One such device is RSA’s SecurID, and one bank testing this type of technology is Lloyd’s of Britain: 30,000 of its customers (out of 2 million online ones) are in the test group.
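To make the mechanism concrete, here is an added example (not code from the original post, and not RSA SecurID’s proprietary algorithm) of how a hardware-token second factor is generated and checked on the bank’s side. It uses the open HOTP (RFC 4226) and TOTP (RFC 6238) schemes that later tokens standardised on; the verifier class, user names and the demo secret are constructed for this illustration. The point it shows is why a phished password alone no longer works: the server also demands a code that changes every 30 seconds and refuses to accept the same code twice.

```python
"""Illustrative second-factor check for an online-banking login.

Added example, not from the original post and not RSA SecurID's proprietary
algorithm: it uses the open HOTP (RFC 4226) and TOTP (RFC 6238) schemes.
SecondFactorVerifier, the user names and DEMO_SECRET are constructed here.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation offset
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (one step = 30 s)."""
    return hotp(secret, unix_time // step, digits)


class SecondFactorVerifier:
    """Server-side check of the token code (constructed for this example).

    Remembers the last accepted time step per user, so a code captured by a
    phisher cannot be replayed, even inside the clock-skew window.
    """

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window          # accept +/- this many steps of clock skew
        self._last_counter = {}       # user -> last accepted counter value

    def verify(self, user: str, secret: bytes, password_ok: bool,
               submitted_code: str, unix_time: int) -> bool:
        if not password_ok:           # first factor failed: do not consult the token
            return False
        now = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            # constant-time compare so timing does not leak code digits
            if hmac.compare_digest(hotp(secret, counter), submitted_code):
                if counter <= self._last_counter.get(user, -1):
                    return False      # already used: treat as a replay
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test-vector key, not a real seed
    v = SecondFactorVerifier()
    code = totp(DEMO_SECRET, 59)
    print("token shows      :", code)                                        # 287082
    print("password + token :", v.verify("alice", DEMO_SECRET, True, code, 59))   # True
    print("replayed token   :", v.verify("alice", DEMO_SECRET, True, code, 61))   # False
    print("password only    :", v.verify("alice", DEMO_SECRET, True, "000000", 90))  # False
```

The three printed checks correspond to the threat in the post: a legitimate login with both factors succeeds, the same stolen code presented again is refused, and a guessed code with only the password fails. The `window` argument is the usual trade-off between tolerating token clock drift and shortening the time a phished code stays usable.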
You would think this is great news, but would you believe that the bank’s concern is that by introducing what seems to be yet another obstacle to getting online, it risks alienating existing and potential customers and deterring them from banking online? Yep, it’s true: computer security today is not convenient, but it is necessary. So necessary that a SecurityFocus columnist suggested that 2-factor authentication should not be left up to the banks but legislated. I partially agree. There should be legislation specifying some minimum level of online banking security, including a requirement that banks’ systems be audited by a third-party security organization. There are too many small banks with horribly insecure websites. The legislation may include some minimum level of security (e.g. the no-brainer of using SSL), but if it gets too specific, such as mandating 2-factor authentication with a hardware token, then it’s not forward-thinking; security will change and improve in the future.