Internet Banking – Security Device

To reduce cases of phishing and sniffing of passwords in Internet Banking, banks are now introducing 2-factor authentication using a little security device. You press the only button and a 6 or 8 digit passcode appears, which you have to enter after your username/password.

In this way hackers not only must know your username and password, they need to gain physical access to your device to complete the stunt. Similarly only getting your device doesn’t give the hacker access to the account.

But how does the device work? How does it generate the number? Is it unique across so many devices in circulation? Can the algorithm be reproduced?

Little information has been provided, probably in hope of less attempts to break it. However, as history shows, security by obscurity will never work. From the information gathered, the device contains a clock, a unique serial number and the algorithm. When the button is pressed, the algorithm takes the serial number and clock as input to generate the number. Since the server knows the time and your serial number (based on your username/password) the server is able to perform the same calculation to verify the numbers entered.

What I felt intelligent in this algorithm is the use of time as input. This means the numbers are only valid for probably the minute the button was pressed – you cannot just remember 1 set of digits and use it every time you login. Instead you are forced to press that button every time.

[1] … 355AAe8u8T
[3] … x01.html#1
[4] … issueid=91

On this blog [5] the author feels the device is an overkill. He compares it to another secure account that he has that does not require the security device.

However I feel that despite user education, not all may be able to maintain the rules of thumb. Users who change passwords frequently do not remember their passwords (I have a perfect example for that). With the increasing number of internet applications and passwords to maintain, if every application forces users to change their passwords so regularly, users end up wasting time changing system passwords every other day, and forgetting that password soon after.

Layman users may also not know if they are on a secured or unsecured connection, or if any part of their connection is unsecure. Even if the system is his personal desktop that no one else has access to, it is not guaranteed to be free from keyloggers. With the security device the account is more protected since keyloggers are no longer effective.

[5] … ty-device/

RSS feed for comments on this post · TrackBack URL

Leave a Comment