Banks and OTP
Apparently my bank offers an additional security mechanism on their internet banking facilities where account holders are issued with a device that generates one-time passwords (OTPs) for identification purposes. It appears to be time based, so one would assume that it is time-synchronised to the bank's computers and also contains an account-specific shared secret. Enter a PIN, push a button, and get a token which is valid only for that particular minute of the day.
The use of such a device changes internet banking from depending upon "something you know" (account number) and "something you know" (password), to the much more secure "something you know" (account number/password) and "something you own" (OTP device).
If all the banks moved to such a system then we could expect the incidence of password phishing for bank details to decrease significantly. Scammers could potentially harvest a single, short-lived token for an account, but would be unable to recover the physical device itself. This would significantly reduce the value of an account to an attacker.
It appears the bank hardly mentions this additional security mechanism to standard clients because they charge $99 for the device in question, and most clients are likely to complain and claim they can go to a different bank which doesn't need OTP technology for internet banking.
I'm comforted that banks are providing these facilities to their customers.