Last week, my Internet banking security token gave up the ghost (or rather, its battery did). Being in a different country doesn’t make things easier, and this is how I learnt about the bank’s rather unexpected differentiation between Internet and phone banking…
I had used phone banking for a while, before the Internet came along and changed my world. Why would I bother with trying to remember what the vox box at the other end is claiming as my menu options when I can see them laid out in front of me in colour? So it’s been a few years since I used the service, but I never de-activated it, on the basic assumption that it could come in useful some day (or perhaps I just forgot!).
After the Internet came spam. After spam came key-loggers. After key-loggers came phishing. And after phishing the banks started to realize that security online isn’t the same as the traditional kind with vaults, armed guards, and a huge insurance policy (though of course the latter is still there, if somewhat bigger).
So after some time, my bank decided to start using two-factor authentication, splitting the earlier password-only authentication into two passwords: one they called a "memorizable answer" to a silly question, and a password that you had to type in on a virtual keyboard. Frankly, I didn’t see that it really increased security any. A key-logger can easily be updated to include mouse-logging with a screen-shot of the small area around the mouse position during a click. Sure enough, the bad guys