One little thing has been bugging me for a while: the spoofing of bank websites and the installation of keystroke loggers to harvest customer details. The banks actually make this easier for the fraudsters by the way they implement their websites.
Not to pick on any one bank in particular, as they all do this to some extent, but take the ANZ as an example: when you go into the site to do your banking, it opens a pop-up window for your details. You then put in your full transaction card number followed by your password. A keystroke logger makes mincemeat of this – log the keys and you have the full string needed to get in and create havoc. The website spoofers also find it easier, as the pop-up can be faked from a link embedded in an email, and the details entered are then transmitted to them.
Finextra has something to say on this regarding Citibank. I think this just reinforces the possible solution over the fold.
The only site I have seen with a solution to this is the Royal Bank of Scotland’s site, RBSDigital. There they ask you to put in your customer number (which is your date of birth followed by either a two- or four-digit number) and then take you to a second page, where you are asked to put in numbers from your security number – but random ones. So, if you have 4 digits in your number, it might ask for your third, followed by your second, followed by your last, like this:
[Screenshot: "Your Security Number" prompt]
Next, it asks for letters from your password, and the positions it asks for also change each time:
Personally, I believe this works much better. The keystroke loggers are defeated immediately, as they cannot know which positions you were asked for or in what order you entered your numbers and letters. Users also tend to sense something is up when they receive a spoofing email asking for their full details, as they have never had to give them before.
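As an added example (my own code, not RBS's implementation and not from the original post), here is how a server might generate the random-position challenge described above, verify the characters the user supplies, and measure how much of the secret remains unexposed to an observer after a number of logins. The names `Challenge`, `make_challenge`, `verify` and `unknown_positions` are mine, and the security number is a constructed sample.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    """Positions (1-based) of the stored secret the user must supply, in this order."""
    positions: tuple


def make_challenge(secret_len: int, count: int) -> Challenge:
    """Pick `count` distinct positions in random order, using a CSPRNG so the
    sequence cannot be predicted from earlier challenges."""
    if not 0 < count <= secret_len:
        raise ValueError("count must be between 1 and the secret length")
    pool = list(range(1, secret_len + 1))
    chosen = [pool.pop(secrets.randbelow(len(pool))) for _ in range(count)]
    return Challenge(tuple(chosen))


def verify(secret: str, challenge: Challenge, answer: str) -> bool:
    """Check the supplied characters against the requested positions.
    Note: per-position checks need the secret in recoverable form on the
    server; a one-way hash of the whole secret cannot answer them."""
    expected = "".join(secret[p - 1] for p in challenge.positions)
    # constant-time comparison avoids leaking how many characters matched
    return secrets.compare_digest(expected.encode(), answer.encode())


def unknown_positions(secret_len: int, observed) -> set:
    """Given the challenges an observer (e.g. a keystroke logger on the user's
    PC) has already seen answered, return the positions it still holds no
    character for. The fewer positions remain here, the less protection the
    scheme still gives against that observer, which is why the request count
    per login should stay well below the secret length."""
    seen = set()
    for challenge in observed:
        seen.update(challenge.positions)
    return set(range(1, secret_len + 1)) - seen


if __name__ == "__main__":
    secret = "7391"  # constructed sample security number, not a real one
    ch = make_challenge(len(secret), 3)
    answer = "".join(secret[p - 1] for p in ch.positions)  # what the genuine user types
    print("challenge", ch.positions, "verified:", verify(secret, ch, answer))
    print("positions still unexposed after one login:", unknown_positions(len(secret), [ch]))
```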
Granted, it is a bit trickier to do – a truly silly user could not get in. You also cannot (easily) write a script to get you into your bank account. I think these are actually fur