Robert Downey
The Failure of Knowledge-Based Security

I just saw an article posted on Slashdot regarding Bank of America's relatively new online security feature, called SiteKey. The basic gist of the story is that because users tend to ignore an incorrect or missing SiteKey, the security system is therefore flawed.

That's true, I guess. But the article more or less ignores the fact that SiteKey is also technically flawed: the image and phrase are a shared secret that the bank reveals as soon as a username is typed in, so a phishing site that simply forwards the username to the real bank can show the correct SiteKey. More broadly, all knowledge-based security mechanisms are fundamentally flawed. That's the elephant in the living room that a lot of people are ignoring.

Bank of America's SiteKey feature is, for the most part, an improvement over previous security measures. It is designed to mitigate basic phishing (a fake site that doesn't know which image and phrase to show you), not to protect against man-in-the-middle attacks or other more sophisticated hacks.

Other banks use different measures, each typically aimed at a different security problem. HSBC, for instance, uses a "virtual keyboard" to mitigate keystroke loggers (though that only moves the secret from keystrokes to mouse clicks on the screen, which malware can capture just as easily).

But the basic flaw in all of these security measures is that they rely on knowledge to authenticate a user. The problem is, knowledge is transferable. Whether it leaks through a keystroke logger, a phishing page or a database breach, whatever the bank asks you to know in order to prove you are who you say you are can be presented just as easily by somebody else who has a copy of it.

The only way around this is using a combination of both knowledge *and* something non-transferable. This can be biometric (retinal, fingerprint, face, whatever), or something a lot simpler (and cheaper), such as a smart card. A biometric is only non-transferable if it is matched on hardware the attacker doesn't control; sent over the web it is just more data to capture and replay. A smart card avoids that by keeping its key inside the card and answering a fresh challenge from the bank on every login, so capturing one login doesn't hand the attacker the next one. (Yes, I know a smart card can be stolen, but it's going to be a *lot* harder to steal a smart card AND the login information at the same time.)

Using a combination of transferable and non-transferable authentication requirements means that even if somebody phishes my login/password/sitekey/mother's maiden name/social security number/etc, if they don't have the little card on my key chain, they're not getting into my bank account. (A card that only displays a static code wouldn't count: a code you can read off and type in is knowledge again.)
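To make the transferable-versus-non-transferable point concrete, here is an added example in Python; it is not code from this post, from Bank of America or from any bank. It models a toy bank with a SiteKey-style phrase, a password and an optional smart-card login, then runs the attacks from the last few paragraphs against it: a relay phishing page that captures and later replays everything the victim typed, the same capture against a card that answers a fresh challenge, and, as the caveat, a live man-in-the-middle relay. The account "alice", her password and phrase, and the card modelled as an HMAC key that never leaves the SmartCard object are all constructed for the example (real cards hold an asymmetric key pair, but the property shown is the same).

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Possession factor: answers challenges, never exports its key."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # stays inside the card; there is no getter

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Bank:
    """Toy bank with a SiteKey-style phrase, a password and a card login."""

    def __init__(self) -> None:
        # Constructed account for the example. Password and SiteKey phrase
        # are knowledge; the card key is burned into the card at issue time.
        self._accounts = {
            "alice": {
                "password": "correct horse",
                "sitekey": "blue kayak",
                "card_key": secrets.token_bytes(32),
            }
        }
        self._pending = set()  # challenges issued and not yet answered

    def issue_card(self, user: str) -> SmartCard:
        return SmartCard(self._accounts[user]["card_key"])

    def sitekey_for(self, user: str) -> str:
        # Revealed as soon as a username is entered, before any password.
        return self._accounts[user]["sitekey"]

    def login_knowledge(self, user: str, password: str, sitekey: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            return False
        return (hmac.compare_digest(acct["password"], password)
                and acct["sitekey"] == sitekey)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login_with_card(self, user: str, password: str,
                        nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # never issued, or already used: a replay
        self._pending.discard(nonce)  # each challenge is single-use
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return False
        expected = hmac.new(acct["card_key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phish_then_replay_knowledge(bank: Bank) -> bool:
    """Relay-style phishing page against knowledge-only login."""
    # The fake page forwards the username to the real bank, learns the
    # genuine SiteKey phrase and displays it, so a victim who checks sees
    # nothing wrong and types the password (the victim's input is constructed).
    user = "alice"
    captured = {"sitekey": bank.sitekey_for(user), "password": "correct horse"}
    # Hours later the attacker replays the captured knowledge: it still works.
    return bank.login_knowledge(user, captured["password"], captured["sitekey"])


def phish_then_replay_card(bank: Bank) -> tuple:
    """Same capture against card login: returns (genuine, replay, forgery)."""
    card = bank.issue_card("alice")
    nonce = bank.challenge()
    response = card.respond(nonce)
    genuine = bank.login_with_card("alice", "correct horse", nonce, response)
    # The attacker recorded the whole transcript; replaying it later fails
    # because that challenge was consumed.
    replay = bank.login_with_card("alice", "correct horse", nonce, response)
    # Answering a fresh challenge needs the card key, which was never sent.
    fresh = bank.challenge()
    forgery = bank.login_with_card("alice", "correct horse", fresh,
                                   hashlib.sha256(fresh).digest())
    return genuine, replay, forgery


def relay_in_real_time(bank: Bank) -> bool:
    """The caveat: a live man-in-the-middle still gets in once."""
    # The proxy forwards the bank's challenge to the victim, whose real card
    # answers it, and the proxy submits that answer before it is consumed.
    card = bank.issue_card("alice")
    nonce = bank.challenge()
    return bank.login_with_card("alice", "correct horse", nonce, card.respond(nonce))


if __name__ == "__main__":
    b = Bank()
    print("knowledge replay succeeds:", phish_then_replay_knowledge(b))
    print("card (genuine, replay, forgery):", phish_then_replay_card(b))
    print("live relay succeeds:", relay_in_real_time(b))
```

The knowledge-only login falls to a recording of what the victim typed; the card login rejects both the recorded transcript and a guess at a fresh challenge, because the only thing that can answer is the card itself. The last function is the honest limit of this design, the same man-in-the-middle case SiteKey doesn't cover: an attacker who can relay the challenge to your card in real time gets one session. Closing that gap takes more than a nonce, for example having the card sign the details of the transaction (amount, payee) so a relayed answer is only good for what you actually authorised.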

It's just a matter of time before this becomes widespread. Microsoft already requires this for all employees accessing their company network, and support for this kind of two-factor authentication (smart card logon) is built into Windows Vista. Vista also ships Windows CardSpace, an identity selector that hands a site a signed token instead of having you type a password into it, which can further mitigate the security problems associated with knowledge-based mechanisms.

As the technology becomes cheaper, it will slowly become an option for banking customers, and eventually a requirement. Only then will online transactions become, at least in principle, truly secure.