I'm not an application Security expert, but why can the banks issue an authentication Certificate, and only allow connections to those who are authenticated?
Certs would help, but they are a PITA to get working reliably. I know of one place that does use them (www.vir.co.nz - only for dealers) - but Banks are very much mass-market, and mom-and-pop would have a lot of trouble working it out. I think one of the banks (ANZ??) tried it a while back. Not sure what they use now tho.

The worst I have used was BNZ - they had a Java applet, and you had to CLICK on your password, on a keyboard on the screen. Wow, how secure, if someone is shoulder surfing, or capturing mouse clicks. And, it was just crap to use, especially if you didn't have Java (you just couldn't get in without Java!).

2-factor authentication is one of the few ways they could tighten up on security. ASB already does this, to some extent, with NetCode (ditto BankDirect - same company tho). They send you a text to confirm (you have to enter the code in the text) if the amount is over a specific value ($2500 per day). Works great. Why not do it on ALL transactions under a certain value (eg, $50)?

Want to log in and check accounts? Fine. Username + password. Want to move money? You then MUST use 2-factor authentication.

I'd say that 99% of people with computers also have cellphones, so text messages are a good way. Going overseas? Get one of those fancy SecurID cards on loan. I'm SURE that a load of people on this list know those cards - credit card sized "random" number generators on their keyrings. Same idea could be implemented for LESS cost than the banks usually lose....

Of course, the banks have to be motivated to do it.... And they are not, really, at the moment.

It might still give the phishermen entry, but only within a VERY small window (60 seconds to 5 mins, usually), which would solve most of the problems.

Of course, you'd need to sync it up with the Beer Tap at the pub somehow..... Maybe give the "keys" away free with every pint sold?

Righto. Back to work :)

Nic

--
Nic Wise - Senior Developer - Microsoft MVP (.NET)
t. +64.21.676.418
w. http://www.aftermail.com/
e. nic.wise(a)aftermail.com
b. http://www.fastchicken.co.nz/blog/