Re: [nznog] New phish - Westpac
BNZ tried using certs in 2000 for IB for the public - it was a nightmare - far too early for browser compatibility, the usual portability of certs, etc.
Ah, I might have had my banks mixed up.
And of course, and this will come as a surprise to some, certs aren't very good for authentication, remember - their power is in persistently marking transactions/data or whatever. That BNZ system was trying to get round key loggers, but as you say, anything that needs specific machine setups/configs will fail for retail banking. And there are screen grabbers now anyway.
Oh, I found that even without the threat of phishers etc, the pain of using it (Even after I installed Java) was just too high.
2-factor also does not solve the problem and can introduce more. Netcode relies on a now-defunct, unsupported product from RSA - it was dropped from the RSA product line due to the issues with SMS delivery and security - ask yourself how secure the SMS network is; would you know, do you know? I
Well, personally, I'd find it more secure than not having it at all. Without something like it, anyone can get in with my username + pwd. With it, at least if they ALSO intercept my cell transmission, they can get it for what, 10 mins (assuming they have my UN+PW as well). That's a fairly small window, and better than the current situation.
would be more concerned about that than anything. Also, the banks cannot control SMS delivery nor guarantee anything and therefore don't like it. 2-factor is relatively complex to manage in big deployments, expensive (relatively, compared to a password) and probably overkill for retail but spot on for business - which of course you'll know has been used for a number of years now by most banks....
I think ASB got around that by having something in there saying "if you don't get the text within X mins, call us on 0800 WHATEVER, quote ID 123456 and we'll check your details like we normally do".
Remember though - you can use a computer - most people who use retail Internet Banking can't - IB is the pinnacle of their PC knowledge
VERY good point. Smartcards + reader look interesting, but there again - hardware compatibility. Does it work on a Mac? Does it work on my mother's old P166 without USB? Etc.
And anyway banks don't make any money from retail banking, so until phishing and e-banking scams become sufficiently common they still pale in comparison to manual frauds. The real answer is to remove some functionality, but of course we'd all moan... Free beers for life for the person that cracks the portability vs security conundrum!
Very true. As long as they keep refunding people when they get all their money nicked, it's not THAT huge a long-term problem. Short term, and for the person whose cash is (for a while) gone, it's a bit of a stresser. :) Good discussion to have, methinks, especially given the types of people on this list. :) Now, lunch and Beer :) Is it Friday yet? N
participants (1)
- Nic Wise