Written by A short while ago we alerted you to the new Alliance and Leicester two factor authentication system. It’s now up and running.
The log in experience doesn’t seem that different to me – it still features a 12 digit log in number and a five digit pin both of which are set up to confound my browser’s pin storing abilities (annoying but good I guess). What it does do is authenticate the site to me so I know that I’m not using a phishing site. It does this by showing me a specific picture and phrase after I enter the log in number and before I enter the pin. I haven’t got the faintest idea what my picture is supposed to represent – it looks like something created by a dwarf Heath Robinson.
Unfortunately it doesn’t stop a phishing attack, it just raises the bar somewhat. In the past, phishing was an MITM where the phishing site just collected your data and went off to bank some time later.
Now, a phishing site would have to dynamically go to the bank site and feed the requests back and forth. This realtime attack has been seen in the wild, sometime last year … it remains to be seen whether it is too expensive to run or will take off when the easier pickings are exhausted.
I’m also slightly concerned that the image I’ve been allocated is such that if I were presented with a reasonable facsimile of whatever the heck it’s supposed to be, I wouldn’t be able to tell the difference