The banks appear to be flying a kite again about making customers responsible for the consequences of fraudulent activity.
I would have thought there were a number of ways banks could protect themselves (and customers) from this type of fraudulent activity:
- When online banking started up 5-6 years ago, customers had a dedicated dialup, and also had to download a registration key for the machine they were going to use for online banking. I don't see why at least part of this should not be revived; there is no reason why users should not register in advance the specific machine(s) they are going to use, these could still be work machines, laptops etc.
- One-time keypads. Like a pocket calculator. When entering the service, the bank transmits a code to the customer, customer enters this code and their PIN to device (not the PC, so invisible to hackers), device then displays a unique authorisation code, which customer enters to PC. These have been (and for all I know still are) used to authorise CHAPS and similar business transfers.
- Dongles. Basically you would carry this around on your key ring or wherever and plug into the USB port of machine you are accessing the service from, effectively like a debit card.
The main obstacle appears to be cost, but if it avoids the losses due to fraud and allows a more reliable service, why not?
Of the above, 2 would probably be the most universally practicable for TV and telephone banking. There would presumably be economies of scale in procuring these devices if applied across the whole consumer online banking market.
Better than having to enter random letters/numbers from your PIN and password, which discriminates against customers with dyslexia and makes it more probable that people will write these things down! And having to put up with emergency restrictions applied at a moment's notice on what you can do on your account!
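The keypad exchange described in the second option, sketched as an added example that is not part of the original post or any bank's actual scheme. It assumes a per-device secret shared with the bank, HMAC-SHA256 truncated to 8 digits, and a bank that can recompute the code from the customer's PIN; all names are hypothetical.

```python
import hashlib
import hmac
import secrets


def device_response(device_key: bytes, pin: str, challenge: str) -> str:
    """Computed on the handheld device, never on the PC."""
    msg = challenge.encode() + b"|" + pin.encode()
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits so the customer can type it in.
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


class Bank:
    """Bank side (assumed design): issues challenges and checks codes."""

    def __init__(self):
        self.customers = {}  # customer id -> (device_key, pin)
        self.pending = {}    # customer id -> outstanding challenge

    def enrol(self, customer: str, device_key: bytes, pin: str) -> None:
        self.customers[customer] = (device_key, pin)

    def issue_challenge(self, customer: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[customer] = challenge
        return challenge

    def verify(self, customer: str, code: str) -> bool:
        # pop() makes each challenge single-use, so a code captured
        # on the PC cannot be submitted a second time.
        challenge = self.pending.pop(customer, None)
        if challenge is None or customer not in self.customers:
            return False
        key, pin = self.customers[customer]
        expected = device_response(key, pin, challenge)
        return hmac.compare_digest(expected, code)


def demo():
    bank = Bank()
    key = secrets.token_bytes(32)        # constructed sample device secret
    bank.enrol("alice", key, "4821")     # constructed sample customer and PIN
    c1 = bank.issue_challenge("alice")
    code = device_response(key, "4821", c1)
    ok = bank.verify("alice", code)      # genuine login
    replay = bank.verify("alice", code)  # same code sent again
    c2 = bank.issue_challenge("alice")
    wrong_pin = bank.verify("alice", device_response(key, "0000", c2))
    return ok, replay, wrong_pin
```

Only the challenge and the 8-digit code ever pass through the PC; the PIN and the device secret stay on the keypad.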