Meridea Software is offering a solution for banks that want to secure online transactions by adding a second factor to prevent phishing attacks.
The solution is based on an application that consumers will install on their mobile phones (J2ME based, I guess) and that is included in the transaction like this:
How it works:
1. A customer specifies a transaction in his/her web bank, e.g. pay €1000.00 to Jack
2. The bank will issue a challenge code specific to this transaction (it appears on the web bank screen)
3. The customer launches the Meridea 2FA application on his/her phone and enters the given challenge code
4. If the challenge code is not from the genuine bank, the user receives a warning. If the challenge code is genuine, the customer sees the specific details of the transaction on the phone screen: the amount and significant digits of the destination account number. In this way the customer can be certain that they are authorizing the genuine transaction. If the details are correct, the customer enters his/her secret PIN.
5. A valid response code appears on the screen of the customer's mobile device
6. The user enters the response code into the web bank, and the transaction completes.
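To make the six steps concrete, here is a small model of the exchange with both the bank side and the phone side. This is an added example, not Meridea's code or protocol: the digit layout of the challenge (10 digits of amount in cents, last 4 digits of the account, a 6-digit nonce, a 6-digit MAC), the use of two per-device symmetric keys (one to authenticate challenges, one PIN-wrapped to produce responses), and the 8-digit response are all assumptions made here. It also shows one answer to the question of how the transaction details can be checked offline: they are carried inside the challenge and authenticated with a MAC under a key the phisher does not have, so no public-key step and no online lookup is needed.

```python
"""Illustrative challenge/response transaction signing, modelled on the six
steps described above.  Added example; NOT Meridea's protocol.  Message
layout, key handling and digit counts are assumptions made for this sketch."""
import hmac
import hashlib
import secrets


def _mac_digits(key: bytes, msg: bytes, n: int) -> str:
    """HMAC-SHA256 truncated to n decimal digits (tag taken as an integer mod 10**n)."""
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(tag, "big") % 10**n).zfill(n)


def _wrap_key(key: bytes, pin: str) -> bytes:
    """PIN-protect a 32-byte key: K_enc = K XOR SHA256(pin).  The phone stores only
    K_enc, so a wrong PIN silently yields a wrong key (and a wrong response) and
    the PIN itself never leaves the handset.  Same function unwraps."""
    mask = hashlib.sha256(pin.encode()).digest()
    return bytes(a ^ b for a, b in zip(key, mask))


class Bank:
    def __init__(self, verify_key: bytes, sign_key: bytes):
        self.verify_key = verify_key      # authenticates challenges (step 4 check)
        self.sign_key = sign_key          # expected key behind the response (step 6)
        self.pending: dict[str, tuple[int, str]] = {}

    def issue_challenge(self, amount_cents: int, account: str) -> str:
        """Step 2: amount, last 4 account digits, fresh nonce, then a 6-digit MAC
        so the phone can distinguish a genuine challenge from a phished one."""
        body = f"{amount_cents:010d}{account[-4:]}{secrets.randbelow(10**6):06d}"
        challenge = body + _mac_digits(self.verify_key, body.encode(), 6)
        self.pending[challenge] = (amount_cents, account)
        return challenge

    def verify_response(self, challenge: str, response: str) -> bool:
        """Step 6: each challenge may be answered once; the response is the MAC of
        the challenge under the device's signing key."""
        if challenge not in self.pending:
            return False
        expected = _mac_digits(self.sign_key, b"resp:" + challenge.encode(), 8)
        ok = hmac.compare_digest(expected, response)
        if ok:
            del self.pending[challenge]   # no replay of a used response
        return ok


class Phone:
    def __init__(self, verify_key: bytes, wrapped_sign_key: bytes):
        self.verify_key = verify_key
        self.wrapped_sign_key = wrapped_sign_key

    def decode_challenge(self, challenge: str):
        """Steps 3-4 (before the PIN is asked): check the MAC and return the details
        the user must confirm; None means 'show the not-from-your-bank warning'."""
        if len(challenge) != 26 or not challenge.isdigit():
            return None
        body, tag = challenge[:20], challenge[20:]
        if not hmac.compare_digest(_mac_digits(self.verify_key, body.encode(), 6), tag):
            return None
        return {"amount_cents": int(body[:10]), "account_last4": body[10:14]}

    def respond(self, challenge: str, pin: str) -> str:
        """Step 5: the 8-digit response the user types back into the web bank."""
        key = _wrap_key(self.wrapped_sign_key, pin)
        return _mac_digits(key, b"resp:" + challenge.encode(), 8)


def run_scenario() -> dict:
    """Walk the six steps once with constructed sample data, plus the two failure
    modes that matter: a tampered (phished) challenge and a wrong PIN."""
    verify_key, sign_key = secrets.token_bytes(32), secrets.token_bytes(32)
    pin = "4711"                                    # constructed sample PIN
    bank = Bank(verify_key, sign_key)
    phone = Phone(verify_key, _wrap_key(sign_key, pin))

    challenge = bank.issue_challenge(100_000, "12345678901234")  # EUR 1000.00 to Jack
    details = phone.decode_challenge(challenge)
    # A man in the middle alters the leading amount digit; the MAC no longer matches.
    tampered = str((int(challenge[0]) + 1) % 10) + challenge[1:]
    tampered_details = phone.decode_challenge(tampered)
    wrong_pin_accepted = bank.verify_response(challenge, phone.respond(challenge, "0000"))
    accepted = bank.verify_response(challenge, phone.respond(challenge, pin))
    replay_accepted = bank.verify_response(challenge, phone.respond(challenge, pin))
    return {"challenge": challenge, "details": details, "tampered_details": tampered_details,
            "wrong_pin_accepted": wrong_pin_accepted, "accepted": accepted,
            "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print(run_scenario())
```

Two caveats a practitioner would raise against this sketch. A 6-digit MAC on the challenge only has to stop a phisher who cannot test guesses offline (each guess costs a warning on the victim's phone), but it is still a one-in-a-million forgery per attempt, so the bank should rate-limit and expire pending challenges. And because the wrong-PIN case produces a plausible-looking but wrong response rather than an error on the phone, the bank side must count failed responses and lock the device key after a few, otherwise the PIN can be brute-forced through the web bank.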
It’s a nice solution, something that I’ve been wanting to do ever since I got interested in mobile technologies (I have a history in working for companies that do online financial transactions).
There are a few difficulties that I can see when you’re trying to roll this out to real people, though:
- You need a J2ME enabled phone. Duh.
- You need to install the application, either via WAP or from a PC download. Either way, this alone requires quite a level of expertise on the user side that I don’t currently see.
- They say that after you enter the challenge code, you will see the details of the transaction on the screen. That either means it is quite a long challenge code and they're basically encrypting the details to a public key that's included with the app, or they're double-checking the challenge online (which requires more phone configuration and may cost the consumer money).
It looks quite appealing to a geek like me, but for – say – my mother, I don’t really see this coming yet.
As a bank, I’d probably look at something like Entrust’s IdentityGuard, which is far easier to understand and a lot easier to roll out (as well as being available on the phone, if you need that).
Please don't get me wrong, I'm actually quite happy to finally see mobile phones used for more than playing Snake. This would be even better if it were part of a generic mobile identity service that multiple businesses could plug into, i.e. you'd only have to install one application (or get it pre-installed by your operator) and you could use it for any bank or online transaction (think eBay, PayPal…).