ING eBanking

Recently, I signed up for an ebanking account at ING. The first thing I noticed was the digipass (scroll down for pictures) they gave me free of charge. It seems they don’t trust their clients enough to let them use one static password for account access. But that is… a good thing — although I’d rather not have to use this device each time I log in to my ebanking account. Probably many ebanking users can’t tell the difference between the authentic ebanking login site and a phishing page.

Having to use 3 different strings for logging in is really something:

  • the client ID they give you (although it follows a pattern, it’s random as far as I can tell)
  • the digipass PIN required by the device (they mention that should you enter an incorrect PIN 5 times in a row, the digipass will be blocked; I guess I’ll just take their word for it)
  • the password generated by the digipass

Even after logging in, if you wish to make a transaction you have to use your digipass again to generate a code for signing that.

Now, for some digging into the algorithm and how it may protect people against phishing attacks. The authentication code given by the digipass is time-dependent. You get a different one every 30 seconds or so. However, at one moment in time, you can use the last couple of codes generated to access your account. It’s quite basic, you need some time to read and type in the code. These are just assumptions based on observations made by me.

Now let’s take a basic phishing situation.

The phishers sent an email requesting a login action and got an unfortunate client to reveal his/her ID and code. They have a limited time to access the account before the code expires. But let’s say they were very fast and got into the account. Unfortunately, all they can do now is look at the numbers, transactions, etc. They would still need another code to sign a transaction. Nonetheless, you wouldn’t want anyone to know about your financial history.
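The time window described above, as an added example that is not part of the original post: a server-side check that accepts the current 30-second code plus the last couple of codes, and a measurement of how long a disclosed code stays valid. The Digipass algorithm is not stated in the post, so RFC 6238 TOTP stands in for it; the secret, the timestamp and the look-back of two codes are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as observed in the post
LOOKBACK = 2   # assumption: the server also accepts the 2 previous codes

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real one
T0 = 1_700_000_010                   # constructed Unix time at the start of a step


def totp(secret: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), used here as a stand-in algorithm."""
    counter = int(t) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: float, lookback: int = LOOKBACK) -> bool:
    """Accept the current code or any of the `lookback` codes before it."""
    for i in range(lookback + 1):
        candidate = totp(secret, now - i * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def usable_seconds(secret: bytes, issued_at: float, lookback: int = LOOKBACK) -> int:
    """Seconds after `issued_at` during which the code shown then is accepted."""
    code = totp(secret, issued_at)
    elapsed = 0
    while verify(secret, code, issued_at + elapsed, lookback):
        elapsed += 1
    return elapsed


if __name__ == "__main__":
    print("read at step start :", usable_seconds(SECRET, T0), "s")
    print("read 20 s into step:", usable_seconds(SECRET, T0 + 20), "s")
    print("no look-back       :", usable_seconds(SECRET, T0, lookback=0), "s")
```

Each extra accepted code adds a full 30 seconds to the lifetime of a disclosed code, which is the usability versus exposure trade-off the look-back setting controls.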

Here are some shots of the Digipass they gave me:

Going back to the actual ebanking interface, I’m really satisfied. It’s pretty straightforward and easy to use. I haven’t had a chance to see it in action yet, but I really want to test how fast it’s updated with my account transactions. I’ve had a BRD ebanking account for some time and I’m definitely not happy with seeing the transaction only the next day.

Oh, and for being a student you get a Visa card attached to an account in RON with the ebanking for only 12 RON (about 5 USD). No monthly/yearly fees or cash withdrawal commissions. Thanks ING!
