A new credit card arrived, plain white envelope, terms and conditions inside, but I knew what it was as I’ve been feeling all of my mail for the last month hoping for this – as, obviously, the previous one was running very close to expiration.
Once upon a time it was optional to add a PIN to your credit card (hell, once upon a time it wasn’t even possible to add a PIN to your credit card), now it’s mandatory, and it was that requirement that had ASB send me off on quite a satisfactory journey of verification, malware countermeasures, and delicious gooey multifactor goodness.
First up, of course, you have to log in to the bank website, which is all encrypted and verified by SSL. I don’t reuse that username or password on any other site.
This is the most basic of first steps, “something you know”, viz. username and password. So far so ordinary, but once you get into the card activation section things get slightly more interesting.
We get our first example of requiring a second authentication factor “something you have”, in this case the thing you have is the secret code printed on the back of the card. Possibly you could argue this is just a third example of “something you know”.
Next we have the bit I found most interesting, partly because I didn’t even notice they’d done it until I was about to hit enter. The numbers in the pad are scrambled, so malware that tracks your mouse clicks doesn’t net “the bad guys” anything useful.
Interesting that my brain translated this without even alerting me to anything suss; either it’s because I play too many computer games, so I’m used to little puzzles like this, or maybe everyone’s brain does the same thing?
Sure enough, after submission the “re-enter your code” box has a different number order.
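A minimal version of the scrambled-pad scheme described above, added here as an illustration and not ASB’s actual implementation (the function names and the “positions” wire format are my assumptions): the server keeps a per-attempt random layout, the browser only ever sends which pad positions were clicked, and the server maps those back to digits.

```python
import secrets
import hmac

DIGITS = "0123456789"


def new_keypad_layout():
    """Server side: return a fresh random ordering of the ten digits.

    Only this ordering is sent to the browser for rendering; the PIN
    itself never leaves the server.  A new layout is issued per attempt,
    which is why the "re-enter your code" box looks different.
    """
    digits = list(DIGITS)
    # secrets.SystemRandom shuffles with the OS CSPRNG (random.shuffle is not
    # suitable for anything an attacker might want to predict).
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def positions_for(layout, code):
    """Browser side (constructed for the demo): the pad positions a user
    clicks to enter `code` on the given layout.  This list of positions is
    all a click-logging keylogger would capture."""
    return [layout.index(ch) for ch in code]


def clicks_to_code(layout, positions):
    """Server side: translate clicked pad positions back into digits using
    the layout that was issued for this attempt."""
    return "".join(layout[p] for p in positions)


def verify_pin(layout, positions, expected_pin):
    """Server side: decode the clicks and compare in constant time.

    A real deployment would compare against a hashed PIN and rate-limit
    attempts; the plain string keeps the demo self-contained.
    """
    if len(positions) != len(expected_pin):
        return False
    return hmac.compare_digest(clicks_to_code(layout, positions), expected_pin)


if __name__ == "__main__":
    # Constructed demo: the same captured positions replayed against a fresh
    # layout decode to a different code and fail verification.
    pin = "4931"
    first = new_keypad_layout()
    captured = positions_for(first, pin)
    print("logger sees positions:", captured)
    print("valid on issued layout:", verify_pin(first, captured, pin))
    print("replay on new layout:  ", verify_pin(new_keypad_layout(), captured, pin))
```

Note what this does and does not buy you: the logged positions are useless without the layout they were entered on, but malware that also grabs screenshots (or the page’s rendered DOM) alongside the clicks is not defeated by scrambling, so the SMS code that follows is still doing real work.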
Lastly, another factor: “something you have” again, this time my mobile phone – I couldn’t proceed without entering a randomly generated string of numbers they texted to me. I’m sure most people are used to this, it’s only in a combination with all of the other steps that I found this noteworthy.
Very satisfying. Possibly this has been the way it’s worked for a couple of years, but of course I’m not in the habit of getting a lot of credit cards.
Have you noticed any other examples of really satisfyingly “good feeling” security?