I signed up for a Treasury Direct account this month (so I can buy I Bonds). They have the most impressive online security I've ever seen on a site designed for consumers.
When you sign up for your account, you enter your email address and pick a password. Then they send your account number to your email. You still can't login, though. They also send you in the postal mail a personalized decoder ring card. It has 10 columns and 5 rows of letters, presumably different from everyone else's.
When you go to log in to treasurydirect.gov, you punch in your account number as you would on any site. Then you use a virtual on-screen keyboard to enter your password. Many banking sites do this (such as HSBC), but Treasury Direct is the first I've seen that randomizes the order of the keys on the virtual keyboard. This is important because the whole point of the virtual keyboard is to prevent a program from logging the key strokes or mouse clicks of your password. If the on-screen keyboard is always the same, then having the virtual keyboard doesn't help at all against that sort of attack and is just an annoyance to the user.
The final login step involves the decoder card you received in the mail. The site gives you a list of coordinates (such as B2, G5, etc.) and you have to enter the letters at those coordinates. Entry of these letters is also done with the randomized virtual keyboard.
Very, very impressive. In this case, the government is the vanguard and a role model for the private sector. Let's hope the rest of the financial industry wakes up some day and follows the Treasury Department's lead.
permalink | comments | technorati