(via Bruce Schneier) Two banks in New Zealand are introducing an interesting form of two-factor authentication. Looks like anyone who tries to transfer $2,500 or more to a third party bank account via the website will be required to use their new technology. The system will text message the customer’s cell phone an eight-digit passcode, which will be required to complete the transfer. Passcodes will expire after three minutes, and users can lower the $2,500 threshold if they would like.
I assume the banks involved have done a study and determined that a good majority of the people banking online with them also use a cell phone. What I’m curious about is the security of the text message. Not knowing anything about how the SMS protocol works, I wonder how hard it is for me to intercept a message headed for someone’s phone. Presumably if I know enough about someone to get their bank username and password, and I’d like to steal more than $2,500, it’d be easy enough for me to try to find their cell phone number. Another factor is how hard it is to clone a cell phone. Again, not knowing much about SMS, I’d assume that a cloned phone would be able to intercept any messages sent to the original.
That being said, two factor authentication is always a big step up from just requiring a user name and password, especially since one if not both of those are usually easy to figure out. It will be interesting to see if this catches on elsewhere.