I quite like the National Bank’s new lo-calorie two-factor authentication system. Nothing extra to carry around; no extra passwords. Easy. [Disclaimer: I used to work there, on NBNZ Online Banking. But I left a while back now and was not involved in this project. The following are my own opinions yada yada yada…]
Called Online Code, it will send you a text message (at no charge) containing a short numerical code to your mobile whenever you (or someone else) try to do certain things in Online Banking. You have to enter this code to prove that it’s really you out there at the end of that long piece of string between Online Banking and your PC. The code lasts for the rest of the session; you won’t need another unless you log out or time out.
Interestingly, not only is it voluntary, but they allow you to choose what kinds of activities you’d like to be texted for. There’s little guidance given on this, so in order to set it up some thought needs to be given to the kind of threat the service could forestall. My thoughts on this follow; you should probably think about this yourself before making any similar decisions.
So for me, I’m thinking “What if someone somehow got hold of my Online Banking password – for example, from me using a virus-infested PC or a dodgy internet café to do my online banking?”
If this happened, there’s a risk that the person doing it wants my money. So in this case, I’d want to be texted if any value was being transferred out of my accounts to somewhere else. There are a few ways this could happen:
- One-off Payments: an obvious target. Therefore I need a text for any of these. No exceptions.
- Automatic Payments: well, the ones I have now are OK (unless my kids maliciously increase the AP from my account to their accounts – somewhat unlikely for me I hope but for some people this could be a real scenario: kids; flatmates; spouses) but the fraudster could create a new one to themselves and use that. So I want to be texted if a new AP is created.
- Bill Payments: again, the existing ones, which are mainly to my utilities, are OK. Who is going to want to overpay my Telecom bill for me? (Some might. But it’s unlikely. And if it did happen I’m sure I could go to Telecom and get the money returned.) So I won’t need to be notified if any payments are made on those Bill Payees. But again, I will want to be texted to approve any new Bill Payee setups.
- Tax Payments: well, I suppose the fraudster could pay their tax bill from my account… or pay some random person’s out of sheer malicious pranksterism. I personally don’t think this is terribly likely, so I won’t require a text for this. On the other hand, I might change it back later. Do I trust the IRD to give me my money back if it did happen? I’m not completely decided as yet.
Here’s my current settings:
The options for addresses and passwords are also worth considering if you think a wider identity theft threat is credible – and as it costs nothing to tick the boxes I’ve done them too.
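The behaviour described above (a code is texted the first time a ticked activity is attempted, then covers the rest of the session) can be modelled in a few lines. This is an added example, not the bank's code: the action names, the six-digit code length and the `send_sms` callable are assumptions made for illustration.

```python
import hmac
import secrets

# Hypothetical labels for the activities discussed in the post.
ALL_ACTIONS = {
    "one_off_payment", "new_automatic_payment", "new_bill_payee",
    "pay_existing_bill_payee", "tax_payment", "change_address", "change_password",
}
# The choices argued for above: a text for everything except payments to
# existing Bill Payees and tax payments.
AUTHOR_POLICY = ALL_ACTIONS - {"pay_existing_bill_payee", "tax_payment"}


class Session:
    """One logged-in session; a verified code covers the rest of the session."""

    def __init__(self, policy, send_sms):
        self.policy = set(policy)
        self.send_sms = send_sms   # callable(str); stands in for the SMS gateway
        self.pending = None        # code issued but not yet entered
        self.verified = False

    def request(self, action):
        """Return 'allowed' or 'code_required' for an attempted action."""
        if action not in ALL_ACTIONS:
            raise ValueError(f"unknown action: {action}")
        if action not in self.policy or self.verified:
            return "allowed"
        if self.pending is None:
            # Assumed length: the post only says "short numerical code".
            self.pending = f"{secrets.randbelow(10**6):06d}"
            self.send_sms(self.pending)
        return "code_required"

    def enter_code(self, code):
        """Compare the typed code with the pending one in constant time."""
        ok = self.pending is not None and hmac.compare_digest(
            code.encode(), self.pending.encode())
        if ok:
            self.verified, self.pending = True, None
        return ok

    def logout(self):
        """Logging out or timing out ends the coverage of the code."""
        self.verified, self.pending = False, None
```

Once one ticked activity has been approved, every other ticked activity in the same session goes through without a new text, so the set of ticked boxes decides when the first text arrives rather than how many arrive.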
The easiest setup solution – down here at the bottom
On the other hand, maybe the easiest solution is just to tick them all. Then, if you get sick of being texted when you make a Bill Payment (the most common transaction in most internet banking systems) just untick that box only.
See? Easy. Although I took a long time getting here.