As we noted way back in 2006 the value in gaming credentials will bring out the fraudsters.. Now Blizzard is offering tokens for WoW. Queue the "If I can get it for WoW, why not my bank" blog posts:

I agree with the sentiment but I wanted to start a conversation regarding why you won't be seeing these tokens in the mail from your bank any time soon. The reason most banks, e-commerce sites, and even corporate VPN connections aren't protected by two-factor authentication can be broken down into a few reasons:

• cost: additional cost to customer, shipping, inventory, infrastructure, licensing, staff, overhead, etc.
• complexity: dealing with lost tokens, mistyped numbers causing locked acconts, countless help desk calls, etc. If you are locked out of your WoW account you can't play a game, when you are locked out of your bank account you can't pay bills, transfer funds, check your balance, etc. Simply put, the downside risk of customer convenience is greater than the upside risk of greater levels of security.
• motive: Blizzard is providing these tokens to help secure customers accounts, but also to further secure their future revenue stream and also to combat piracy and cheating, in short, it makes business sense. Banks don't typically suffer very much if a customer account is breached as they very rarely take the hit themselves but instead either insure against the loss (either federally or privately) or simply passing the costs onto customers.

I will offer up another reason: Stolen credentials are only one of the risks that banks face. They face much tougher threats from man-in-the-middle attacks and malware. Hardware tokens do nothing against such attacks. Online banking will require mutual authentication and eventually, some form of transaction authentication or digital signing. It may well be that the banks are waiting until such security is packaged and offered up by their software providers before investing too much into security.

Just a quick note to check our our howto on HTF: How To Secure Postgresql Using Two-Factor Authentication From WiKID . Since databases are the repository for critical information such as credit card numbers, we thought this would be a useful edition given PCI requirements, etc.

I'm always explaining what my company does to laymen and to some technical peoptle who look confused when I say that that WiKID does two-factor authentication. However, I am surprised that a security researcher and Trend Micro would not know what two-factor authentication is.

In Two-Factor Authentication Debunked by TSB Phish Fatima Bancod states:

The phishing Web site asks the user for his/her Open24 Number and Internet Password. Open24 is the online banking service established by the said bank to allow clients to access his/her records and transact via the Internet. It is usually printed on account-holders’ ATM or LASER cards, along with the Internet Password.

After keying in his/her credentials and clicking the CONTINUE button, the user is redirected to another phishing Web page that asks for the user’s 6-digit access number. The 6-digit Personal Access Number is a password previously created by the user. This password is a second layer of authentication that banks use to test whether the user is really who he/she claims to be.

At first I wondered if the "Open24 number" was a pre-printed list of one-time use numbers. But apparently not. So, this is equivalent to saying "write down your username and password on a sheet of paper and this will be your 'something you have' factor". This is not two-factor authentication. Not even close.

Of course, there are attacks against one-time password systems, as mentioned on this blog and there easily could be real-time phish attacks against time-based one-time password systems - and strong mutual authentication will protect against them. This attack just isn't one of them.