Replacing hardware tokens for bank transactions

Continuing on from the previous shot, the Vasco Digipass is also required for each Rabobank transaction. I think we could replace this also which would eliminate the need for the token altogether and have true mobile banking.

-----------------

My local Rabobank uses the common Vasco Digipass system for hardware authentication. In my previous shot, I gave my thoughts on how this hardware system could be replaced for login. Rabobank also requires the Digipass for each transaction that you do.

To carry out a transaction (e.g.: transfer money between your accounts) the process is:

1. Do the regular stuff you would do to specify an amount and the to and from accounts.

2. When it comes to confirm the transfer, Rabobank will present you with a 6-digit code to enter into your Digipass.

3. You enter your PIN to unlock the Digipass, then use the 6-digit code to generate an 8-digit code which you enter back into the website.

4. If the 8-digit code matches what Rabobank was expecting, the transfer goes through.

The authentication here is to confirm that the algorithm you have matches what Rabobank believes you have. We can replicate this with just the keyboard and your PIN:

1. Do the regular stuff you would do to specify an amount and the to and from accounts.

2. When it comes to confirm the transfer, enter your PIN into what looks like a randomised number pad (see the image). While the number pad looks random, it actually still maps to the normal placement of numbers. E.g.: if you type a PIN of 12345, the actual number sequence sent to Rabobank is 36017.

3. If this matches the 5 digits that Rabobank was expecting, the transfer goes through.

The heart of this concept is that it still checks that you have the correct algorithm; the algorithm in this case is the keyboard layout. By my calculation there are about 3.6 million possible keyboard layouts (10! = 3,628,800 orderings of the ten digits), and, similar to the concept behind time-based hardware tokens, the layout would change every minute or so.

Combined with the UUID for the device, that would enable authentication for transactions using just your regular PIN and without the need for a hardware token.
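To make the idea concrete, here is an added sketch of how a rotating keypad layout could be derived on the device and checked by the bank. This is my own illustration, not code from the post or from Rabobank or Vasco. It assumes a per-device secret key provisioned at enrolment (standing in for the device UUID mentioned above), an HMAC-SHA256 derivation of the layout from that key and a one-minute time step, and a constructed PIN and secret used only for the demonstration.

```python
"""Time-varying keypad layout as the transaction 'algorithm' (illustrative sketch)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 60          # layouts rotate about once a minute, as the post suggests
DIGITS = "0123456789"


def current_counter(now: Optional[float] = None) -> int:
    """TOTP-style time step counter."""
    return int((time.time() if now is None else now) // STEP_SECONDS)


def layout_for(device_secret: bytes, counter: int) -> str:
    """Return one of the 10! keypad layouts for this device and time step.

    layout[pos] is the label drawn at standard keypad position pos
    (standard order 0..9). Derived from an HMAC so only the device and the
    bank, which share the secret, can compute it.
    """
    digest = hmac.new(device_secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    rnd = int.from_bytes(digest, "big")
    labels = list(DIGITS)
    for i in range(9, 0, -1):          # Fisher-Yates shuffle driven by the HMAC output
        j = rnd % (i + 1)
        rnd //= i + 1
        labels[i], labels[j] = labels[j], labels[i]
    return "".join(labels)


def encode_pin(pin: str, layout: str) -> str:
    """What the client sends: for each key the user presses (by its label),
    the standard digit that sits at that position. With the post's example
    layout, PIN 12345 becomes 36017."""
    return "".join(str(layout.index(d)) for d in pin)


def client_encode(device_secret: bytes, pin: str, now: Optional[float] = None) -> str:
    """Device side: draw the layout for the current step and encode the PIN."""
    return encode_pin(pin, layout_for(device_secret, current_counter(now)))


def server_verify(device_secret: bytes, pin: str, received: str,
                  now: Optional[float] = None, window: int = 1) -> bool:
    """Bank side: recompute the expected sequence for the current step and
    +/- window neighbours (clock skew) and compare in constant time."""
    base = current_counter(now)
    return any(
        hmac.compare_digest(encode_pin(pin, layout_for(device_secret, base + k)), received)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo values; a real deployment provisions the secret at enrolment.
    secret = b"constructed-device-secret"
    pin = "12345"
    sent = client_encode(secret, pin)
    print("layout:", layout_for(secret, current_counter()), "sent:", sent)
    print("accepted:", server_verify(secret, pin, sent))
```

Two points this makes visible that the description alone does not: the transaction check only works because device and bank share a secret that selects the layout, so the secret key (not the number of layouts) is what an attacker would have to obtain; and, as with any time-based scheme, the verifier must tolerate a step of clock drift and compare in constant time, which the `window` argument and `hmac.compare_digest` handle here.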

------------------

Overall, what I'm getting at is: hardware tokens have done a fine job for a long time. Now, there are options, in particular to make something like banking more humanised instead of having it be similar to managing nuclear launch codes.

More by Phillip Wong
