A German bank is attempting to thwart the phish in online banking through the use of pre-assigned transaction number identification. Online banking customers will soon be asked to provide a TAN when conducting a transaction, which is supposed to cut the emptying of accounts by thieves down to roughly 1%.
This is kind of like entering two passwords or PINs when conducting a transaction. One is permanent, getting you access to your account. The other is a temporary, one-time-use item assigned to the customer. The likelyhood of a scammer getting both from an account holder through a phishing exploit still seems pretty high (because, after all, many folks are still plain dumb). But given that TANs are assigned in just the hundreds, the ability of a thief to randomly generate the right TAN (if they don’t already have one) drop significantly.
I’m interested in hearing how this all works out. Whether US banks adopt a similar method is yet to be seen, but given that their back offices are already a data sieve, why would scammers really care about picking off a single customer anyway.