Why random-number fobs can't stop Internet bank fraud

Bruce Schneier has blogged a piece he wrote for the ACM magazine on "two-factor authentication": systems that combine a password you've memorized with a password that's randomly generated by a keyfob. Your employer may already require this for accessing your email (here at the O'Reilly Emerging Tech convention in San Diego, all the BBCers are lugging these things around), and your bank may have distributed these to you to reduce fraud.

However, the majority of Internet-based bank fraud can't be stopped by "two-factor authentication," because the attack it defends against isn't the attack that fraudsters actually use:

Here are two new active attacks we're starting to see:

* Man-in-the-Middle attack. An attacker puts up a fake bank website and entices the user to that website. The user types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.

* Trojan attack. The attacker gets a Trojan installed on the user's computer. When the user logs into his bank's website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

See how two-factor authentication doesn't solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.
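To make the relay point concrete, here is an added simulation (not from Schneier's piece or the post): the bank verifies a fob code the way an HOTP-style token would, and the "phishing site" simply forwards the password and code it captured. It goes one step past the post by also showing a transaction-bound code, where the fob's output commits to the amount and payee, so a forwarded code no longer authorizes a different transfer. The secret, password and counter are constructed demo values.

```python
import hashlib
import hmac
import struct

FOB_SECRET = b"constructed-demo-secret"   # constructed: shared by fob and bank
PASSWORD = "correct horse"                # constructed memorised factor
COUNTER = 42                              # constructed fob event counter


def hotp(secret: bytes, counter: int, extra: bytes = b"") -> str:
    """6-digit HOTP-style code: HMAC-SHA1 over the counter (plus optional
    transaction data), dynamically truncated as in RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def bank_accepts(password: str, code: str, counter: int) -> bool:
    """The bank only checks password + code; it cannot tell who typed them."""
    return password == PASSWORD and hmac.compare_digest(code, hotp(FOB_SECRET, counter))


def relay_attack() -> bool:
    """Man-in-the-middle: the fake site captures both factors and forwards them."""
    # The victim types password and fob code into the fake page...
    captured = (PASSWORD, hotp(FOB_SECRET, COUNTER))
    # ...and the relay submits exactly the same pair to the real bank.
    return bank_accepts(*captured, COUNTER)


def bank_accepts_transaction(password: str, code: str, counter: int,
                             amount: int, payee: str) -> bool:
    """Transaction-bound variant: the code commits to amount and payee."""
    expected = hotp(FOB_SECRET, counter, f"{amount}|{payee}".encode())
    return password == PASSWORD and hmac.compare_digest(code, expected)


def relay_attack_on_bound_code() -> bool:
    """Victim authorises his own transfer; the relay substitutes another one."""
    victim_code = hotp(FOB_SECRET, COUNTER, b"100|electric-company")
    return bank_accepts_transaction(PASSWORD, victim_code, COUNTER, 5000, "mule-account")


if __name__ == "__main__":
    print("forwarded login code accepted:", relay_attack())                    # True
    print("forwarded bound code accepted:", relay_attack_on_bound_code())      # False
```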
