What is a phishing scam? One day, you received an email that appeared to be from a well-known website. The email asked you to click on the link to the “website” so as to update your “personal particulars” or account information. As you happened to have an account with the site, you quickly clicked on the link, found the “familiar” interface of the “known website”, and logged in with your UserID and Password. Then you also proceeded to “update” your personal particulars, including the credit card number. After that, you logged off and went about your business. So what happened? You had just entered your UserID, Password and credit card details at a phishing site, which will then record this information and… use it on the actual site for themselves. This is a phishing scam.

Now, banks have started to introduce a Security Token that will help to remove such scams… maybe for good.

Security Tokens are basically small electronic devices that look like this:

[Image: Security Token]

Notice the 6-digit code on the screen? Every time you log in to your online banking account, you will need to enter the 6-digit security code from the device. These 6-digit codes are generated in real time and expire after a short time span of, say, 5 mins or 10 mins. Every time you log in to your account, a different, short-term code is generated in real time for immediate use only.

As you can see, a phishing website can grab your login information, but its operators will not be able to log in to your online account unless they also have the same device attached to your account (yes, these devices are also account specific).
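How such expiring, account-specific codes can be generated and checked, as an added example that is not part of the original post. It assumes the token follows the open TOTP scheme (RFC 6238 on top of RFC 4226), which the post does not state; the function names, secrets, times and the 5-minute window are constructed for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6           # length of the code on the token's screen
STEP_SECONDS = 300   # assumed lifetime of one code: 5 minutes


def token_code(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """Code a device holding `secret` displays at `at_time` (seconds)."""
    counter = at_time // step                      # constant for a whole window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def bank_accepts(account_secret: bytes, submitted: str, now: int) -> bool:
    """Server side: recompute the code for this account and this window."""
    return hmac.compare_digest(token_code(account_secret, now), submitted)


# Constructed sample data. ALICE_SECRET is the published RFC 4226 test key.
ALICE_SECRET = b"12345678901234567890"
BOB_SECRET = b"constructed-secret-for-bob"


def demo() -> dict:
    code = token_code(ALICE_SECRET, at_time=100)   # read off Alice's device
    return {
        "code": code,
        # The owner submits the code inside the same 5-minute window.
        "same_window": bank_accepts(ALICE_SECRET, code, now=250),
        # The same digits arrive after the window has rolled over.
        "after_expiry": bank_accepts(ALICE_SECRET, code, now=400),
        # The digits are checked against a different account's secret.
        "other_account": bank_accepts(BOB_SECRET, code, now=250),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The bank and the device share only the per-account secret and a clock, which is why a recorded UserID and Password are not enough on their own.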

A point to note is that, while Security Tokens can protect you from losing your login information to a phishing website, they do not help much if you have entered other information within the phishing site, e.g. your credit card number, etc… So if you are logging in to a phishing site and you notice that you did not have to use the code from the Security Token, that should warn you that there is something wrong. On the other hand, you may still make the mistake of forgetting about the code and just typing in your account details.

These Security Tokens are mostly used by the major, local online banking sites. However, we find that they are unlikely to be used widely by other major websites on the web. From a consumer’s perspective, it would be troublesome to keep several Security Tokens for different companies.

The conclusion is that though Security Tokens will help to reduce phishing scams for some companies, this solution is not going to eradicate phishing scams forever.

Perhaps there should be just one such device that can be used for different companies that implement the same security technology?