ING Direct's <ingdirect.com> three million U.S. customers now must enter passwords into the site with an on-screen PIN pad. Users have the choice of clicking on their numerical PIN or typing the corresponding letter into an on-screen box (see screenshot below). The letters are scrambled each time to defeat many keylogging programs.

Although, the virtual PIN pad technology has been widely deployed elsewhere in the world, it's new in the United States.

Analysis
Until recent deployments at Bank of America (NetBanker May 26), Citibank (NetBanker May 30), E*Trade (NetBanker March 2), and a handful of others, ING Direct has been the sole U.S. bank making at least a minimal attempt to make login more secure. For the past four years, it's required a third piece of information at login (partial social security number or year of birth). It's not really multi-factor authentication, because the third piece isn't too difficult to figure out, but it at least provided the perception of better security (click on screenshot below to see closeup of login page).

The virtual PIN pad, first used by ABSA Bank in 2003 (see Online Banking Report 96/97), isn't foolproof, but it does make it tougher for key-loggers and phishers to successfully recreate the login process at the bank. It's also a relatively inexpensive improvement with very little customer impact. In fact, I'd expect that the customer response is overwhelmingly positive.

If the bank combines these cosmetic security features with robust behind-the-scenes authorization controls, it should have enough to keep the crooks at bay AND satisfy regulators.

--JB