ING Direct
I just logged into ING Direct Canada. While I’ve been away they’ve done a major software upgrade. I don’t know if the site works differently, aside from what I’d like to talk about here, but the accounts page looks cleaner and displays totals for your accounts by currency.
Presumably to combat phishing attacks against their customers they have introduced a feature allowing you to specify an image and some text that will appear whenever you are asked to enter your PIN — if you don’t see the image, it’s not ING’s website.
The image is picked out of a set that ING makes available to you. You can enter your own text, but some random-ish text is provided. I got a couple of samples and it’s all phrases like “my red house” or “her fast mountain” — [pronoun] [adjective] [noun]. That probably makes it easier to remember in passing.
The login process is now multi-stage. You enter your client number. If you are on a recognized computer ING sends you the PIN entry page with your image and text. If you are not on a recognized computer ING sends you an authentication question. I tried to fool it by authorizing my Mac and then logging on with my PC (they share one IP) but the site responded correctly.
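The multi-stage flow described above can be modelled in a few dozen lines, which makes its security property visible: the personalised image and phrase are only released to a browser that presents a valid device cookie, so a site that merely relays the client number to the real bank gets the authentication question, not the image. The model below is an added example for this post, not ING’s code; the server key, customer record, cookie format, decoy question and function names are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a server-side secret (assumption: a real deployment
# would keep this in an HSM or secrets manager, never in source).
SERVER_KEY = secrets.token_bytes(32)

# Constructed customer record. The image/phrase pair is the personalisation the
# post describes; the question is the fallback challenge for unrecognised browsers.
CUSTOMERS = {
    "12345678": {
        "pin_hash": hashlib.sha256(b"4321").hexdigest(),  # demo only; use a slow salted hash in practice
        "image": "red_house.png",
        "phrase": "my red house",
        "question": "Name of your first school?",
        "answer": "maplewood",
    },
}

# Fixed decoy question returned for unknown client numbers, so the response does
# not reveal which numbers are registered (a design choice of this example).
DECOY_QUESTION = "Name of your first pet?"


def _tag(client_number: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{client_number}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_device_token(client_number: str) -> str:
    """Mint the cookie value that marks this browser as recognised: a random nonce
    bound to the client number by an HMAC so it cannot be forged or re-targeted."""
    nonce = secrets.token_hex(16)
    return f"{client_number}:{nonce}:{_tag(client_number, nonce)}"


def device_recognized(client_number: str, token: Optional[str]) -> bool:
    """True only if the browser presents an untampered token minted for this client."""
    if not token:
        return False
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != client_number:
        return False
    return hmac.compare_digest(_tag(parts[0], parts[1]), parts[2])


def stage_one(client_number: str, token: Optional[str]) -> dict:
    """Client number has been entered. The source IP is deliberately not an input:
    two machines behind one address are told apart by their cookies, not their IP."""
    profile = CUSTOMERS.get(client_number)
    if profile is not None and device_recognized(client_number, token):
        # Recognised browser: reveal the personalised image and phrase with the PIN prompt.
        return {"page": "pin", "image": profile["image"], "phrase": profile["phrase"]}
    # Unknown number or unrecognised browser: challenge first, reveal nothing personal.
    question = profile["question"] if profile else DECOY_QUESTION
    return {"page": "question", "question": question}


def answer_question(client_number: str, answer: str) -> dict:
    """Unrecognised browser answered the challenge. A correct answer yields the
    personalised PIN page plus a cookie that will recognise this browser next time."""
    profile = CUSTOMERS.get(client_number)
    ok = profile is not None and hmac.compare_digest(
        profile["answer"].encode(), answer.strip().lower().encode()
    )
    if not ok:
        question = profile["question"] if profile else DECOY_QUESTION
        return {"page": "question", "question": question, "error": "incorrect answer"}
    return {
        "page": "pin",
        "image": profile["image"],
        "phrase": profile["phrase"],
        "set_cookie": issue_device_token(client_number),
    }


def verify_pin(client_number: str, pin: str) -> bool:
    """Final stage: PIN check, constant-time comparison against the stored hash."""
    profile = CUSTOMERS.get(client_number)
    if profile is None:
        return False
    return hmac.compare_digest(profile["pin_hash"], hashlib.sha256(pin.encode()).hexdigest())


if __name__ == "__main__":
    # A fresh browser: challenged, then recognised after answering correctly.
    print(stage_one("12345678", None))
    first = answer_question("12345678", "Maplewood")
    cookie = first["set_cookie"]
    print(stage_one("12345678", cookie))
    # A site that merely relays the client number (no cookie) never sees the image.
    print(stage_one("12345678", None))
```

Two things the model makes concrete. Recognition is a per-browser cookie, which is why the post’s Mac and PC, sharing one IP, were treated differently. And the decision of what to show happens before anything personal is revealed, so the image and phrase only ever travel to a browser that has already proved itself once, either by cookie or by answering the question.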
From home page to account page logins are now three clicks in the best case.
There will be people who blow by without checking the combination; heck, I probably will eventually — security through annoyance is self-defeating.
There will also be people who don’t know why they should care about the image and phrase. ING is the only site I’ve seen that does this, so they’ll have to make it very clear to clients that they should care, and why.
A larger part of the problem is that people who fall for phishing are non-technical. Just phish them for the authentication information as well:
Dear Mr. Smith:
You might have noticed that we’ve updated our security over at ING recently. If you haven’t yet signed up for “You Know It’s Us and We Know It’s You” just go to http://ingdirect-secure.ca, enter your client number and PIN, and we’ll get you started.
If you’ve just signed up, why not take a moment to do a security checkup? Just go to http://ingdirect-secure.ca/checkup. Make sure you have your security questions and your new image-phrase security combination ready! We’ll be testing you!
Thanks for your business. Hope to see you at our secure site soon,
ING Customer Service
No system is perfect. This new one will probably slightly decrease the number of phishing victims while slightly annoying everyone else. (Three-click logins!? What are they? Nuts?)
According to Schneier, these security models are only an annoyance to malicious third parties, as well:
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
Jared
11 Aug 06 at 10:57 am