
Guarding against dangers of cybercrimes

Last Updated 01 December 2009, 17:54 IST

The email message from the bank looks real. It isn’t. Law enforcement agencies that oversee computer security are well versed in the many permutations of “phishing,” the scam in which fraudsters try to lure people to a counterfeit replica of their bank’s website, for example, and have them part with their user names and passwords.

But even the professionally wary can be gulled — or close to it. Just ask Robert S Mueller III, director of the Federal Bureau of Investigation. Mueller recently received an email that seemed to be from his bank. He clicked on the link and began to follow the instructions to “verify” his account information. Before completing the procedure, however, he realised that he had been led to a counterfeit site — so he left. It’s the aftermath that is of most interest. After Mueller told his wife about his close call, he said she drew this conclusion from the experience: simply having online access to bank accounts is unacceptably risky.
“No more Internet banking for you,” she told him. The FBI director related the story in a speech to the Commonwealth Club of California in October. “Too little attention has been paid to cyber threats — and their consequences,” Mueller said.
An audience of civilians would naturally wonder, “What chance do we have of keeping our pockets from being picked?”

I’m not convinced, however, that online banking carries the high risk that Mueller implies. I know that as ordinary computer users, we are offered unlimited bait from phishers. But I’m not particularly worried: I’m not on the hook for losses from fraud — my bank is. I could not find any online financial service that stops short of promising to make a victimized customer whole.

Mueller, encouraging his audience to invest in “cybersecurity,” raised a terrifying spectre when he spoke of guarding “against losing everything.” But how could I suffer “losing everything” at the hands of online criminals when my bank has this policy posted on its Web site: “We guarantee that you will be covered for 100 per cent of funds removed from your Wells Fargo accounts in the unlikely event that someone you haven’t authorised removes those funds through our Online Services.”
Banks would like for us to use more sophisticated security than a password to protect our accounts. One way to combat the phishing threat is to require that online customers supply a second piece of information when they log in, a one-time-only numeric code that is either generated by a little gizmo built for this purpose or is sent to the customer’s cellphone.

Your password is “something you know,” as security experts describe it, and the temporary security code is “something you have” — and something that a phishing fraudster would not. Requiring two dissimilar things is the essence of “two-factor authentication.” I don’t know whether Mueller has persuaded his wife to lift the household ban on online banking. If he hasn’t, he should deploy the two words that have the magical power to put the most anxious online bank customer at ease: Zero liability.
The New York Times

(Published 01 December 2009, 16:48 IST)
