Three things have been added. First, the client needs to select an image icon and a challenge phrase to go under that image. The user then saves this additional information to the Maybank2u.com server. The image with its challenge phrase will appear every time before you enter your password to log in (I am not sure whether it also appears for transactions). The reason this feature was added is to ensure that the bank knows something that the user knows. For the user to trust the bank, the user must be able to check whether the bank knows the extra information the user kept with it. This can temporarily keep phishing attacks away. You might think you do not need this feature because you can identify phishing from the URL, but bear in mind that not all users are so careful, and in addition there are phishing attacks that do not change your URL much.
Next is the challenge questions. You need to set three challenge questions with your own answers. I am not too sure when these challenge questions will be used; perhaps during transactions? In general this is a challenge-and-response feature and it is quite common, but why three of them, I am not too sure. It could be that when you change some of your profile information, such as your password, you will need the Transaction Authorization Code (TAC) together with the challenge questions.
Third, when you log in you no longer enter your username and password together for the bank to verify you. Instead, you enter your username first, then the bank shows you the image you can trust, and only then do you send your password for authentication. If you notice, this login flow is quite similar to the HSBC login system.
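The two-step flow described above, as an added illustration that is not Maybank2u's or HSBC's code: the user store, the icon name and the phrase are constructed for the demo, and the login token that ties step two back to step one is my assumption about how such a flow is held together. Note what it does not do: anything relaying traffic between customer and bank can pass the image straight through, which is why the rating below docks a point for Man in the Middle.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for this demo; a bank backs this with a database.
USERS = {
    "alice": {
        "salt": b"demo-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"demo-salt", 100_000),
        "image": "icon_07.png",    # the icon the customer picked when enrolling
        "phrase": "blue teapot",   # the challenge phrase shown under that icon
    }
}
PENDING = {}  # login_token -> username; issued by step one, consumed by step two


def start_login(username):
    """Step one: the customer sends only the username, and the bank answers with the
    icon and phrase the customer registered, proving it knows what the customer knows."""
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(16)
    PENDING[token] = username
    return {"token": token, "image": user["image"], "phrase": user["phrase"]}


def finish_login(token, password):
    """Step two: only after recognising the icon and phrase does the customer send the
    password, together with the token that ties this request to step one."""
    username = PENDING.pop(token, None)  # one-shot: a token cannot be reused
    if username is None:
        return False
    user = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    # constant-time comparison so a wrong guess does not leak timing information
    return hmac.compare_digest(candidate, user["pw_hash"])
```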
What is the Outcome?
Security – 3/5
Not having out-of-band transmission takes one point off the rating, and not fully protecting against Man in the Middle takes off another. However, it still deserves 3 points out of 5, as this new security feature will help a little for those users who are aware of it.
Convenience – 4/5
There is hardly any extra inconvenience added by this security feature. Transactions can still be done in the normal flow. The login section now requires two steps, but that is not a big trouble. However, one point comes off because the SMS TAC is what normal users rely on, which causes inconvenience during peak hours when it is hard to receive the SMS TAC in time.