Use two-factor authentication, unless it's too hard

Somewhat odd, but something

Somewhat odd, but something must be done with credit card system ASAP.
All additional security mechanisms put on i.e. my Master Card are as useful as until used in wrong place first time. Then, after running on a single phisher, there is virtually no method of proving I am not using credit card, chopping it to pieces won't help, I must have 24x7 service in bank to call immediately to cancel card and lock account.
In effect, a method is needed to verify each transaction, even if it causes transaction delay measurable in hours or days. One time passwords or challenge/response mechanisms ought to be used.
What is needed?
1. I make online purchase.
2. Site sends bill.
3. I sign bill with my secret key. If secret key is compromised, I can immediately change secret key/public key pair and assign for new one at my bank
4. Site sends my signed credentials to my bank.
5. Bank approves or not approves transaction, depending on my bank account status and balance.
5a. Bank sends to me the bill for veification. I can approve or not approve charge and amount on bill. Now it is based on confidence, which is not very good if you pay to anonymous site of certain character that is on unknown address in unknown country, and you don't know whom to sue in case of disputed charges.
5b. I sign the bill with my secret code and reply to bank.
6. Online site acknowledges my purchase, as it has been wired money.
7. I am sent goods or service.

You not that 5a and 5b introduce a delay, but then the system is practically PGP-strength proof on identity theft.

Since all data is transfered via a challenge/response method, identity theft is useless, since no data is valid twice.

If secret key is stolen or lost, credit card number does not have to be changed, neither there is a need to issue new physical card: a call or visit to online site is enough to cancel old secret key/public key pair, with time of cancellation, and all later uses of that key pair will be invalid, rejected and reported to some authority on suspicion of fraud.

WHO WOULD USE SUCH SYSTEM? When we know that additional complexity prevents people from using PGP?

It should be seemlessly incorporated into major browsers. Optional new protocol or existing protocol extension is required.

Physical token is optional.

This works this way:

1. Enter card number on purchase site.
2. Site makes online connection to your bank.
3. Bank sends challenge with scrambled charge amount
4. Site proxies challenge
5. You see challenge, open token, and type in response, acknowledging amount
6. Site proxies your response to bank
7. Bank wires money
8. Site delivers goods or service

This has the strength of the bank's challenge/response algorythm. In case of broken/compomised algorythm, malicious online site could decrypt your token's state from your reponse and authorize greater amount of money, forging also challenge, but this is a full compromise of bank anyway, rather unlikely to happen, or say much less likely that possibility of compromise if paid pirate software over the net on pirate site, or some other content.

The possibility of phishing is drastically reduced in both cases, since phishing site cannot emulate neither bank's secret key/public key algorythm, nor challenge/response algorythm, except in case where bank itself is compromised, or not even then if the strentgh is depending on encryption rather than on trust to bank's personnel.

In case of actual phishing site, all compromised information is used exactly once, and the charge amount is controlled and known in advance, so the damages are lesser by order of magnitude compared to full identity theft with series of charges from many sources to the account.

The existing ceredit card system in unusable, and it is based on weakest link strategy: credit card account is as sure as the weakest site where credit card number was used and/or deposited.

It will break inevitably, sooner or later.

It has to be replaced completely, or strenghtened with tokens or OTPs at least.

Thank you if you've read this far into this comment.

As a technical tool,

As a technical tool, two-factor authentication solves user authentication issue to a degree. However, the whole security system can still be defeated if other areas are attacked. In security games, each tool has its limitation and is useless if not used properly or no adequate process is in place.

[Full disclosure: this

[Full disclosure: this comment refers to technology developed and marketed by my company. However, I think that you will find that we have a serious contribution to make to the strong authentication debate.]
There is another very unique authentication technology that you should be aware of. It is based on peoples' innate ability to recognize familiar faces and has characteristics from two conventional authentication classes: knowledge factors and biometrics. I leave you to judge whether it qualifies as a new class of authentication (we call it a cognometric or recognition-based authentication) and as a true second factor or as single factor plus. Please check it out at www.passfaces.com.