Delaying tactic improves online security

Instead of sending a password straight away, the customer sends an encrypted message that the recipient can only decode if they already know the password. That recipient then sends a message back to prove that it knows the password. But neither message is of any use to a criminal who intercepts it, because they do not contain the password itself. "The bank doesn't get any information," says Jakobsson. "But you know it's really your bank."