Can dynamic passwords ensure the security of online banking?
Online banking lets us do at home, with a few clicks, what used to mean queuing at the counter. This not only makes life easier for ordinary users but also greatly improves the operating efficiency of financial institutions and lowers their operating costs. However, online banking cannot escape the security threats that face the network in general: from the day the business began, the online banking thief has been right there with it. An online banking system can be divided into three parts: the bank server, the network and the client. In recent years online banking security incidents have occurred frequently, and the major domestic banks have continually upgraded their own systems. Server security is now extremely high, so thieves turn their attention to the large number of users (clients), whose information security awareness varies widely. User authentication, which requires the user to act, has become the crack in the "egg" of online banking that thieves favour. Since dynamic password technology was adopted, people no longer have to struggle to remember passwords or worry about Trojan attacks. But can dynamic passwords really give online banking the security we hope for? In fact, as dynamic passwords have become popular, their defects have been exposed to everyone. Take the scratch card, for example: it holds a fixed number of passwords. Apart from the inconvenience of regular replacement, the more important issue is its security risk. Someone who collects information over a long period may collect all of the dynamic passwords and completely break the scratch-card form of dynamic password; the small piece of paper itself may be copied or stolen; or the user's identity information may be used fraudulently. Looked at from the online banking transaction process, the dynamic password only authenticates the user's identity; it does not verify the transaction itself.
After the user's identity has been confirmed, the "man in the middle" intercepts the user's transfer operation, falsifies the data and sends it on to the server. The server cannot tell whether the transfer instruction came from the user or from a Trojan horse, so it simply carries out the transfer. The "man in the middle" then falsifies the information the server returns and displays it to the user. In this way the "man in the middle" easily bypasses the dynamic password, obtains the user's personal authentication information and takes complete control of the transaction. The dynamic password has become a "bodyguard" in name only; it cannot really protect the security of the user's account. A series of real cases also prove that dynamic passwords cannot lock down users' accounts. Mr. Li Xiaofeng, general manager of the China Financial Certification Center, believes that a real "security door" requires more: to complete a secure transaction, both parties must not only authenticate each other's identity, the transaction data must also be confidential, complete and unalterable, and the transaction must be non-repudiable. Once a transaction dispute with the bank arises, these are the necessary legal basis. Therefore online banking must have a truly reliable, legally recognised electronic signature and certificate; this is the ultimate solution to the problem. Although it is likewise a form of two-factor authentication, a USBKey digital certificate with a smart card chip is more secure because it adopts a public key infrastructure (PKI) and supports electronic signatures. Because the USBKey is an independent hardware device, and the new generation of USBKey also adds transaction authentication technology, a phishing attacker can neither forge the user's signature and impersonate the user to log in to the server, nor tamper with the user's transaction data. It thus resists attacks aimed at the transaction rather than at identity, such as "transaction forgery" or "transaction hijacking".

What is a dynamic password?
A dynamic password is also known as a dynamic token or one-time password (OTP). Its main principle is this: before the user logs in, a random number is combined with the user's private identity information to generate a randomly changing password, so that the password transmitted in each login is different, which improves the security of user identity authentication at login. Because the password changes every time, it is useless even if it is captured, and because it is generated by a special algorithm it is highly random and difficult to crack. Therefore dynamic passwords greatly improve the security of user identity authentication. In 2007 the Banking Regulatory Commission issued Circular [2007] No. 134, requiring all commercial banks to uniformly adopt two-factor identity authentication for all high-risk online banking accounts. As a result, the dynamic password (OTP) gradually entered the public eye and is strongly recommended by banks.
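The transaction-hijacking scenario and the signature-based defence described above, as an added Go example that is not from the original article: an OTP-only server executes whatever transfer arrives once login has succeeded, while a server that verifies an electronic signature over the transaction fields rejects a transfer altered in transit. ECDSA over P-256, the field layout, the account identifiers and the nonce are assumptions for illustration, not the USBKey's actual scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transfer is the instruction the user wants the bank to execute.
type Transfer struct {
	From, To string
	Amount   int
	Nonce    string // assumption: server-issued challenge so a captured signature cannot be replayed
}

// digest canonicalises every field so the signature is bound to all of them.
func digest(t Transfer) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", t.From, t.To, t.Amount, t.Nonce)))
	return sum[:]
}

// otpOnlyServer: once the login OTP is accepted, any transfer that arrives over the session is executed as received.
func otpOnlyServer(loginOK bool, _ Transfer) bool { return loginOK }

// signingServer: the transfer runs only if the user's signature verifies over the fields the server actually received.
func signingServer(pub *ecdsa.PublicKey, received Transfer, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(received), sig)
}

// scenario signs the intended transfer (the USBKey role: the private key stays on the token) and reports
// what each server does with the version it receives; tamper alters payee and amount in transit.
func scenario(tamper bool) (otpAccepts, sigAccepts bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	intended := Transfer{From: "ACC-USER", To: "ACC-PAYEE", Amount: 100, Nonce: "n-0001"} // constructed sample
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(intended))
	if err != nil {
		return false, false, err
	}
	received := intended
	if tamper {
		received.To, received.Amount = "ACC-OTHER", 5000
	}
	return otpOnlyServer(true, received), signingServer(&priv.PublicKey, received, sig), nil
}
```

Calling `scenario(true)` shows the OTP-only server still accepting the altered transfer while signature verification fails; in a real deployment the token would display the payee and amount for the user to confirm before signing.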