Passwords just don't cut it anymore.
The security community has been saying this for years, yet single-factor authentication - user name and password - is still the Internet's calling card. Whether you're doing online banking (if you dare; I don't), fiddling with your movie rental queue or loading up an online shopping cart, a user name and password is all you need. And it's simply not good enough. The proliferation of phishing has made that much clear.
Whatever we've done to educate the general public about spoofed e-mails and Web sites is failing. Miserably. Last week a young relative of mine - one who is smart, plugged-in and a recent grad of a good business school at a major university - told me that she'd never heard of phishing. I thought it was one of those strange blips where you have a blind spot about something everyone else knows, like how I managed to live some 25 years without knowing who Sean Connery is. (My now-husband eventually forgave me.) Then, yesterday, a report from the Pew Internet & American Life Project hit my desk. Of the 2,001 adult Internet users polled this spring, only 29 percent said they had a good idea of what phishing is. Fifty-five percent weren't really sure, and a full 15 percent had never heard the term.
We could blame this on overly technical descriptions - for starters, why accept a silly name like phishing, when all we're really talking about is spoofing, a word that everyone knows? But that's not the point. Phishers are asking for user names and passwords; people are giving them up; and if people stop giving them up voluntarily, the criminal community will just start taking them, by using malware, pharming and other kinds of criminal mayhem with silly names we've yet to make up.
Which is all just a roundabout way of saying that yes, passwords as we know them are dead - or they ought to be. In fact, George Tubin, a senior analyst at the Tower Group, believes that we should start assuming that a user name and password are going to be compromised. I agree.
The predictable fix is two-factor authentication - biometrics and keyfobs and other whatchamacallits and doo-dads that those same people who've never heard of phishing would be expected to figure out. But what's far more exciting to me is the prospect of building the same kind of fraud protection used by credit card companies into online banking and other e-commerce applications.
Consider this. That same relative of mine recently had her credit card stolen. She found out because her credit card company called her to ask if she was trying to take out a large cash advance at a casino in Las Vegas. This wasn't typical behaviour, so the credit card company blocked the transaction. We need to move the same kind of fraud protections to the online banking world. There's even more incentive for it there: While credit card companies can pass on a great deal of the cost of fraud to merchants, last year the banking industry ate most of the estimated $140 million in direct losses caused by phishing.
This is the rare case where technology, not education and awareness, needs to be the backbone of an effective approach. Vendors are just starting to create a whole category of nifty software that will, without causing customers much if any consternation, protect their accounts much better than user name and password ever could.
It's the kind of program that Bank of America just announced. With SiteKey, online banking customers will have the option of picking an image and phrase and answering three additional security questions of their choice. Then, when they log on to Bank of America's site, they'll see the image and phrase. If they don't, they'll know something is wrong. (Notice I don't say that if the picture does appear, they'll know everything is OK; this is simply an extra level of protection. A spoofed site that relays the user name to the real bank can fetch the image and phrase and show them back, so the picture proves only that whoever you're talking to could reach the bank, not that it is the bank.) Even more promising, if someone tries to access an account from an unknown computer, one of the additional security questions pops up. It's sort of like flagging a sudden cash advance in Las Vegas - or in Latvia, for that matter - by calling the customer.
This kind of technology is so new that there isn't a silly name for it yet; Tubin refers to it loosely as "risk-based authentication." The idea is to look at, say, the IP address, operating system and clock setting of the computer or computers where a customer generally accesses his online accounts. This creates a sort of digital fingerprint that includes the computer's approximate geolocation, derived from its IP address - something that marketers and content-delivery networks have been using for years to serve up targeted Web sites and ads and to balance bandwidth usage. This information can be incredibly powerful in fighting fraud, if matched with anti-fraud systems that monitor typical behaviour. A log-in attempt from an unusual location, or the sudden movement of large amounts of money to recipients with whom the customer has no previous relationship, calls for an extra level of authentication.
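To make the idea concrete, here is an added example of a risk-based log-on check in Python. It is not Bank of America's SiteKey code or Tower Group's model; the attribute weights, the thresholds and the sample customer profile are all assumptions made up for this illustration. The login attempt is scored against the best-matching computer the customer has used before (country from IP geolocation, network prefix, operating system, clock offset), a transfer is scored against the customer's payee history and usual amounts, and the sum lands in one of three buckets: allow, step up (ask one of the extra security questions), or deny.

```python
from dataclasses import dataclass

# Cost of each fingerprint attribute that fails to match a known device.
# Assumed weights for this example, not a vendor's scoring model.
WEIGHTS = {"country": 4, "network": 2, "os": 1, "utc_offset": 1}

@dataclass(frozen=True)
class Device:
    country: str      # from IP geolocation (assumed done upstream)
    network: str      # /24 prefix of the source IP, e.g. "203.0.113"
    os: str           # operating system reported by the browser
    utc_offset: int   # client clock offset from UTC, in minutes

@dataclass
class Profile:
    devices: list              # Devices seen at earlier successful log-ons
    payees: set                # recipients the customer has paid before
    usual_max_transfer: float  # largest transfer in the customer's history

def device_risk(attempt, profile):
    """Score the log-on against the closest device in the customer's history."""
    if not profile.devices:
        return sum(WEIGHTS.values()), ["no device history"]
    best_score, best_reasons = None, []
    for known in profile.devices:
        score, reasons = 0, []
        for attr, weight in WEIGHTS.items():
            seen, expected = getattr(attempt, attr), getattr(known, attr)
            if seen != expected:   # a DST clock change costs only 1 point
                score += weight
                reasons.append(f"{attr}: {seen!r} vs known {expected!r}")
        if best_score is None or score < best_score:
            best_score, best_reasons = score, reasons
    return best_score, best_reasons

def transfer_risk(amount, payee, profile):
    """Score a money movement against the customer's typical behaviour."""
    score, reasons = 0, []
    new_payee = payee not in profile.payees
    if new_payee:
        score += 2
        reasons.append(f"no previous relationship with {payee!r}")
    if amount > profile.usual_max_transfer:
        score += 2
        reasons.append(f"amount {amount} above usual max {profile.usual_max_transfer}")
    if new_payee and amount > 2 * profile.usual_max_transfer:
        score += 3   # both red flags at once: the Las Vegas cash advance
        reasons.append("large amount to a stranger")
    return score, reasons

def decide(score):
    """Yes, no or maybe: the log-on is no longer a binary check."""
    if score <= 1:
        return "allow"
    if score <= 8:
        return "step_up"   # an unknown computer alone lands here
    return "deny"

def assess(attempt, profile, transfer=None):
    """Combine log-on and transfer risk; transfer is (amount, payee) or None."""
    score, reasons = device_risk(attempt, profile)
    if transfer is not None:
        t_score, t_reasons = transfer_risk(transfer[0], transfer[1], profile)
        score, reasons = score + t_score, reasons + t_reasons
    return decide(score), score, reasons

# Constructed sample profile: one home PC, two known payees, transfers up to $1,500.
HOME = Device("US", "203.0.113", "Windows XP", -300)
PROFILE = Profile(devices=[HOME], payees={"landlord", "electric co"},
                  usual_max_transfer=1500.0)

if __name__ == "__main__":
    latvia = Device("LV", "198.51.100", "Linux", 180)
    for label, args in [("home, pay rent", (HOME, PROFILE, (900.0, "landlord"))),
                        ("unknown PC abroad", (latvia, PROFILE, None)),
                        ("home, big transfer to stranger", (HOME, PROFILE, (5000.0, "unknown llc"))),
                        ("abroad, big transfer to stranger", (latvia, PROFILE, (5000.0, "unknown llc")))]:
        print(label, "->", assess(*args))
```

A real deployment would learn the weights from fraud history and keep the decision reasons for the analyst who calls the customer; the point here is only that an unfamiliar computer produces a "maybe" rather than a flat yes, and that an unfamiliar computer plus an unusual transfer produces a "no".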
The problem with passwords is that they make logging on a yes/no operation. With these new techniques, the log-on process gets reincarnated as a yes, no or maybe operation. It won't solve all the problems of account fraud and identity theft, but it may just keep us in the game.