http://www.wired.com/news/technology/0,70234-0.html

By Ryan Singel
February 17, 2006

SAN JOSE, California -- Identity theft and online bank fraud were the unofficial themes of the 2006 RSA Conference, a massive security confab where Bill Gates came to announce the imminent death of the password and vendors filled the exhibition halls with iPod giveaways and promises that their product could stop everything from spam and malware to hackers and typos.

Thanks to a California law known as SB 1386 that requires companies to disclose sensitive data leaks to California consumers, companies like ChoicePoint and shoe retailer DSW became poster children for corporate negligence last year after mishandling sensitive data. In the wake of Senate hearings and investigations from federal regulators, corporations are beefing up security, both behind the scenes and at their virtual front doors.

To find out how those changes will affect consumers in their daily online activities, Wired News surveyed the offerings of the over 250 security companies packed into RSA's exhibit hall, accompanied by cryptographer John Callas, who has been attending the conference since 1993. Callas is currently the CTO of PGP, the industry leader in encrypted communications and data storage.

Perhaps the biggest change this year will be in online banking, as financial institutions move to comply with federal oversight agencies that are directing banks (.pdf) to secure their sites with more than just user logins and passwords. These extra fraud profiling and authentication measures are necessary, according to Callas, since the threats on the internet have changed.

"Now we are not dealing with kids having fun," Callas said. "We are dealing with criminals -- the Russian mafia. And online banking risks are there if your bank offers it, even if you don't use it."

E-trade, for instance, already offers free RSA security tokens to its most active users.
Those battery-powered devices work by using a seed number and the current time to cryptographically generate a secure one-time code to complement the normal user login and password. But those gadgets aren't cheap and most people don't want multiple tokens or prefer not to carry them around. That's prompted newcomers to find alternative methods of performing "two factor" authentication.

Callas likes PassMark Security's solution, which examines the device a user logs in from, looking for a number of factors including IP address and a secure cookie or Flash object the bank has previously stored on the machine, as the extra identification. Bank of America began offering the service in May 2005.

Now a Bank of America customer logging in at the usual time from her usual machine will only need to enter the user name and password. But if that person is on a different machine using a different browser in a different time zone, for example, she will be presented with challenge questions that she answered when she signed up. Users could also be sent an additional one-time password by SMS text message or called on their cell phone by a machine using a synthetic voice to tell them an extra password.

Additionally, PassMark helps keep users from entering passwords into fraud sites pretending to be their bank by displaying a unique image and caption, such as a sailboat labeled "Dream Boat," on the real site. The authentication back to the user is great, and can't easily be hacked without detection, according to Callas. And while it won't eliminate crime, it might be enough to persuade would-be fraudsters to go after a different bank, Callas said.

"It is reasonably valuable if you can convince someone to steal from other people," Callas said.

Another authentication method that caught Callas' attention was by BioPassword, a company that adds an extra layer of security by locking out users who don't type in a password with the same typing style as the original user.
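The token mechanism described above (shared seed plus current time giving a short-lived code), as an added example that is not from the article or from RSA. SecurID's own algorithm is proprietary, so this uses the open RFC 6238 TOTP construction as a stand-in; the seed value is constructed for the demo, and the server-side check shows the clock-skew window a verifier needs.

```python
import hashlib
import hmac
import struct
import time

# Added example: time-based one-time codes in the style the article describes.
# Stand-in for the proprietary SecurID scheme: RFC 6238 TOTP, i.e. HMAC-SHA1
# over a 30-second counter with RFC 4226 dynamic truncation.
STEP_SECONDS = 30
DIGITS = 6

def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the code for the time step that contains unix_time."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(seed: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus skew_steps so a
    token whose clock has drifted slightly still works; compare in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(seed, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

# Constructed demo seed (the RFC 6238 test secret); a real token's seed is
# provisioned by the issuer and never leaves the token and the bank's server.
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("code:", code, "accepted:", verify(DEMO_SEED, code, now))
```

A code is only as secret as the seed: if the seed file is copied, every future code is predictable, which is why the seed is the asset to protect on both the token and the server.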
Callas says he's generally not bullish on biometrics like fingerprint readers for e-commerce, since, like credit card numbers, the data can be stolen. But he likes the typing rhythm idea, because unlike a fingerprint, the user can easily reset the system.

"If you pick a new password then you will have a new rhythm," Callas said. "That's the disposable biometric."

The system does have one side effect that may or may not be a bug, admits BioPassword vice president Dean Bravos. Users who have been drinking may not be able to log in.

These two companies aren't the only ones trying to find ways to add extra authentication without requiring users to carry around security tokens. Conference organizer RSA Security, the undisputed leader in security tokens, recently acquired Cyota, which offers financial institutions methods to authenticate users based on their usage patterns. Cyota technology looks at such metrics as users' cookies and IP address, in combination with their transaction history -- so a middle-America soccer mom sending $2,000 at 2:00 am to an account in Turkey might raise a red flag.

Other new offerings from RSA Security include a browser toolbar that works like a security token, and software that can turn a mobile phone or a BlackBerry into a token.

Even mostly invisible, behind-the-scenes authentication will help internet users feel safer, as banks and brokerage houses can now offer financial guarantees to their customers, according to Scott Young, the vice president of RSA/Cyota's consumer division.

"A lot of us are familiar with the experience of getting a call from a credit-card company, saying, 'Hey, did you make this transaction?,'" Young said. "Even though we don't see that going on all the time, the reassurance of having someone check with us, even if it was us making that transaction, is really valuable.
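The "disposable biometric" above, as an added example that is not BioPassword's code: a typing-rhythm profile is enrolled from several typings of one password and a login is accepted only when its inter-key timings fall inside the enrolled bands. Because the profile is tied to the password text, choosing a new password simply starts a new enrollment. The keystroke timings and the tolerance are constructed assumptions.

```python
import statistics

# Added example of keystroke-rhythm verification. Timestamps are key-down
# times in milliseconds, one per character of the password; the profile is
# keyed to the password, so a password change discards the old rhythm.

def flight_times(keydown_ms: list[int]) -> list[int]:
    """Intervals between successive key presses."""
    return [b - a for a, b in zip(keydown_ms, keydown_ms[1:])]

class RhythmProfile:
    def __init__(self, password: str, samples: list[list[int]]):
        # Enrol from several typings of the same password: per-interval mean and
        # spread. A floor on the spread avoids zero-width bands from tidy samples.
        self.password = password
        self.length = len(password)
        cols = list(zip(*(flight_times(s) for s in samples)))
        self.mean = [statistics.mean(c) for c in cols]
        self.std = [max(statistics.pstdev(c), 10.0) for c in cols]

    def matches(self, keydown_ms: list[int], tolerance: float = 2.5) -> bool:
        """Accept when every interval lies within `tolerance` spreads of its
        enrolled mean; wrong length means the wrong password was typed."""
        if len(keydown_ms) != self.length:
            return False
        ft = flight_times(keydown_ms)
        return all(abs(x - m) <= tolerance * s
                   for x, m, s in zip(ft, self.mean, self.std))

# Constructed enrollment: three typings of a six-character password.
ENROLLMENT = [
    [0, 120, 250, 360, 500, 610],
    [0, 130, 240, 370, 490, 620],
    [0, 115, 255, 355, 510, 600],
]
DEMO = RhythmProfile("s3cret", ENROLLMENT)

if __name__ == "__main__":
    print("owner:", DEMO.matches([0, 125, 245, 365, 495, 615]))
    print("slow typist with the right password:", DEMO.matches([0, 300, 600, 900, 1200, 1500]))
```

The second check is the side effect Bravos mentions: a legitimate user whose rhythm changes for any reason is locked out along with the impostor, so deployments pair this with a fallback such as challenge questions.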
"Likewise, most of the time, consumers are not inconvenienced by (RSA/Cyota's) extra security but a decent percent will know, since they will have some interaction with the security system at some point, that they are being protected."
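The risk-based checks described for PassMark and Cyota above (device cookie, IP address, time of day, transaction history) as one added example; this is illustrative code, not either vendor's product. The weights, thresholds and the sample customer profile are assumptions; the three outcomes map to the article's silent login, challenge questions or SMS code, and a hold for a call-back.

```python
from dataclasses import dataclass

# Added example of adaptive (risk-based) authentication: each login or transfer
# is scored by how far it departs from the customer's established profile.
# Weights, thresholds and the demo profile are illustrative assumptions.

@dataclass
class Profile:
    device_cookie: str       # secret cookie the bank stored on the usual machine
    usual_ip_prefix: str     # network the customer normally connects from
    usual_hours: range       # local hours she normally logs in
    home_country: str
    typical_transfer: float  # ceiling of her normal transfer size

@dataclass
class Attempt:
    device_cookie: str
    ip: str
    hour: int
    transfer_amount: float = 0.0
    payee_country: str = ""

def risk_score(p: Profile, a: Attempt) -> int:
    score = 0
    if a.device_cookie != p.device_cookie:
        score += 2           # unrecognised machine
    if not a.ip.startswith(p.usual_ip_prefix):
        score += 1           # unfamiliar network location
    if a.hour not in p.usual_hours:
        score += 1           # odd hour, e.g. 2:00 am
    if a.transfer_amount > p.typical_transfer:
        score += 2           # larger than her usual transfers
    if a.payee_country and a.payee_country != p.home_country:
        score += 3           # money leaving the country
    return score

def decide(p: Profile, a: Attempt) -> str:
    """'allow' silently, 'challenge' with secret questions or an SMS one-time
    code, or 'hold' the transaction for a call-back, by accumulated risk."""
    score = risk_score(p, a)
    if score <= 1:
        return "allow"
    if score <= 4:
        return "challenge"
    return "hold"

# Constructed profile for the article's middle-America customer.
DEMO_PROFILE = Profile("c0ffee", "203.0.113.", range(7, 23), "US", 500.0)
```

Scoring on several weak signals rather than one strong one is what lets the bank stay silent for the routine case while still catching the 2:00 am overseas transfer.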
This archive was generated by hypermail 2.1.3 : Mon Feb 20 2006 - 22:38:36 PST