MARCH 14, 2005
TECHNOLOGY & YOU

New Weapons To Stop Identity Thieves

The motivation of the folks who write viruses and launch other attacks on computers is murky. But the goal of phishers, people who lure you to phony financial sites on the Web in order to steal passwords and account information, is theft, pure and simple. They pull it off primarily by fooling their unsuspecting victims, rather than by exploiting flaws in software.


That may explain why phishing incidents continue to proliferate despite the concerted efforts of software publishers to make it harder. And it is why the time has come to attack the problem at its root: the inadequacy of passwords. For Web sites where the potential losses are large, such as online banking sites, the password, no matter how cleverly constructed, has become too dangerous to use by itself.

The issue is authentication -- proving that you are who you claim to be online. The strongest password can be stolen by phishing. So for real security, passwords should be supplemented with either a biometric, such as a fingerprint, or a code. In most cases, the latter is an electronic password that changes with each log-in and that's generated by a device you carry.

Biometrics work well on corporate networks, where the initial registration can be done in person, but they're problematic for online-only transactions. Code devices may have broader appeal. The best-known is the SecurID from RSA Security (RSAS), which looks like a key fob for opening your car door but has a little window that displays a different six-digit number every minute. To log in to a SecurID-protected system, you enter a user name, a regular password, and the number on your fob. If it matches the number the system expects, you're in.

THE MAIN DRAWBACK of the SecurID is cost, both for the fob and the technology required to maintain tight time synchronization between the device and the log-in server. To date, it has been used mainly for corporate accounts, but America Online (TWX) offers a version called PassCode to members who want greater security for their online transactions. It charges about $33 a year for the service.

Some European banks have begun offering a lower-tech alternative. They mail their customers a card or sheet that contains a series of scratch-off numbers, something like a lottery ticket. To begin a transaction, the customer scratches off the next available number and enters it on the log-in screen. If it matches the number the system expects, the customer gets into the system. When the numbers are gone, the customer gets a new card. At $10 a year, it's cheaper than the SecurID -- but may still be too pricey for mass use.

Entrust (ENTU), a Canadian security company, has come up with a very clever solution. IdentityGuard is a grid with a number labeling each of five rows, a letter for each of 10 columns, and a digit in every cell. This allows for many trillions of arrays to be generated randomly with a near-zero probability of any two being alike.

When you log in to an IdentityGuard-protected system, you are asked to enter your user name, password, and the digit that appears in three or four cells. You look up the information on your array, which could be printed on an ATM or credit card, and enter it to log in.
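To make the grid-card exchange described above concrete, here is an added Python sketch of both sides of an IdentityGuard-style log-in (my own illustration, not Entrust's implementation): the issuer prints a 5-by-10 card of digits, the server picks three cells at random for each attempt and checks the digits the user types in constant time, and a helper counts how much of the card a phisher learns from captured responses. The sample card digits are constructed.

```python
import hmac
import secrets
import string

ROWS = "12345"                       # five numbered rows, as the column describes
COLS = string.ascii_uppercase[:10]   # ten lettered columns, A through J
CELLS_PER_CHALLENGE = 3              # the article says three or four cells per log-in

# Constructed sample card (digits of pi, not a real issued card).
SAMPLE_CARD = "3141592653" "5897932384" "6264338327" "9502884197" "1693993751"

def grid_from_digits(digits):
    """Build the {cell: digit} map for a printed card, e.g. '1A' -> '3'."""
    assert len(digits) == len(ROWS) * len(COLS)
    return {r + c: digits[i * len(COLS) + j]
            for i, r in enumerate(ROWS) for j, c in enumerate(COLS)}

def generate_grid():
    """Issuer side: mint a fresh random card for one user from CSPRNG digits."""
    return grid_from_digits("".join(str(secrets.randbelow(10)) for _ in range(50)))

def issue_challenge(n=CELLS_PER_CHALLENGE):
    """Server side: choose n distinct cells at random for this log-in attempt."""
    cells = [r + c for r in ROWS for c in COLS]
    chosen = []
    while len(chosen) < n:
        cell = secrets.choice(cells)
        if cell not in chosen:
            chosen.append(cell)
    return chosen

def answer_challenge(grid, challenge):
    """Client side: the user reads the digit in each requested cell off the card."""
    return "".join(grid[cell] for cell in challenge)

def verify(grid, challenge, response):
    """Server side: compare the response to the digits on file in constant time."""
    return hmac.compare_digest(answer_challenge(grid, challenge), response)

def exposed_cells(challenges):
    """Distinct cells a phisher learns from captured responses to these challenges;
    each capture reveals only the cells that were asked, not the whole card."""
    return len({cell for challenge in challenges for cell in challenge})
```

Because each log-in asks for a fresh set of cells, a response captured by a phishing page only answers the challenge it was captured for, which is what makes the grid card stronger than a static password.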

Simple as this is, there are serious limitations. People won't carry a separate card for each of the Web sites they visit. Until we get a common log-in system -- something like Microsoft's (MSFT) failed Passport, but with broad industry support -- the use of IdentityGuard-type approaches will be limited to sensitive accounts such as financial institutions and health records.

Some financial institutions are toughening up their online security to protect both customers and themselves. Bank of America (BAC), for example, has contracted with VeriSign to develop a supplement to passwords -- possibly a code device -- for online transactions. This is going to make doing business online slightly less convenient, but it's a necessary evil. The extra step is far less trouble than cleaning up after an identity theft.

By Stephen H. Wildstrom