MARCH 14, 2005
New Weapons To Stop Identity Thieves

The motivation of the folks who write viruses and launch other attacks on computers is murky. But the goal of phishers, people who lure you to phony financial sites on the Web in order to steal passwords and account information, is theft, pure and simple. They pull it off primarily by fooling their unsuspecting victims, rather than by exploiting flaws in software. That may explain why phishing incidents continue to proliferate despite the concerted efforts of software publishers to make it harder. And it is why the time has come to attack the problem at its root: the inadequacy of passwords. For Web sites where the potential losses are large, such as online banking sites, the password, no matter how cleverly constructed, has become too dangerous to use by itself.

The issue is authentication -- proving that you are who you claim to be online. The strongest password can be stolen by phishing, because the victim types it into the attacker's site. So for real security, passwords should be supplemented with either a biometric, such as a fingerprint, or a code. In most cases, the latter is a one-time password that changes with each log-in and is generated by a device you carry. Biometrics work well on corporate networks, where the initial registration can be done in person, but they're problematic for online-only transactions.

Code devices may have broader appeal. The best-known is the SecurID from RSA Security (RSAS), which looks like a key fob for opening your car door but has a little window that displays a different six-digit number every minute. To log in to a SecurID-protected system, you enter a user name, a regular password, and the number on your fob. If it matches the number the system expects, you're in. Because each number is good for only about a minute, a code a phisher captures today is worthless tomorrow; to do harm, the phisher would have to relay it to the real site almost as soon as the victim typed it.

THE MAIN DRAWBACK of the SecurID is cost, both for the fob and the technology required to maintain tight time synchronization between the device and the log-in server.
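The SecurID-style log-in described above, as an added example that is not RSA's code or any bank's. RSA's algorithm is proprietary, so this uses the open HMAC-based scheme of RFC 6238 (TOTP) to show the same mechanism: a per-user seed shared by the fob and the server, combined with the current one-minute time slot, produces a six-digit code. The seed, user name, password, and timestamps are constructed for the demo. The server side shows the two things the cost remark hints at: tolerating a little clock drift between fob and server, and refusing to accept a code for a time slot it has already accepted.

```python
import hashlib
import hmac
import struct
import time

STEP = 60      # one-minute rotation, as described for the SecurID fob
DIGITS = 6


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """What the fob displays at Unix time `now` (RFC 6238: counter = now // step)."""
    return code_for_counter(secret, now // step, digits)


class TokenServer:
    """Server side of the log-in: user name + password + current token code.

    `window` is how many time slots of drift either way the server tolerates.
    Each user's last accepted slot is remembered so that a captured code cannot
    be replayed, even inside the drift window.
    """

    def __init__(self, window: int = 1, step: int = STEP):
        self.window = window
        self.step = step
        self.users = {}           # user -> [password, seed, last accepted slot]

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        self.users[user] = [password, seed, -1]

    def login(self, user: str, password: str, code: str, now=None) -> bool:
        if now is None:
            now = int(time.time())
        record = self.users.get(user)
        if record is None:
            return False
        stored_pw, seed, last_slot = record
        # Constant-time compare; a real deployment stores a password hash, not the password.
        if not hmac.compare_digest(stored_pw.encode(), password.encode()):
            return False
        current = now // self.step
        for slot in range(current - self.window, current + self.window + 1):
            if slot <= last_slot:
                continue          # already used, or older than the last accepted code
            if hmac.compare_digest(code_for_counter(seed, slot), code):
                record[2] = slot  # burn this slot so the same code cannot be reused
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"      # constructed demo seed; real seeds are random per token
    server = TokenServer(window=1)
    server.enroll("alice", "hunter2", seed)
    t = 1_000_000 * STEP + 17            # constructed "now" on the server
    shown = totp(seed, t - 40)           # fob clock 40 s behind: previous slot
    print(server.login("alice", "hunter2", shown, now=t))                      # accepted (drift)
    print(server.login("alice", "hunter2", shown, now=t))                      # rejected (replay)
    print(server.login("alice", "hunter2", totp(seed, t - 3 * STEP), now=t))  # rejected (too old)
```

The drift window is the trade-off behind the synchronization cost the column mentions: a wider window means fewer support calls for tokens whose clocks have wandered, but also a longer period during which a code captured by a real-time phishing relay remains valid. Remembering the last accepted slot closes the replay hole but does nothing against a relay that forwards the code within the window, which is why the column's warning about phishing still applies to one-time codes.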
To date, the SecurID has been used mainly for corporate accounts, but America Online (TWX) offers a version called PassCode to members who want greater security for their online transactions. It charges about $33 a year for the service.

Some European banks have begun offering a lower-tech alternative. They mail their customers a card or sheet that contains a series of scratch-off numbers, something like a lottery ticket. To begin a transaction, the customer scratches off the next available number and enters it on the log-in screen. If it matches the number the system expects, the customer gets into the system. When the numbers are gone, the customer gets a new card. At $10 a year, it's cheaper than the SecurID -- but may still be too pricey for mass use.

Entrust (ENTU), a Canadian security company, has come up with a very clever solution. IdentityGuard is a grid with a number labeling each of five rows, a letter for each of 10 columns, and a digit in every cell. With 50 cells, there are 10 to the 50th possible grids, so cards generated at random are practically certain to differ from one another. When you log in to an IdentityGuard-protected system, you are asked to enter your user name, password, and the digits that appear in three or four cells named by the system. You look up the digits on your grid, which could be printed on an ATM or credit card, and enter them to log in.

Simple as this is, there are serious limitations. People won't carry a separate card for each of the Web sites they visit. Until we get a common log-in system -- something like Microsoft's (MSFT) failed Passport, but with broad industry support -- the use of IdentityGuard-type approaches will be limited to sensitive accounts such as financial institutions and health records.

Some financial institutions are toughening up their online security to protect both customers and themselves.
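The two paper authenticators described above, the scratch-off sheet and the IdentityGuard-style grid, as an added example that is not Entrust's or any bank's code. It assumes a five-row by ten-column grid with rows numbered 1 to 5 and columns lettered A to J, three-cell challenges, and six-digit scratch-off numbers; the class names, the lock-out after three wrong entries, and the sample numbers are constructed for the demo.

```python
import hmac
import secrets
import string

ROWS = "12345"
COLS = "ABCDEFGHIJ"
ALL_CELLS = [c + r for r in ROWS for c in COLS]   # "A1" ... "J5", 50 cells


class TanSheet:
    """Scratch-off sheet: numbers are valid once each, in order."""

    def __init__(self, numbers, max_failures=3):
        self.numbers = list(numbers)
        self.position = 0            # index of the next unscratched number
        self.failures = 0
        self.max_failures = max_failures

    @classmethod
    def issue(cls, count=50, digits=6):
        """Generate a fresh sheet; the bank prints it and keeps the same list."""
        return cls("".join(secrets.choice(string.digits) for _ in range(digits))
                   for _ in range(count))

    def remaining(self):
        return len(self.numbers) - self.position

    def verify(self, entered):
        # Locked sheets and exhausted sheets accept nothing; the customer needs a new card.
        if self.failures >= self.max_failures or self.remaining() == 0:
            return False
        expected = self.numbers[self.position]
        if hmac.compare_digest(expected.encode(), entered.encode()):
            self.position += 1       # consume the number only on success
            self.failures = 0
            return True
        # A wrong entry does not advance the sheet, so a guesser gets only a few tries.
        self.failures += 1
        return False


class GridCard:
    """Card with one digit per cell; the server stores an identical copy."""

    def __init__(self, cells):
        if set(cells) != set(ALL_CELLS):
            raise ValueError("grid must cover every cell exactly once")
        self.cells = dict(cells)

    @classmethod
    def issue(cls, rng=secrets.SystemRandom()):
        # Each card is one of 10**50 possible grids, drawn from a CSPRNG.
        return cls({cell: rng.choice(string.digits) for cell in ALL_CELLS})

    def render(self):
        """What is printed on the card."""
        lines = ["   " + "  ".join(COLS)]
        for r in ROWS:
            lines.append(r + "  " + "  ".join(self.cells[c + r] for c in COLS))
        return "\n".join(lines)

    def answer(self, challenge):
        """What the customer reads off the card for the named cells."""
        return "".join(self.cells[cell] for cell in challenge)


class GridServer:
    """Issues a fresh challenge per log-in and checks the response once."""

    def __init__(self, rng=secrets.SystemRandom()):
        self.rng = rng
        self.cards = {}       # user -> GridCard
        self.pending = {}     # user -> outstanding challenge

    def enroll(self, user, card):
        self.cards[user] = card

    def challenge(self, user, n=3):
        coords = self.rng.sample(ALL_CELLS, n)   # distinct cells, new every time
        self.pending[user] = coords
        return coords

    def verify(self, user, response):
        coords = self.pending.pop(user, None)    # one attempt per challenge
        if coords is None or user not in self.cards:
            return False
        expected = self.cards[user].answer(coords)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    card = GridCard.issue()
    print(card.render())
    server = GridServer()
    server.enroll("bob", card)
    coords = server.challenge("bob")
    print(coords, server.verify("bob", card.answer(coords)))   # e.g. ['C4', 'H1', 'B5'] True
```

Two properties matter for the phishing scenario the column opens with. A scratch-off number is good exactly once, so a phisher who captures it has to use it before the customer does. A grid challenge names different cells each time and is consumed after one answer, so a phishing site that collects one response learns only three of the fifty digits; it would need to harvest many log-ins to reconstruct the card. Both schemes still fall to a real-time relay of a single log-in, which is the same caveat that applies to time-based tokens.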
Bank of America (BAC), for example, has contracted with VeriSign to develop a supplement to passwords -- possibly a code device -- for online transactions. This is going to make doing business online slightly less convenient, but it's a necessary evil. The extra step is far less trouble than cleaning up after an identity theft.

By Stephen H. Wildstrom