PASSWORDS have been used as a security device for centuries but now their days are numbered, according to some. Bill Gates, for example, believes that arming everyone with yet more complex technology will make electronic transactions safer. While this may be true for those prepared or able to use such technology, there’s a lot more that communications networks can do to take the strain and keep things simple.
Most electronic transactions and security procedures are “protected” by user name and password authentication, so it’s hardly surprising that passwords have become a currency among criminals who attack banks, businesses and individuals to steal cash, data or identities.
Many people use the same password for everything while others use a different password for each system. Both approaches have serious weaknesses. The first flaw enables a hacker who has successfully captured a password to tamper with not just one but all of a victim’s electronic accounts. The second defect is that people need to remember dozens of passwords, and to change them regularly. People often forget passwords, write them down or else enter the wrong one, increasing the burden on helpdesks.
Beyond passwords, there are approaches to authentication that have previously been considered a “gold standard”. In reality, though, nothing is foolproof and there always has to be a trade-off between security, usability and cost. There is no point, for example, in a bank spending a fortune on a system that is too cumbersome for its customers to use.
An appropriate level of investment, however, is essential to manage the risks involved in a rapidly evolving threat landscape. Fraud, money laundering and the financing of terrorists are activities carried out by “professionals” who work to a business case just like any legitimate organisation. Fighting them involves working to a business case that has the opposite objectives and ensuring you are sufficiently fleet of foot to outwit the bad guys.
Challenging the password
Authentication systems revolve around one or more of three things:
> something you know, such as a password or PIN
> something you have, like a smart card or an electronic token usually in the style of a key-fob
> something you are – for example, individual biometrics relating to fingerprints, voice patterns or iris scans.
Until now, passwords have ruled the roost because they are cheap to implement. But Bill Gates thinks we’ve reached the limits of this simple technology and is advocating stronger measures based on new technologies.
Like many other companies, Microsoft believes in a ‘multi-layered’ approach to security in which it becomes harder and harder to penetrate systems as the potential for damage to the organisation or its customers increases.
The software giant, however, tends to focus on measures that can be installed on the desktop or back-office server, or literally put into a person’s hand. The latter could be an electronic token or a hand-held card reader for use in the home in a similar way to the devices that read credit cards in shops.
This is not the only way to address the security challenge. First, though, what are the pros and cons of the approach Microsoft is recommending?
Two-factor technology
While most US banks still employ a simple approach to authentication based on user names and passwords, many organisations around the world now use ‘two-factor’ techniques. Typically, these involve tokens that generate a unique number which becomes useless after 30 seconds or so, or which is limited to a single use. In the case of electronic tokens, the user enters a unique one-off number as well as their user name and password.
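The time-limited, single-use token code described above, as an added example that is not part of the original article: a toy RFC 6238-style generator and a server-side verifier that refuses a code outside its 30-second step and refuses a second use of the same code. The secret and clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real token and server share a random per-user key.
SECRET = b"demo-shared-secret-not-for-production"
STEP_SECONDS = 30   # the roughly 30-second lifetime the article describes
DIGITS = 6

def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """One-time code for the time step containing at_time (RFC 6238 style:
    HMAC-SHA1 over the step counter, dynamically truncated to DIGITS digits)."""
    counter = at_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** DIGITS)).zfill(DIGITS)

class TokenVerifier:
    """Server side: a code is valid only during its own time step and only once."""
    def __init__(self, secret: bytes, step: int = STEP_SECONDS):
        self.secret = secret
        self.step = step
        self.last_counter_used = -1   # newest step already spent; enforces single use

    def verify(self, code: str, now: int) -> str:
        counter = now // self.step
        expected = totp(self.secret, now, self.step)
        if not hmac.compare_digest(code, expected):
            return "rejected: wrong or expired code"
        if counter <= self.last_counter_used:
            return "rejected: code already used"
        self.last_counter_used = counter
        return "accepted"

def demo() -> list:
    """Walk one code through its lifetime at a fixed, constructed clock."""
    t0 = 1_700_000_100             # start of a 30-second step (divisible by 30)
    verifier = TokenVerifier(SECRET)
    code = totp(SECRET, t0)
    return [
        verifier.verify(code, t0 + 5),                   # same step: accepted
        verifier.verify(code, t0 + 10),                  # same step, reused: rejected
        verifier.verify(code, t0 + 60),                  # two steps later: expired
        verifier.verify(totp(SECRET, t0 + 60), t0 + 60), # fresh code: accepted
    ]
```

Production verifiers usually tolerate one step of clock drift either side; the strict window here keeps the expiry behaviour visible.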
The result is an enhanced level of security, but the technique has its limitations. Citibank, for example, uses a two-factor system in the US, but it was successfully attacked by fraudsters last year. The phishing gang cloned the bank’s website so that customers updating user names and passwords, in response to emails purporting to come from the bank, were actually giving their login details to criminals.
Such scams are increasingly commonplace and have made it urgent for organisations to find a way to convince the public that the websites they are accessing are genuine. One of the challenges is to find a way of doing this that delivers acceptable security, is easy to use, and is of acceptable cost to organisations and their customers.
Evolving risk
Achieving all three is a challenge. In Holland, for example, people are prepared to buy hand-held card readers to access their bank accounts, but research shows that people in the UK are not willing to pay for enhanced security.
Even if answers can be found, they may only be effective for a limited time. The banks, among others, are beginning to realise this. They face a number of challenges:
> Securing their own websites and call centres
> Confirming transactions made on other commercial websites
> Checking that customers really are who they claim to be
> Encouraging people to use online services rather than going to the bank.
The picture is constantly changing. The arrival of chip and PIN authentication has seen a shift in fraud patterns from straightforward over-the-counter credit card fraud to so-called CNP (cardholder-not-present) fraud – either online or over the telephone.
The regulations that banks must meet are changing, too. To prevent money laundering, for example, European and American authorities now require banks and other financial services organisations to validate every new customer’s identity.
The Americans consider single-factor authentication including passwords and PINs to be inadequate for high-risk transactions but recommend a “reasonable” approach to risk. A recent report says: “The method of authentication used in an internet application should be appropriate and reasonable from a business perspective in the light of foreseeable risks.”
Crucially, it requires financial institutions to develop an ongoing process to align the extent of authentication with the level of risk involved in a class of transaction and to ensure the most appropriate authentication technologies are used in each case.
Network approach
So if ‘two factor’ techniques are already showing signs of weakness, are there any alternatives?
One that’s been in use for some years is based on the analysis of people’s behaviour patterns. Some credit card companies, for example, do more than check that the correct PIN is entered when a purchase is being made. They also look at the amount being charged and the store’s location to be sure these details fit with the card-holder’s normal behaviour. If they don’t, additional checks are made.
Phone companies apply similar checks to customers’ calls. Have they suddenly started making more calls, or started calling premium-rate numbers for long periods? Anything suspicious prompts a call to the customer to make sure all is well.
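The behaviour-based check the card companies apply, as an added example that is not part of the original article: a new transaction is compared with the holder's history on amount and location, and anything that does not fit triggers the "additional checks" step rather than an outright decline. The history, thresholds and transactions are constructed for the demonstration.

```python
from statistics import mean, pstdev

# Constructed cardholder history: (amount, merchant city). A real system draws on
# far richer signals and learned models rather than the fixed thresholds used here.
HISTORY = [
    (12.50, "London"), (40.00, "London"), (8.99, "London"), (65.00, "London"),
    (22.10, "Reading"), (30.00, "London"), (15.75, "London"), (55.20, "London"),
]

def assess(history, amount, city, stdevs=3.0, min_history=3) -> dict:
    """Decide whether a new transaction fits the holder's normal behaviour.
    Returns 'approve' when nothing stands out, otherwise 'additional checks'
    with the reasons, mirroring the card issuer's extra verification step."""
    if len(history) < min_history:
        return {"action": "additional checks",
                "reasons": ["too little history to judge normal behaviour"]}
    amounts = [a for a, _ in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    reasons = []
    # Amount well outside the holder's usual spread
    if amount > mu + stdevs * sigma:
        reasons.append(f"amount {amount:.2f} far above usual {mu:.2f} (sd {sigma:.2f})")
    # Merchant location never seen for this card
    if not any(c == city for _, c in history):
        reasons.append(f"location {city} not among usual locations")
    return {"action": "additional checks" if reasons else "approve", "reasons": reasons}

def demo() -> list:
    """Constructed transactions: routine, unusually large, far from home, routine."""
    cases = [(60.00, "London"), (950.00, "London"), (45.00, "Lagos"), (20.00, "Reading")]
    return [assess(HISTORY, amt, city)["action"] for amt, city in cases]
```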
In many ways, users and customers are the strongest weapon against hackers and fraudsters. Organisations should strive to keep their customers on their side – alert to the threat and helping defeat it. The clearer and more straightforward security checks are to complete, the more likely users or customers will want to cooperate.
Richard Baker is BT’s chief identity architect