
November 17, 2004 6:33 PM PST

Microsoft's answer to phishing: Two IDs

Banks are looking to bring down the number of phishing attacks by adopting two-factor authentication, which would require people to produce two forms of identification, Microsoft said on Tuesday.

The software giant's chief security strategist, Scott Charney, said that companies had failed to adopt the technology as fast as he would have liked.

"We haven't had as much adoption as you would hope for," Charney said at the Microsoft IT Forum in Copenhagen. "A lot of solutions for two-factor authentication are for enterprise spaces. If you get two-factor authentication to the consumer level, you reduce the phishing threat."

Phishing attacks use e-mails crafted to look as if they were sent from legitimate organizations, in order to trick recipients into handing over account credentials and other identity information. Companies such as eBay and PayPal, and some banks, have seen their customers targeted by the fraudsters behind such scams.

Phishing fraud has cost U.S. consumers $500 million, according to a recent survey sponsored by Truste, a nonprofit privacy group, and NACHA, an electronic payments association.

"Banks are looking at (two-factor authentication)," Charney added. "The real issue is the consumer acceptance. This kind of security when implemented is not often viewed as friendly. There is a challenge in how you communicate this."

Earlier this month Howard Schmidt, former cybersecurity advisor to the White House, called for companies to implement two-factor authentication. He said that the technology was already available and that people should have to supply more than one credential for Internet transactions.

But the United Kingdom's Association for Payment Clearing Services (APACS), which represents the banking industry, said on Wednesday that no decisions have been taken to go ahead with two-factor authentication, despite the rise in phishing attacks.

"The fact is, it's a massive undertaking," said Tom Salmond, a managing consultant in the e-banking fraud liaison group at APACS. "It's under active consideration, but no decisions have been made at this time."

Richard Clarke, another former cybersecurity advisor to the White House, said earlier this month that online banking transactions cost just half of 1 percent of the cost of a physical transaction.


Comments (3)
2 Factor Auth Will Only...
by pdxtech November 17, 2004 10:19 PM PST
prevent thieves from hacking into accounts by guessing passwords. A 1-factor Phishing attack will simply appear to be a "more convenient" version of a banks web site to average consumers.
Reply to this comment
QUESTION...
by Earl Benser November 18, 2004 5:50 AM PST
I wouldn't want to infer that M$ management has got their heads up their butts (again), but how can a requirement for dual IDs stop a phishing attack that asks to verify both forms of ID?

If people are dumb enough to respond to current phishing attacks, they are dumb enough to provide both ID forms to an expanded phishing attack.
Reply to this comment
Two Factor Authentication
by wbenton November 18, 2004 9:16 AM PST
Two factor Authentication or only One factor Authentication... it doesn't matter.

As long as the Authentication process(es) one or more can be spoofed... they will continue to be a problem.

The Key to security lies in the keys.
Keys for authentication
Keys for encryption
Method of Key creation
Method of Key storage
Method of Key delivery
Method of Key backup
Method of Key protection

All of these combined make any Authentication (Single, Double, Triple or otherwise) secure or insecure.

Where are the keys stored?
Is that storage encrypted?
How were the keys created? (is there any pattern?)
Who has access to those keys?
Are those keys backed up? (What backup methods and storage for those backups?)
What encryption method is used, what is the key length, can those keys be retrieved somehow?

It's quite complex and the FIPS 140 Specifications detail a lot of methods to use, but all of them are cumbersome at best.

Bottom line: Good security ain't cheap and cheap security ain't necessarily good.

Likewise, strong keys used with a weak encryption method or weak keys used with a strong encryption method make for more mess than it's worth.

Keys are the KEY to security, from creation, handling, storage & backup to revoking.

FWIW
Reply to this comment
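The scenario the commenters describe (a phishing page that asks for both the password and the second factor and passes them straight on to the bank) can be run end to end. The following is an added example, not code from CNET, Microsoft or any bank: a toy login service that checks a password plus an RFC 6238 time-based one-time code, with each code accepted at most once per time step. The bank class, the user "alice", the password and the shared secret are all constructed for the demonstration. It shows that a stolen password alone is rejected, that a code relayed within its 30-second validity window is accepted even though the victim never contacted the real site, and that the same code is useless once consumed or once the time step has passed.

```python
import hashlib
import hmac
import struct

# Constructed demo secret. In a real deployment this is a random,
# per-user secret provisioned into the user's token or phone.
SHARED_SECRET = b"constructed-demo-secret-0123"
TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP evaluated over the current time step."""
    return hotp(secret, now // step)


class Bank:
    """Toy bank login: password plus a time-based one-time code.

    A code is accepted at most once per time step, so a code captured and
    replayed later fails. A code relayed to the bank in real time by a
    phishing page does not, because the bank cannot tell who typed it."""

    def __init__(self, users):
        # users: name -> (sha256 hex of password, TOTP secret); hashing is
        # kept deliberately simple for the demo (use a slow KDF in practice).
        self.users = users
        self.used = set()  # (user, counter) pairs already consumed

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        pw_hash, secret = self.users[user]
        counter = now // TIME_STEP
        ok_pw = hmac.compare_digest(
            hashlib.sha256(password.encode()).hexdigest(), pw_hash)
        ok_code = hmac.compare_digest(code, hotp(secret, counter))
        if not (ok_pw and ok_code) or (user, counter) in self.used:
            return False
        self.used.add((user, counter))
        return True


def scenario():
    """Returns (password_only, relayed, victim_after, later) login results."""
    now = 1_100_000_010  # fixed, step-aligned timestamp so the run is deterministic
    bank = Bank({"alice": (hashlib.sha256(b"hunter2").hexdigest(), SHARED_SECRET)})
    token = totp(SHARED_SECRET, now)  # what alice's token displays right now

    # 1. A phisher who only obtained the password is stopped by the second factor.
    password_only = bank.login("alice", "hunter2", "", now)

    # 2. A phishing page that asks for both the password and the one-time code
    #    and relays them within the same 30-second step is accepted.
    relayed = bank.login("alice", "hunter2", token, now + 5)

    # 3. The victim's own attempt with the same code then fails (step consumed),
    #    and the captured code is worthless once the step has rolled over.
    victim_after = bank.login("alice", "hunter2", token, now + 10)
    later = bank.login("alice", "hunter2", token, now + TIME_STEP)
    return password_only, relayed, victim_after, later


if __name__ == "__main__":
    print(scenario())  # (False, True, False, False)
```

The one-time code closes the password-guessing and credential-reuse cases pdxtech mentions, but because the code is a bare secret that the user types wherever they are asked, the bank has no way to bind it to the genuine site; a real-time relay through a look-alike page succeeds. Only a second factor that is cryptographically tied to the origin it is used with removes that gap.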