March 15, 2005 12:35 PM PST

Expert: Better ID checks won't beat fraud

Plans to bolster online security with code-generating doodads, fingerprint readers or smart cards are not likely to solve the identity fraud problems currently plaguing database companies and online stores, a security expert has warned.

Two-factor authentication, or the use of a method in addition to a password to verify identity, could still be defeated by Trojan horses and phishing attacks, Bruce Schneier, a cryptographer and chief technology officer at network protection company Counterpane Internet Security, said on Tuesday.

Related story
Password imperfect
Microsoft is looking to plug a security hole: weak passwords
"Since we have proposed the solution, the problems have changed," Schneier said in an interview with CNET News.com. "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."

The well-known encryption expert, who has authored books on information security and terrorism, argued in a posting to his blog that e-commerce companies and security providers need to think more deeply about what two-factor authentication can solve.

"It's not going to prevent identity theft," he wrote. "It's not going to secure online accounts from fraudulent transactions."

Schneier's no-confidence vote comes a day after Microsoft renewed calls at the CeBit conference in Hannover, Germany, to supplement passwords with another identity check. It also comes on the same day that the U.S. Congress held a hearing on several high-profile data leaks that occurred in the past month.

A representative of Microsoft was not immediately available for comment, but the company confirmed that it did argue for further security checks at the German conference.

While his arguments seem to run counter to Microsoft's effort, Schneier stressed that the software maker's focus on improving security beyond passwords, for example with the use of key fob-size hardware tokens, is a good one.

"Doing away with passwords is a good idea," he said. "Tokens work great, with employees logging onto the corporate server."

However, what's good in a closed corporate network is not as useful on the "anything goes" Internet, Schneier said. Trojan horses can be created that let the attacker know when someone is logged into their bank account and, even with a second identity check, could insert new transactions into the session. Also, online thieves could take control of a server that routes Internet traffic and then develop programs to similarly insert fraudulent transaction into a banking session.

"The tactics will change," Schneier said.

That may be true, but that does not mean that enhancing security with a fingerprint-reading or code-generating device is a bad thing, said Chris Voice, chief technology officer at security company Entrust. Raising the bar for attackers will give some respite from attacks and make fraud that much harder to do, he said.

"You don't stand still just because the criminals are going to evolve," he said. "You still put the lock on the door."

Yet online service providers should look to more permanent solutions, Schneier said. While two-factor authentication does not solve the problem, security companies should still re-analyze the issues, he said.

"Focus on the problem: Fraudulent transactions," he said. "There are two strategies: You can make identities harder to steal, or you can make identities less useful. I think the first fails in the end."

1 comment

Join the conversation!
Add your comment
Advertisement for Counterpane Internet Security?
I just hate it when people complain and dont provide a solution. Every one is tired of hearing the sky is falling. Two factor authentication is a valid way to reduce the reliance of the old fire wall intrusion detection offered by Bruce Schneier's company. If every one is strongly authenticated the value of the services of Counterpane Internet Security, Inc., is reduced. It appears to me this article is to save his piece of the security pie. Sure strong authentication does nothing to address man in the middle attacks or Trojan attacks thats what virus scanners are for. Of course they can be provided as a managed service by Bruces company.
Posted by (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.