[Dataloss] Fwd: [ISN] Passwords Passé at RSA

blitz blitz at strikenet.kicks-ass.net
Tue Feb 21 13:31:06 EST 2006


>
>
>http://www.wired.com/news/technology/0,70234-0.html
>
>By Ryan Singel
>February 17, 2006
>
>SAN JOSE, California -- Identity theft and online bank fraud were the
>unofficial themes of the 2006 RSA Conference, a massive security
>confab where Bill Gates came to announce the imminent death of the
>password and vendors filled the exhibition halls with iPod giveaways
>and promises that their product could stop everything from spam and
>malware to hackers and typos.
>
>Thanks to a California law known as SB 1386 that requires companies to
>disclose sensitive data leaks to California consumers, companies like
>ChoicePoint and shoe retailer DSW became poster children for corporate
>negligence last year after mishandling sensitive data.
>
>In the wake of Senate hearings and investigations from federal
>regulators, corporations are beefing up security, both behind the
>scenes and at their virtual front doors. To find out how those changes
>will affect consumers in their daily online activities, Wired News
>surveyed the offerings of the over-250 security companies packed into
>RSA's exhibit hall, accompanied by cryptographer John Callas, who has
>been attending the conference since 1993.
>
>Callas is currently the CTO of PGP, the industry leader in encrypted
>communications and data storage.
>
>Perhaps the biggest change this year will be in online banking, as
>financial institutions move to comply with federal oversight agencies
>that are directing banks (.pdf) to secure their sites with more than
>just user logins and passwords.
>
>These extra fraud profiling and authentication measures are necessary,
>according to Callas, since the threats on the internet have changed.
>
>"Now we are not dealing with kids having fun," Callas said. "We are
>dealing with criminals -- the Russian mafia. And online banking risks
>are there if your bank offers it, even if you don't use it."
>
>E-trade, for instance, already offers free RSA security tokens to its
>most active users. Those battery-powered devices work by using a
>seed number and the current time to cryptographically generate a
>secure one-time code to complement the normal user login and password.
>
>But those gadgets aren't cheap and most people don't want multiple
>tokens or prefer not to carry them around. That's prompted newcomers
>to find alternative methods of performing "two factor" authentication.
>
>Callas likes PassMark Security's solution, which examines the device a
>user logs in from, looking for a number of factors including IP
>address and a secure cookie or Flash object the bank has previously
>stored on the machine, as the extra identification.
>
>Bank of America began offering the service in May 2005. Now a Bank of
>America customer logging in at the usual time from her usual machine
>will only need to enter the user name and password. But if that person
>is on a different machine using a different browser in a different
>time zone, for example, she will be presented with challenge questions
>that she answered when she signed up.
>
>Users could also be sent an additional one-time password by SMS text
>message or called on their cell phone by a machine using a synthetic
>voice to tell them an extra password.
>
>Additionally, PassMark helps keep users from entering passwords into
>fraud sites pretending to be their bank by displaying a unique image
>and caption, such as a sailboat labeled "Dream Boat," on the real
>site.
>
>The authentication back to the user is great, and can't easily be
>hacked without detection, according to Callas. And while it won't
>eliminate crime, it might be enough to persuade would-be fraudsters to
>go after a different bank, Callas said.
>
>"It is reasonably valuable if you can convince someone to steal from
>other people," Callas said.
>
>Another authentication method that caught Callas' attention was by
>BioPassword, a company that adds an extra layer of security by locking
>out users who don't type in a password with the same typing style as
>the original user.
>
>Callas says he's generally not bullish on biometrics like fingerprint
>readers for e-commerce, since, like credit card numbers, the data can
>be stolen.
>
>But he likes the typing rhythm idea, because unlike a fingerprint, the
>user can easily reset the system. "If you pick a new password then you
>will have a new rhythm," Callas said. "That's the disposable
>biometric."
>
>The system does have one side effect that may or may not be a bug,
>admits BioPassword vice president Dean Bravos. Users who have been
>drinking may not be able to log in.
>
>These two companies aren't the only ones trying to find ways to add
>extra authentication without requiring users to carry around security
>tokens.
>
>Conference organizer RSA Security, the undisputed leader in security
>tokens, recently acquired Cyota, which offers financial institutions
>methods to authenticate users based on their usage patterns. Cyota
>technology looks at such metrics as users' cookies and IP address, in
>combination with their transaction history -- so a middle-America
>soccer mom sending $2,000 at 2:00 am to an account in Turkey
>might raise a red flag.
>
>Other new offerings from RSA Security include a browser toolbar that
>works like a security token, and software that can turn a mobile phone
>or a BlackBerry into a token.
>
>Even mostly invisible, behind-the-scenes authentication will help
>internet users feel safer, as banks and brokerage houses can now offer
>financial guarantees to their customers, according to Scott Young, the
>vice president of RSA/Cyota's consumer division.
>
>"A lot of us are familiar with the experience of getting a call from a
>credit-card company, saying, 'Hey, did you make this transaction?,'"
>Young said. "Even though we don't see that going on all the time, the
>reassurance of having someone check with us, even if it was us making
>that transaction, is really valuable.
>
>"Likewise, most of the time, consumers are not inconvenienced by
>(RSA/Cyota's) extra security but a decent percent will know, since
>they have will some interaction with the security system at some
>point, that they are being protected."

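The token scheme the article describes (a shared seed plus the current time producing a short one-time code that complements the password) can be seen concretely in the RFC 6238 time-based OTP construction below. This is an added example, not code from the article or from RSA Security; it uses the RFC's published test seed, and the verifier's clock-drift window and replay check are my assumptions about what a bank-side check needs to do.

```python
import hmac
import hashlib
import struct

# RFC 6238 test seed (ASCII "12345678901234567890"); a real token's seed is
# provisioned per device and is known only to the token and the bank's verifier.
SEED = b"12345678901234567890"
STEP_SECONDS = 30   # how long each one-time code stays valid
DIGITS = 6

def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the one-time code for the time step containing unix_time (RFC 6238 / HOTP core)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

class TotpVerifier:
    """Bank-side check (assumed design): accept the code for the current step or one
    step either side to tolerate clock drift between token and server, and never
    accept a step at or before the last accepted one, so a sniffed code cannot be replayed."""

    def __init__(self, seed: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.seed = seed
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue                         # already used (or older): replay protection
            expected = totp_code(self.seed, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False

if __name__ == "__main__":
    # Token side at t=59 and server side checking it a few seconds later.
    code = totp_code(SEED, 59)
    print("token shows:", code, "accepted:", TotpVerifier(SEED).verify(code, 75))
```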

