<html>
<body>
<blockquote type=cite class=cite cite=""><font size=3><br><br>
<a href="http://www.wired.com/news/technology/0,70234-0.html" eudora="autourl">
http://www.wired.com/news/technology/0,70234-0.html</a><br><br>
By Ryan Singel<br>
February 17, 2006<br><br>
SAN JOSE, California -- Identity theft and online bank fraud were
the<br>
unofficial themes of the 2006 RSA Conference, a massive security<br>
confab where Bill Gates came to announce the imminent death of the<br>
password and vendors filled the exhibition halls with iPod giveaways<br>
and promises that their product could stop everything from spam and<br>
malware to hackers and typos.<br><br>
Thanks to a California law known as SB 1386 that requires companies
to<br>
disclose sensitive data leaks to California consumers, companies
like<br>
ChoicePoint and shoe retailer DSW became poster children for
corporate<br>
negligence last year after mishandling sensitive data.<br><br>
In the wake of Senate hearings and investigations from federal<br>
regulators, corporations are beefing up security, both behind the<br>
scenes and at their virtual front doors. To find out how those
changes<br>
will affect consumers in their daily online activities, Wired News<br>
surveyed the offerings of the over-250 security companies packed
into<br>
RSA's exhibit hall, accompanied by cryptographer John Callas, who
has<br>
been attending the conference since 1993.<br><br>
Callas is currently the CTO of PGP, the industry leader in encrypted<br>
communications and data storage.<br><br>
Perhaps the biggest change this year will be in online banking, as<br>
financial institutions move to comply with federal oversight
agencies<br>
that are directing banks (.pdf) to secure their sites with more than<br>
just user logins and passwords.<br><br>
These extra fraud profiling and authentication measures are
necessary,<br>
according to Callas, since the threats on the internet have
changed.<br><br>
"Now we are not dealing with kids having fun," Callas said.
"We are<br>
dealing with criminals -- the Russian mafia. And online banking
risks<br>
are there if your bank offers it, even if you don't use
it."<br><br>
E-trade, for instance, already offers free RSA security tokens to
its<br>
most active users. Those battery-powered devices work by using a
using<br>
a seed number and the current time to cryptographically generate a<br>
secure one-time code to complement the normal user login and
password.<br><br>
But those gadgets aren't cheap and most people don't want multiple<br>
tokens or prefer not to carry them around. That's prompted newcomers<br>
to find alternative methods of performing "two factor"
authentication.<br><br>
Callas likes PassMark Security's solution, which examines the device
a<br>
user logs in from, looking for a number of factors including IP<br>
address and a secure cookie or Flash object the bank has previously<br>
stored on the machine, as the extra identification.<br><br>
Bank of America began offering the service in May 2005. Now a Bank
of<br>
America customer logging in at the usual time from her usual machine<br>
will only need to enter the user name and password. But if that
person<br>
is on a different machine using a different browser in a different<br>
time zone, for example, she will be presented with challenge
questions<br>
that she answered when she signed up.<br><br>
Users could also be sent an additional one-time password by SMS text<br>
message or called on their cell phone by a machine using a synthetic<br>
voice to tell them an extra password.<br><br>
Additionally, PassMark helps keep users from entering passwords into<br>
fraud sites pretending to be their bank by displaying a unique image<br>
and caption, such as a sailboat labeled "Dream Boat," on the
real<br>
site.<br><br>
The authentication back to the user is great, and can't easily be<br>
hacked without detection, according to Callas. And while it won't<br>
eliminate crime, it might be enough to persuade would-be fraudsters
to<br>
go after a different bank, Callas said.<br><br>
"It is reasonably valuable if you can convince someone to steal
from<br>
other people," Callas said.<br><br>
Another authentication method that caught Callas' attention was by<br>
BioPassword, a company that adds an extra layer of security by
locking<br>
out users who don't type in a password with the same typing style as<br>
the original user.<br><br>
Callas says he's generally not bullish on biometrics like
fingerprint<br>
readers for e-commerce, since, like credit card numbers, the data
can<br>
be stolen.<br><br>
But he likes the typing rhythm idea, because unlike a fingerprint,
the<br>
user can easily reset the system. "If you pick a new password then
you<br>
will have a new rhythm," Callas said. "That's the
disposable<br>
biometric."<br><br>
The system does have one side effect that may or may not be a bug,<br>
admits BioPassword vice president Dean Bravos. Users who have been<br>
drinking may not be able to log in.<br><br>
These two companies aren't the only ones trying to find ways to add<br>
extra authentication without requiring users to carry around
security<br>
tokens.<br><br>
Conference organizer RSA Security, the undisputed leader in security<br>
tokens, recently acquired Cyota, which offers financial institutions<br>
methods to authenticate users based on their usage patterns. Cyota<br>
technology looks at such metrics as users' cookies and IP address,
in<br>
combination with their transaction history -- so a middle-America<br>
socker Mom sending sending $2,000 at 2:00 am to an account in Turkey<br>
might raise a red flag.<br><br>
Other new offerings from RSA Security include a browser toolbar that<br>
works like a security token, and software that can turn a mobile
phone<br>
or a BlackBerry into a token.<br><br>
Even mostly invisible, behind-the-scenes authentication will help<br>
internet users feel safer, as banks and brokerage houses can now
offer<br>
financial guarantees to their customers, according to Scott Young,
the<br>
vice president of RSA/Cyota's consumer division.<br><br>
"A lot of us are familiar with the experience of getting a call from
a<br>
credit-card company, saying, 'Hey, did you make this
transaction?,'" <br>
Young said. "Even though we don't see that going on all the time,
the<br>
reassurance of having someone check with us, even if it was us
making<br>
that transaction, is really valuable.<br><br>
"Likewise, most of the time, consumers are not inconvenienced
by<br>
(RSA/Cyota's) extra security but a decent percent will know, since<br>
they have will some interaction with the security system at some<br>
point, that they are being protected."<br>
</font></blockquote></body>
<br />--
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href="http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</html>