Identity and password management is an increasing concern to IT directors and organisations with an e-commerce site, which are facing growing pressure to protect themselves from hackers and organised crime syndicates looking to steal valuable information.
One firm pioneering new employee and customer authentication technologies is RSA Security, which supplies more than 13 million pass-key devices to businesses and e-commerce sites.
Computing talked to RSA Security president and chief executive Arthur Coviello about the growth in identity theft and how to put safeguards in place.
What are the biggest IT security threats businesses and consumers face?
We are seeing a shift from generalised attacks that affect everyone to attacks that are sent out generally but are designed to affect specific businesses and individuals.
The first types were about mischief-making but the latter are about criminal activity for economic gain. Attacks such as phishing, which are getting all the press, have gone from about 100 last year to thousands.
Phishing has become such an issue that in Australia, banks with liberal security policies have actually retrenched because of it.
But there are new forms of spyware and Trojans that are tougher to resolve because they are not protected by typical virus signatures. That's why secure authentication is so important; it makes phishing a lot harder to carry out.
Does two-factor authentication put a stop to identity fraud scams such as phishing?
It doesn't necessarily guarantee it, but currently if your password is taken a criminal can use it at any time. With two-factor authentication, pass codes need to be used immediately because they expire every 60 seconds. So, why would someone try to steal a one-time pass code?
The banks have something of a dilemma. Their original online strategy thought that passwords were adequate, but not anymore. On the other hand they don't want to scare customers by saying that accounts can be hacked.
Levels of online fraud are going to get high, but the cost of two-factor authentication products makes it affordable for banks and e-commerce sites to stop it today.
We are talking to a lot of banks in Europe about this at the moment and, from what we are hearing, two-factor authentication's time has come.
There is more awareness than ever before about password vulnerabilities and there are too darn many of them.
But wouldn't introducing technology such as SecureID tokens be too expensive for online banks and e-commerce sites?
Devices such as SecureID have a lot of marketing potential. If you think about the credit card industry, first everyone wanted a credit card. Then they wanted a gold card and then a platinum one, but now there's a black card. The same thing can be done with two-factor devices.
Banks will attract more customers and become more efficient online if they introduce better security devices. They could also make significant savings as it would reduce the amount of helpdesk calls from customers who have forgotten passwords.
You wouldn't think of building an office block without putting in heating and ventilation, and you wouldn't calculate its return on investment. It's a fundamental part of the building, and it should be the same with security for e-commerce and online banking.
Are security concerns hindering e-commerce?
Although the majority of Europe can connect to the internet, it is only a small number of people who are carrying out activities such as buying or paying bills online.
It's time we started making e-commerce more rewarding for consumers. Banks have fewer staff and fewer tellers, so people are using online banking because it's straightforward.
But there should be some incentive for doing things online. It won't be one thing that makes e-commerce mainstream, it will be multiple factors.
Will a single sign-on capability for web users play a role in this?
Federated identity management, which allows internet users to access multiple sites using a trusted single sign-on, can help to spread the cost of two-factor authentication between firms and internet users.
It will also help with the growth of e-commerce. Why can't I log into AOL, go to the toolbar, click on my favourite sites and have AOL pass on that authentication to other trusted sites?
In theory you could also use it to pass on certain user attributes to allow people to carry out transactions for a certain amount of money or give permissions. The technology is being used today by companies in the US such as Nationwide and Wal-Mart.
The growth of cash points is a good example of how federated identity management can grow. First of all you could only use a bank card at your own branch, then it spread so you could use it at banks in your own county, but now you can use it at almost any bank in any country.
What is holding back the use of this technology?
The main issue is back-end infrastructure: it needs to be set up so that firms can say to other firms: 'I won't send you anyone that hasn't been authenticated by us with a secure ID token.'
Federated identities don't need to be token-based either, as you need to give consumers choice. You can use smartcards, PDAs, smartphones and many other technologies.
I think we are reaching a tipping point in terms of the adoption of federated identity management. It could be as early as 2007 or as late as 2010.
reader comments