All factors considered

So you think you are clever? Well, if you really are smart, you will know that there is always someone even more clever than you.

This rule applies to the IT security industry perhaps more than anywhere.

No sooner is there a new solution for the latest fraudulent activity on the internet, then those too-clever fraudsters have found a way around it.

Two-factor authentication – the process of securing web sites using a second, physical form of proving identity, such as biometrics or single-use passwords – is expected to play a major part in the attempts of financial services firms and retailers to secure ecommerce and online banking. Several banks are already testing different possible technologies.

Yet already we hear that one financial web site using a form of two-factor authentication has been attacked. Should we be surprised? Should banks be downhearted and start to look elsewhere? Not a bit of it.

Sadly, we are a long way from finding a security technology that is 100 per cent secure. At the very least, there will always be one link in the chain that remains vulnerable – the all-too-fallible human user. Apocryphal stories of people in the street revealing passwords in exchange for a free chocolate bar are amusing, but indicative of the problem.

If anything, an early warning such as that suffered by the E-gold payments site is a reminder of the importance of vigilance, of thorough testing, and of educating users.

The threat today is likely to come not from criminals intent on stealing £1m from one victim, but on stealing £1 from a million people.

Bad guys like the easy option. Two-factor authentication makes things harder for fraudsters, but like any security solution, it is not a panacea but another protective technology in the IT toolbox.

IT managers need to put individual security products into context and treat any concerns as proof of the need for a broader approach that covers people, process and technology.

What do you think? Email Computing at feedback@computing.co.uk