User confidence takes a Net loss

We've seen plenty of evidence lately that security on the Internet is not all that it could be. Recent examples of lost, misplaced, or unsecured data -- including episodes with CardSystems Solutions, ChoicePoint, Citibank, Bank of America, and Wachovia -- could potentially affect millions of consumers.

Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld

The consulting group Gartner is warning that concerns about security are eroding Internet users' confidence, which will impact the U.S. business-to-consumer sector by slowing growth in Internet sales. Gartner says that in the coming year the growth in the total dollar value of b-to-c online sales could slow by anywhere between 0.3 percent and 1 percent.

Little wonder consumers are hesitant. A Gartner survey of 5,000 U.S. adults showed that phishing attacks grew at double-digit rates last year in the United States. In the 12 months that ended in May, an estimated 73 million U.S. adults who use the Internet said they believe they definitely received an average of more than 50 phishing e-mails in the past year.

Can anyone say, "Urgent: Update your PayPal account"? I know I can.

Burt Kaliski, vice president of research and a chief scientist at the security firm RSA Security, tells me he is hearing concerns from RSA's customers about the need for stronger user authentication, or the process of validating that a user is who he or she purports to be. If a phishing attack is successful, a hacker has your password and your user authentication is compromised. That means a hacker can purchase with your own money that iPod you've been lusting after. "Our customers are concerned because if user confidence is reduced, it is going to impact their business," he says.

Kaliski believes there are solutions to the problem of user authentication, but it may take a variety of solutions before these issues become more manageable. "There are three areas to look at for solutions: encryption, user authentication, and identity and access management. They all help solve the problem, so it becomes a question of which solution solves the problem best for your organization," he says.

Financial institutions are looking into token systems for their high-end customers, he adds. A token system such as RSA's SecurID Authenticator functions like an ATM card. Network and desktop users must identify themselves with two unique factors -- something they know, and something they have (the token) before they are granted access. That may work fine for a bank's high-end customers, Kaliski says, but it may be too cumbersome for most customers. "We're working to make user authentication easier but also more reliable, and I think we're getting there," he adds.

Kaliski also mentions a theory called "minimalist authentication," which advocates using as little overhead and causing as little disruption as possible to achieve a secure authentication. "The idea is that if you can keep authentication simple it is less likely to break down somewhere," he says.

The idea of minimalist authentication came to mind when I spoke to Ori Eisen, CEO of The 41st Parameter. Besides being an entrepreneur with a computer-security startup, Eisen has previously been the director of worldwide fraud for American Express and for VeriSign, so he knows a bit about computer security firsthand. Like the idea of minimalist authentication, Eisen believes his products offer "zero imposition" on a company's customers. The 41st Parameter recently announced a patent for a core piece of its antiphishing product, PhishingNet. The technology, called TimeDiff Linking, automatically correlates log-in data, computer data, and customer data to build a fingerprint of a perpetrator's device. By creating a unique fingerprint for each device that logs in, The 41st Parameter's technology pinpoints repeat offenders and builds a stronger defense against all the different behaviors exhibited by unauthorized users.

"For instance, if someone takes your password and sells it to an overseas hacker, and then the hacker attempts to connect to your banking Web site, our product can tell that this is not the same computer that usually checks into the site and, depending on how the customer sets up the system, can deny access to the hacker," Eisen says.

In other words, if someone from Moscow attempts to access your bank's site with your password at 3 a.m., PhishingNet will realize you are, a) not up at that unholy hour, psychotic about that $15.25 check to Wal-Mart, b) unlikely to be buying the complete works of the Russian rock band Vasily Shumov and Center, and c) not guzzling java and Web surfing at one of the Montana Coffee cafes in Moscow. That is just one component of PhishingNet, Eisen says. Much like McDonald's guards its secret sauce, Eisen did not disclose all the components of the product. "We don't want to tell the hackers exactly what we're doing, just our customers," he says.