User confidence takes a Net loss

We've seen plenty of evidence lately that security on the Internet is not all that it could be. Recent examples of lost, misplaced, or unsecured data -- including episodes with CardSystems Solutions, ChoicePoint, Citibank, Bank of America, and Wachovia -- could potentially affect millions of consumers.

The consulting group Gartner is warning that concerns about security are eroding Internet users' confidence, which will impact the U.S. business-to-consumer sector by slowing growth in Internet sales. Gartner says that in the coming year the growth in the total dollar value of b-to-c online sales could slow by anywhere between 0.3 percent and 1 percent.

Little wonder consumers are hesitant. A Gartner survey of 5,000 U.S. adults showed that phishing attacks grew at double-digit rates last year in the United States. In the 12 months that ended in May, an estimated 73 million U.S. adults who use the Internet said they believe they definitely received an average of more than 50 phishing e-mails in the past year.

Can anyone say, "Urgent: Update your PayPal account"? I know I can.

Burt Kaliski, vice president of research and a chief scientist at the security firm RSA Security, tells me he is hearing concerns from RSA's customers about the need for stronger user authentication, or the process of validating that a user is who he or she purports to be. If a phishing attack is successful, a hacker has your password and your user authentication is compromised. That means a hacker can purchase with your own money that iPod you've been lusting after. "Our customers are concerned because if user confidence is reduced, it is going to impact their business," he says.

Kaliski believes there are solutions to the problem of user authentication, but it may take a variety of solutions before these issues become more manageable. "There are three areas to look at for solutions: encryption, user authentication, and identity and access management. They all help solve the problem, so it becomes a question of which solution solves the problem best for your organization," he says.

Financial institutions are looking into token systems for their high-end customers, he adds. A token system such as RSA's SecurID Authenticator functions like an ATM card. Network and desktop users must identify themselves with two unique factors -- something they know, and something they have (the token) before they are granted access. That may work fine for a bank's high-end customers, Kaliski says, but it may be too cumbersome for most customers. "We're working to make user authentication easier but also more reliable, and I think we're getting there," he adds.

Kaliski also mentions a theory called "minimalist authentication," which advocates using as little overhead and causing as little disruption as possible to achieve a secure authentication. "The idea is that if you can keep authentication simple it is less likely to break down somewhere," he says.