
Phishers and Life Beyond Passwords

How phishers killed the password (and why that's a good thing)

By

July 26, 2005, CSO

Passwords just don't cut it anymore.

The security community has been saying this for years, yet single-factor authentication (user name and password) is still the Internet's calling card. Whether you're doing online banking (if you dare; I don't), fiddling with your movie rental queue or loading up an online shopping cart, a user name and password is all you need. And it's simply not good enough. The proliferation of phishing has made that much clear.

Whatever we've done to educate the general public about spoofed e-mails and websites is failing. Miserably. Last week a young relative of mine, one who is smart, plugged-in and a recent grad of a good business school at a major university, told me that she'd never heard of phishing. I thought it was one of those strange blips where you have a blind spot about something everyone else knows, like how I managed to live some 25 years without knowing who Sean Connery is. (My now-husband eventually forgave me.) Then, yesterday, a report from the Pew Internet & American Life Project hit my desk. Of 2,001 adult Internet users polled this spring, only 29 percent said they had a good idea of what phishing is. Fifty-five percent weren't really sure, and a full 15 percent had never heard the term.

We could blame this on overly technical descriptions: for starters, why accept a silly name like phishing, when all we're really talking about is spoofing, a word that everyone knows? But that's not the point. Phishers are asking for user names and passwords; people are giving them up; and if people stop giving them up voluntarily, the criminal community will just start taking them, by using malware, pharming and other kinds of criminal mayhem with silly names we've yet to make up.

Which is all just a roundabout way of saying that yes, passwords as we know them are dead, or they ought to be. In fact, George Tubin, a senior analyst at the Tower Group, believes that we should start assuming that a user name and password are going to be compromised. I agree.

The predictable fix is two-factor authentication: biometrics and keyfobs and other whatchamacallits and doo-dads that those same people who've never heard of phishing would be expected to figure out. But what's far more exciting to me is the prospect of building the same kind of fraud protection used by credit card companies into online banking and other e-commerce applications.

Consider this. That same relative of mine recently had her credit card stolen. She found out because her credit card company called her to ask if she was trying to take out a large cash advance at a casino in Las Vegas. This wasn't typical behavior, so the credit card company blocked the transaction. We need to move the same kind of fraud protections to the online banking world. There's even more incentive for it there: While credit card companies can pass on a great deal of the cost of fraud to merchants, last year the banking industry ate most of the estimated $140 million in direct losses caused by phishing.
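The behavioral check the card company ran above, sketched as an added example (not code from the column or from any bank): a per-customer baseline is built from constructed transaction history, and a new transaction is scored on how far it departs from that baseline in amount, transaction type and location, with the score deciding whether to allow, challenge or block. The thresholds and the history are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Transaction:
    amount: float   # in dollars
    kind: str       # e.g. "purchase", "cash_advance", "transfer"
    location: str   # city where the transaction originated


def risk_score(history: list[Transaction], tx: Transaction) -> int:
    """Score how unusual `tx` is relative to the customer's own history.

    Each departure from the baseline adds to the score:
      +2 if the amount is more than three standard deviations above the mean,
      +1 if the transaction type has never been seen for this customer,
      +1 if the location has never been seen for this customer.
    """
    score = 0
    amounts = [t.amount for t in history]
    if amounts:
        mu, sd = mean(amounts), (pstdev(amounts) or 1.0)
        if tx.amount > mu + 3 * sd:
            score += 2
    if tx.kind not in {t.kind for t in history}:
        score += 1
    if tx.location not in {t.location for t in history}:
        score += 1
    return score


def decide(history: list[Transaction], tx: Transaction,
           challenge_at: int = 2, block_at: int = 3) -> str:
    """Map the score to an action: allow, challenge (call the customer), or block."""
    score = risk_score(history, tx)
    if score >= block_at:
        return "block"
    if score >= challenge_at:
        return "challenge"
    return "allow"


# Constructed history: small routine purchases, all in one city (assumption).
HISTORY = [Transaction(a, "purchase", "Boston") for a in (25.0, 40.0, 60.0, 35.0, 80.0, 50.0)]

# The scenario from the column: a large cash advance in a city never seen before.
CASINO_ADVANCE = Transaction(2000.0, "cash_advance", "Las Vegas")
```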
