[ISN] Passwords Passé at RSA

InfoSec News isn at c4i.org
Tue Feb 21 01:14:26 EST 2006


By Ryan Singel
February 17, 2006

SAN JOSE, California -- Identity theft and online bank fraud were the
unofficial themes of the 2006 RSA Conference, a massive security
confab where Bill Gates came to announce the imminent death of the
password and vendors filled the exhibition halls with iPod giveaways
and promises that their product could stop everything from spam and
malware to hackers and typos.

Thanks to a California law known as SB 1386 that requires companies to
disclose sensitive data leaks to California consumers, companies like
ChoicePoint and shoe retailer DSW became poster children for corporate
negligence last year after mishandling sensitive data.

In the wake of Senate hearings and investigations from federal
regulators, corporations are beefing up security, both behind the
scenes and at their virtual front doors. To find out how those changes
will affect consumers in their daily online activities, Wired News
surveyed the offerings of the over-250 security companies packed into
RSA's exhibit hall, accompanied by cryptographer John Callas, who has
been attending the conference since 1993.

Callas is currently the CTO of PGP, the industry leader in encrypted
communications and data storage.

Perhaps the biggest change this year will be in online banking, as
financial institutions move to comply with federal oversight agencies
that are directing banks (.pdf) to secure their sites with more than
just user logins and passwords.

These extra fraud profiling and authentication measures are necessary,
according to Callas, since the threats on the internet have changed.

"Now we are not dealing with kids having fun," Callas said. "We are
dealing with criminals -- the Russian mafia. And online banking risks
are there if your bank offers it, even if you don't use it."

E-trade, for instance, already offers free RSA security tokens to its
most active users. Those battery-powered devices work by using a using
a seed number and the current time to cryptographically generate a
secure one-time code to complement the normal user login and password.

But those gadgets aren't cheap and most people don't want multiple
tokens or prefer not to carry them around. That's prompted newcomers
to find alternative methods of performing "two factor" authentication.

Callas likes PassMark Security's solution, which examines the device a
user logs in from, looking for a number of factors including IP
address and a secure cookie or Flash object the bank has previously
stored on the machine, as the extra identification.

Bank of America began offering the service in May 2005. Now a Bank of
America customer logging in at the usual time from her usual machine
will only need to enter the user name and password. But if that person
is on a different machine using a different browser in a different
time zone, for example, she will be presented with challenge questions
that she answered when she signed up.

Users could also be sent an additional one-time password by SMS text
message or called on their cell phone by a machine using a synthetic
voice to tell them an extra password.

Additionally, PassMark helps keep users from entering passwords into
fraud sites pretending to be their bank by displaying a unique image
and caption, such as a sailboat labeled "Dream Boat," on the real

The authentication back to the user is great, and can't easily be
hacked without detection, according to Callas. And while it won't
eliminate crime, it might be enough to persuade would-be fraudsters to
go after a different bank, Callas said.

"It is reasonably valuable if you can convince someone to steal from
other people," Callas said.

Another authentication method that caught Callas' attention was by
BioPassword, a company that adds an extra layer of security by locking
out users who don't type in a password with the same typing style as
the original user.

Callas says he's generally not bullish on biometrics like fingerprint
readers for e-commerce, since, like credit card numbers, the data can
be stolen.

But he likes the typing rhythm idea, because unlike a fingerprint, the
user can easily reset the system. "If you pick a new password then you
will have a new rhythm," Callas said. "That's the disposable

The system does have one side effect that may or may not be a bug,
admits BioPassword vice president Dean Bravos. Users who have been
drinking may not be able to log in.

These two companies aren't the only ones trying to find ways to add
extra authentication without requiring users to carry around security

Conference organizer RSA Security, the undisputed leader in security
tokens, recently acquired Cyota, which offers financial institutions
methods to authenticate users based on their usage patterns. Cyota
technology looks at such metrics as users' cookies and IP address, in
combination with their transaction history -- so a middle-America
socker Mom sending sending $2,000 at 2:00 am to an account in Turkey
might raise a red flag.

Other new offerings from RSA Security include a browser toolbar that
works like a security token, and software that can turn a mobile phone
or a BlackBerry into a token.

Even mostly invisible, behind-the-scenes authentication will help
internet users feel safer, as banks and brokerage houses can now offer
financial guarantees to their customers, according to Scott Young, the
vice president of RSA/Cyota's consumer division.

"A lot of us are familiar with the experience of getting a call from a
credit-card company, saying, 'Hey, did you make this transaction?,'"  
Young said. "Even though we don't see that going on all the time, the
reassurance of having someone check with us, even if it was us making
that transaction, is really valuable.

"Likewise, most of the time, consumers are not inconvenienced by
(RSA/Cyota's) extra security but a decent percent will know, since
they have will some interaction with the security system at some
point, that they are being protected."

More information about the ISN mailing list