Internet security analyst at Network Box and author of the authentication white paper, Simon Heron, argues that web-based services – especially those holding financial information – must increase security in order to protect their customers effectively.
Identity fraud is increasing, particularly card-not-present (CNP) fraud, and yet secure access to more and more web-based applications relies for the most part on authentication through user name and passwords.
However, as people have more and more online accounts, be it with eBay, Facebook, your bank, emails, online subscriptions, ecommerce, etc, the jungle of usernames and passwords become impossible to remember if each account should have its own unique details. According to Network Box, the average person has in excess of 25 usernames and passwords to remember, something that forces people into using the same password over and over again if they are not to write them down.
Some sites vary what form and length of passwords they accept, but this tend to spur users into writing them down, or to use the ‘forgotten password’ function on many sites.
The forgotten password function is a security issue in itself. One high profile example is when vice-president candidate Sarah Palin’s email account was hacked last year.
“Hackers were able to access her email account and reset her password, simply by knowing her birth date, her zip code, and the answer to a ‘secret’ question (where she met her husband). All information that is publicly available for a person in the national spotlight.”
The same weakness can be used to hack a ‘Verified by Visa’ account, as all that is needed to reset the password is the date of birth.
Complex passwords were found to have little impact as they are of no use against phishing and keyloggers. They are not changed frequently and often repeated because they are so hard to remember. “So if a hacker successfully phishes for a password to one account they will get access to all accounts. A sort of ‘hack on, get the rest free’ deal,” Network Box said.
Banks sometimes use two factor authentication in the form of security tokens such as key fobs or card devices. The problem with that approach is that when people have multiple accounts, they would have to carry a range of these tokens, Network Box said.
Identity 2.0
With Identity 2.0, users would have a single identity that is recognized by many – or even all – entities instead of having multiple usernames and passwords. It would use verifiable data and could cut down fraud and theft.
However, this approach also has its security problems. First of all, an open identity could be compromised through a phishing attack or malware, so it would need more than a single factor of authentication.
There is also the question of privacy, said Network Box, as people often want to browse the internet anonymously, and an open identity could tempt some companies to track users for marketing purposes.
Network Box also warned that more oppressive societies could use the open identity to control and/or track individuals on the internet. Identity 2.0 would therefore require a “powerful, independent regulatory body to ensure the privacy of personal data.”
There are several initiatives already out there such as OpenID, Higgins, WS-Federation, Shibboleth and Windows Live ID, but according to Network Box, there is not a single system that shows a clear advantage to both users and suppliers.