Phishing relies on a number of conditions that come together to form a sort of "Perfect Scam". Uneducated or over-trusting online consumers are often the victims of phishing scams. Weak user name and password protection schemes make it easy to access accounts. And the e-mails themselves tend to look official among the deluge of spam in e-mail inboxes.
Vendors in the security space are jumping on the opportunity to tout products that offer more secure authentication than user names and passwords, and they're using the backdrop of the billion-dollar phishing industry to market their products to a different audience.
RSA announced this week it was using new products, new accessibility options, and a partnership with an unnamed consumer ISP to push its two-factor authentication scheme into the consumer and small-business markets.
Strong authentication is more secure than a user name and password scheme because it combines something the user knows (such as a PIN) with something the user possesses, like RSA's SecurID token that generates a random, one-time password every 60 seconds.
While not releasing too many details, RSA announced it is currently beta testing its SecurID solution with a major ISP for use by its consumer and small-business customers, with full rollout expected later in the year. RSA is also completing an installation of a federated identity solution that allows for the secure, transparent exchange of trusted identities between Web sites within a popular online marketplace to streamline and improve the customer experience.
ActivCard is also positioning its products as a form of protection against phishing attacks. The company's Token Protected Online Consumer Banking solution also uses a time-limited, one-time use password. It is targeted at banks and online retailers, which host it within their infrastructure.
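The check behind a time-limited, one-time password combined with a PIN, as described for both vendors' tokens above, can be sketched on the server side as follows. This is an added example, not code from RSA or ActivCard: it substitutes the public HOTP/TOTP construction (RFC 4226 / RFC 6238) for the vendors' own algorithms, and the seed, PIN, and the names `otp`, `Verifier` and `demo` are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code, matching the 60-second interval in the article
DIGITS = 6

def otp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) truncation of HMAC-SHA1 over the time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: checks PIN plus token code, and refuses reuse of a time step."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        # Constructed demo: a real deployment would store the PIN with a slow KDF.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.last_step = -1   # highest time step already accepted

    def login(self, pin: str, code: str, now: int) -> bool:
        step = now // STEP
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        code_ok = hmac.compare_digest(otp(self.secret, step), code)
        if not (pin_ok and code_ok) or step <= self.last_step:
            return False
        self.last_step = step   # burn this time step so the code is one-time
        return True

def demo() -> list:
    secret = b"12345678901234567890"   # constructed sample seed (RFC 4226 test key)
    server = Verifier(secret, pin="4921")
    code = otp(secret, 59 // STEP)     # code shown on the token at t = 59 s
    return [
        server.login("0000", code, now=59),   # right code, wrong PIN
        server.login("4921", code, now=59),   # both factors correct
        server.login("4921", code, now=59),   # same code replayed in its window
        server.login("4921", code, now=125),  # same code after the window closed
    ]

if __name__ == "__main__":
    print(demo())
```

The last two results show the property the vendors are selling: a code that has already been used, or whose 60-second window has passed, is rejected even when the PIN is correct.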
ActivCard also has a solution that uses PKI, the ActivCard USB Key, smart cards, and ActivClient middleware to support high-value, high-risk transactions for commercial banking customers. It utilizes a third-party certificate authority, housed within the bank's infrastructure or through a trusted third party, to authenticate communications between the company and its commercial customers, thereby reducing the ability of phishers to create a fraud scenario.