Fighting Phishing with Stronger Authentication

Phishing scams that lure Internet users into divulging details of their online accounts using official-looking e-mails have swindled more than 57 million Internet users and cost banks more than $1 billion, according to a Gartner study, and vendors of advanced authentication schemes are taking notice.

Phishing relies on a number of conditions that come together to form a sort of "Perfect Scam". Uneducated or over-trusting online consumers are often the victims of phishing scams. Weak user name and password protection schemes make it easy to access accounts. And the e-mails themselves tend to look official among the deluge of spam in e-mail inboxes.

Vendors in the security space are jumping on the opportunity to tout products that offer more secure authentication than user names and passwords, and they're using the backdrop of the billion-dollar phishing industry to market their products to a different audience.

RSA announced this week it was using new products, new accessibility options, and a partnership with an unnamed consumer ISP to push its two-factor authentication scheme into the consumer and small-business markets.

"Identity theft, phishing, and malware are proving that passwords are woefully inadequate for protecting sensitive information online. This is shaking the confidence of individuals and organizations using the Internet," said Art Coviello, president and CEO at RSA Security.

Strong authentication is more secure than a user name and password scheme because it combines something the user knows (such as a PIN) with something the user possesses, like RSA's SecurID token that generates a random, one-time password every 60 seconds.
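The sketch below is an added example, not code from the article or from RSA. It shows a server checking both factors and why a code captured by a phisher expires with its 60-second step and cannot be reused. It assumes the open HOTP/TOTP construction (RFC 4226 / RFC 6238) in place of SecurID's proprietary algorithm; the `Verifier` class, the secret, the PIN and the salt are all constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the 60-second interval described above


def otp_at(secret: bytes, t: float, digits: int = 6) -> str:
    """Code for the time step containing Unix time t (RFC 6238 style)."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the server never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Verifier:
    """Hypothetical server side: PIN (knowledge) plus token code (possession)."""

    def __init__(self, secret: bytes, pin: str, salt: bytes):
        self.secret = secret
        self.salt = salt
        self.pin_hash = pin_digest(pin, salt)
        self.last_step = -1  # highest time step already accepted

    def login(self, pin: str, code: str, now: float) -> bool:
        step = int(now) // STEP
        expected = otp_at(self.secret, now)
        # Evaluate both factors with constant-time comparisons.
        pin_ok = hmac.compare_digest(pin_digest(pin, self.salt), self.pin_hash)
        code_ok = hmac.compare_digest(code.encode(), expected.encode())
        if not (pin_ok and code_ok):
            return False  # a missing or wrong factor fails the login
        if step <= self.last_step:
            return False  # code already accepted once in this time step
        self.last_step = step
        return True
```

A production verifier would normally also tolerate a small amount of clock drift between token and server; this sketch accepts only the current step.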

While not releasing too many details, RSA announced it is currently beta testing its SecurID solution with a major ISP for use by its consumer and small-business customers, with full rollout expected later in the year. RSA is also completing an installation of a federated identity solution that allows for the secure, transparent exchange of trusted identities between Web sites within a popular online marketplace to streamline and improve the customer experience.

ActivCard is also positioning its products as a form of protection against phishing attacks. The company's Token Protected Online Consumer Banking solution also uses a time-limited, one-time use password. It is targeted at banks and online retailers, which host it within their infrastructure.

ActivCard also has a solution that uses PKI, the ActivCard USB Key, smart cards, and ActivClient middleware to support high-value, high-risk transactions for commercial banking customers. It utilizes a third-party certificate authority, housed within the bank's infrastructure or through a trusted third party, to authenticate communications between the company and its commercial customers, thereby reducing the ability of phishers to create a fraud scenario.

This article was first published on InsideID.com.