To combat phishing, companies are augmenting passwords with new web safeguards to keep your personal info protected, writes Stephen Wildstrom in BusinessWeek. Excerpts with edits and my comments added:
Unlike virus attacks, in a typical phishing attack, thieves send mass e-mails supposedly from reputable businesses, directing customers to a site where they are asked to divulge vital information, such as passwords, bank account numbers or credit card information. Phishing is theft, pure and simple. The thieves pull it off primarily by fooling their unsuspecting victims, rather than by exploiting flaws in software. Phishing incidents continue to proliferate despite concerted efforts to control them. The time has come to attack the problem at its root: the inadequacy of passwords. For Web sites where the potential losses are large, such as online banking sites, the password, no matter how cleverly constructed, has become too dangerous to use by itself.
The issue is authentication - proving that you are who you claim to be online. Even the strongest password can be stolen by phishing. So for real security, passwords should be supplemented with either a biometric, such as a fingerprint, or a code. In most cases, the latter is an electronic password that changes with each log-in and that's generated by a device you carry. Biometrics work well on corporate networks, where the initial registration can be done in person, but they're problematic for online-only transactions. Code devices may have broader appeal.
Solutions like Entrust's come with an array that has a number labeling each of five rows, a letter for each of 10 columns, and a digit in every cell. This allows for many trillions of arrays to be generated randomly with a near zero probability of any two being alike. When you log in to an IdentityGuard-protected system, you are asked to enter your user name, password, and the digit that appears in three or four cells. You look up the information on your array, which could be printed on an ATM or credit card, and enter it to log in.
This site tracks online phishing scams and identity theft issues, including phishing scandals at sites like eBay, and here is an article on a phishing story in a banking environment.
This is going to make doing business online slightly less convenient, but it's a necessary evil. The extra step is far less trouble than cleaning up after an identity theft.
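The array log-in described above can be modelled in a few lines. The following is an added example, not Entrust's code or anything from the original article; the cell names ("A1" to "J5"), the function names and the uniformly random choice of challenge cells are assumptions made for illustration.

```python
import hmac
import secrets
from fractions import Fraction
from math import comb

ROWS = "12345"         # a number labels each of five rows
COLS = "ABCDEFGHIJ"    # a letter labels each of 10 columns
CELLS = [c + r for r in ROWS for c in COLS]   # assumed naming: "A1" .. "J5"


def new_grid():
    """Issue one array: a random digit per cell, drawn from the OS CSPRNG."""
    return {cell: str(secrets.randbelow(10)) for cell in CELLS}


def new_challenge(k=3):
    """Pick k distinct cells for this log-in (the article says three or four)."""
    return secrets.SystemRandom().sample(CELLS, k)


def verify(grid, challenge, response):
    """Check the typed digits against the array in constant time."""
    expected = "".join(grid[cell] for cell in challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def blind_guess_odds(k=3):
    """Chance that someone holding only the password guesses k digits."""
    return Fraction(1, 10 ** k)


def replay_odds(seen, k=3):
    """Chance that a fresh k-cell challenge falls entirely on cells that were
    already disclosed, for example typed into a look-alike site earlier.
    This is the residual risk of an array that never changes."""
    return Fraction(comb(seen, k), comb(len(CELLS), k))


if __name__ == "__main__":
    grid = new_grid()
    challenge = new_challenge(3)
    answer = "".join(grid[c] for c in challenge)   # what the card holder reads off
    print("challenge:", challenge, "accepted:", verify(grid, challenge, answer))
    print("blind guess odds:", blind_guess_odds(3))
    for seen in (3, 9, 18, 30):
        print(f"{seen} cells disclosed -> replay odds {float(replay_odds(seen)):.4f}")
```

The replay figures show why a site using such an array should still limit failed attempts and reissue the card once several challenges may have been exposed.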