COMBATING THE SCOURGES OF IDENTITY THEFT
AND PHISHING
Yanki Margalit
Chairman and CEO
Aladdin Knowledge Systems, Ltd. (Nasdaq: ALDN)
It's a growing issue of concern to businesses and their customers: identity
theft. In the United States alone, nearly 20 million American consumers
have felt its effects, leading to annual losses of $50 billion, according
to the U.S. Federal Trade Commission. And 2004 saw identity theft topping
the FTC's list of fraud-related complaints for a fifth year in a row.
Clearly, this is an issue which cannot be ignored.
ID theft, particularly phishing, is rapidly spreading worldwide,
straining the mutual trust between online enterprises and their customers
that is a prerequisite for secure online transactions. This, in turn, leads
to significant financial losses and decreased customer usage of online
consumer and financial services.
The Problem with Passwords
Security in general – and the authentication of users in particular –
are critical components in enabling business and protecting sensitive
corporate information. Today, passwords are the primary tool for user
authentication – a term which essentially means “are you who you say you
are?”
Once, access to important applications was given via passwords as easy
as "open sesame." But in the Internet age, granting access via
phrases can be the harbinger of bad news.
Why a Password Isn't Good Enough
Unfortunately, passwords come with their own set of issues. Passwords
can be easily stolen, lost, shared or cracked. Due to the need to manage
multiple passwords and to ensure the effectiveness of the passwords used,
organizations have adopted stringent password policies. This has translated
into more complex passwords and, consequently, made them more difficult
to remember. "Passwords remain a fundamental security weakness,"
Gartner wrote in a recent report on system security, noting that this
was "regardless of the strength of the password policy."
(Gartner Report, "Assess Authentication Methods for Strong System Security,"
August 2004)
The human factor plays a major role in password effectiveness. ATMs, the
web, cell phones, PCs – the need to authenticate never ends. To cope,
users are writing their passwords down, leaving them lying around here
and there, or using obvious passwords. It comes as little surprise that
for his/her computer alone, a typical user can have more than ten passwords!
In any case, chances are that most computer users are actually compromising
the security they were meant to improve – rather than being the guardian
of the gateway they once were, passwords today frequently become the key
to unsecured access.
And that's without considering the crackers. Whether for kicks, or for
profit, they're out there, looking for ways in. As Gartner boldly put
it in another recent report, "Passwords are no longer good enough
for PC security." Computer capabilities have advanced so much, they
say, that what once were "strong passwords" are now falling
victim to "inexpensive computer cracks."
One method of password cracking is called a “brute force” or “dictionary”
attack. In this type of attack, a computer runs all possible password
combinations until it finds one that matches the password's "hash,"
or the signature into which it has been encoded and encrypted.
A lost or stolen PC or laptop can give crackers access to a lot more than
just what is on that specific computer. Gartner notes that it is a real
possibility for crackers to extract administrator passwords from PCs,
theoretically opening access to other systems within the IT infrastructure.
Another issue is cost. Not only are passwords insecure, they are also
expensive to manage. Dealing with a user forgetting his/her password(s)
may seem minor, but in actuality, it is no matter of chump change – a
1,000-employee organization can spend $150,000 a year or more on password-related
help desk calls.
Fitting 'Phishing' Into the Picture
2003-2004 saw the rise of 'phishing.' Phishing is the sending of e-mails and links
to web sites which are designed to look like those of well-known, legitimate
businesses, financial institutions, and government agencies. They are
sent with the intent of deceiving Internet users into disclosing personal
data such as bank and financial account information, usernames and passwords.
When successful in accessing this information, the phishers then take
it and use it for criminal purposes, such as identity theft and fraud.
Called the "hottest, and most troublesome, new scam on the Internet" by the FBI,
phishing deceived nearly 11 million
users in the U.S. during the 12-month period ending April, 2005, according
to the Gartner research group. And with phishing attacks growing at a
monthly rate of 26%, according to the Anti-Phishing Working Group (APWG),
it’s no surprise that government regulators and leading institutions across
the globe are taking action to address this problem.
Identity Theft on the Rise
President Bush has signed the 2004 Identity Theft Penalty Enhancement Act,
which defined the penalties for identity
theft and provided mandatory sentencing enhancement for fraud crimes committed
using a stolen identity. Unfortunately, however, this has done little
so far to dampen the enthusiasm of identity thieves. Rather, evidence
suggests the numbers have been growing, with identity theft cases reaching
dramatic highs in the first half of 2005.
In recent months, major organizations hit by identity theft (or situations
which made them potentially vulnerable to identity theft) have included
such leading organizations as Bank of America and ChoicePoint.
Bank of America, according to an Associated Press article, lost the computer
data tapes containing the personal information of 1.2 million federal
employees. These tapes listed the customer and account data from a federal
government charge card program.
In the case of ChoicePoint, the AP reported that it was the company itself which
was fooled into electronically delivering thousands of reports containing
customers' names, addresses, Social Security numbers, financial data and
other information to several individuals. These individuals, who posed
as representatives of debt collection, insurance and check-cashing businesses,
then changed the mailing addresses of over 700 victims, a step identity
thieves often take in order to gain access to credit card offers and other
mail.
Banks Get Hit the Hardest
Financial institutions remain the most
vulnerable and hardest hit victims of phishing and identity theft. According
to Anti-Phishing Working Group statistics, the financial services sector
is consistently the most targeted industry for phishing attacks, with
financial institutions representing 15 of the top 20 organizations targeted
by such attacks in 2004.
The identity theft phenomenon is clearly
taking a toll on the online banking industry. Financial Insights states
in a recent report that nearly 60% of U.S. consumers are concerned about
identity theft, while 6% of American consumers went as far as switching
banks in order to reduce the risk of falling victim to ID theft. Then
there is a JupiterResearch study which found that 27% of all online banking
customers use less online functionality due to security concerns, and
31% of all online users will not bank online at all, as a result of identity
theft fears.
The picture is clear: consumers are afraid,
and financial organizations must find ways to reassure them that their
information and their online transactions are secure – both inside and
outside of the organization.
The Threat Starts From Within
While phishing represents the most significant
external threat against customer data theft, the biggest threat organizations
face in protecting customer information comes from within. In a 2004 survey
conducted by the Computer Security Institute, nearly 60% of respondents
said that internal abuse of network access has occurred within their organizations,
the second-largest type of attack on computer systems after viruses. And
a 2004 Michigan State University study revealed that up to 70% of all
identity theft cases involve employees stealing personal data from their
companies.

The Problem in a Word: Passwords
When it comes to network and Internet
security, traditional password authentication in which a user provides
a user name and password, remains the method of choice for most financial
institutions. But despite its popularity, password authentication is not
ideal for banks or their customers. Customers often maintain several user
IDs, constantly changing passwords for a variety of online services and
applications, making personal password management unwieldy, not to mention
a logistical nightmare. Banks, meanwhile, must allocate significant resources
– particularly help desk personnel and IT administrators – to manage password
usage.
More importantly, the sharp increase
in ID theft and phishing is neutralizing the effectiveness of traditional
password authentication: customers feel more vulnerable than ever, while
banks are being exposed to unprecedented levels of fraud risk.
Password-based authentication poses security
problems for banks not only at the customer level, but at all network
infrastructure points, starting from within the institution itself. Employees
required to handle multiple passwords often either choose easy-to-remember
words and numbers, or write them down, thereby increasing the risk that
their access credentials will fall into the wrong hands. Without stronger
controls on internal networks, applications and data, financial organizations
are extremely vulnerable to internal ID theft attacks and losses.
Organizations Turning to USB Strong Authentication to Protect Sensitive Data
Among the most popular and successful
identity theft solutions is strong authentication. Also known as two-factor
authentication, strong authentication involves the use of more than one
factor to identify users accessing private networks and applications.
According to the U.S. Federal Deposit Insurance Corp. (FDIC), strong authentication
“has the potential to eliminate, or significantly reduce, account hijacking,”
and is gaining traction as a legitimate form for safeguarding consumer
accounts. A recent JupiterResearch study found that 38% of all online
banking customers feel that strong authentication alleviates their privacy
and security concerns.
Whether in the form of tokens, smart cards or ATM cards, strong authentication
combines 'something you know' (a password, for example) with 'something
you have' (a token, for example) in order to verify a user's identity. In particular, USB strong
authentication tokens with built-in smart card technology are taking banking
security to another level. By enabling easy and secure implementation
of certificate-based security applications, these tokens provide banks
not only with strong authentication, but also with the foundation for
implementing end-to-end security and a range of secure online services
to customers.
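As an added illustration (not Aladdin's product code), the following simulates the two-factor login the text describes: the server keeps the password only as the kind of salted hash the brute-force section refers to, and the "something you have" is a simulated token whose key never leaves the device and which answers a fresh server-issued challenge. The class and function names are assumptions made for this example; it shows that a phished password, even together with one captured token response, does not log in a second time.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # slow hash: raises the cost of offline cracking


def make_user(password: str, token_key: bytes) -> dict:
    """Server-side record: salted PBKDF2 hash, token key, outstanding challenges."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "token_key": token_key, "pending": set()}


class UsbToken:
    """Simulated hardware token: the key is held on-board and only used to sign."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, "sha256").digest()


def issue_challenge(user: dict) -> bytes:
    """Server picks a random single-use nonce and remembers it as outstanding."""
    nonce = secrets.token_bytes(32)
    user["pending"].add(nonce)
    return nonce


def login(user: dict, password: str, challenge: bytes, response: bytes) -> bool:
    # Factor 1: something you know (constant-time compare of the salted hash).
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(cand, user["pw_hash"]):
        return False
    # A challenge is valid once: a replayed (challenge, response) pair is rejected.
    if challenge not in user["pending"]:
        return False
    user["pending"].discard(challenge)
    # Factor 2: something you have (proof of possession of the token key).
    expected = hmac.new(user["token_key"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)                 # provisioned into the token at enrollment
    token, user = UsbToken(key), make_user("correct horse", key)  # constructed sample user
    ch = issue_challenge(user)
    resp = token.respond(ch)
    genuine = login(user, "correct horse", ch, resp)
    replay = login(user, "correct horse", ch, resp)       # phisher replays captured pair
    ch2 = issue_challenge(user)
    pw_only = login(user, "correct horse", ch2, b"\x00" * 32)  # password without token
    return {"genuine": genuine, "replay": replay, "password_only": pw_only}
```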
Making Secure e-Banking a Reality
With strong authentication, financial
institutions can make secure e-banking a reality. The most important features
organizations should consider when adopting a strong authentication solution
include:
- Security – A strong authentication solution must deliver the highest level
of security, including on-board generation of keys and secure storage of
personal credentials such as passwords and digital certificates.
- Easy Deployment – The solution must enable easy token deployment via
automated distribution, enrollment and personalization capabilities, and
via user self-service token enrollment and maintenance capabilities.
- Ease-of-Use – The solution should be user friendly; otherwise, customers
will not be inclined to take advantage of new online banking opportunities.
- Easy Management – Each financial institution needs to be able to manage
an overall security solution without requiring extensive changes and heavy
investments in IT infrastructure.
- Portability – The solution should be functional in a range of environments
including home, work and public locations, such as Internet cafes. In
addition, it should be fully portable and easy to carry.
- Value Added Enabler – The solution should allow financial institutions
to provide value-added offerings that include security services such as
laptop security, credential management and file encryption – all with the
same token. In this way, organizations can differentiate themselves from
the competition, increase user acceptance of tokens, and enjoy the
flexibility of providing additional security services in the future.
It will take a balance of new laws, consumer
education, aggressive law enforcement, and innovative security technology
to turn the tide of identity theft and phishing. We at Aladdin are
already seeing tremendous progress in these areas and are providing solutions
today to help curb these scourges of the Internet economy.
Yanki Margalit
is the founder, chairman and chief executive officer of Aladdin Knowledge
Systems, Ltd. In 1984, he developed a handwriting-analysis software application,
founding Aladdin to market it.
Mr. Margalit then developed HASP, a system offering software security
without inconveniencing legitimate users. In 1993, Mr. Margalit took Aladdin
public on the NASDAQ stock exchange.
Today, Aladdin is a global leader in the software and Internet security
market, living up to its mission of "Securing the Global Village."
Visit the Aladdin website at http://www.Aladdin.com to learn about Aladdin security solutions.