RATING RISKS


The problem with these authentication schemes is that they solve yesterday's problem, says security guru Bruce Schneier, CTO and founder of Counterpane Internet Security. For example, two-factor authentication does nothing to prevent so-called "Man in the Middle" (MIM) attacks or Trojan horse exploits.

In an MIM attack, the scammer lures you to a fake web site where you enter your log-on information. He then logs onto your bank himself, enters your account info, and transmits information back to you via the phony site so you can complete your transactions and never know you weren't at your bank's actual site. He can then log back into your account at any time and have his way with it.

A Trojan horse attack uses a zombie PC to accomplish the same deed. The attacker is alerted when you attempt to log onto your bank. He waits until you've finished logging on, then "walks" into the bank with you, where he can do anything he wants with your money.

"Banks are paying far more attention to authentication than they should be," argues Schneier. "They need to worry about transactions, not individuals."

Naftali Bennett agrees. "Simple two-factor authentication represents a sledgehammer approach," says Bennett, CEO of Cyota, which provides Internet security services for 9 of the 12 largest U.S. banks. "We believe authentication should be based on the risk of a given activity."

Cyota's scheme involves highly sophisticated analysis software and a relatively low-tech communications device: the telephone. Cyota's "e-vision" software analyzes every online transaction, examining factors such as the type of transaction and where it originated, then assigns a fraud risk score to each. This is similar to how credit card companies analyze purchase patterns and alert you if, say, your card is used to make purchases in different cities on the same day.

So if you're logging on from home to check your account balance, your risk score would be essentially zero. If someone logs onto your account from an IP address in Ghana and tries to transfer $10,000 to an account in the Caymans, the risk score would shoot through the roof. Depending on the score, the bank can approve the transaction, decline it, or call the customer and ask questions to determine whether everything's legit. At press time, the e-vision system was in trials at three major banks.
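As an added illustration (not the book's text or Cyota's own software), here is a toy version of the risk-scoring idea just described: a transaction is scored from its type, where the session originated, its amount relative to the customer's history, and where the money is going, and the score is then mapped to approve, verify by phone, or decline. The factors, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

APPROVE, VERIFY, DECLINE = "approve", "verify", "decline"

@dataclass
class Transaction:
    kind: str           # "balance_inquiry", "bill_pay" or "transfer"
    amount: float
    country: str        # country resolved from the session's IP address
    dest_country: str   # country of the receiving account ("" if none)

@dataclass
class CustomerProfile:
    home_country: str
    usual_countries: frozenset   # countries this customer normally logs on from
    typical_transfer: float      # customer's typical transfer amount (assumed known)

def risk_score(tx: Transaction, profile: CustomerProfile) -> int:
    """Return a 0-100 fraud risk score; weights below are illustrative assumptions."""
    score = 0
    # Read-only activity from a familiar location carries essentially no risk.
    if tx.kind == "balance_inquiry":
        return 0 if tx.country in profile.usual_countries else 15
    # Moving money is riskier than viewing it.
    if tx.kind == "transfer":
        score += 20
    # Origin: a session from a country the customer never uses is a strong signal.
    if tx.country not in profile.usual_countries:
        score += 35
    # Amount: judged against the customer's own history, not a fixed cut-off.
    if profile.typical_transfer and tx.amount > 5 * profile.typical_transfer:
        score += 25
    # Destination: money leaving the home country adds risk.
    if tx.dest_country and tx.dest_country != profile.home_country:
        score += 20
    return min(score, 100)

def decide(score: int) -> str:
    """Map the score to the three outcomes the text describes."""
    if score < 30:
        return APPROVE
    if score < 70:
        return VERIFY    # call the customer and ask questions before proceeding
    return DECLINE
```

With a constructed profile of a U.S. customer who usually transfers a few hundred dollars, a balance check from home scores 0 and a $10,000 transfer from Ghana to a Cayman account scores 100, matching the two cases in the text.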

Cyota also fights phishers using another clever tactic it calls "dilution." When Cyota's early warning system detects a phishing attack against one of its client banks, its software automatically logs onto the phisher's site and begins feeding it bogus account information. Cyota's bots use a variety of Internet addresses, operating systems, and browsers; they even "type" slowly to fool scammers into thinking they're a human being. By using multiple bots on each phisher site, they tie up the site's bandwidth so the bank's real customers are unable to log on. The bogus information dilutes the quality of the data the scammer collects, which in turn ruins the scammers' reputation on the identity black market.

Schneier proposes a radical solution banks and consumers might find difficult to swallow: make it harder for people to get credit cards. "Over the decades, the barriers to getting a credit card have become extraordinarily low," he says. "There's nothing you can do technologically to solve the threat. In two years, phishing will be quaint, and the criminals will have moved on to something else. The only thing you can do is to make fraudulent transactions less likely to happen."

    Computer Privacy Annoyances
    ISBN: 596007752
    Year: 2005
    Pages: 89