In a perfect world, phisher spam would be turned away at your ISP's mail server and never despoil your inbox. But in the real world, phisher scams and other fraudulent email will occasionally get around even the savviest spam filters. And with pharming, DNS poisoning, and other more insidious threats on the rise (see Chapter 3, "Don't Buy the Pharm"), even savvy users who'd never fall for a phisher email can get nailed. So banks and other financial institutions are trying to make it harder for someone to spoof your identity when you log on, as well as harder for scammers to create bogus sites that look like your bank's.

Banks and ISPs are hoping that "two-factor authentication" will do the trick. This scheme combines something you know (such as a password) with something you have (a card or other device). If you've ever withdrawn money using an ATM card and a PIN, you've used two-factor authentication. Hardware security tokens such as smart cards and computer dongles have been around for 20 years, but they've mostly been issued to employees at security-conscious corporations. Research firm Gartner, Inc. predicts that by 2007 up to 75 percent of financial institutions will employ some form of additional authentication, whether via software, hardware tokens, or an "out-of-band" authentication device such as a cell phone or pager.

In September 2004, America Online and RSA Security introduced the AOL PassCode service, which employs a keychain fob that produces a new six-digit code every minute. Users log onto their accounts using both a password and the dynamically generated number. The PassCode service costs $2 to $5 a month, depending on the number of screen names on each account, plus $10 for the fob. E-Trade, Yahoo, and Sony Online Entertainment are eyeing similar technology.

Another scheme put forth by RSA Security involves your cell phone. When you log into your bank account, the web site sends a text message containing a numeric code to your phone. You must enter this code, along with your password, in order to gain entry. So far, banks in Europe and New Zealand have implemented this plan, but no U.S. banks have publicly employed it.

Palo Alto, California-based PassMark offers bank customers an easy-to-understand defense against phishers. After you enter your username, you're shown an image (say, a picture of your dog) and asked to enter a pass phrase (e.g., "bad dog, no biscuit") before you can log on. Such PassMarks can also be put in email, so you know the message really came from your bank (see Figure 7-4).

Figure 7-4. With PassMark's authentication scheme, bank customers must enter their username and a pass phrase before they can log in; the image confirms it's really their bank they're talking to.

The idea here is that while a phisher scammer could easily create a bogus email message or web site that looks exactly like your bank's home page, they'd find it pretty hard to duplicate your dog (or whatever image you choose). As a second precaution, PassMark assigns a unique ID to every device you use to access your account, then makes sure the device and the account info match up before you can log on.
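A working model of the "new six-digit code every minute" fob-plus-password scheme described above, added here as an example and not code from the book, from AOL, or from RSA. It assumes the open TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) with the one-minute, six-digit parameters from the text; RSA's SecurID fobs use a proprietary algorithm, so the mechanism is an assumption. The secret is the RFC's published test key, and the timestamps are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226/6238 test key, used here only as a constructed demo secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since the Unix epoch.

    With step=60 this is what the fob displays: the same code for a whole minute,
    a fresh one the next minute.
    """
    return hotp(secret, timestamp // step, digits)


class TokenVerifier:
    """Server-side check of a submitted code: tolerates a little clock drift and refuses replays."""

    def __init__(self, secret: bytes, step: int = 60, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._used = set()  # counters already consumed; a phished code cannot be reused

    def verify(self, code: str, timestamp=None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = int(time.time()) if timestamp is None else timestamp
        current = now // self.step
        # Accept the current step plus `window` steps either side for drift.
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code) and counter not in self._used:
                self._used.add(counter)
                return True
        return False


if __name__ == "__main__":
    print("fob would now show:", totp(RFC_SECRET, int(time.time())))
```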