Who Are You?

You just can’t trust a username/password combo to verify user identity. It’s time for two-factor.


All of these risk evaluation activities are invisible to the user 99% of the time, according to Amir Orad, executive vice president of marketing for Cyota. The company conducted a survey among end users that showed security was always their prime concern regarding online banking, but “no one is willing to move an inch” to implement more robust security mechanisms, Orad said. For the one percent of logins that exceed the risk threshold for a high-risk transaction, additional authentication steps are invoked. These can include a series of challenge/response questions whose questions and answers the user supplied when enrolling.

These questions are not the typical requests for mother’s maiden name or other easily researchable information. Orad stated that while more obscure challenge/response questions are harder to crack, they can cause their own problems. Users may forget the answers, or even change them depending on their current mood or tastes. A question like, “What is your favorite cheese?” could generate a response of “Jarlsberg” on one day and “Gouda” on another, and the legitimate user then fails the very check meant to protect him.
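The step-up scheme described above, as an added illustration rather than Cyota’s code: a risk score is summed from signals that fired on the login, a score at or above a threshold sends the user to a challenge question, and the enrolled answer is stored as a salted hash of a normalized form so that capitalization, accents and stray spaces do not turn “Jarlsberg” into a lockout. The signal names, weights and threshold are assumptions made for the example.

```python
"""Risk-scored login with step-up to a user-generated challenge question.

Added example for the article; not Cyota's product code. Signal names,
weights and the threshold below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Assumed risk weights; a real engine would derive these from fraud data.
WEIGHTS = {
    "unknown_device": 40,
    "new_country": 35,
    "tor_or_proxy": 30,
    "large_transfer": 25,
    "rapid_logins": 20,
}
STEP_UP_THRESHOLD = 60  # assumption: score at or above this triggers step-up


def risk_score(signals):
    """Sum the weights of the signals that fired; unknown signal names add nothing."""
    return sum(WEIGHTS.get(name, 0) for name, fired in signals.items() if fired)


def needs_step_up(signals):
    return risk_score(signals) >= STEP_UP_THRESHOLD


def normalize(answer):
    """Fold case, strip accents and collapse whitespace so that the answer
    matches however the user happens to type it on the day."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def enroll_answer(answer, salt=None):
    """Store a salted PBKDF2 hash of the normalized answer, never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return salt, digest


def verify_answer(answer, salt, stored_digest):
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)
    return hmac.compare_digest(digest, stored_digest)  # constant-time comparison


def login(signals, presented_answer, enrolled):
    """Return 'allow' for a routine login, 'step-up-passed' if the challenge
    was answered correctly, or 'deny'."""
    if not needs_step_up(signals):
        return "allow"
    salt, digest = enrolled
    return "step-up-passed" if verify_answer(presented_answer, salt, digest) else "deny"


if __name__ == "__main__":
    enrolled = enroll_answer("Jarlsberg")          # constructed enrollment
    routine = {"rapid_logins": False}              # constructed: nothing fired
    risky = {"unknown_device": True, "new_country": True}
    print(login(routine, "", enrolled))            # allow, no challenge shown
    print(login(risky, " jarlsberg ", enrolled))   # step-up-passed
    print(login(risky, "Gouda", enrolled))         # deny
```

Normalizing before hashing is the practical compromise: it cannot help a user who genuinely changes his mind about cheese, but it does remove the large class of failures that come from capitalization and spacing, without storing the answer in a form an attacker who steals the database could read.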

Instead of challenge/response, the user could receive an automated phone call and must respond to it before the login completes. Other online banking solutions include PassMark Security, whose product, SiteKey, has been implemented by Bank of America. To gain a better understanding of two-factor authentication, you may want to view the excellent online demos provided by PassMark. These can be accessed at www.passmarksecurity.com/demos.jsp. Other products include Fraud Analyst from Digital Envoy (www.digitalenvoy.net) and WiKID Systems Inc.’s Strong Authentication System (www.wikidsystems.com).

Authenticating on Both Ends
The spread of phishing scams means that online transactions now require authentication not only of the user or customer, but also of the entity offering the service. One concept that consistently appeared during my research for this article is site validation, which allows users to verify that they are actually logging in to the site they intended, and not to a phishing site. This is extremely helpful for online banking.

When registering for an online account, a user is prompted to select an image from a provided list or to upload an image of their own. This image appears whenever the user attempts to log in. During the login process, the user provides his login name only. At this point, his pre-selected image should appear. If it does, the user can confidently provide his password. If it does not appear, the user should not proceed, because he is more than likely at a phishing site. For the check to mean anything, the real site must show the image only to a computer it already recognizes, typically through a cookie placed at enrollment, and fall back to challenge questions on an unrecognized one; otherwise a phishing site could simply relay the login name to the real site and display the image it received.
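The two-step login described above, as an added example (not PassMark’s SiteKey code or any bank’s): the user sends only a login name, the server returns the pre-selected image, and the user types a password only after confirming the image. The example assumes a device token issued at enrollment and stored in a persistent cookie; the image is released only to a request carrying a token issued to that user, which is what leaves a relaying phishing page with nothing to show. Usernames, image names and passwords are constructed sample data.

```python
"""Two-step login with a user-chosen site image.

Added example for the article; not PassMark's or any bank's code. The
device-token binding is an assumption made to show why the image must
not be handed to just anyone who knows a login name.
"""
import hashlib
import hmac
import secrets


def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class SiteImageLogin:
    def __init__(self):
        self.users = {}    # username -> {"image", "salt", "pw_hash"}
        self.devices = {}  # device token -> username it was issued to

    def register(self, username, image, password):
        """Enrollment: user picks an image; the browser receives a device token."""
        salt = secrets.token_bytes(16)
        self.users[username] = {"image": image, "salt": salt,
                                "pw_hash": _hash(password, salt)}
        return self._issue_device_token(username)

    def _issue_device_token(self, username):
        # Assumption: kept in a persistent cookie on the enrolled browser.
        token = secrets.token_urlsafe(32)
        self.devices[token] = username
        return token

    def step1_username(self, username, device_token):
        """Step 1: login name only. The image goes only to a recognized device."""
        if username not in self.users:
            return None  # same answer as for an unknown device: no user enumeration
        if self.devices.get(device_token) != username:
            return None  # unrecognized computer: no image (real site would ask challenge questions)
        return self.users[username]["image"]

    def step2_password(self, username, password, device_token):
        """Step 2: password, accepted only where step 1 succeeded on this device."""
        if self.step1_username(username, device_token) is None:
            return False
        rec = self.users[username]
        return hmac.compare_digest(_hash(password, rec["salt"]), rec["pw_hash"])


def user_should_type_password(shown_image, chosen_image):
    """The rule the article gives the user: no image, or the wrong one, means stop."""
    return shown_image is not None and shown_image == chosen_image


def phishing_relay(real_site, username):
    """A phishing page forwarding the victim's login name to the real site
    has no device token for that user, so it gets no image to relay back."""
    return real_site.step1_username(username, device_token=None)


if __name__ == "__main__":
    bank = SiteImageLogin()
    cookie = bank.register("alice", "red-bicycle.png", "correct horse")  # constructed
    shown = bank.step1_username("alice", cookie)
    print("genuine site shows:", shown)                                 # red-bicycle.png
    print("type password?", user_should_type_password(shown, "red-bicycle.png"))
    print("phishing relay shows:", phishing_relay(bank, "alice"))       # None
```

The client-side rule is only as good as the server-side binding: if step 1 answered with the image for any login name, the phishing page would pass the user’s own check. Tying the image to a token the phisher does not hold is what turns “I see my picture” into evidence about which site the browser is actually talking to.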

Any communications from the user’s bank also include this pre-selected image. If an official-looking e-mail does not contain the pre-selected image, the user will know to ignore it, or at least not to act on any of the instructions it contains.

As hackers, fraudsters and other evildoers learn new skills, older security mechanisms quickly become insufficient. The username/password combination has reached that point. Fortunately, there are many other robust and field-tested authentication options that can provide businesses with the level of security they need.

John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at jmallery@bkd.com.