E-Trade Rolls Out Two-Factor Identity Check

E-Trade announced last that it will roll out two-factor authentication for its retail customers. Explaining the move, an E-Trade spokesperson cited recent security breaches at ChoicePoint and Bank of America as examples of the risks customers face when it...

A crucial factor that makes this possible? Users often reuse account names and passwords to make their lives easier.

According to Lee, financial firms should make a concerted, industrywide effort to increase the security measures available for their customers, and the government should step in with better laws and enforcement.

"In some countries, like the United States, identity theft is difficult to prosecute and if successfully prosecuted, the penalties are not stiff," she says. "The criminal resumes the same criminal activities shortly upon release from any jail sentence. Stronger legislation and international cooperation would make identity-theft cases stemming from Web activities easier to investigate and prosecute successfully."

Meanwhile, Lee explains, it's best that the two factors in two-factor authentication be distinct from one another. For example, if the second factor were a digital certificate, a stolen laptop might have the certificate and the login information stored in the same place.

With a token such as the one E-Trade is using, however, it's highly unlikely that a hacker would be able to steal both the token and the login information. Lee says she hasn't seen any cases of this happening, adding that the tokens have been around long enough that prices have come down to a level where they're practical to deploy. "They've got price structures that fit most organizations," Lee says.

E-Trade's Klobuchar wouldn't disclose exactly how much E-Trade was paying RSA for the gadgets, which measure two inches by three quarter of an inch and can be attached to a key chain. "The cost of this device should not be an impediment to anybody who wants to use it," says Klobuchar. "They're not outrageously expensive."

Customers will still need to take security precautions, says Klobuchar, such as not giving out their login information, or picking easy-to-guess passwords. Taping the login ID and password to the security device is also not recommended. "We also recommend that they don't tape their device next to their taped-up password on the computer," Klobuchar says.

The device generates a new, random six-digit number every 60 seconds. The number is added on to the end of the user's normal password, making the password six digits longer and that much harder to guess. Also, a hacker who electronically steals this information with a snooping program won't be able to use it because the number almost immediately changes.

It's not a completely foolproof method, but it makes it much, much harder for hackers to get into an E-Trade account--meaning that they'll likely move onto easier targets.

"There's a deterrent effect," Klobuchar says. "That's really what this is about."

Klobuchar acknowledges that there might be some inconveniences associated with the device. It can be easily misplaced, for example, or a user with multiple accounts at various financial firms might eventually have to carry several of these devices around.

"We solve that problem by making it the customer's choice," says Klobuchar. "If they care about this, and they want this additional level of security, we're providing them with a solution. If there was no inconvenience whatsoever to using it, it wouldn't be much of a solution."