Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
As I mentioned in the last issue, the Federal Financial Institutions Examination Council (FFIEC) has issued new guidance for how financial institutions should plan to authenticate customers' online identities by the end of next year. These guidelines, which actually carry the force of mandates, did not recommend specific methods of strong authentication but did review some possibilities. Those included digital certificates, smart cards, one-time passwords, USB plug-ins and biometric identification methods as being more in line with the guidelines than the simple username/password combinations currently in use. In particular, the FFIEC believes that stronger authentication is needed to combat so-called "phishing" attacks.
Security vendors such as RSA are quick to point to European financial institutions as being far ahead of their U.S. counterparts in using tools such as RSA's SecurID one-time password-generation device. But are these really as secure as we think they might be?
Rebecca Bace is the CEO of Infidel, a security consultancy. She's also a venture partner with Trident Capital, specializing in network security. She learned her trade on the front lines, during 16 years at the National Security Agency, where she became one of the world's leading experts on intrusion detection and prevention. She's also a neat lady with a droll sense of humor as I learned when we were panelists at the recent Thor Technology Advisory Council meeting. She's just updated a presentation she gave at the RSA Conference 2005 called "Phishing 2.0". You can read the short article where you'll quickly find out that so-called strong authentication can also be described as weak security in many instances.
The problem Bace outlines is the same problem that Dan Blum, Network World colleague and Burton Group senior vice president, highlighted in his Weblog: One-time password (OTP) solutions are very susceptible to a man-in-the-middle (MITM) attack. Simply put, someone intent on stealing the details of your financial transaction sets up a proxy between the client and the financial Web site. By capturing and relaying the client's credentials, and returning what appear to be legitimate responses, the thief has, essentially, unlimited access to the client's account.
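To make the weakness concrete, here is an added example (not code from the column, from RSA, or from Bace's presentation). It implements a standard HOTP/TOTP generator and a minimal bank-side check, then shows two things: a plain OTP is accepted no matter who presents it inside its validity window, because nothing ties the code to the session or to the transaction; and a code that is additionally bound to the transaction details (payee and amount) stops verifying the moment an intermediary alters them. The transaction-binding scheme, the seed value, the timestamps and the names are all constructed for the demonstration and are assumptions of this example, not something the column describes.

```python
import hashlib
import hmac
import struct

# Constructed sample seed for the demonstration (the RFC 4226 test-vector secret, not a real token seed).
SEED = b"12345678901234567890"
STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret, now // step)


def transaction_code(secret: bytes, payee: str, amount: int, now: int, step: int = STEP) -> str:
    """Illustrative transaction-bound code (an assumption of this example): derive a
    per-transaction key from the seed and the transaction details, so the code only
    verifies against the payee and amount the user actually saw and approved."""
    tx_key = hmac.new(secret, f"{payee}|{amount}".encode(), hashlib.sha256).digest()
    return hotp(tx_key, now // step)


def server_accepts_login(submitted: str, now: int) -> bool:
    """A bank that only checks the OTP value: accepts the code from whoever presents it
    inside the validity window (current step, plus one step of clock skew either way)."""
    return any(hmac.compare_digest(submitted, hotp(SEED, now // STEP + d)) for d in (-1, 0, 1))


def server_accepts_transaction(submitted: str, payee: str, amount: int, now: int) -> bool:
    """The bank recomputes the bound code from the transaction details it received.
    If an intermediary changed payee or amount, the relayed code no longer matches."""
    return any(
        hmac.compare_digest(submitted, transaction_code(SEED, payee, amount, now + d * STEP))
        for d in (-1, 0, 1)
    )


def relayed_login_outcome(now: int, relay_delay: int = 5) -> bool:
    """The scenario in the column: the user types a fresh code into a page that is really
    a proxy, and the proxy forwards the same code a few seconds later. Returns whether the
    bank accepts it; it does, because nothing ties the code to who submitted it."""
    user_code = totp(SEED, now)
    return server_accepts_login(user_code, now + relay_delay)


def relayed_transaction_outcome(now: int, relay_delay: int = 5):
    """Same relay, but with a transaction-bound code. The user authorises
    (payee, amount) = ("Alice", 100). Returns (accepted unaltered, accepted with altered details)."""
    user_code = transaction_code(SEED, "Alice", 100, now)
    unaltered = server_accepts_transaction(user_code, "Alice", 100, now + relay_delay)
    altered = server_accepts_transaction(user_code, "Mallory", 5000, now + relay_delay)
    return unaltered, altered


if __name__ == "__main__":
    t = 1_700_000_000  # constructed fixed timestamp so the run is reproducible
    print("RFC 4226 vector, counter 0:", hotp(SEED, 0))
    print("relayed plain OTP accepted:", relayed_login_outcome(t))
    print("bound code (unaltered, altered):", relayed_transaction_outcome(t))
```

The first result is the point Bace and Blum make: the OTP proves that someone holding the token generated a code recently, not that the party at the other end of the connection is the token holder, so a real-time relay passes the check. The second result shows the kind of check that does close the gap: the code must depend on what is being authorised, so a proxy that forwards it against a different transaction gets a mismatch rather than account access.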
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.