The man-in-the-middle gets caught up in ID theft

Trying to stay one step ahead of ID thieves
Security: Identity Management Alert, by Dave Kearns, Network World, 10/26/2005
As I mentioned in the last issue, the Federal Financial Institutions Examination Council (FFIEC) has issued new guidance for how financial institutions should plan to authenticate customers' online identities by the end of next year. These guidelines, which actually carry the force of mandates, did not recommend specific methods of strong authentication but did review some possibilities. Those included digital certificates, smart cards, one-time passwords, USB plug-ins and biometric identification methods as being more in line with the guidelines than the simple username/password combinations currently in use. In particular, the FFIEC believes that stronger authentication is needed to combat so-called "phishing" attacks.

Security vendors such as RSA are quick to point to European financial institutions as being far ahead of their U.S. counterparts in using tools such as RSA's SecurID one-time password-generation device. But are these really as secure as we think they might be?

Rebecca Bace is the CEO of Infidel, a security consultancy. She's also a venture partner with Trident Capital, specializing in network security. She learned her trade on the front lines, during 16 years at the National Security Agency, where she became one of the world's leading experts on intrusion detection and prevention. She's also a neat lady with a droll sense of humor as I learned when we were panelists at the recent Thor Technology Advisory Council meeting. She's just updated a presentation she gave at the RSA Conference 2005 called "Phishing 2.0". You can read the short article where you'll quickly find out that so-called strong authentication can also be described as weak security in many instances.

The problem Bace outlines is the same problem that Dan Blum, Network World colleague and Burton Group senior vice president, highlighted in his Weblog: One-time password (OTP) solutions are very susceptible to a man-in-the-middle (MITM) attack. Simply put, someone intent on stealing the details of your financial transaction sets up a proxy between the client and the financial Web site. By capturing and replaying the client's credentials, and returning what appear to be legitimate responses, the thief has, essentially, unlimited access to the client's account.
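To make the proxy scenario concrete, here is an added Python simulation; it is not code from this column or from the Bace or Blum presentations it cites, and it assumes a constructed shared seed and an HMAC-based six-digit code. It shows why a plain OTP offers no protection once a proxy sits in the path (the bank accepts the relayed code even when the proxy rewrites the transaction), and how binding the code to the payee and amount lets the bank reject the altered transaction.

```python
import hashlib
import hmac

# Constructed demo value: the per-user seed the token and the bank share.
SEED = b"demo-seed-not-a-real-secret"


def generate_otp(seed: bytes, counter: int, context: bytes = b"") -> str:
    """HMAC-based 6-digit code. With an empty context this behaves like a plain
    event-based OTP; a non-empty context binds the code to transaction details."""
    msg = counter.to_bytes(8, "big") + context
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_verify(counter: int, code: str, payee: str, amount: int, bound: bool) -> bool:
    """Bank-side check. When 'bound' is set the bank recomputes the code over the
    transaction it actually received, so a code minted for another transaction fails."""
    context = f"{payee}|{amount}".encode() if bound else b""
    expected = generate_otp(SEED, counter, context)
    return hmac.compare_digest(expected, code)


def simulate(bound: bool) -> tuple:
    """The client submits (code, payee, amount) through a proxy. Returns whether the
    bank accepts (a) the request relayed unchanged and (b) the request with the
    proxy's own payee and amount substituted."""
    counter = 41
    payee, amount = "landlord", 1200
    context = f"{payee}|{amount}".encode() if bound else b""
    code = generate_otp(SEED, counter, context)  # what the client's token displays
    # (a) proxy forwards the request as-is: a replay inside the code's validity
    relayed_ok = bank_verify(counter, code, payee, amount, bound)
    # (b) proxy forwards the same code but rewrites the transaction
    altered_ok = bank_verify(counter, code, "mule-account", 5000, bound)
    return relayed_ok, altered_ok


if __name__ == "__main__":
    print("plain OTP  (relayed, altered):", simulate(False))  # (True, True)
    print("bound OTP  (relayed, altered):", simulate(True))   # (True, False)
```

Note that transaction binding only stops the proxy from changing what was authorised; the unaltered relay still succeeds, so it is a complement to, not a replacement for, a mutually authenticated channel between client and bank.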

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
