By Stephen H. Wildstrom The motivation of the folks who write viruses and launch other attacks on computers is murky. But the goal of phishers, people who lure you to phony financial sites on the Web in order to steal passwords and account information, is theft, pure and simple. They pull it off primarily by fooling their unsuspecting victims, rather than by exploiting flaws in software.
That may explain why phishing incidents continue to proliferate despite the concerted efforts of software publishers to make it harder. And it is why the time has come to attack the problem at its root: the inadequacy of passwords. For Web sites where the potential losses are large, such as online banking sites, the password, no matter how cleverly constructed, has become too dangerous to use by itself.
60-SECOND CODE. The issue is authentication -- proving that you are who you claim to be online. Even the strongest password can be stolen by phishing. So for real security, passwords should be supplemented with either a biometric, such as a fingerprint, or a code. In most cases, the latter is an electronic password that changes with each log-in and that's generated by a device you carry.
Biometrics work well on corporate networks, where the initial registration can be done in person, but they're problematic for online-only transactions. Code devices may have broader appeal. The best-known is the SecurID from RSA Security (RSAS), which looks like a key fob for opening your car door but has a little window that displays a different six-digit number every minute. To log in to a SecurID-protected system, you enter a user name, a regular password, and the number on your fob. If it matches the number the system expects, you're in.
The main drawback of the SecurID is cost, both for the fob and the technology required to maintain tight time synchronization between the device and the log-in server. To date, it has been used mainly for corporate accounts, but America Online (TWX) offers a version called PassCode to members who want greater security for their online transactions. It charges about $33 a year for the service.
GRID GUARD. Some European banks have begun offering a lower-tech alternative. They mail their customers a card or sheet that contains a series of scratch-off numbers, something like a lottery ticket. To begin a transaction, the customer scratches off the next available number and enters it on the log-in screen. If it matches the number the system expects, the customer gets into the system. When the numbers are gone, the customer gets a new card. At $10 a year, it's cheaper than the SecurID -- but may still be too pricey for mass use.
Entrust (ENTU), a Canadian security company, has come up with a very clever solution. IdentityGuard is a grid with a number labeling each of five rows, a letter for each of 10 columns, and a digit in every cell. This allows for many trillions of arrays to be generated randomly with a near zero probability of any two being alike.
When you log in to an IdentityGuard-protected system, you are asked to enter your user name, password, and the digit that appears in three or four cells. You look up the information on your array, which could be printed on an ATM or credit card, and enter it to log in.
OUNCE OF PREVENTION. Simple as this is, there are serious limitations. People won't carry a separate card for each of the Web sites they visit. Until we get a common log-in system -- something like Microsoft's (MSFT) failed Passport, but with broad industry support -- the use of IdentityGuard-type approaches will be limited to sensitive accounts such as financial institutions and health records.
Some financial institutions are toughening up their online security to protect both customers and themselves. Bank of America (BAC), for example, has contracted with VeriSign (VRSN) to develop a supplement to passwords -- possibly a code device -- for online transactions.
This is going to make doing business online slightly less convenient, but it's a necessary evil. The extra step is far less trouble than cleaning up after an identity theft. Wildstrom is Technology & You columnist for BusinessWeek