Second password authenticates user

Customers of New Zealand's ASB Bank Ltd. have to have cellphones in hand before transferring large sums of money over the Internet from their accounts.

ASB was one of the first to use two-factor authentication through cellphones to help keep thieves out of on-line bank accounts, a security precaution that's now attracting the attention of businesses of all types and sizes, thanks to the popularity of mobile phones and personal digital assistants with wireless Internet access. Two-factor authentication requires two items -- a swipe card and a password, for instance -- to access a secure facility such as a website or intranet, but most computers and handhelds don't have a card reader. Instead, ASB customers enter their on-line banking user name and password as usual, but then automatically receive a text message or e-mail on their mobile phone containing a second one-time password (their cellphone information is kept on file for this purpose). The second password or "mobile token" must be used within three minutes to access the bank's website.

Most on-line fraud occurs when a thief steals a password by shoulder surfing -- literally looking over someone's shoulder -- or goes "phishing" by sending e-mails with bogus Web links that entice recipients to voluntarily surrender passwords to what they believe are legitimate secure websites but are really fakes. Proponents of two-factor authentication say it can thwart both types of thieves, reducing on-line fraud and identity theft, and creating greater confidence in e-commerce, electronic government and health initiatives, and mobile network access (a big worry for information technology departments as more workers access networks remotely).

Two-factor authentication is expected to become commonplace as banks, credit card companies, e-businesses, government agencies and other security- and privacy-conscious enterprises come under increasing pressure to combat on-line fraud and identity theft, said Stu Vaeth, chief security officer with Diversinet Corp., a Toronto-based mobile device security provider. A number of issues are fuelling the adoption of stronger security measures, he says, including a "dramatic" increase in electronic fraud, the spread of spyware that can track an Internet user's keystrokes, and new privacy legislation that puts the onus on companies to protect the privacy of customers.

Research firm International Data Corp. estimates the identity and access management market will grow to more than $3.5-billion (U.S.) by 2009 from $2.21-billion in 2003, driven by systems that require two or more factors to confirm a user's identity.

The mobile password service used by ASB, called Netcode, was developed by RSA Security Inc. of Bedford, Mass. The two-factor security system is meant to ensure fraudsters cannot raid bank accounts by pilfering a login name and password. It increases security, but it's also a source of business -- ASB customers pay 25 cents for each code and can only use it for the duration of their Internet session.

Diversinet has a package similar to RSA's that goes a step further. A program installed on the phone e-mails an encrypted password to the security system of a company that wants to verify the identity of a user. The security system replies with a mobile token the customer can use once to access a website or other on-line resource.

"The system can also provide integrated solutions for mobile data access to corporate networks and for mobile payment," Mr. Vaeth said. New security measures, such as mobile two-factor authentication, will become the norm for businesses and institutions of all sizes sooner rather than later, said Michelle Warren, a Toronto-based IT analyst with Evans Research. "Strong security is all about avoiding litigation, bad PR [publicity] and fines for non-compliance. It all goes to costs."

Still, it's a juggling act. While authentication using multiple factors is crucial to trust, companies don't want to force users and customers to jump through complex hoops -- especially when accessing things like e-commerce sites.

"If it gets too complicated, consumers will back off," Ms. Warren said.

Two-factor security using cellphones is attracting interest because it's affordable and easy to use. A company of any size and in any industry can use a mobile token system, according to Mr. Vaeth. For example, Diversinet says it is establishing pilot programs for consumer-oriented mobile token systems with three unnamed Canadian companies -- a financial institution, an Internet service provider and an e-commerce company -- and is in talks with several other North American financial institutions. It is also working with international mobile network operators on corporate pilot systems.

The projects use Diversinet's MobiSecure tokens and MobiSecure authentication service centre to enable two-factor authenticated on-line access. For Diversinet's two-factor authentication for the mass-market, there is a one-time fee of up to $20 to activate the mobile token on a device, and then a small monthly or annual fee for the service.

"With Diversinet MobiSecure, it is as easy as activating an on-line subscription to download a ring tone to your mobile phone," Mr. Vaeth said. "Once registered to the sponsoring company with your identity confirmed, you are ready to use the mobile token right away. Whether it be for one transaction a day or thousands a month, costs will remain the same per user."

Companies are taking these extreme steps because no less than the future of e-business is at stake, Ms. Warren said. "I may trust you, but if I don't trust your technology, I won't use it," she said.

"Then what?"

Two-factor authentication

Most PCs and PDAs don't have a card reader, so some new authentication systems use a cellphone to boost security.

1-Users enter their login and password for a website or network. The system then sends a temporary second password by text message or e-mail to their cellphone, using contact information it has on file.

2-Users have a few minutes to read and use the temporary password before it expires. People are given access once their login, main password and the temporary password have all been entered and verified.
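The two-step procedure above, written out as an added example that is not part of the article or of any bank's or vendor's product: a server-side sketch that checks the login and main password, only then issues a random one-time code to the cellphone on file, and accepts that code once and only inside the three-minute window the article describes. The delivery callback, the in-memory user store, the 180-second limit and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 180  # the three-minute window the article describes (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash for the stored main password (first factor).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MobileTokenAuth:
    """Two-step login: main password, then a one-time code sent to the phone on file."""

    def __init__(self, send_code, clock=time.time):
        self._send_code = send_code  # hypothetical out-of-band delivery (SMS/e-mail gateway)
        self._clock = clock          # injectable so expiry can be exercised offline
        self._users = {}             # username -> (salt, password hash, cellphone)
        self._pending = {}           # username -> (sha256(code), expiry timestamp)

    def register(self, username: str, password: str, cellphone: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt), cellphone)

    def first_factor(self, username: str, password: str) -> bool:
        """Step 1: verify login + main password; only then issue and send the code."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, pw_hash, cellphone = record
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"         # fresh random code per login
        digest = hashlib.sha256(code.encode()).digest()  # store a hash, never the code
        self._pending[username] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        self._send_code(cellphone, code)
        return True

    def second_factor(self, username: str, code: str) -> bool:
        """Step 2: accept the code once, and only inside its validity window."""
        # pop() consumes the pending code on any attempt: one guess per issued
        # code, so a six-digit code cannot be brute-forced within the window.
        pending = self._pending.pop(username, None)
        if pending is None:
            return False
        digest, expires_at = pending
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest)
```

A wrong or expired code sends the user back to step 1 rather than allowing further guesses against the same code.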

Author: Paul Mia

Source: The Globe and Mail, 28.04.2005
