Expert: Better ID checks won't beat fraud

Plans to supplement passwords with security devices won't solve the problems plaguing Web businesses, warns a crypto expert.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Plans to bolster online security with code-generating doodads, fingerprint readers or smart cards are not likely to solve the identity fraud problems currently plaguing database companies and online stores, a security expert has warned.

Two-factor authentication, or the use of a method in addition to a password to verify identity, could still be defeated by Trojan horses and phishing attacks, Bruce Schneier, a cryptographer and chief technology officer at network protection company Counterpane Internet Security, said on Tuesday.

"Since we have proposed the solution, the problems have changed," Schneier said in an interview with CNET News.com. "People are selling two-factor authentication as the solution to our current identity-theft problems, but it was designed to solve the issues from 10 years ago."

The well-known encryption expert, who has authored books on information security and terrorism, argued in a posting to his blog that e-commerce companies and security providers need to think more deeply about what two-factor authentication can solve.

"It's not going to prevent identity theft," he wrote. "It's not going to secure online accounts from fraudulent transactions."

Schneier's no-confidence vote comes a day after Microsoft renewed calls at the CeBit conference in Hannover, Germany, to supplement passwords with another identity check. It also comes on the same day that the U.S. Congress held a hearing on several high-profile data leaks that occurred in the past month.

A representative of Microsoft was not immediately available for comment, but the company confirmed that it did argue for further security checks at the German conference.

While his arguments seem to run counter to Microsoft's effort, Schneier stressed that the software maker's focus on improving security beyond passwords, for example with the use of key fob-size hardware tokens, is a good one.

"Doing away with passwords is a good idea," he said. "Tokens work great, with employees logging onto the corporate server."

However, what's good in a closed corporate network is not as useful on the "anything goes" Internet, Schneier said. Trojan horses can be created that let the attacker know when someone is logged into their bank account and, even with a second identity check, could insert new transactions into the session. Also, online thieves could take control of a server that routes Internet traffic and then develop programs to similarly insert fraudulent transaction into a banking session.

"The tactics will change," Schneier said.

That may be true, but that does not mean that enhancing security with a fingerprint-reading or code-generating device is a bad thing, said Chris Voice, chief technology officer at security company Entrust. Raising the bar for attackers will give some respite from attacks and make fraud that much harder to do, he said.

"You don't stand still just because the criminals are going to evolve," he said. "You still put the lock on the door."

Yet online service providers should look to more permanent solutions, Schneier said. While two-factor authentication does not solve the problem, security companies should still re-analyze the issues, he said.

"Focus on the problem: Fraudulent transactions," he said. "There are two strategies: You can make identities harder to steal, or you can make identities less useful. I think the first fails in the end."