Boardroom
Aladdin Knowledge Systems

COMBATING THE SCOURGES OF IDENTITY THEFT
AND PHISHING
Yanki Margalit
Chairman and CEO
Aladdin Knowledge Systems, Ltd. (Nasdaq: ALDN)

It's a growing issue of concern to businesses and their customers: identity theft. In the United States alone, nearly 20 million American consumers have felt its effects, leading to annual losses of $50 billion, according to the U.S. Federal Trade Commission. And 2004 saw identity theft topping the FTC's list of fraud-related complaints for a fifth year in a row. Clearly, this is an issue which cannot be ignored.

ID theft, particularly phishing, is rapidly spreading worldwide, straining the mutual trust between online enterprises and their customers that is a prerequisite for secure online transactions. This, in turn, leads to significant financial losses and decreased customer usage of online consumer and financial services.

The Problem with Passwords

Security in general – and the authentication of users in particular – are critical components in enabling business and protecting sensitive corporate information. Today, passwords are the primary tool for user authentication – a term which essentially means “are you who you say you are?”

Once, access to important applications was given via passwords as easy as "open sesame." But in the Internet age, granting access via phrases can be the harbinger of bad news.


Why a Password Isn't Good Enough
Unfortunately, passwords come with their own set of issues. Passwords can be easily stolen, lost, shared or cracked. Due to the need to manage multiple passwords and to ensure the effectiveness of passwords used, organizations have adopted stringent password policies. This has translated into more complex passwords and consequently, made them more difficult to remember. “Passwords remain a fundamental security weakness," Gartner wrote in a recent report on system security, noting that this was "regardless of the strength of the password policy.”
(Gartner Report, “Assess Authentication Methods for Strong System Security," August 2004)

The human factor plays a major role in password effectiveness. ATMs, the web, cell phones, PCs – the need to authenticate never ends. To cope, users are writing their passwords down, leaving them lying around here and there, or using obvious passwords. It comes as little surprise that for his/her computer alone, a typical user can have more than ten passwords! In any case, chances are that most computer users are actually compromising the security they were meant to improve – rather than being the guardian of the gateway they once were, passwords today frequently become the key to unsecured access.

And that's without considering the crackers. Whether for kicks, or for profit, they're out there, looking for ways in. As Gartner boldly put it in another recent report, "Passwords are no longer good enough for PC security." Computer capabilities have advanced so much, they say, that what once were "strong passwords" are now falling victim to "inexpensive computer cracks."

One method of password cracking is called a “brute force” or “dictionary” attack. In this type of attack, a computer tries candidate passwords (every possible combination in a brute force attack, or a list of likely words in a dictionary attack), hashing each one until it finds one that matches the password's "hash," the one-way fingerprint in which a system stores the password rather than the password itself.

A lost or stolen PC or laptop can give crackers access to a lot more than just what is on that specific computer. Gartner notes that it is a real possibility for crackers to extract administrator passwords from PCs, theoretically opening access to other systems within the IT infrastructure.

Another issue is cost. Not only are passwords insecure, they are also expensive to manage. Dealing with a user forgetting his/her password(s) may seem minor, but in actuality, it is no matter of chump change – a 1,000 employee organization can spend $150,000 a year or more on password-related help desk calls.
 

Fitting 'Phishing' Into the Picture

2003-2004 saw the rise of 'phishing.' Phishing is the sending of e-mails and links to web sites which are designed to look like those of well-known, legitimate businesses, financial institutions, and government agencies. They are sent with the intent of deceiving Internet users into disclosing personal data such as bank and financial account information, usernames and passwords. When successful in accessing this information, the phishers then take it and use it for criminal purposes, such as identity theft and fraud.

Called the “hottest, and most troublesome, new scam on the Internet” by the FBI, phishing deceived nearly 11 million users in the U.S. during the 12-month period ending April, 2005, according to the Gartner research group. And with phishing attacks growing at a monthly rate of 26%, according to the Anti-Phishing Working Group (APWG), it’s no surprise that government regulators and leading institutions across the globe are taking action to address this problem.

Identity Theft on the Rise

President Bush has signed the 2004 Identity Theft Penalty Enhancement Act, which defined the penalties for identity theft and provided mandatory sentencing enhancement for fraud crimes committed using a stolen identity.  Unfortunately, however, this has done little so far to dampen the enthusiasm of identity thieves. Rather, evidence suggests the numbers have been growing, with identity theft cases reaching dramatic highs in the first half of 2005.

In recent months, major organizations hit by identity theft (or situations which made them potentially vulnerable to identity theft) have included such leading organizations as Bank of America and ChoicePoint.

Bank of America, according to an Associated Press article, lost the computer data tapes containing the personal information of 1.2 million federal employees. These tapes listed the customer and account data from a federal government charge card program.

In the case of ChoicePoint, the AP reported that it was the company itself which was fooled into electronically delivering thousands of reports containing customers' names, addresses, Social Security numbers, financial data and other information to several individuals. These individuals, who posed as representatives of debt collection, insurance and check-cashing businesses, then changed the mailing addresses of over 700 victims, a step identity thieves often take in order to gain access to credit card offers and other mail.

Banks Get Hit the Hardest

Financial institutions remain the most vulnerable and hardest hit victims of phishing and identity theft. According to Anti-Phishing Working Group statistics, the financial services sector is consistently the most targeted industry for phishing attacks, with financial institutions representing 15 of the top 20 organizations targeted by such attacks in 2004.

The identity theft phenomenon is clearly taking a toll on the online banking industry. Financial Insights states in a recent report that nearly 60% of U.S. consumers are concerned about identity theft, while 6% of American consumers went as far as switching banks in order to reduce the risk of falling victim to ID theft. Then there is a JupiterResearch study which found that 27% of all online banking customers use less online functionality due to security concerns, and 31% of all online users will not bank online at all, as a result of identity theft fears.

The picture is clear: consumers are afraid, and financial organizations must find ways to reassure them that their information and their online transactions are secure – both inside and outside of the organization. 

The Threat Starts From Within

While phishing represents the most significant external threat against customer data theft, the biggest threat organizations face in protecting customer information comes from within. In a 2004 survey conducted by the Computer Security Institute, nearly 60% of respondents said that internal abuse of network access has occurred within their organizations, the second-largest type of attack on computer systems after viruses. And a 2004 Michigan State University study revealed that up to 70% of all identity theft cases involve employees stealing personal data from their companies.

The Problem in a Word: Passwords

When it comes to network and Internet security, traditional password authentication in which a user provides a user name and password, remains the method of choice for most financial institutions. But despite its popularity, password authentication is not ideal for banks or their customers. Customers often maintain several user IDs, constantly changing passwords for a variety of online services and applications, making personal password management unwieldy, not to mention a logistical nightmare. Banks, meanwhile, must allocate significant resources – particularly help desk personnel and IT administrators – to manage password usage.

More importantly, the sharp increase in ID theft and phishing is neutralizing the effectiveness of traditional password authentication: customers feel more vulnerable than ever, while banks are being exposed to unprecedented levels of fraud risk.

Password-based authentication poses security problems for banks not only at the customer level, but at all network infrastructure points, starting from within the institution itself. Employees required to handle multiple passwords often either choose easy-to-remember words and numbers, or write them down, thereby increasing the risk that their access credentials will fall into the wrong hands. Without stronger controls on internal networks, applications and data, financial organizations are extremely vulnerable to internal ID theft attacks and losses.

Organizations Turning to USB Strong Authentication to Protect Sensitive Data

Among the most popular and successful identity theft solutions is strong authentication. Also known as two-factor authentication, strong authentication involves the use of more than one factor to identify users accessing private networks and applications. According to the U.S. Federal Deposit Insurance Corp. (FDIC), strong authentication “has the potential to eliminate, or significantly reduce, account hijacking,” and is gaining traction as a legitimate form for safeguarding consumer accounts. A recent JupiterResearch study found that 38% of all online banking customers feel that strong authentication alleviates their privacy and security concerns.

Whether in the form of tokens, smart cards or ATM cards, strong authentication combines 'something you know' (a password, for example) with 'something you have' (a token, for example) in order to verify a user’s identity. In particular, USB strong authentication tokens with built-in smart card technology are taking banking security to another level. By enabling easy and secure implementation of certificate-based security applications, these tokens provide banks not only with strong authentication, but also with the foundation for implementing end-to-end security and a range of secure online services to customers.
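To make the 'something you know' plus 'something you have' combination concrete, and to show why a password captured by a phisher is not enough on its own, here is an added example that is not Aladdin's code and not from the original article. It simulates a bank server that stores the password only as a salted, stretched hash (the point made earlier about dictionary attacks against password hashes) and a token whose secret is generated inside the token at enrollment and used to answer a fresh server challenge on every login. The username, the password "open sesame", the token serial and the scenario are constructed for the example; the symmetric HMAC challenge-response is a simplification of the certificate-based tokens the article describes, and the challenge and user tables are kept in memory for illustration.

```python
"""Two-factor login check: 'something you know' (a password) plus 'something you
have' (a token holding a secret). Added example, not Aladdin's own code."""
import hashlib
import hmac
import secrets

# Key stretching: each guess in a dictionary attack must pay this many iterations.
PBKDF2_ITERATIONS = 200_000


def enroll_password(password: str) -> dict:
    """'Something you know': keep a salted, stretched hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time comparison


class Token:
    """Simulated hardware token ('something you have'). The secret is generated
    inside the token and exported once, at enrollment, for the bank's copy
    (a symmetric scheme; a certificate-based token would instead hold a private
    key that never leaves the device)."""

    def __init__(self, serial: str) -> None:
        self.serial = serial  # constructed identifier
        self._secret = secrets.token_bytes(32)

    def provisioning_secret(self) -> bytes:
        return self._secret

    def respond(self, challenge: bytes) -> bytes:
        # The token answers the bank's challenge; a phished password cannot produce this.
        return hmac.new(self._secret, challenge, "sha256").digest()


class BankServer:
    def __init__(self) -> None:
        self.users = {}    # username -> {"pw": password record, "token_secret": bytes}
        self.pending = {}  # username -> outstanding challenge (single use)

    def enroll(self, username: str, password: str, token: Token) -> None:
        self.users[username] = {
            "pw": enroll_password(password),
            "token_secret": token.provisioning_secret(),
        }

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh nonce for this login attempt
        self.pending[username] = challenge
        return challenge

    def login(self, username: str, password: str, token_response: bytes) -> bool:
        user = self.users.get(username)
        challenge = self.pending.pop(username, None)  # consumed: a replay finds nothing
        if user is None or challenge is None:
            return False
        expected = hmac.new(user["token_secret"], challenge, "sha256").digest()
        # Check both factors unconditionally so a failure does not reveal which one was wrong.
        know_ok = verify_password(user["pw"], password)
        have_ok = hmac.compare_digest(expected, token_response)
        return know_ok and have_ok


def demo() -> dict:
    """Constructed scenario: legitimate login, phished password alone, replay, lost token."""
    bank = BankServer()
    token = Token("TOKEN-0001")
    bank.enroll("alice", "open sesame", token)

    # 1. Legitimate customer: knows the password and holds the token.
    c1 = bank.issue_challenge("alice")
    r1 = token.respond(c1)
    legit = bank.login("alice", "open sesame", r1)

    # 2. Phisher who captured only the password has no token and must guess the response.
    bank.issue_challenge("alice")
    phished = bank.login("alice", "open sesame", secrets.token_bytes(32))

    # 3. Phisher who also captured an earlier token response and replays it.
    bank.issue_challenge("alice")
    replay = bank.login("alice", "open sesame", r1)

    # 4. Someone holding a lost token but not the password.
    c4 = bank.issue_challenge("alice")
    lost_token = bank.login("alice", "password123", token.respond(c4))

    return {"legit": legit, "phished": phished, "replay": replay, "lost_token": lost_token}


if __name__ == "__main__":
    print(demo())
```

Only the first scenario succeeds: a password alone, a replayed token response, or a token without its password all fail, which is the property the article attributes to strong authentication. The server-side password hash also shows the mitigation for the dictionary attack described earlier: salting stops precomputed tables and the iteration count makes each guess expensive.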

Making Secure e-Banking a Reality

With strong authentication, financial institutions can make secure e-banking a reality. The most important features organizations should consider when adopting a strong authentication solution include:

  • Security – A strong authentication solution must deliver the highest level of security, including on-board generation of keys and secure storage of personal credentials such as passwords and digital certificates.
  • Easy Deployment – The solution must enable easy token deployment via automated distribution, enrollment and personalization capabilities, and via user self-service token enrollment and maintenance capabilities.
  • Ease-of-Use – The solution should be user friendly; otherwise, customers will not be inclined to take advantage of new online banking opportunities.
  • Easy Management – Each financial institution needs to be able to manage an overall security solution without requiring extensive changes and heavy investments in IT infrastructure.
  • Portability – The solution should be functional in a range of environments including home, work and public locations, such as Internet cafes. In addition, it should be fully portable and easy to carry.
  • Value Added Enabler – The solution should allow financial institutions to provide value-added offerings that include security services such as laptop security, credential management and file encryption – all with the same token. In this way, organizations can differentiate themselves from the competition, increase user acceptance of tokens, and enjoy the flexibility of providing additional security services in the future.

It will take a balance of new laws, consumer education, aggressive law enforcement, and innovative security technology to turn the tide of identity theft and phishing.  We at Aladdin are already seeing tremendous progress in these areas and are providing solutions today to help curb these scourges of the Internet economy.


Yanki Margalit is the founder, chairman and chief executive officer of Aladdin Knowledge Systems, Ltd. In 1984, he developed a handwriting-analysis software application, founding Aladdin to market it.

Mr. Margalit then developed HASP, a system offering software security without inconveniencing legitimate users. In 1993, Mr. Margalit took Aladdin public on the NASDAQ stock exchange.

Today, Aladdin is a global leader in the software and Internet security market, living up to its mission of "Securing the Global Village." Visit the Aladdin website at
http://www.Aladdin.com to learn about Aladdin security solutions.