Stuart Gentle Publisher at Onrec

Passwords - Friend or Foe?

Passwords have been used for centuries but, according to some, their days are numbered

Passwords have been used for centuries but, according to some, their days are numbered. Bill Gates, for example, believes that arming everyone with yet more complex technology will make electronic transactions safer. While this may be true for those prepared or able to use such technology, there's a lot more that communications networks can do to take the strain and keep things simple, argues Richard Baker, BT's chief identity architect.

Every day for the past 700 years, a password ritual has been enacted at the Tower of London. At seven minutes to 10 o'clock every night, the Tower is locked down by the Chief Warder who is then challenged by a sentry to provide the right password. The dialogue runs:

Sentry - Who goes there?
Chief Warder - The Keys
Sentry - Whose Keys?
Chief Warder - Queen Elizabeth's Keys
Sentry - Pass Queen Elizabeth's Keys. All's well.

But all is far from well in the modern world. Passwords have become a currency amongst criminals who attack banks, businesses and individuals to steal cash and other assets.

In our digital world, the majority of electronic transactions and security procedures are 'protected' by user name and password authentication.

Many people use the same password for everything while others use a different password for each system. Both approaches have serious weaknesses. The first enables a hacker who has successfully captured a password to tamper with not just one but all of a victim's electronic accounts. The second requires people to remember dozens of different passwords and change them regularly. Understandably, people often forget their passwords, write them down or simply enter the wrong one, increasing the burden on helpdesks.

Beyond passwords, there are approaches to authentication that have previously been considered a 'Gold Standard'. In reality, though, nothing is foolproof and there always has to be a trade-off between security, usability and cost. There's no point, for example, in a bank spending a fortune on a system that is too cumbersome for its customers to use; such a system might drive customers away.

An appropriate level of investment, however, is essential to manage the risks involved in a rapidly evolving threat landscape. Fraud, money laundering and the financing of terrorists are activities carried out by 'professionals' who work to a business case just like any legitimate organisation. Fighting them involves working to a business case that has the opposite objectives and ensuring you are sufficiently fleet of foot to outwit the bad guys.

Challenging the password

Authentication systems revolve around one or more of three things:

• something you know, such as a password or PIN;

• something you have, like a smart card or an electronic token usually in the style of a key-fob; and

• something you are, for example individual biometrics relating to fingerprints, voice patterns and iris scans.

Until now, passwords have ruled the roost because they are cheap to implement. But Bill Gates thinks we've reached the limits of this simple technology and is advocating stronger measures based on new technologies [1].

Like many other companies, BT included, Microsoft believes in a 'multi-layered' approach to security in which it becomes harder and harder to penetrate systems as the potential for damage to the organisation or its customers increases.

The software giant, however, tends to focus on measures that can be installed on the desktop or back-office server or literally put into a person's hand. The latter could be an electronic token or a hand-held card reader for use in the home in a similar way to the devices that read credit cards in shops.

This isn't the only way to address the security challenge. First, though, what are the pros and cons of the approach Microsoft is recommending?

Two-factor technology

While the majority of US banks still employ a simple approach to authentication based on user names and passwords, many organisations around the world now use 'two-factor' techniques.

Typically, these involve tokens that generate a unique number that becomes useless after a time window of 30 seconds or so, or is limited to a one-off transaction. In the case of electronic tokens, the user enters this number as well as his/her user name and password. If a card reader is used, the number is read and submitted automatically.

The result is an enhanced level of security, but the technique isn't without its limitations. Citibank, for example, uses a two-factor system in the US, but it was successfully attacked by fraudsters in summer 2006 [2].

They used a particularly sophisticated form of 'phishing', a scam in which emails are sent asking people to visit websites to update details such as user names and passwords. The problem is that the websites are fakes. Customers who thought they were logging in to the real website at the bank's request were actually giving their login details to criminals.

Such scams are increasingly commonplace and have made it urgent for organisations to find a way to convince the public that the websites they are accessing are genuine.

Evolving risk

One of the challenges is to find a way of doing this that delivers acceptable security, is easy to use and is of acceptable cost to the organisation and its customers.

Achieving all three can be a challenge. In Holland, for example, people are prepared to buy hand-held card readers to access their bank account but research shows that people in the UK wouldn't be willing to pay for enhanced security.

Even if answers can be found, they may only be effective for a limited period of time. The banks, amongst others, are beginning to realise this. They face a number of challenges:

• Securing their own websites and call centres
• Confirming transactions made on other commercial websites
• Checking that customers really are who they claim to be
• Encouraging people to use online services rather than going to the bank.

The picture is constantly changing. The arrival of chip and PIN authentication has seen a shift in fraud patterns from straightforward over-the-counter credit card fraud to Cardholder Not Present (CNP) fraud, either online or over the telephone.

The regulations banks must meet are changing too. To prevent money laundering, for example, both the Financial Services Authority in the UK and the Federal Financial Institutions Examination Council in the US now require banks and other financial services organisations to validate every new customer's identity.

The FFIEC considers single-factor authentication including passwords and PINs to be inadequate for high-risk transactions but recommends a 'reasonable' approach to risk. A recent report says: 'The method of authentication used in an internet application should be appropriate and reasonable from a business perspective in the light of foreseeable risks.'

Crucially, it requires financial institutions to develop an ongoing process to align the extent of authentication with the level of risk involved in a class of transaction and ensure the most appropriate authentication technologies are used in each case.

A network approach

So if 'two factor' techniques are already showing signs of weakness, are there any alternatives?

One that's been in use for some years is based on the analysis of people's behaviour patterns. Some credit card companies, for example, do more than check that the correct PIN is entered when a purchase is being made. They also look at the amount being charged and the store's location to be sure these details fit with what's normal. If they aren't, additional checks are made.

Phone companies, BT among them, apply similar checks to customers' calls. Have they suddenly started making more calls, or started calling premium-rate numbers for long periods? Anything suspicious prompts a call to the customer to make sure all is well.

BT plans to build on such multi-layered approaches as it deploys its new 10bn 21st Century Network (see panel). The network will include an evolving set of services that allow both BT and other organisations to create multi-layered defences against criminal activity based on perceived risk.

Still in development, the idea is to capture and use for security purposes the sorts of data that people disclose as they access online services: where they are connected to the network, which computer and web browser they are using and so on. This will create a pattern of normal behaviour for each user that can be used to increase the confidence that a user is who he/she claims to be.

The information will allow BT to assign a risk rating to each user session. If the user is connecting from his/her home address, the risk will be low but, if he/she suddenly starts connecting from a country where fraud is endemic, it will be high. It will be up to the organisation that uses BT's service to decide how it wants to respond to each level of risk. At which level will it begin to limit what users can do, for example, and at which will it prevent access completely?
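As an added illustration of the session risk rating just described (and of the pattern-of-normal-behaviour checks earlier in this section), the Python sketch below is not BT's code: it builds a user's profile from a constructed sample of past sessions, rates a new session by how far it departs from that profile, and leaves the response thresholds to the relying organisation. The attribute weights, the high-fraud country list (with 'ZZ' as a placeholder code) and the default thresholds are all assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

# A session as disclosed on connection: (country, device identifier, browser).
Session = Tuple[str, str, str]

# Constructed sample history for one user; a real deployment would read session logs.
HISTORY = [
    ("GB", "laptop-a1", "Firefox"),
    ("GB", "laptop-a1", "Firefox"),
    ("GB", "laptop-a1", "Firefox"),
    ("GB", "phone-b2", "Safari"),
]

# Assumed weights and high-fraud list ("ZZ" is a placeholder country code);
# in the scheme described, these are choices for the relying organisation.
WEIGHTS = {"country": 50, "device": 25, "browser": 10}
HIGH_FRAUD_COUNTRIES = {"ZZ"}
HIGH_FRAUD_BONUS = 30


def build_profile(history: Iterable[Session]) -> Dict[str, Counter]:
    """Pattern of normal behaviour: how often each country, device and browser was seen."""
    profile = {"country": Counter(), "device": Counter(), "browser": Counter()}
    for country, device, browser in history:
        profile["country"][country] += 1
        profile["device"][device] += 1
        profile["browser"][browser] += 1
    return profile


def risk_score(profile: Dict[str, Counter], session: Session) -> int:
    """Risk rating 0..100: points for each attribute never seen for this user,
    plus a bonus when the connecting country is on the high-fraud list."""
    score = 0
    for key, value in zip(("country", "device", "browser"), session):
        if profile[key][value] == 0:
            score += WEIGHTS[key]
    if session[0] in HIGH_FRAUD_COUNTRIES:
        score += HIGH_FRAUD_BONUS
    return min(score, 100)


def decide(score: int, step_up: int = 25, deny: int = 70) -> str:
    """Map the rating to a response. The thresholds are policy, so the
    organisation using the service sets them; these defaults are assumed."""
    if score >= deny:
        return "deny"          # prevent access completely
    if score >= step_up:
        return "step-up"       # limit what the user can do or run an extra check
    return "allow"
```

A new device from the usual country lands on the step-up threshold, while an unfamiliar country plus an unfamiliar device and browser is capped at 100 and denied.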

Like other security measures, it won't be perfect. Someone will eventually find a loophole that will have to be closed. However, like existing checks on credit card transactions, it doesn't require users to do, have or buy anything special.

In many ways, users and customers are the strongest weapon against hackers and fraudsters. You need to do everything you can to keep them on your side, alert to the threat and helping you defeat it. The clearer and more straightforward security checks are to complete, the more likely your users or customers will want to work with you.

Richard Baker is Chief Identity Architect at BT

BT Global Services is exhibiting at Infosecurity Europe 2007, Europe's number one dedicated information security event. Now in its 12th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,600 visitors from every segment of the industry. Held on 24-26 April 2007 in the Grand Hall, Olympia, this is a must-attend event for all professionals involved in information security.

References

[1] CNET News.com, 'Gates: End to passwords in sight', news.com.com/Gates End to passwords in sight/2100-7355_3-6039177.html

[2] Washington Post, 'Citibank Phish Spoofs 2-Factor Authentication', blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html

[3] Lakshmi Sandhana, 'Your Thoughts Are Your Password', Wired News, April 2006, www.wired.com/news/technology/0,70726-0.html

[4] Federal Financial Institutions Examination Council, 'Authentication in an Internet Banking Environment', www.ffiec.gov/pdf/authentication_guidance.pdf

Suggested pull quote

Single-factor authentication including passwords and PINs is inadequate for high-risk transactions - FFIEC report [4]

Panel:
A passing thought...

The ability to analyse usage patterns and issue alerts if they could be fraudulent is being built into BT's 21CN modernisation programme.

The company is also working on biometrics as a way of proving whether customers are genuine or not.

Biometrics are likely to become more widely used as the future unfolds. In summer 2006, for example, the Co-op Bank launched a pilot of a fingerprint identification system. At the moment, however, BT is looking at voiceprint analysis. A switch to fingerprint recognition would require large-scale deployment of new hardware, whereas voiceprint analysis could easily be deployed at consumer scale over currently-available networks.

Looking even further ahead, researchers in Canada are working on the idea of using a person's brain waves to prove their identity [3].

Instead of a password, they believe that sensors can pick up thought patterns in response to highly individual things such as a snatch of a favourite song or a picture of a loved one.

Now there's food for thought!