Online Identity Theft: Many Medicines, No Cure
As the incidence of online identity theft has steadily climbed in recent months, banks and online retailers have struggled to stay on top of the problem and to protect their customers, whose personal financial information and online account details are coveted by criminals. But as problems like phishing scams change from e-crime phenomenon to endemic online threats, technology companies--both large and small--are bringing products and services to market that they claim can end, or greatly reduce, the threat of online identity theft.
These are some of the technologies aimed at curbing online identity theft:
Antiphishing toolbars: These lightweight applications, or applets, were some of the first tools specifically created to stop online scams like phishing. These free programs have been offered to customers by EBay, Internet service providers EarthLink and America Online, and other companies, including GeoTrust and CoreStreet.
The programs are usually plug-ins adding an extra toolbar to a user's Web browser interface. The programs verify Web site URLs and warn about Web sites that hide their true addresses. Antiphishing tools are effective against phishing scams that use spam to direct Internet users to Web sites controlled by thieves, but designed to look like legitimate e-commerce sites. However, such tools do nothing to secure sensitive financial information online.
Antiphishing services: Phishing prevention services are designed to spot and thwart new threats, including brand monitoring services such as FraudProtect by MarkMonitor, Symantec's Online Fraud Management Solution, VeriSign's AntiPhishing Solution, and services by NameProtect.
Most of these services use a distributed network of sensors to monitor e-mail traffic, news groups, and Web domain registrations, spotting new scams, such as phishing attacks. The services promise to enable companies to move quickly to crack down on fraudulent Web sites that use their names and also give customers advanced warning about scam e-mail messages making the rounds.
Payer authentication and smart cards: Online security advocates often cite smart cards as a cure-all for online fraud. The cards combine traditional plastic credit cards with microprocessor chips that can store far more information about the cardholder than older, magnetic-strip cards. Among other things, smart cards can store PINs or biometric identifiers that could be used at the point of purchase to verify the purchaser's identity, making theft of an account number or credit card inconsequential.
Smart cards are ubiquitous in Europe, and the U.K. banking industry has launched a major, nationwide rollout of smart card technology through its "Chip and PIN" program, which will replace magnetic-strip cards and do away with signed receipts for "card present" purchases. But banking officials in the U.S. cite a number of obstacles to widespread smart card use, including an existing infrastructure of millions of card readers that do not support the new cards.
Fraud screening and prevention: Lacking strong authentication at the point of purchase, most credit card companies and merchants in the U.S. name fraud screening technology as their first and best defense against fraud. Companies in this space, including VeriSign, ClearCommerce, and CyberSource, use a variety of filters to analyze transaction patterns for individual consumers or groups of consumers, and to spot suspicious activity.
For example, companies might flag a pattern of rapid, high-value transactions and spot discrepancies between the geographical location from which the order was placed and the billing address, or look askance at transactions with different billing and ship-to addresses, according to Julie Ferguson, co-founder and vice president of emerging technologies at ClearCommerce.
Consumer authentication services: Recent deals between security technology companies and major ISPs and consumer software vendors could bring multifactor authentication technology into the mainstream.
In September, RSA Security and AOL announced a new program called "AOL PassCode" that will encourage AOL customers to use RSA SecurID tokens to protect account information. On the same day, VeriSign announced its Unified Authentication program, which it said will reduce the cost of "strong authentication," such as one-time passwords or hardware smart cards. In October, RSA announced the availability of SecurID for Windows, a secure token that will make it easier for users to log on and off to Windows machines using multifactor authentication, while VeriSign and AOL said they would investigate ways to extend the Unified Authentication program to AOL members.
Experts agree that the sum of those announcements is more and less expensive access to strong authentication technology--AOL's Passcode token costs only $9.95. Consumer strong authentication programs could also create an infrastructure that banks and online retailers build on to strengthen interactions with their own sites, according to Gil Danieli, vice president of technology at EverBank National Banking Group, an online bank.
For now, Passcode and SecurID for Windows haven't been expanded to protect access to online banking or e-commerce services, such as Apple Computer's popular ITunes, with which AOL has a relationship through its AOL Music service. But such applications aren't out of the question in the future, according to Ned Brody, senior vice president of premium services at AOL.