To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password.
For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she’s about to run out.
As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such “passwords-plus” systems.
Scandinavia countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.
“A password is a construct of the past that has run out of steam,” said Joseph Atick, chief executive of Identix Inc., a Minnesota designer of fingerprint-based authentication. “The human mind-set is not used to dealing with so many different passwords and so many different PINs.”
When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords such as “1234” or a nickname.
Stevan Hoffacker follows those rules but commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times’ Web site and E-ZPass electronic toll statements.
In such cases, should hackers or scammers compromise one account, they potentially have one’s entire online life.
“This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it,” said Hoffacker, an information technology manager in New York.
But it’s difficult to remember dozens of strong passwords – so many sites now require them. Alternatives include writing them down on a sticky note attached to a monitor or in an electronic spreadsheet – practices security experts also deem unsafe.
With two-factor authentication, having a password alone is useless.
“We will never play the fear factor here, but still it stays a fact that with our products, ‘phishing’ (cracking a password code) is no longer an issue,” said Jochem Binst of Vasco Data Security International Inc.
The Belgian company issues devices the size of pocket calculators or keychains. You type your regular password into the device for a second code that is based on the time and the unit’s unique characteristics. That’s the code you type into the Web site.
Someone who steals your device won’t have your password; someone who steals your password won’t have your device.
MasterCard International Inc. has been testing similar systems in Britain, Germany and Brazil. Swipe a credit card with a smart chip into a special reader, enter your PIN and obtain a password good only once at Office Max, British Airways and a dozen other merchants.
In Singapore, bank customers wishing to designate new accounts for fund transfers must likewise obtain a second password – through a phone call, e-mail or mobile text messaging.
Biometric systems are similar, except a fingerprint or iris scan replaces one or both passwords.
In the United States, use of two-factor authentication remains limited.
U.S. banks and e-commerce companies have focused, for now, on making sure passwords are strong. EBay, for instance, now rejects attempts to create passwords such as “eBay” or “password.”
Before two-factor authentication becomes commonplace, laptops must come standard with biometric readers, or manufacturers must bring down costs for password-generating devices.
Outfitting 1 million customers with such devices could cost $20 million, while Internet fraud for those customers amounts to “tens of thousands at most,” said Tony Chew, director of technology risk supervision at the Monetary Authority of Singapore. Singapore banks thus limit dynamic passwords to fund transfers, he said.
Associated Press
Marie Jubran of Stockholm refers to a code from a scratch-off card that she uses to get access to her bank account.
Talk to us
> Give us your news tips.
> Send us a letter to the editor.
> More Herald contact information.