Posted by SecExtra on September 02nd, 2009

Using passwords to access online information is not secure enough, according to a new white paper from managed security company Network Box. The paper, ‘Authentication, who are you?’, written by Network Box’s Internet Security Analyst, Simon Heron, argues that web-based services – particularly those that hold financial information – must increase security in order to protect their customers effectively.
Heron warns that identity fraud is increasing – particularly card-not-present (CNP) fraud – and yet secure access to the ever-growing number of web-based applications relies (for the most part) on the same techniques used since the beginning of IT security: user names and passwords. While a number of banks use multi-factor authentication in the form of card-sized number generators (a system that Heron argues is not sustainable, because consumers would balk at carrying around the number of devices required to authenticate access to all their online accounts), most businesses still rely on user name / password combinations.
The problem is that consumers simply have too many passwords to remember, and so either use passwords that are simple to remember (and so easy to ‘break’), write them down, or rely on resetting them, using the ‘forgotten your password’ function on a website (which is often in itself insecure). Even the ‘verified by Visa’ system is not secure, says Heron: “The ‘verified by visa’ system is a basic two-factor authentication system, but if you forget your password, often all you need in addition to the credit card is your date of birth to reset the password – which is less secure than most single password systems.”
The paper also examines the pros and cons of an ‘Identity 2.0’ approach to online security: creating a single, secure identity (such as OpenID) that is recognised by a number of online entities with which a user interacts, and that could be authenticated in a number of ways. These systems are also not without their problems – privacy being a prime concern.
Heron says: “All companies involved in secure transactions must start working together to provide uniformity in their approach to security. This is becoming a major issue for consumers. If customers are to interact online and divulge confidential information, the company with which they’re doing business has a duty to secure that information.”
More information on the paper is available from Network Box, which also publishes material on wider security issues; you can also visit Simon Heron’s blog or follow Simon on Twitter.