As devices like the iPhone have demonstrated, a phone today is more than a phone: Beyond simple calls, handsets play music, take photos and serve up Web video of skateboarding dogs. Now banks and security researchers are hoping to squeeze another function into the wireless devices that people all over the world now carry: putting an end to identity theft.
At its annual security conference in San Francisco last month, security firm RSA showed off a phone with an unusual feature: When a Web user makes a purchase or performs a banking transaction online, the phone receives a wi-fi signal from the PC making the transaction. RSA's handset, built by manufacturer HTC, then displays the transaction and waits for the user to approve it before sending another signal back to the computer, allowing money to be transferred.
In pictures:
Gadgets for stopping identity theft
Video: Who's reading your mail?
That process is what security researchers call "two-factor authentication." In other words, to steal the financial identity of the gadget's owner and use it for financial gain, you'd have to obtain both his credit card information and his physical phone--hardly a simple task for cybercriminal organizations that typically collect their thousands or millions of victims through phishing schemes or corporate data breaches.
The banking industry is also buying into the idea of two-factor authentication. Many banks already offers security "tokens" to their high-end users, cards that generate changing passwords that are required to authenticate transactions. Last October, Bank of America combined a similar function with its customers' cellphones: A program available to all Bank of America customers called "SafePass" sends customers text messages to their phones when they bank online, requesting that they enter a given code to confirm their identity.
Because Bank of America's SafePass program uses text messages rather than the seamless wi-fi signals suggested by RSA's prototype handset, it's slower and costlier than RSA's future solution. But the program's adoption by customers is already in the "six digits," according to the bank's senior vice president of eCommerce, Doug Brown.
In pictures:
Eight ways to hack the web
Hacking without technology
"Security is on our customers' minds," Brown says. "The cellphone is ever-present, and there are about 140 million active texting users in the U.S. So it's an easy way to deliver that security."
To be sure, banks and credit unions have long offered credit monitoring by text message, sending customers notices when they spot suspicious transactions. But that serves only to detect identity theft quickly--not to prevent it. Banks and merchants still pay for the cost of that fraud and pass it on to customers, a total that amounted to around $45 billion last year, according to Javelin Research.
In fact, physically authenticated security goes beyond online banking or purchases. RSA has long offered SecurID tokens, similar to those used by high- end banking users, which allow corporations to add an extra layer of protection to their network or e-mail system--a new code appears on every employee's token every 60 seconds, foiling potential hackers.
In pictures:
How to keep data safe on the web
Cyber attack hot spots
More recently, the company has also begun integrating those tokens into multipurpose devices, such as USB drives and credit cards. RSA offers a more flexible, software version of that tool that fits neatly into smart phones. The company plans to integrate token software into every new BlackBerry sold by Research in Motion.
Two-factor authentication isn't a complete cure-all for identity theft, warns Zulfikar Ramzan, a security researcher for Symantec. Most two-factor authentication is vulnerable to a "man in the middle" attack, in which a phishing Web site or malicious software intercepts the temporary PIN generated by a physical token along with the user's password. But even then, Ramzan says, two-factor authentication could effectively disrupt the cybercriminal economy.
A phisher would have to use the stolen identities immediately, rather than the more common practice of selling them in bundles on the black market. "A cybercriminal can't sell a second-factor token that only lasts 60 seconds," Ramzan says. "The whole notion of those credentials as a commodity that can be stored would no longer be valid."
The challenge of bringing that level of security to online transactions, says Verisign's vice president of authentication solutions Fran Rosch, involves standardizing two-factor authentication across the Web. Users won't want to use a different token code to verify their identity on every site they visit. But Verisign, which owns the Web's .com registry, is making progress: Last February, it signed up its first major customer for a cellphone-based authentication program, Paypal. Since then, about 20 other banks and merchants have signed on.
Even so, convincing users to adopt new technology for preventing ID theft--even as simple as keying in a code from their cellphone--won't be easy, especially when the brunt of the crime's losses fall on banks and merchants rather than consumers, admits Marc Gaffan, RSA's Director of Identity Access and Assurance. That means simple innovations like RSA's use of wi-fi rather than text messages to authenticate transactions are key to getting users on board, he argues.
"Generally users aren't liable, so we have to come up with solutions that are extremely easy for them," says Gaffan. "If you can measure consumers' headaches associated with fraud and balance them against what users are willing to do from a convenience perspective, that's when you'll be able to convince them to solve this problem."
