Gartner has estimated that phishing attacks cost the US something in the region of $2.8 billion last year, a problem that is growing fast, as shown by the statistic that the average individual loss per attack has risen from $256 in 2005 to a staggering $1244 in 2006. Banks are taking this kind of figure very seriously indeed, as you might imagine, and one of the security solutions attracting their interest is the so-called ‘two-factor authentication’ device.
This takes the form of the usual username and password style login, together with a second layer of user authentication. Some banks have chosen to adopt the ‘random digits from a long PIN’ approach, whereby you choose an eight-digit number and, after the first login stage, are asked to input the 2nd, 4th and 7th digits (or whatever) in order to gain access to your account. Even if your username and password were compromised, the attacker would have to know your ‘long PIN’ as well in order to fully penetrate your defences.
Of course, if the attacker had phished the username and password out of his victim, the chances are pretty high he could have got that PIN data as well, which is why the banks with a better understanding of risk tend to look towards hardware tokens when it comes to the second authentication factor.
And so it is that PayPal, one of the biggest targets of phishing attacks along with parent company eBay, is opting to roll out hardware-based security keys to users who choose to take this $5 route (free to business account holders) to increased security. And oh boy do they need it. Take a cursory look at the Google anti-phishing blacklist logs and you will see that between them they account for pretty much half of all phishing scams.
Based upon the VeriSign One-Time Password Token, and looking for all intents and purposes like a new take on the old Tamagotchi craze, this small device is designed as a key-fob and simply calculates a new six-digit numeric password every 30 seconds, using a complex algorithm that is unique to your device. You can see a demo of it in action here.
The device is due to be rolled out to US PayPal and eBay customers shortly, making eBay transactions a whole lot safer. Of course, such hardware-token key fobs are no cast-iron guarantee against phishing attack, as Citibank has already discovered.
Last year a Russian phishing gang managed to use a spoof site asking for the authentication token code along with the usual login details, and construct a ‘man-in-the-middle’ attack on the Citibank accounts within the timeout period. As usual, this relies upon the gullibility of the victim in the first place, but it also goes to prove that any kind of security that requires stupid user input is only ever as clever as that stupid user. Not that I am knocking PayPal here, far from it; I applaud them for taking the phishing issue seriously enough to invest in current technology such as this in order to add a layer of protection that will do just that for the vast majority of its users.
I am just mindful that if you are of the ilk who believes you have won a fortune on a lottery with a ticket you never bought in a country you have never visited, then a clever key-fob is not going to save you from yourself…