Okay. So AOL and Banks are *selling* RSA keys??? Could someone explain this to me? No. Really. I'm serious... Cheers, RAH -------- <http://www.nytimes.com/2004/12/24/technology/24online.html?oref=login&pagewanted=print&position=> The New York Times December 24, 2004 Banks Test ID Device for Online Security By JENNIFER A. KINGSON or years, banks gave away toasters to people who opened checking accounts; soon they may be distributing a more modern kind of appliance. Responding to an increase in Internet fraud, some banks and brokerage firms plan to begin issuing small devices that would help their customers prove their identities when they log on to online banking, brokerage and bill-payment programs. E*Trade Financial intends to introduce such a product in the first few months of 2005. And U.S. Bancorp says it will test a system, though it has not given a timetable. The devices, which are hand-held and small enough to attach to a keychain, are expected to cost customers roughly $10. They display a six-digit number that changes once a minute; people seeking access to their accounts would type in that number as well as a user name and password. The devices are freestanding; they do not plug into a computer. Some banks, like Wachovia of Charlotte, N.C., and Commerce Bancshares of Kansas City, Mo., already use these hardware tokens to identify employees and corporate customers, and say they are evaluating the technology for retail banking use. Others, like Fidelity Investments and Bank of America, are researching the matter. "Every single major bank is considering it," said James Van Dyke, principal and founder of Javelin Strategy and Research of Pleasanton, Calif., which advises financial services companies on payments and technology issues. Although there are drawbacks in terms of cost and convenience - as well as questions about what would happen if a customer lost the device or it were stolen - there is growing pressure from bank regulators to add safeguards of this type to online financial services. In a report last week, the Federal Deposit Insurance Corporation, which insures bank deposits, said that existing authentication systems were not secure enough and that an extra layer of security should be added to the sign-in process. "The financial services industry's current reliance on passwords for remote access to banking applications offers an insufficient level of security," the F.D.I.C.'s report said. Two-factor authentication, which typically includes a memorized password and a hardware security device, "has the potential to eliminate, or significantly reduce, account hijacking," it said. To be sure, there are many ways to add the kind of security that the agency is seeking, and any number of technology vendors eager to supply products. The F.D.I.C. evaluated some possible alternatives, including smart cards, which are plastic cards with embedded microprocessor chips; biometrics, which identify people by their fingerprints, voice or physical characteristics; and shared secrets, in which a customer is asked a question that, in theory, only he or she could answer. But the system that has so far taken root in the market is the one that relies on number-changing hardware tokens, which have the shape and feel of the plastic security devices that people click to unlock their cars. Several large banks in Europe and Australia - including Credit Suisse, ABN Amro and Rabobank - already issue these tokens to customers, sometimes making them bear the cost of the device. In the United States in September, America Online introduced a program, AOL Passcode, that lets subscribers buy the keychain device for $9.95 and use it for authentication purposes, at a subscriber fee of $1.95 to $4.95 a month, depending on the number of screen names linked to it. Proponents of these devices are aware that they present other problems. Financial companies are concerned about making online banking less convenient and about adding fees for the hardware token. Customers with accounts at several institutions may wind up with an unwieldy number of tokens or swamp call centers with questions about the new systems. Several foreign banks have made the tokens mandatory for online customers. E*Trade, which is expected to be the first United States financial institution to introduce the program for retail customers, will make it optional and charge for the device. Joshua S. Levine, chief technology officer at E*Trade, said the technology seemed to provide the "comfort that most people want." And "when you have your money at stake," he said, "you really want to feel comfortable." E*Trade has been testing its program for the last two months, giving the devices free to 200 interested customers. So far, the tests have attracted customers with high incomes who conduct many transactions and tend to be knowledgeable about technology, Mr. Levine said. "Based on the feedback these customers have been giving us," he added, "we feel it will be very successful." A hardware token is only one way to increase security. At E*Trade, customers who want to conduct wire transfers must wait for a confirmation number to be sent to their cellphones or personal digital assistants, then enter that number to complete the transaction, Mr. Levine said. People who sign up for the E*Trade hardware tokens and lose them will have to call customer service to authenticate themselves, he said. U.S. Bancorp plans to try out a system involving hardware tokens that will be based on technology from VeriSign, the Internet security company. The bank declined to add details. The urgency surrounding the issue is linked to an increase in "phishing," the practice of sending fraudulent e-mail messages en masse to bait people into disclosing sensitive information. Newer scams involve "malware," which can install itself on a computer through e-mail or pop-up ads, detect when someone starts to use an online banking program or make a credit card payment, and then record the person's keystrokes and capture account details. The victims do not even have to do something foolhardy like giving away account numbers or passwords. "We're just seeing new stuff out there all the time," said Dave Jevans, chairman of the Anti-Phishing Working Group, a coalition of companies in financial services and information technology. But he added: "I don't think people need to be any more scared than going to an A.T.M. at nighttime. They need to be cautious; don't do silly things." People who run antivirus software on their home computers, who have installed firewalls to guard against incursions, and who take other security precautions need not worry so much about the proliferation of online threats, security experts say. But they add that these people are probably not in the majority. Some bankers say they are leery about rushing to install new systems that may not solve all the problems. Concerns over phishing have "provoked some of the government agencies to come up with simple solutions to very complex problems," said John Carlson, a former regulator with the Office of the Comptroller of the Currency who is now a senior director at BITS, the technology arm of the Financial Services Roundtable, a trade group. "Consumer acceptance and ease of use are huge issues," he said. At Wachovia, which offers both hardware tokens and digital certificates to corporate customers, Joanne Young, the wholesale business manager for e-commerce, says that the certificates are easier to use, although unlike the tokens, they are not portable from one machine to another. When she telecommutes, "I always have to find my hardware token on my computer at home," Ms. Young said. "My kids are always moving it on my desk." -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com