Passwords No Longer Work to Protect Privacy
(ARA) – Most people have come to understand that it is important to choose a complex password and to change their passwords often in order to protect their privacy and information. But security professionals now believe that passwords simply don’t work anymore.
There are too many ways for passwords to be compromised for people to trust this thin layer of protection. The Internet is now filled with technologies specifically designed to capture your password. “Phishing” sites that mimic familiar sites and keystroke loggers that track the information you type are now part of the landscape of the Internet.
People are becoming more aware that it’s not good enough to simply be very careful with the passwords that are used for important accounts or Web sites. Most people use the same or very similar passwords across many Web sites and therefore, when a password is captured, it can be used to access many things.
A recent survey found that 70 percent of IT professionals thought passwords were not secure. These same people admitted that one in five companies had already had a security breach that allowed private information to get into the wrong hands. The U.S. Federal Trade Commission claims that consumers lost more than $5 billion to identity theft in 2007 and businesses lost far more.
“Consumers need to become more aware of the danger of relying exclusively on passwords to protect their personal information; and Web sites need to provide simple and inexpensive ways for consumers to protect themselves,” says Evan Conway, chief identity officer of Positive Networks, a company that specializes in working with companies and Web sites to ensure that privacy and information is protected.
One approach, he explains, to having a more secure site is a concept called two-factor authentication. The idea is that prior to allowing someone access to an account, a Web site or application checks two separate things for identity verification.
“Not only does the consumer need to have the password, but must also have an additional method to prove their identity,” says Conway. Sites that use Positive Networks’ PhoneFactor (www.phonefactor.com) technology, will instantly ring either the customer’s mobile or landline phone when someone signs onto an application or Web site. The password is verified just like normal and then the user must answer an instant automatic phone call to gain access. It only takes seconds and generally comes at no cost to the consumer. In additional to preventing unauthorized access, it proactively notifies a consumer if there is a fraudulent attempt to gain access being made.
Other approaches require consumers to carry a special physical “token” with them that provides a constantly changing additional password to verify. While generally quite secure, this approach can be expensive and requires consumers to carry an extra device. Biometric technologies such as fingerprint readers and retinal scans are no longer science fiction and have been implemented in some cases. While adding appropriate security, they also bring a high cost and require additional devices to be available to make the verification.
While the risk of a breach is expensive for consumers and companies, bad publicity is also driving companies to make these improvements. Stories develop almost daily regarding issues of identity theft and privacy loss caused by failures of businesses to protect their customers. The Wall Street Journal reported on April 29, 2008, that a series of national medical organizations, including health plans and medical facilities, had privacy breaches. Beyond the cost issues associated with these breaches, the loss of trust can provide additional challenges and legal issues for these types of organizations.
What is clear is that it will take a combined effort to protect your identity and privacy. Technology providers continue to offer solutions that are much easier for consumers and businesses. Businesses and Web sites must implement solutions and actively promote them to their users.
In the end, consumers must protect themselves by choosing to do business with organizations that offer solutions that adequately protect their privacy. It is becoming increasingly clear that passwords no longer offer a protection that can be trusted by consumers.
To learn more about the PhoneFactor service offered by Positive Networks, visit www.phonefactor.com.
Courtesy of ARAcontent
