Towards a uniform solution to identity theft
A high level comparison of all major two factor authentication solutions, with a close look at their vulnerability to phishing via the Man In The Middle attack.
e-businesses have identities too!
Everybody’s talking about identity theft. And many banks and other institutions are doing something about it, through a plethora of new security technologies. But identity is critical at both ends of most Internet transactions. Organisations as well as customers have identities; the scourges of phishing, pharming and website ghosting in effect compromise an organisation’s identity. Unfortunately, very few of the new authentication technologies can secure the identity of the organisation which issues them. This paper examines authentication solutions, and shows that only certain active devices combat phishing, pharming and web fraud, while also safeguarding customers against identity theft.
At the time this paper was written in late 2006, we knew of the proven vulnerabilities of TAN cards and event-based (OATH) One Time Passwords to Man-in-the-Middle attack. More recently, time-based One Time Password generators too have been attacked by organised cyber criminals (see The Register story), reinforcing our central message that only active personal authentication devices like smartcards offer truly robust Internet security.
|Lockstep WP01 UniformSolnIdTheft (2 1)||PDF, 104Kb|