Microsoft: Two-factor authentication would thwart phishers

Summary: Microsoft IT Forum: Banks are investigating whether they should force their customers to supply more identification, says Microsoft's head security strategist

Banks are looking to bring down the number of phishing attacks by adopting two-factor authentication, which would force their users to produce two forms of identification, Microsoft said on Tuesday.

The software giant's chief security strategist, Scott Charney, said that companies had failed to adopt the technology as fast as he would have liked.

"We haven't had as much adoption as you would hope for," said Charney. "A lot of solutions for two-factor authentication are for enterprise spaces. If you get two-factor authentication to the consumer level, you reduce the phishing threat."

Phishing attacks are identity theft emails that are written to look as if they were sent from legitimate organisations. Companies such as eBay and PayPal and many of the UK's high street banks have seen their customers targeted by the fraudsters behind such scams.

Earlier this year, the National Hi-Tech Crime Unit estimated that identity fraud accounted for the majority of high-tech crime, which was thought to be worth billions of pounds per year.

"Banks are looking at [two-factor authentication]," Charney added. "The real issue is the consumer acceptance. This kind of security when implemented is not often viewed as friendly. There is a challenge in how you communicate this."

Earlier this month Howard Schmidt, former cybersecurity advisor to the White House, called for companies to implement two-factor authentication. He said that the technology was already available and that people had to supply more credentials for Internet transactions.

But the Association for Payment Clearing Services (APACS), which represents the banking industry, said on Wednesday that no decisions have been taken to go ahead with two-factor despite the rise in phishing attacks.

"The fact is it's a massive undertaking," said Tom Salmond, a managing consultant in the e-banking fraud liaison group at APACS. "It's under active consideration, but no decisions have been made at this time."

Richard Clarke, another former cybersecurity advisor to the White House, said earlier this month that online banking transactions cost just half of 1 percent of a physical transaction.

Talkback

2 comments
  • From Tom:

    Here's the idea: If you want to log in to your bank account, you would have to provide two different factors. One of them would be provided by a special hardware device, and would change about every five minutes.

    Now suppose the user has fallen for a phishing scam, and has been tricked into visiting a bogus Web site. If the victim can be tricked into entering one PIN number, why could he or she not be tricked into entering the second factor? In fairness, the attacker would only have a few minutes to steal the information and send it to a remote location. But in my opinion, that would not be too hard for an attacker to do.

    Tom
    Thomas L. Jones, Ph.D., Computer Science
    DrJones@alum.MIT.edu
    anonymous
  • I have the answer to these problems; I just need to get an interested party and phishing attacks will be a thing of the past.
    anonymous