Secure sites must stop relying on single passwords as card-not-present (CNP) fraud increases.
According to a new whitepaper from Network Box's internet security analyst Simon Heron, web-based services, particularly those that hold financial information, must increase security in order to protect their customers effectively.
The paper, titled 'Authentication, who are you?', argues that identity fraud is increasing, yet secure access to the ever-growing number of web-based applications relies, for the most part, on the same techniques used since the beginning of IT security: user names and passwords.
Heron claimed that a number of banks use multi-factor authentication in the form of card-sized number generators, a system he argues is not sustainable, on the basis that consumers would balk at carrying around the number of devices required to authenticate access to all of their online accounts. However, most businesses are still relying on user name/password combinations.
Heron said: “All companies involved in secure transactions must start working together to provide uniformity in their approach to security. This is becoming a major issue for consumers. If customers are to interact online and divulge confidential information, the company with which they're doing business has a duty to secure that information.”
He also claimed that the problem is that consumers simply have too many passwords to remember, and so they either use passwords that are simple to remember, write them down, or rely on resetting them using the 'forgotten your password' function on a website, which he claimed is often insecure in itself.
Heron said: "The 'Verified by Visa' system is a basic two-factor authentication system, but if you forget your password, often all you need in addition to the credit card is your date of birth to reset the password, which is less secure than most single password systems."
The paper also examines the pros and cons of an 'Identity 2.0' approach to online security, in which a single, secure identity is created that is recognised by a number of the online entities with which a user interacts, such as OpenID, and which could be authenticated in a number of ways.