Many medicines but no cure for online ID theft

Banks and online retailers are struggling to protect their customers from criminals who covet their personal financial...

Banks and online retailers are struggling to protect their customers from criminals who covet their personal financial information and account details. But as problems like phishing scams change from phenomenon to endemic threat, technology companies are launching products and services to end, or greatly reduce, the threat of online identity theft.

There are five main technologies aimed at curbing online identity theft:

Antiphishing toolbars

These lightweight applications were some of the first tools designed to stop online scams like phishing. AOL, eBay and others offer these programs free to customers. Usually plug-ins adding an extra toolbar to a user's web browser, the programs verify website URLs and warn about websites that hide their true addresses.

Antiphishing tools are effective against the use of spam to direct internet users to websites controlled by thieves but designed to look like legitimate sites. But such tools do nothing to secure sensitive financial information online.

Antiphishing services

Designed to spot and thwart new threats, phishing prevention services include MarkMonitor's FraudProtect, Symantec's Online Fraud Management Solution, VeriSign's AntiPhishing Solution and services by NameProtect. Most use a distributed network of sensors to monitor e-mail traffic, newsgroups and web domain registrations, spotting new scams such as phishing attacks.

Antiphishing services promise to allow companies to move quickly in cracking down on fraudulent websites that use their names and also give customers advanced warning about scam e-mails making the rounds.

Payer authentication and smartcards

Online security advocates often cite smartcards as a cure-all for online fraud. The cards contain chips that can store far more information about the cardholder than older, magnetic-strip cards. Among other things, they can store PINs or biometric identifiers that can be used at the point of purchase to verify the purchaser's identity, making theft of an account number or credit card inconsequential.

Smartcards are ubiquitous in Europe, and the UK banks have recently rolled out  a chip and PIN smartcard programme to replace magnetic-strip cards and do away with signed receipts for "card present" purchases. Obstacles to the widespread use of smartcards in the US include the inability of existing card readers to support them.

Fraud screening and prevention

Without strong authentication at the point of purchase, most US companies turn to fraud screening technology as their first and best defence. Companies such as VeriSign, ClearCommerce and CyberSource use a variety of filters to analyse transaction patterns for individuals or groups, and to identify suspicious activity.

For example, companies might flag up a pattern of rapid, high-value transactions and spot discrepancies between the geographical location from which the order was placed and the invoice address, or look askance at transactions with different invoicing and delivery addresses, according to ClearCommerce co-founder and vice-president Julie Ferguson.

Consumer authentication services

Recent deals between security technology companies and major ISPs and software suppliers could bring multifactor authentication technology into the mainstream. Since September, AOL has encouraged its customers to use RSA SecurID tokens to protect account information. And RSA has released SecurID for Windows, a secure token that will make it easier for users to log on and off Windows machines using multifactor authentication.

Consumer strong-authentication programs could also create an infrastructure that banks and online retailers build on to strengthen interactions with their own sites, according to Gil Danieli, vice-president of technology at online bank EverBank National. For now, SecurID for Windows doesn't protect access to online banking or e-commerce services, but such applications aren't out of the question in the future, according to Ned Brody, senior vice-president of premium services at AOL.

Paul Roberts writes for IDG News Service

Read more on IT risk management