A Closer Look

A New Key to Fighting Identity Theft

By Mike Musgrove
Washington Post Staff Writer
Sunday, August 28, 2005

With identity theft and other crimes on the rise, America Online and E-Trade have each taken a strategy from the corporate world to make customers feel safer.

Both are inviting their users to try out a different way to log in to their sites. In addition to typing a user name and password, they can obtain a key-chain-sized token with a tiny screen that displays a new six-digit number every minute.

That number acts as an extra, one-time password by matching up with an identical number generated at the same time by a computer at AOL or E-Trade's offices. Both the token and the computer had their clocks synchronized at birth, ensuring that each would generate matching random six-digit numbers at the same intervals.

The idea here is to ensure that password theft has no value. Each six-digit number's utility expires once it's used, but without it a regular user name and password alone won't log a customer in.

AOL and E-Trade's devices should be familiar to many workers who must connect to their corporate networks from home or on the road. These tokens, in use for about two decades, were originally invented as a check system to make sure security guards were making their rounds.

RSA Security, the Bedford, Mass., company that makes these tokens, says that more than half of the companies on the Fortune 500 use the device today, with about 15 million of them deployed.

America Online started offering its AOL PassCode last September, and E-Trade rolled out its Digital Security ID in March. So far, E-Trade says it has about 20,000 users; AOL would not share figures on how many subscribers use its widget.

New York-based E-Trade will give a Security ID free to customers with $50,000 in assets with the company or who make at least 15 trades per quarter. Those with fewer assets or activity must pay $25 for the token, a sum that E-Trade says just covers its costs.

America Online's PassCode costs $9.95 upfront, plus $1.95 to $4.95 a month, depending on the number of screen names the device secures.

RSA says that consumers will be seeing more of these tokens in the future -- perhaps issued by banks, although the company would not name other firms with plans to offer them to customers.

Andrew Weinstein, an America Online spokesman, said the device is "still in the early adopter stage." Most users so far have been subscribers who run businesses online through their AOL accounts or who conduct many financial transactions through AOL, he said. (The company turned to RSA because AOL employees who need to log on to AOL's corporate networks from afar use the same devices.)

Greg Framke, executive vice president of technology at E-Trade, said he started looking for a better security solution when the company noticed some customers had been victims of identity theft through "phishing" attacks, where hackers attempt to trick users into giving away their passwords.

Framke rates the RSA device as the equivalent of "a wall with razor wire," but added that he doesn't necessarily think the device is a permanent security fix. "I think that in two or three years, we will have something completely different, something more elegant."

That might be a good move. The Stamford, Conn., research firm Gartner conducted a survey and found that devices like the RSA token are unpopular with consumers -- even the ones who say they want more security options.

What's more, they might not be offering the right kind of protection. Avivah Litan, a fraud analyst at Gartner, said these tokens mainly offer a "placebo effect" to users who want to feel more secure. While purveyors of malicious software would be happy to steal your AOL and E-Trade passwords, they could use many other tricks. If a hacker gets the right type of spy program installed on your PC -- for example, a keystroke logger that records every tap of the keyboard -- it might not matter whether he or she scores your AOL password.

Litan said a login token could help more if users have to enter its six-digit number whenever they conduct a high-value transaction, just to make sure that their accounts are not hijacked. But then again, that might be the sort of added complexity that would make the prospect of using these things even less appealing.


© 2005 The Washington Post Company