To access her bank account online, Marie Jubran opens a Web browser and types in her Swedish national ID number along with a four-digit password.
For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.
As more Web sites demand passwords, scammers are getting more clever about stealing them. Hence the need for such "passwords-plus" systems.
Scandinavian countries are among the leaders as many online businesses abandon static passwords in favor of so-called two-factor authentication.
"A password is a construct of the past that has run out of steam," said Joseph Atick, chief executive of Identix Inc, a Minnesota designer of fingerprint-based authentication. "The human mind-set is not used to dealing with so many different passwords and so many different PINs."
When a static password alone is required, security experts recommend that users combine letters and numbers and avoid easy-to-guess passwords like "1234" or a nickname.
Stevan Hoffacker follows those rules but commits a different faux pas: He uses the same password everywhere, including access to multiple e-mail accounts, Amazon.com, The New York Times' Web site and E-ZPass electronic toll statements.
In such cases, should hackers or scammers compromise one account, they potentially have one's entire online life.
"This is one of these things that if I stop and think about it, it is not good, but I do my best not to stop and think about it," said Hoffacker, an information technology manager in New York.
But it's difficult to remember dozens of strong passwords, and that is what so many sites now require. The usual workarounds -- writing them on a sticky note attached to the monitor or keeping them in an electronic spreadsheet -- are practices security experts also deem unsafe.
Software such as Symantec Corp's Norton Password Manager and Apple Computer Inc's Keychain stores passwords in encrypted form behind a single master password. That master password is a single point of failure: forget it and the whole collection is unrecoverable; let it leak and the whole collection is exposed at once.
Many sites, meanwhile, will e-mail a forgotten password in plain text, without encryption -- which also means the site itself keeps passwords in a recoverable form. A site called BugMeNot.com even encourages users to share passwords for nonfinancial sites like newspapers.
The tools of password harvesting are many:
Keystroke recorders secretly installed at public Internet terminals can capture passwords, as can "phishing" e-mails designed to trick users into submitting sensitive data to fraudulent sites that look authentic. There are computer viruses programmed to harvest passwords as well as software that guesses passwords by running through words in dictionaries.
Though analysts have no hard figures on password-specific fraud, they blame insecure passwords for unauthorized financial transfers, privacy breaches and even the hacking of corporate networks.
With two-factor authentication, a stolen password alone is useless to an attacker.
"We will never play the fear factor here, but still it stays a fact that with our products, phishing is no longer an issue," said Jochem Binst of Vasco Data Security International Inc.
The Belgian company issues devices the size of pocket calculators or keychains. You type your regular password into the device, which computes a second, short-lived code from the current time and a secret unique to that unit. That code is what you type into the Web site.
Someone who steals your device won't have your password; someone who steals your password won't have your device.
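How a time-based token of the kind described above works, as an added example that is not from the article and not Vasco's code. The text does not give the device's actual algorithm, so this uses the standard TOTP construction (RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits) with the RFC's published test secret; the user name, the one-step clock-drift window and the replay check on the server side are assumptions added to show why a captured code cannot simply be typed in again.

```python
"""Added example: time-based one-time codes (RFC 6238 TOTP) with a server-side
verifier that tolerates one step of clock skew and rejects replayed codes.
Not the article's or Vasco's code; secret, user name and window are constructed."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30     # seconds each code is valid for
DIGITS = 6         # length of the displayed code
DRIFT_STEPS = 1    # assumed: accept one step of device/server clock skew either way


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Code shown by the device at `unix_time`: HMAC-SHA1(secret, time counter),
    dynamically truncated to `digits` decimal digits (RFC 4226 section 5.3)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks a 4-byte window
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Verifier:
    """Server side: knows each user's device secret and the last time step it
    accepted for that user, so a code that was already used is refused."""

    def __init__(self, secrets: dict):
        self.secrets = dict(secrets)     # user -> device secret (constructed data)
        self.last_step = {}              # user -> last accepted time counter

    def check(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = now // TIME_STEP
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            step = current + delta
            if step <= self.last_step.get(user, -1):
                continue                 # this step (or an earlier one) was already used: replay
            expected = totp(secret, step * TIME_STEP)
            if hmac.compare_digest(expected, code):
                self.last_step[user] = step
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); a real device
# would hold a random secret that never leaves the unit.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = Verifier({"marie": SECRET})
    now = int(time.time())
    code = totp(SECRET, now)
    print("device shows", code)
    print("first use accepted:", v.check("marie", code, now))
    print("same code replayed:", v.check("marie", code, now + 5))
```

The RFC's own vectors pin the arithmetic down: at Unix time 59 the eight-digit code is 94287082, so the six-digit form is 287082. A phisher who captures that code has until the end of the window to use it once; after that, or after the legitimate user has used it, the verifier refuses it, which is the property the article's "phishing is no longer an issue" claim rests on. Knowing the user's static password gives the attacker nothing here, because the code depends only on the device secret and the time.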
MasterCard International Inc has been testing similar systems in Britain, Germany and Brazil. Insert a credit card with a smart chip into a special reader, enter your PIN and obtain a password good only once at Office Max, British Airways and a dozen other merchants.
In Singapore, bank customers wishing to designate new accounts for fund transfers must likewise obtain a second password -- through a phone call, e-mail or mobile text messaging.
Biometric systems are similar, except a fingerprint or iris scan replaces one or both passwords. If it replaces both, the scheme is back to a single factor: something you are, rather than something you know plus something you have.
In the US, use of two-factor authentication remains limited. RSA Security Inc has several products, including RSA SecurID, but they are primarily issued to employees for remote network access and to customers with high-value portfolios.
"There's a delicate balance between maintaining security but also providing customers with ease of use," said Doug Johnson, senior policy analyst at the American Bankers Association.
Gartner analyst Avivah Litan said banks are "all afraid of making the first step. They don't want consumers going to other banks because it's too hard."
US banks and e-commerce companies have focused, for now, on making sure passwords are strong. EBay, for instance, now rejects attempts to create passwords such as "ebay" or "password."