Strong authentication can be effective
Jonathan Penn, principal analyst at Forrester Research, agrees that the technology is not perfect but believes it is still the best option available.
Forrester believes that Schneier's argument is misleading in two ways: He gives more credit to the attackers and their techniques than is currently due, while downplaying the effectiveness of solutions. And he addresses transaction fraud but not identity theft.
First, he attributes to attackers capabilities that we haven't seen - at least not yet. He doesn't go far enough in assessing whether these hypothetical attacks are feasible and practical, or whether being able to protect against only some forms of attack is therefore a fruitless endeavour. Then he singles out one-time password tokens as not being immune from a real-time phishing attack, while conceding but then ignoring the fact that other two-factor methods offer more protection.
Accounts protected with one-time password tokens can potentially be compromised in real-time phishing attacks, yet other methods are more robust. It greatly complicates matters for phishers if the two-factor authentication solution works either out of band (by phone or SMS) or if the website influences the PIN being used (such as with Entrust IdentityGuard or PIN/TAN sheets where the website identifies which TAN to use).
Phishing sites would have to coordinate the challenge from the website, pass it along to the user, and then pass the user's response back. This is both harder to do and easier for security managers to detect.
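To make the distinction concrete, here is an added illustration (not from the report or from any vendor's product) of a server-side check for an indexed TAN sheet: the website picks which TAN index to ask for, binds that challenge to the requesting session, and accepts the answer only from that session, consuming the challenge either way. The TAN sheet values, session identifiers and the alert log are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample TAN sheet: index -> TAN, as printed on a customer's sheet.
TAN_SHEET = {1: "482913", 2: "117650", 3: "905522", 4: "336718"}


def _digest(tan: str) -> str:
    # Store only digests server-side so a database leak does not expose the sheet.
    return hashlib.sha256(tan.encode()).hexdigest()


class IndexedTanServer:
    """Website-driven TAN challenge: the server, not the user, chooses the index."""

    def __init__(self, sheet: dict[int, str]) -> None:
        self.sheet_digests = {i: _digest(t) for i, t in sheet.items()}
        self.unused = set(sheet)          # indexes not yet burned
        self.pending: dict[str, int] = {}  # session_id -> challenged index
        self.alerts: list[str] = []        # signals for the security team

    def challenge(self, session_id: str) -> int:
        """Pick an unused index at random and tie it to this session."""
        idx = secrets.choice(sorted(self.unused))
        self.pending[session_id] = idx
        return idx

    def verify(self, session_id: str, tan: str) -> bool:
        """Accept a TAN only from the session that was challenged for it."""
        idx = self.pending.pop(session_id, None)
        if idx is None:
            # A TAN arriving without an outstanding challenge for this session is
            # exactly the relay pattern the text describes; log it for review.
            self.alerts.append(f"tan submitted without challenge: session={session_id}")
            return False
        self.unused.discard(idx)  # one attempt per challenge, success or not
        ok = hmac.compare_digest(self.sheet_digests[idx], _digest(tan))
        if not ok:
            self.alerts.append(f"wrong tan for index {idx}: session={session_id}")
        return ok
```

Because the challenge is bound to the session that requested it and is single-use, a code captured elsewhere is worthless unless the attacker also relays the server's index in real time, and the unmatched submissions show up in the alert log.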
Forrester's second point of contention with Schneier's view is that it blurs the distinctions between improper access and improper transactions, and, therefore, between identity theft and fraud.
The two are related, but nonetheless quite different threats. He then goes on to focus only on fraud. Fraud should not be the main focus, nor should it be addressed in isolation from identity theft and privacy concerns, for several reasons: fraud is dependent on improper account access, which in itself is adequate to steal personal information; fraud is not the only - nor in many cases even the main - goal of attacks, given that the customer data has become more valuable than the actual financial assets; and privacy and identity theft concerns are as important to consumers as the security of their funds.
Yet fraud is a problem that directly hits companies' bottom lines and is an immediate result of their authorisation, while identity theft injures the customer alone through outside mechanisms.
This is why lawsuits that customers file against banks to recover funds stolen through online fraud are likely to succeed, but actions seeking compensation for identity theft face a tougher prospect.
So what motivates an organisation to protect customers' privacy and stop identity theft, instead of just stopping fraud? That is where things are getting interesting. Laws such as the California Senate Bill 1386 now mandate customer notification in the event of personal information theft, which is causing more public awareness and distress over such incidents.
It is likely that new regulations and liability laws; bad publicity on a company's customer retention and stock price; and class action lawsuits will be the market drivers that push companies to focus on privacy and identity theft.
The information in this article comes from Jonathan Penn's report: "Strong Authentication: Not perfect but the best single option we've got", Forrester Research Inc, March 2005.