Is this the death of passwords?
Hackers have an arsenal of ways to steal your passwords, so researchers want to protect your data with something else.
This post comes from Bob Sullivan at partner site Credit.com.
Is it possible that your next password might be as simple and subtle as the way you type or hold your smartphone? If you hate trying to fill out those CAPTCHA forms with impossible-to-decipher characters, a new strategy for telling the difference between people and computers might give you some hope.
Secrets are used to keep our stuff safe on computers; for nearly three decades now, that secret has chiefly been a password, or in security lingo, "something you know." Advanced security systems can deploy an added layer, such as a token (or at banks, a debit card), which is "something you have." And really high-tech systems involve biometrics, such as a retina or fingerprint scan, known as "something you are."
So far, none of these techniques has proven robust enough to stop hackers’ endless efforts to steal critical information, whether it’s millions of Target credit card numbers to access to computers that control national infrastructure. Passwords are notoriously unreliable -- too hard for users to remember and too easy for determined criminals to guess. Tokens get lost. Fingerprints can be replicated.
In other words, to cyberthieves, credit card numbers and other personal information is still “something you steal.”
A key that can’t be hacked?
The continued race to stop high-tech crooks has led researchers to try yet another security frontier – and this time, they hope to be creating something that is so unique that it cannot be copied, yet is so easy to use that it doesn’t have to be remembered. They are trying a strategy known as “something you do.”
All computer users type at a unique speed, creating a pattern that is perhaps more personal than the way they sign their name. Smartphone users tilt their phones when they type, or scroll, or watch, in very personal patterns. It’s now possible to measure these things people do, turn the patterns into an algorithm, and create an authenticator that users simply can’t forget. It’s also so unique, researchers hope, that criminals won’t be able to impersonate it.
William Scheckel is chief marketing officer at one of the companies trying to solve this riddle: Oxford BioChronometrics, which spun out of the ISIS Software Incubator set up by Oxford University. He says the method has real promise.
"Phone manufacturers can identify you based on information from the gyroscopic device in your handset," Scheckel said. "Say your bank uses this technology and you hand your phone to another person. Using this method, the bank would shut the (transaction) down."
Oxford BioChronometrics puts together a number of these “something you do” patterns into a mathematical formula it calls electronically Defined Natural Attributes, or e-DNA. Scheckel says that using the set of highly personal characteristics creates an authentication tool that’s hard to defeat.
“The information is so specific to you it can’t be hacked,” he said.
That’s a bold claim, sure to be tested. Many "unhackable" login strategies have been foiled by criminals. One potential method: a "man-in-the-middle" attack, which essentially enables a criminal to trick a user into logging in, then lets the hacker joy-ride into the now-authenticated account to steal money or commit other forms of ID theft.
But it’s pretty clear that passwords are passé. Several high-profile hacks in recent years -- including companies such as LinkedIn -- have seen millions of users’ passwords exposed. Researchers have used those hacks to prove that passwords are terribly insecure anyway, with a high percentage of users opting for obvious "secret" words like "password" or "123456."
"Simple passwords are too easily hacked and there’s too much incentive for hackers to try. Identity theft is a growing problem because it’s profitable and simple passwords make it easy as well," Scheckel said.
If you're worried about identity theft, you should monitor your financial accounts regularly for charges you don't recognize. You should also keep an eye on your credit -- you can monitor your credit scores for free every month on Credit.com. Any major, unexpected changes in your scores could signal identity theft and you should pull your credit reports (which you can get for free once a year at AnnualCreditReport.com) to confirm.
Telling computers and humans apart
He wouldn’t disclose clients the Oxford-born company is working with, though he said it was working on a “proof of concept” test with a “major household name.”
But he would talk about the interesting side benefit of Oxford BioChronometrics’ product: It is particularly good at discriminating between real people and “bots” that try to automatically log in to websites around the Web and wreak havoc -- bots which have typing patterns that are obviously computer-generated. Right now, most websites use CAPTCHA forms to root out annoying bots, but they mostly annoy real people. So in May, Oxford BioChronometrics began offering a free plugin called NoMoreCAPTCHAS to WordPress users that Scheckel says eliminates the need for CAPTCHA tests. A brand-name travel company that struggles with bots scraping its site for data is right now testing the system, he said.
Forget worries about credit card hacking: If the firm can reduce the number of times users must guess what those squiggly characters are, the entire Internet will cheer.
More from Credit.com
- How to use free credit monitoring
- How to protect yourself from identity theft
- Signs your identity has been stolen
VIDEO ON MSN MONEY
All hackers need to do then is develop a means to scan a particular user's behavioral characteristics while computing, run it through an algorithm array generator, and wait for a strike that opens the door. As long as you have "information in-information out" it can and will be hacked. I foresee them attempting to use imbedded chips in the human body as a "personal identifier" to control functions and security. Even these will not be foolproof. All these researchers do is invent another way to create a "cash-cow" they can exploit for profit in a big and fast way. When that "cow" dries up - as they always do - they invent a new "cow". I have said for three decades that there will be a concept called "bio-electronic-automated-scanning-technology" or BEAST, for short, that will be implanted into humans that will not only contain their financial and other personal information, but their physical and emotional status. This technology will also be able to control physical and mental functions of the human body by interacting with nerve centers and impulses controlling everything from pulse rate, to metabolic function, to emotional state, and even life-and-death. Yes, they will be able to switch you to "off" like a light switch. Scary? Well, its coming! And, there is nothing we can do about it because it is going to be part of a logistical attempt to deal with human nature and the natural progression of things - simply put, "cause-and-effect".
It's so simple, that hackers will ever think to try it---Oh, wait...
Copyright © 2014 Microsoft. All rights reserved.
Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.
RECENT ARTICLES ON IDENTITY THEFT
Occupy Wall Street bought and forgave the student loan debt of more than 2,700 Everest College students.