A little-known organization of 55 of the world's largest banks
has finally become fed up enough with the online thieves known as
"phishers" that the banks are doing something about it.
The group is called Identrus LLC, and it proposes that online banks
use so-called digital certificates to identify themselves and their customers
on the Internet. But will this by itself be enough to stop the con games?
Financial Institution or Hackers' Piggy Bank?
As I explained in my
May 3 column, phishing is an international sport.
High-tech criminals, many based in Asian or Eastern European countries,
send out millions of e-mails that look exactly like messages from
respected Western financial institutions. When end users click the
links in these messages, their browsers are directed to phony Web sites
that look exactly like online banks, but are designed by hackers to steal
their passwords.
Wells Fargo Bank on June 8 became the first bank to
announce the widespread adoption of SimpleSign, which is
an Identrus solution to one part of this problem:
• Banks As "Certificate Authorities."
In the Identrus system, a financial institution becomes its own
registration authority for digital certificates. This means it can
issue such certificates for itself and also to known customers with whom
it has a trusted banking relationship.
• Authenticating a Banking Document.
Using Adobe Acrobat version 6, the bank can create PDF (Portable Document
Format) files that are "signed" with its digital signature.
• Real-Time Validation.
All of the above technology has been available for some time. What's new is
that any copy of version 6 of the free Adobe Reader will automatically recognize
a PDF file encoded with the Identrus system. Using the Internet, the Reader
contacts the certificate authority online to verify that the
signature in the document matches the identity of the author. The Identrus
system uses worldwide standards, such as X.509 certificates and the
Online Certificate Status Protocol (OCSP), so as to interoperate with
as many existing banking networks as possible.
• Signed, Sealed and Delivered.
The receiving party can digitally "sign" the document, if it's set up
with data-entry fields to do so. Once the signed PDF is sent back to the
financial institution, Adobe Reader will check the authenticity
of that signature online. In this way, contracts and other documents
can be guaranteed to be tamper-proof without relying on mere passwords,
which can be guessed or stolen.
Enormous Potential
With heavyweights such as Bank of America, Citicorp, J.P. Morgan Chase and
many others supporting Identrus, the sky is the limit
from here on out.
The "Identrus Global I.D." program has, so far, been used primarily to ensure
the security of business-to-business financial transactions, not consumer
online banking. For example, Sixt AG, one of the largest car-rental companies
in Europe, uses the system to transact millions of dollars of
leasing transactions annually with the Royal Bank of Scotland, entirely
replacing paper documents.
But the potential of Identrus to secure the communications between banks,
credit-card companies, online auction services and consumers is enormous.
With proper education and implementation, end users could receive letters in
PDF form from their financial institutions and be certain that the document
hadn't come from a "phisher." Financial communications could be conducted
in both directions with security. Any data a customer entered into a PDF form
could be encrypted before transmission back to the bank, and verified against
the customer's own digital certificate upon receipt.
Conclusion
It won't be next week or next month when we'll be able to say that phishing
is obsolete and people don't have to watch out for it any more.
But the technology is available to put an end to it reasonably soon —
if computer users will insist on the proper tools being put into place.
An Executive Tech Update. I wrote in the
May 17 installment of Executive Tech that the U.S.
government's new Medicare prescription-drug Web site was a great
example of how not to build a search engine for consumers.
Reader Charles J. Tarr, an attorney in Santa Rosa, Calif., writes, "A little
known law in California — to which pharmacies cringe — is that
if you are on Medicare, any pharmacy that accepts Medi-Cal (which is
virtually every pharmacy) must sell drugs to a senior at the same price that
the State of California pays, which is generally a fraction of the
retail price. Not some silly 10 to 20 percent discount. Perhaps other states
have such statutes."
Funny, that's one more thing I didn't see at the Medicare site. For being the
first to e-mail me a tip that I printed, I'm sending Tarr a gift certificate
for a book, CD, or DVD of his choice.