I've been lamenting about the inherent weaknesses in "password" protection for well over 18 months. Consumers know it is not safe. But what they don't know, is that a possible replacement for passwords, something called "device fingerprinting" is just as lame.
So I will LAMEnet some more...
Prior to bringing you the following article/study, let me provide you with two quotes...one from Symantec and another from Avivah Litan, distinguished analyst at Gartner Research.
Then ask yourself. If the problem is the browser, why introduce a so-called solution which relies on the browser? Are we taking two steps backwards when it comes to online security? Sure seems that way. I think it's been proven that you don't plug a hole in a dyke by sticking your finger in it.
Again, in order to provide a secure environment, financial transactions MUST be conducted outside the browser space. It is NOT a recommendation. It is FACT. Read these two quotes, read the story and then take two steps backwards and see the forest through the trees...
"The truth is that 'fingerprint' security technology is no longer effective," said Rowan Trollope, senior vice president of product development at Symantec. "The bad guys figured out how to get around our technology."
Speaking of device fingerprinting, Avivah Litan, a Gartner VP and analyst who focuses on financial fraud...said "the technology has limits...it's not foolproof at all," "If a cyber criminal takes over
your browser, it won't work."
Editor's Note: Got it? Okay...here's the latest word on how we can secure online transactions!
Users Prefer Device Fingerprinting to Passwords
Study finds 70 percent of respondents say they'd be willing to have their PCs and mobile devices authenticated by an online merchant before completing a transaction.
The latest data protection and information security survey conducted by the independent Ponemon Institute suggests that consumers would be willing to let Big Brother encroach a bit on their individual computing devices in exchange for more online security and lot less memorization of pesky user names and passwords.
Of the 551 participants who responded the Traverse City, Mich.-based researcher's online survey, 70 percent said they'd be willing to have their computers authenticated by an online merchant before purchases are completed and 75 percent of those surveyed said that computer authentication is preferred because it's more convenient than remembering passwords or answering pre-selected questions.
According to a 2007 password study by Microsoft, the average person has 6.5 Web passwords, each of which is shared across almost four different Web site. The study also found that each user has about 25 accounts that require passwords and he or she types an average of eight passwords a day.
If this particular study and it's relatively small sample size is indicative of how the majority of consumers feel, so-called device fingerprinting software and technology developed by the likes of Los Altos, Calif.-based ThreatMetrix will soon find a much larger market with e-tailers, online payment processors and even social networking and e-dating sites.Editor's Note: Take a step backwards here...look up...see the forest?
"Actually, I did find the responses a little surprising," said Larry Ponemon, chairman and founder of the Ponemon Institute. "The responses were overwhelmingly positive and it's clear people are becoming more comfortable with technology that can authenticate their machines."The idea of allowing a third-party Web site to use a software that would then report back the IP address, browser and physical location of a PC or mobile device still strikes some as an invasion of privacy. However, the notion of divulging personal information such as a mother's maiden name or the last four numbers of a social security number apparently bothers Internet users even more."The thing I've learned over a number of years is that timing is everything," said Tom Grubb, vice president of marketing at ThreatMetrix. "I really feel like it's the right time for this technology.
The timing is right? The only thing I see good timing for is to review Symantec's take on device fingerprinting one-more-time...
"The truth is that 'fingerprint' security technology is no longer effective," said Rowan Trollope, senior vice president of product development at Symantec. "The bad guys figured out how to get around our technology."