In a perfect world, phisher spam would be turned away at your ISP’s mail server and never despoil your inbox. But in the real world, phisher scams and other fraudulent email will occasionally get around even the savviest spam filters. And with pharming, DNS poisoning, and other more insidious threats on the rise (see Chapter 3, “Don’t Buy the Pharm”), even savvy users who’d never fall for a phisher email can get nailed. So banks and other financial institutions are trying to make it harder for someone to spoof your identity when you log on, as well as make it harder for scammers to create bogus sites that look like your bank’s.
Banks and ISPs are hoping that “two-factor authentication” will do the trick. This scheme combines something you know (such as a password) with something you have (a card or other device). If you’ve ever withdrawn money using an ATM card and a PIN, you’ve used two-factor authentication.
Hardware security tokens such as smart cards and computer dongles have been around for 20 years, but they’ve mostly been issued to employees at security-conscious corporations. Research firm Gartner, Inc. predicts that by 2007 up to 75 percent of financial institutions will employ some form of additional authentication, whether via software, hardware tokens, or an “out-of-band” authentication device such as a cell phone or pager.
In September 2004, America Online and RSA Security introduced the AOL PassCode service, which employs a keychain fob that ...