Gartner has estimated that phishing attacks cost the US something in the region of $2.8 billion last year, and the problem is growing fast: the same research puts the average loss per victim at $1,244 in 2006, up from $256 in 2005. Banks are taking figures like these very seriously, as you might imagine, and one of the security solutions attracting their interest is the so called ‘two-factor authentication’ device. This keeps the usual username and password login and adds a second layer of user authentication on top of it. Some banks have chosen the ‘random digits from a long PIN’ approach: you choose an 8 digit number and, after the first login stage, are asked to enter the 2nd, 4th and 7th digits (or whatever) in order to reach your account. Even if your username and password were compromised, the attacker would also need your ‘long PIN’ to get all the way in. Strictly speaking, though, that is a second password rather than a second factor, since both are things you know.
Of course, if the attacker has already phished the username and password out of his victim, the chances are pretty high that he could have got the PIN digits as well, since the same fake page can simply ask for them. That is why the banks with a better understanding of risk tend to look towards hardware tokens for the second authentication factor.
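As an added illustration of the point above (example code written for this article, not any bank's or PayPal's implementation), the following Python simulates the ‘random digits from a long PIN’ step and a phishing page that does nothing cleverer than relay the bank's real challenge to the victim and pass the answer back. The 8 digit PIN, the 3 position challenge and the sample PIN 31415926 are assumptions for illustration. Every relayed login hands the attacker three more digits, so the whole PIN is known after a handful of sessions; the simulation counts how many.

```python
"""Partial-PIN second step and why a phishing proxy harvests it.
Added example for this article, not a bank's or PayPal's code; the 8-digit
PIN, the 3-position challenge and the sample PIN '31415926' are assumptions."""
import random
import secrets
from typing import Dict, Optional, Sequence, Tuple

PIN_LENGTH = 8       # assumed: the article's 'choose an 8 digit number'
CHALLENGE_SIZE = 3   # assumed: 'the 2nd, 4th and 7th digits (or whatever)'


class PartialPinServer:
    """Bank side: picks random positions and verifies the digits returned."""

    def __init__(self, pin: str, rng: Optional[random.Random] = None) -> None:
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be %d digits" % PIN_LENGTH)
        self._pin = pin
        # SystemRandom in production; a seeded Random is injected for simulation
        self._rng = rng or secrets.SystemRandom()

    def challenge(self) -> Tuple[int, ...]:
        """1-based positions, as the user sees them ('2nd, 4th and 7th')."""
        picked = self._rng.sample(range(1, PIN_LENGTH + 1), CHALLENGE_SIZE)
        return tuple(sorted(picked))

    def verify(self, positions: Sequence[int], digits: str) -> bool:
        expected = "".join(self._pin[p - 1] for p in positions)
        return secrets.compare_digest(expected, digits)


def victim_answer(pin: str, positions: Sequence[int]) -> str:
    """What the user types into whichever page asked, genuine or fake."""
    return "".join(pin[p - 1] for p in positions)


class PhishingProxy:
    """Man-in-the-middle phishing page: relays the bank's real challenge to
    the victim, forwards the answer so the login succeeds, and keeps a copy."""

    def __init__(self) -> None:
        self.known: Dict[int, str] = {}

    def observe(self, positions: Sequence[int], digits: str) -> None:
        for pos, digit in zip(positions, digits):
            self.known[pos] = digit

    def recovered_pin(self) -> Optional[str]:
        if len(self.known) < PIN_LENGTH:
            return None
        return "".join(self.known[p] for p in range(1, PIN_LENGTH + 1))


def sessions_until_full_pin(pin: str, seed: int) -> Tuple[int, str]:
    """Run proxied logins until the attacker holds every digit.
    Returns (number of logins needed, reconstructed PIN)."""
    server = PartialPinServer(pin, random.Random(seed))
    proxy = PhishingProxy()
    logins = 0
    while proxy.recovered_pin() is None:
        logins += 1
        positions = server.challenge()
        answer = victim_answer(pin, positions)
        if not server.verify(positions, answer):   # the relayed login still works
            raise AssertionError("relay broke the genuine login")
        proxy.observe(positions, answer)
    return logins, proxy.recovered_pin()


def average_sessions(trials: int, seed: int = 0) -> float:
    """Mean number of phished logins before the whole PIN is known."""
    total = sum(sessions_until_full_pin("31415926", seed + i)[0]
                for i in range(trials))
    return total / trials


if __name__ == "__main__":
    n, pin = sessions_until_full_pin("31415926", seed=1)
    print("full PIN %s recovered after %d phished logins" % (pin, n))
    print("average over 2000 runs: %.1f logins" % average_sessions(2000))
```

The minimum is three logins (3 + 3 + 2 positions) and, because positions repeat at random, the average works out at a little over six, which is a few weeks of normal online banking for most people. Nothing in the scheme stops the proxy, because the challenge is answered with a static secret the victim will type into any page that looks right; a hardware token's one-time code is used once and expires, so a relayed session yields nothing reusable.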
And so it is that PayPal, one of the biggest targets of phishing attacks along with parent company eBay, is opting to roll out hardware based security keys to users who choose to pay $5 for the extra protection (the key is free to business account holders). And oh boy do they need it: take a cursory look at the Google anti-phishing blacklist logs and you will see that between them the two account for pretty much half of all phishing scams.