This is Part 2 of a two-part post from our sponsor, Cosentry. Read Part 1 here.

“On the Internet, nobody knows you’re a dog.”

This comic is from 20-odd years ago, when the best way to access data on a remote system was to copy the files from host to host using IP addresses and SLIP protocols. Back then, it was pretty much true: no one knew your identity, and all of your private information was locked in a file folder in an office somewhere. We interacted by meeting face to face, calling on the phone or writing letters. Our signature was our validation and forgery was a felony.

Today, things are a little trickier, and identity theft is a big business. Back in September of this year, two men from Estonia created phony web traffic that tricked digital ads, as the con artist skimmed millions with “botnets” as marketing budgets skyrocketed. In March, a ring of more than 120,000 hijacked computers flooded websites with fake traffic which cost advertisers more than $6 million per month by generating more than nine billion illegitimate ad impressions.

Some might debate the classification, but this is identity theft on a massive scale. False click-throughs to ads are becoming harder to tell apart from real human website traffic. In a sense, this even passes the Turing test: We can’t tell whether a visit is a human or a machine. Everyone, bad or good, has access to powerful programming languages and great open source code.

Chameleon and other sophisticated Botnets mimic the activities of humans to generate legitimate-looking human traffic, getting legitimate checks for great amounts of money. Middle men in the ad business can be victims as well, often having no idea where the traffic comes from. As web advertising revenue becomes one of the largest industries in the world, the creation and management of Botnets will became even more attractive—not just for DDOS attacks and generating revenue from false web traffic, but also for sophisticated phishing attacks.

To prevent this type of spoofed identity, the future of authentication and security is to tie this kind of information back to a multifactor identification system or systems. Multifactor authentication is usually accomplished by having two or more methods of confirming your identity, with some examples being:

• Something you know (login and password combination, account number and pin, etc.)
• Something you have (ID badge, passport, etc.)
• Something you are (biometrics like fingerprint, face, iris, retina) read by a scanner and confirmed in a data base

The future of online and commercial identification and authentication will be the use of these technologies in an easy and transparent way. Our current “state-of-the-art security” for most online sites is the combination of a difficult password and a login ID which often is just our email address. The user ID and password combination is a horrible and antiquated system that is neither secure nor particularly efficient. 

The most common problem at help desks today is, “I can’t get access to the system.” These calls often result in a new, impossible-to-remember password (that will be forgotten tomorrow). Many help desk operators build portals to help offload this busy work. Which is a little like fixing cavities, in that it doesn’t get at why it was a problem in the first place. Brushing and flossing your teeth is a way better method for dealing with tooth decay, and identification and authentication for security will be a better and easier solution once we have widespread adoption of multifactor, biometric-based identification and authentication.

About the author: Kevin Dohrmann is the CTO at Cosentry.

About the sponsor: Cosentry is the trusted leader in Midwest Data Center Services, providing solutions that allow our customers to focus on their core business, knowing that their IT Infrastructure is operating at the highest level of reliability, performance, and security.