Safety is most often a state of mind. If we think we're safe, then certainly we must be safe, regardless of the danger lurking within the next iceberg. Who can blame us? With phishing, pharming and virus attacks working on our psyches like water rising in the Titanic's engine room, we want to believe that something, anything, can protect us once and for all. Lawmakers and regulators have heard the public's cry for safety and they are gathered in capitols across the country to deliver us from evil by requiring credit unions to utilize dual-factor authentication. Legitimate consumers will get physical tokens and passwords to guarantee their identities to every legitimate financial institution. And we will be safe, safe, safe, for no one can fake a random number or a fingerprint or a retinal scan! Or can they? Hollywood has sold millions of movie tickets demonstrating that all of these mechanisms can be duped. Mission Impossible? Not really. Let me explain why: What passes over the Internet and is stored on Web database servers is never the actual random number, fingerprint or scan. It's data, which can be intercepted, manipulated, and replaced. No matter that the data started out authentically, it's vulnerable to misuse in far too many ways. Let's review the key points of vulnerability:

Surrendering the Prize: In spite of Herculean efforts to educate members, an astounding number continue to respond to phishing scams. All the protection in the world can't completely prevent the simple act of consumers handing over the account numbers, passwords and other personal information needed to defraud them.

Data Entry: Yes, the number is random and your password unique, but once entered, even a medium-level hacker can easily “piggy-back” your online session and have a field day in your name. This is often accomplished with code installed on your computer that hides its malicious activity even while it's happening. Hopefully, someone will discover that you really didn't buy two plane tickets to Bulgaria!
Re-Directing Traffic: Few hackers sit on data lines waiting to pounce on financial transactions. They're smarter than that. They prefer to redirect traffic from legitimate financial sites to their own illegal sites that look and feel like the original. This is called “pharming” and it can be remarkably effective at capturing authentic information for illegitimate purposes.

The Site: Your institution's Web site offers its own opportunities for worms and trojans to redirect personal data to another site. Your Web developer may have dishonest motives, or more often, he or she may just be sloppy about updating the forms and other code that delivers Web site functionality. Sometimes, the Web hosting service is the culprit. The recent iframeDOLLARS.biz and bestcounter.biz exploits actually paid Webmasters to insert malicious code onto visiting PCs. We're talking back doors, spyware and adware, among other exploits. At six cents per visitor, thousands of Web sites were compromised!

Storage: Most losses of personal data held at financial institutions' Web sites were the result of improper storage. Verifying procedures and conducting periodic checks are the latest critical paths for keepers of credit union Web site databases. If non-credit union keepers of personal financial data could be held to the same high standards, our members might stand a chance!

As you can see, dual-factor authentication is not the reinforced hull that would have saved the great Titanic from tragedy back in 1912. Rather, dual-factor authentication represents a few extra lifeboats that would have helped more of the 2,200 passengers survive the boat's demise. While mandating dual-factor authentication will help and even make us feel safer, it won't make the Titanic an “unsinkable ship.” The best ways to protect your members' assets and trust continue to be vigilance, attention to detail, and relentless pursuit of potential breaches.
In our experience protecting credit unions from Internet-based fraud, the members themselves are your best early warning system. A recent phishing exploit at one institution was shut down a few hours after members alerted staff to irregularities on the Web site. The few hours could have been reduced still further had the institution paid closer attention to its members' alerts!
