Most online accounts used to manage money and investments use multiple factors for authentication, that is, they use a password plus some other way to prove the customer is who they say they are.

This is mandated by regulation, the institution's own security and risk management policies, by business partners demanding adherence to industry best practices and/or by the consumers themselves.

Passwords are used everywhere, and they are important keys in protecting valuable assets. Unfortunately, research based on actual breaches has shown that users will generally select weak passwords, those that are simple and easy to guess, if allowed.

One recent breach that included the disclosure of a large number of users' passwords shows that a hacker had a one-in-seven chance of guessing the user's password simply by going through a list of the top 10 most often used passwords.

Other information that hackers frequently collect, such as names of spouses and birthdates, is often used to optimize a list of possible passwords for brute force attacks.

Hackers will stop at nothing, short of the value of the assets they are after, in order to obtain someone's password. Tactics include phishing, social engineering to reveal or reset passwords, exploiting systems or system users to install spyware and keylogging programs, and cracking passwords by looking up stolen hashes or guessing them using optimized brute force attacks.

Do Not Store Passwords in Databases

Databases should never be used to store passwords. Rather, they should store the hashes, or hash values, that are computed from the characters in a password. That way, if a hacker breaches a database, he won't find the passwords, only the hashes. Although there are tools that can recover passwords from hashes, not storing passwords in the clear does add another layer of protection.

Implement Systems that Support Passwords with 12 Characters or More

Research at Georgia Tech shows that effective passwords are generally 12 characters or longer, and each additional character vastly increases the work a hacker, or his home supercomputer, must do to deduce the password.

Financial institutions' systems should support long, complex passwords. Some financial institutions support no more than eight lowercase letters or numbers for accounts that contain hundreds of thousands of dollars in assets.

This is because when these financial institutions created their password systems, hackers did not have the modern tools they now can easily access that allow them to guess passwords quickly. If a password is 12 or more characters, it is exponentially harder to break than one with fewer characters.

Do Not Use the Same Password for Financial Accounts as Social Networking Sites and Others

People often use the same password for managing their money as they do to log in to their social networking sites. They should use a different password for each site they interact with.

While it's not possible to stop the user from using the same passwords for separate sites, it is possible to educate users about the harm in doing this and to force their passwords to expire every three months.

Keeping a password history and forbidding the use of old passwords increases the chances that a password will be unique and unusable by hackers who may have obtained a user's password to other websites.
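The following is an added example, not code from the article or from Dell SecureWorks, tying together the two points above: storing a salted, slow hash instead of the password (so a breached table cannot be reversed with a precomputed lookup), and enforcing a policy that rejects short, common and previously used passwords by checking the candidate against the user's hash history. The PBKDF2-HMAC-SHA256 scheme, the iteration count, the history depth and the common-password list are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample of frequently used passwords; a real deployment would load
# a list built from breach data, as the article describes.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}
MIN_LENGTH = 12        # per the article's 12-characters-or-more advice
HISTORY_DEPTH = 5      # assumption: how many old hashes are kept per user
ITERATIONS = 600_000   # assumption: PBKDF2 work factor chosen for this demo


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    Only this string is stored. A fresh random salt per user means two users
    with the same password get different hashes, defeating reverse-lookup tables."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def check_new_password(candidate: str, history: List[str]) -> List[str]:
    """Policy check for a proposed password against the user's stored hash
    history. Returns the list of violations; an empty list means accept."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Old passwords are never stored in the clear, so reuse is detected by
    # verifying the candidate against each retained hash.
    if any(verify_password(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("matches a previously used password")
    return problems
```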

Ensure that Systems Employ Multiple Factors of Authentication

Passwords should be only one part of the authentication process. Hardware or software tokens, smart cards, secret answers to security questions, or biometrics like fingerprints can also be used as an additional factor.

Out-of-Band Authentication and Authorization

Out-of-band verification of authentication and authorization can be used to help prevent fraudulent transactions. These types of verification include the use of email, SMS (text messages sent to mobile devices), and phone calls to voice numbers.

However, these can all be defeated by hackers with the right knowledge and tools. Hackers may hijack the email account, they may use mobile malware to steal SMS messages carrying transaction authorizations, or they may change or reroute the phone numbers the financial institution has on file to contact the customer.

Luckily, some new products and services offer methods for OOB verification that are much more resistant to attacks than traditional methods like email, SMS, and phone. There are products that banks and credit unions could use that work similarly to a token. The best devices never connect to the Internet.

That way, they can never become corrupted or compromised. These devices constantly change their passwords every few seconds. The user must carry the miniature device with him and input that password into the financial institution's portal in addition to inputting a username and password. The IBM ZTIC, products from Cronto, and services like those from Ardeun are good examples of solutions that serve as another layer of protection.

Dell SecureWorks has developed a list of best practices to help protect your financial assets by protecting your passwords.

Security Tips for Financial Institutions and Service Providers:

  • Support long, complex passwords
  • Implement policies prohibiting short, simple, common, and re-used passwords
  • Fortify websites against attacks like SQL injection and protect password hashes against reverse lookup
  • Use additional factors for authentication such as secret answers to security questions, security tokens, etc.
  • Use out-of-band verification of authentication and authorization
  • Implement strong OOB solutions to defeat hackers who have hijacked your customer's email, mobile device and/or phone numbers
  • Offer complimentary security software like anti-virus and tools like Trusteer's Rapport to your customers
  • Prominently place fraud alerts and education regarding computer security and social engineering scams like phishing on your customer portal

Security Tips for Customers:

  • Use a separate, dedicated computer to manage financial accounts online; don't use it for normal Web surfing, email, social networking, etc.
  • Use anti-virus and other security software to prevent passwords from being stolen by spyware and viruses
  • Passwords should include as many random characters as possible. If a password is 12 or more characters, it is exponentially harder to break than one with fewer characters.
  • See if your financial institution offers a software tool like Trusteer's Rapport to help protect online sessions with money management services
  • Look for a financial institution that supports long, complex passwords
  • Avoid using simple, easy-to-guess, and easy-to-crack passwords
  • Don't use the same password for different sites or online services
  • Use software like KeePass (free, open source, multi-platform) or hardware security tools like IronKey to securely remember and manage online passwords. IronKey is portable and automatically logs users into their accounts on any computer to circumvent keyloggers and phishing attacks.

Don Jackson is a director in the Counter Threat Unit at Dell SecureWorks in Atlanta.


© 2024 ALM Global, LLC, All Rights Reserved.