No doubt all the breaches of customer data this year have forced you to defend your security strategy. And no doubt you’re being pushed to improve security without increasing costs or scaring away users in the process. You might be hoping the pressure will subside as the breaches become distant memories, but both the federal and state governments aren’t likely to give you that break.

CIOs at retailers must analyze the current security measures they take for data in three areas: in transit online, at the point of sale and where it is stored. The analysis of each area should determine how data is secured, accessed and utilized, and what the risk is at each step, says John Pironti, principal security consultant at Unisys. At the same time, CIOs of financial services companies must work around the fear that outwardly visible—and constraining—security measures could send customers fleeing into the arms of a competitor.

When They’re Buying, Who’s Watching?

Of the three security areas, the point of sale is perhaps the least risky. While it’s possible for properly equipped crooks to compromise computerized point-of-sale systems, it’s simply easier for the bad guys to buy or steal information on the Internet than to physically invade a POS location or to shadow customers to get their credit card number, PINs or other data, says Matt Curtin, founder of the security consultancy Interhack. The popularity of credit cards has also made it hard to justify any significant form of authentication at the point of sale. Credit card companies have long limited consumers’ liability to $50, relying on fees paid by merchants to cover the cost of fraud, which is involved in about 1 percent of all transactions, says Avivah Litan, vice president and research director for payments and fraud at Gartner.
And credit card companies depend on sophisticated fraud-detection systems that can reveal patterns of fraudulent use after very few transactions, limiting the losses. Some retailers would love to drop credit cards, because of their high fees. That’s why Piggly Wiggly Carolina, a South Carolina–based grocery chain, has debuted a payment system from Pay By Touch in which customers use a finger scan and an ID number to establish their identity at a sales terminal. No credit card information is needed at the sales terminal, because the user identity is matched at a service provider—Pay By Touch—and the charge is then deducted from a linked bank account, says Piggly Wiggly VP of Information Services Rich Farrell.

The use of a second authentication factor (the PIN) also helps secure the new Blink card, a wireless card from Chase Card Services that uses radio frequency to transmit cardholder information to a sales terminal. The technology limits the card’s wireless range to just two inches, so thieves can’t use portable readers to snatch account numbers over the air, says Tom O’Donnell, a senior VP at Chase.

The Vulnerable Database

Gartner’s Litan expects thieves to increasingly target the systems that store customer data as more and more financial and retail systems are linked together. Standalone host systems (often aging mainframes) weren’t originally built to defend such networked connections, so "more and more companies are centralizing security again," returning to the single security architecture approach that worked well for mainframe systems, says Jeffrey Margolies, lead for Accenture’s security services and identity management practice. CIOs should consider these two basic approaches to secure stored data, Pironti advises: Encrypt data that is not being used; and better manage access so a rogue insider doesn’t have the privileges necessary to steal data.
Most CIOs also need to acquire a thorough understanding of the flow of customer data and its potential weak spots, such as the use of unencrypted backup tapes, Pironti says, rather than rely on technological fixes. "In the short run there’s a higher expense to process thinking, but in the long run it’s cheaper," he says.

On the Web, No One Knows You’re a Crook

Analysts warn that electronic data theft is growing fast, even as other types of data theft stay level or decline. A Gartner survey, for example, shows phishing attacks grew 28 percent in 2005. In addition, increasing numbers of online thefts and hacking attempts are being perpetrated on behalf of organized crime, which has started hiring hackers, says Litan. To combat phishing attacks, bank regulator Federal Deposit Insurance Corp. plans to issue guidelines for online banking this fall that require authentication beyond user IDs and passwords. The agency isn’t dictating what technologies companies must use, giving the financial and retail industries a chance to develop their own standards and technologies.

Two-factor authentication’s success in the physical world has made it the choice of technology to protect online transactions as well. "It minimizes the theft of identity online," notes former national security adviser Richard Clarke, now chairman of security consultancy Good Harbor Consulting. Several companies are experimenting with two-factor authentication approaches. For example, Bank of America is deploying a system from PassMark Security that requires the user to answer a personal question from a rotating set and to choose from a collection of pictures supplied by the bank, with only one picture matching the "validator" picture the customer selected when opening the account. And online bank ING Direct rotates personal questions to provide a second challenge when the user logs in.
Some banks and online retailers are using technology from such companies as Actimize, Corillian, Cyota and The 41st Parameter that creates a profile of user access, noting the IP addresses from which users log in, the time zone and so forth. If a thief logs in from Argentina posing as a customer from Delaware, the profile won’t match and the bank can issue an additional challenge question to verify the identity. (That extra step allows access by legitimate users who are traveling.) Still, any data—even biometric information such as fingerprints—that’s stored as an authentication mechanism is vulnerable: If a thief breaks into a bank’s systems, he gets the validating data along with everything else. Such systems can also be vulnerable to "man in the middle" attacks, where communication between the customer and the company is intercepted, Clarke notes.

That’s why some companies are trying token-based methods, such as scratch cards, where customers scratch off a protective covering on a card to reveal a one-time access code. In the United States, E-Trade Financial is implementing the high-tech version of this approach using RSA Security’s lipstick-sized SecurID device, which produces new, one-time codes every 60 seconds and displays them on a small LCD screen. Users enter the code showing on the screen when logging into their investment accounts. If the device is stolen, a phone call from the customer flags it as invalid, so a thief could not use it. And even if the consumer’s computer has been hacked and a keylogger installed to steal passwords, the code’s ever-changing nature means a thief would still be stymied, says Joshua S. Levine, E-Trade’s chief technology and operations officer. But token-based authentication makes many companies nervous, analysts say, because of the implementation and support costs. They also say that consumers won’t tolerate having more than a very few such devices.
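The access-profiling approach described above (learn where and when a customer usually logs in, and challenge rather than block when a login doesn’t fit) can be shown in a few dozen lines. The following is an added example, not code from the article or from any of the vendors it names; the login history, user names and the three-login minimum are constructed for the illustration, and a real product would weigh many more signals than country and time zone.

```python
# Added example (not from the article or its vendors): a minimal risk-based
# login check. A user's usual (country, time zone) pairs are learned from past
# successful logins; a login that doesn't fit gets an extra challenge question
# rather than a refusal, so a travelling customer can still get in.
from collections import Counter, defaultdict

# Constructed login history: (user, country, time_zone, outcome).
LOGIN_HISTORY = [
    ("alice", "US", "America/New_York", "success"),
    ("alice", "US", "America/New_York", "success"),
    ("alice", "US", "America/New_York", "success"),
    ("alice", "US", "America/Chicago",  "success"),
    ("bob",   "CA", "America/Toronto",  "success"),
    ("bob",   "CA", "America/Toronto",  "failure"),  # failures never shape a profile
]

MIN_LOGINS = 3  # assumed threshold: fewer successes than this is too thin a profile to trust


def build_profiles(history):
    """Count, per user, how often each (country, time zone) pair appeared on a successful login."""
    profiles = defaultdict(Counter)
    for user, country, tz, outcome in history:
        if outcome == "success":
            profiles[user][(country, tz)] += 1
    return profiles


def assess_login(profiles, user, country, tz):
    """Return ("allow" | "challenge", reason) for a login attempt.

    The only hard answer is "allow" on a clean match; everything else falls back
    to a challenge, because a mismatch may be a thief or a customer on a trip.
    """
    seen = profiles.get(user)
    if not seen or sum(seen.values()) < MIN_LOGINS:
        return "challenge", "no established profile"
    if (country, tz) in seen:
        return "allow", "matches usual access location"
    if country in {c for c, _ in seen}:
        return "challenge", "known country, unusual time zone"
    return "challenge", "unknown country"


def record_success(profiles, user, country, tz):
    """After a challenge is answered correctly, fold the new location into the profile."""
    profiles[user][(country, tz)] += 1


if __name__ == "__main__":
    profiles = build_profiles(LOGIN_HISTORY)
    # The article's own scenario: a Delaware customer's account accessed from Argentina.
    print(assess_login(profiles, "alice", "AR", "America/Argentina/Buenos_Aires"))
    print(assess_login(profiles, "alice", "US", "America/New_York"))
```

Running the script prints a challenge for the Argentina login and an allow for the usual New York one; note that `bob` is also challenged simply because his profile has too few successful logins to be trusted yet.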
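To make concrete why a code that changes every 60 seconds defeats a keylogger, here is an added example of a time-based one-time code generator and verifier. It is not the article’s code and not RSA’s: SecurID uses RSA’s own proprietary algorithm, whereas this block implements the open RFC 4226/RFC 6238 HOTP/TOTP construction, which illustrates the same idea. The shared secret, the fixed login time and the one-step tolerance window are constructed for the illustration.

```python
# Added example (not the article's or RSA's code): RFC 4226 HOTP and RFC 6238
# TOTP with 60-second steps, plus a simulation of a keylogger replaying a
# captured code after the step has passed.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 60, digits: int = 6) -> str:
    """Code for the time step containing `at_time` (60-second steps, as the article describes)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: float,
                step: int = 60, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift.

    Each comparison is constant-time; a real server would additionally refuse to
    accept the same code twice within its validity window.
    """
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), candidate)
               for c in range(counter - window, counter + window + 1))


def replay_demo(secret: bytes, step: int = 60) -> dict:
    """Simulate a keylogger capturing the code typed at login and replaying it five minutes later."""
    t_login = 1_000_000  # constructed fixed timestamp so the result is reproducible
    captured = totp(secret, t_login, step)
    return {
        "captured_code": captured,
        "accepted_immediately": verify_totp(secret, captured, t_login, step),
        "accepted_after_5_minutes": verify_totp(secret, captured, t_login + 5 * 60, step),
    }


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed demo secret (the RFC test-vector key)
    print("current code:", totp(secret, time.time()))
    print(replay_demo(secret))
```

The point the E-Trade quote makes shows up in `replay_demo`: the captured code is accepted at login and rejected five minutes later, because the server only checks codes for the current time step and its immediate neighbours. The `hotp` values for the RFC 4226 test key match the published vectors, which is a useful self-check when porting this to another language.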
Alternatives do exist, of course. Canadian cash-card provider SolidPay, for instance, uses cell phones for two-factor authentication. It has deployed StrikeForce Technologies’ software, which calls customers’ cell phones and prompts them to enter their PIN on the phone’s keypad when they try to, for example, transfer money to their cards. And to combat device proliferation, RSA plans to launch a form of federation service this fall that would let consumers use the same SecurID authenticator device for accounts at multiple companies.

Some analysts believe such systems are inevitable. The federal government’s requirement that passport holders, transportation workers and government employees all use smart card IDs will create a critical mass of adoption for a standard token, says Good Harbor’s Clarke. He ultimately envisions ID cards that everyone carries, just as most now carry a driver’s license and a credit or debit card. (The concept of a national ID card has long faced strong opposition, although efforts to standardize state ID cards may achieve the same result, but more palatably.)

The Slow Road to Security

Wary of the cost of token-based authentication and of annoying customers with extra steps such as answering validation questions, financial providers are implementing fraud-detection systems similar to what credit card companies have long used, Litan says. For online access, most are focusing on methods that don’t require user action (for example, checking a user’s current location against his profile of usual access locations). A second low-impact approach—this one designed to limit the damage caused by phishing attacks—is the use of server-side certificates to verify that users have in fact reached the bank or retailer they intended to contact, suggests David Meunier, CSO of CUNA Mutual Group, which provides processing services to credit unions.
This approach means that browsers should have SSL and certificate validation turned on, so the browser can display the result of the certificate check and users will know whether they have arrived at their intended site and not a sinister look-alike. (Students at Stanford University recently released such software for the Mozilla Firefox browser.) Meunier acknowledges, however, that this technology would not stop phishing via e-mail, for which no similarly widespread certificate standard is in place as of yet. Another browser-security option, according to Chris Novak, senior security consultant at Cybertrust, is a browser plug-in that detects password or account entry fields and scrambles them with a key known to both the browser and the legitimate server. Considering the small number of browser types in wide use, it should be straightforward to distribute such a plug-in if the financial industry agreed on a standard for it, he says.

Given the fractured nature of the financial services and retail industries, analysts agree that improved security for customer data will most likely come from efforts that combine numerous techniques such as those mentioned above. While government regulation could push reluctant companies to implement more-intrusive technologies such as two-factor authentication for at least some online transactions, public pressure is the more likely way slow-moving companies will be spurred on, especially if consumers view security as an asset rather than as a barrier to commerce.