Improving Security of Online Transactions
The steady stream of security breaches is taking its toll on consumer confidence. Andrea Klein at E-Commerce Times points out:
[T]he Ponemon Institute, a research and education organization focusing on information and privacy practices, revealed in its "2006 Privacy Trust Study for Retail Banking" that banks are only one or two security breaches away from losing customers -- with 34 percent of respondents indicating that they would transfer their funds after a single security breach.
Banks and other financial institutions are taking notice.
PayPal is offering a hardware security key that generates a new random number every 30 seconds for authentication.
Andrew Rolfe of E-Commerce Times makes a good argument for out-of-band communications. The basic idea is that an on-line transaction must be authenticated using some other channel (i.e. not the Internet); the phone is the obvious choice. The financial institution would place a call to a phone of record to verify a transaction. The possibility of an attacker hacking the phone number database is there, but this method significantly raises the level of difficulty over today's attacks.
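A rotating 30-second code like the one on PayPal's hardware key is usually a time-based one-time password; the post does not say which algorithm PayPal's token uses, so this added example (not code from the post or from PayPal) assumes the standard RFC 6238 TOTP construction. It shows the verifier side a bank would run: a one-step clock-drift allowance plus rejection of an already-consumed time step, so a code captured by a phisher cannot be replayed within the window.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the token rotates every 30 seconds, as the post describes


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 time-based one-time code: HMAC-SHA1 over the time-step counter
    (assumed construction; RFC 4226 dynamic truncation picks 4 bytes of the MAC)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side of the check. Accepts one adjacent 30-second step of clock
    drift, and never accepts a code for a time step at or before the last one
    already used, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, digits: int = 6, drift_steps: int = 1):
        self.secret = secret
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest time step consumed so far

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue  # already consumed (or older): replayed code is rejected
            expected = totp(self.secret, step * STEP_SECONDS, self.digits)
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed test input, not a real key)
    demo_secret = b"12345678901234567890"
    v = TotpVerifier(demo_secret, digits=8)
    code = totp(demo_secret, 1111111111, 8)
    print("first use accepted:", v.verify(code, 1111111111))   # True
    print("replay accepted:", v.verify(code, 1111111112))      # False
```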
Cryptography is also improving. According to Vipul Gupta of Sun Microsystems:
Something that is here today will not be good enough for tomorrow. About five years ago, DES was ruled inadequate. Now we are moving from RSA to a new deployment of ECC. We are also working on new hashing and key algorithms to AES (advanced encryption standard). All these various components are vital to full security.
These options are promising but there are still challenges.
Klein argues for a comprehensive identity structure, which poses real hurdles, both technical and legal. One of the reasons PKI is not more widely used is the difficulty in setting it up and administering it. Federated identity management is getting better, but it is also difficult to manage, especially when there are fine-grained policy details to worry about.
Finally, Gupta hits on the biggest challenge:
Attackers go after the weakest chain in the link, and that is the end user. Security education is falling behind. We have to strengthen our efforts in educating users about security.