Brian Krebs at the Washington Post recently wrote about a new software tool developed by Trusteer and provided by ING to help its customers bank online more securely, even when using PCs that may be compromised by spyware.
At an incremental level, this approach may prove valuable. After all, if the tool is any good, it should prevent the theft of some financial account information, while also providing a sense of security for those ING customers who use it.
As a solution to the larger problem, though, this approach falls short for a number of reasons:
- Installing the application is one more step that a user has to take (and know to take) just to conduct what should be a simple yet secure web transaction.
- New software applications, however well designed, introduce the potential for new vulnerabilities and compatibility issues.
- Additional software means another layer of troubleshooting for the vendor, the user, PC consultants, etc.
- PC security is a broader issue than just protecting the transmission of usernames and passwords. An application such as the one from ING might mask the larger problem that a user’s PC is unpatched and infested with a variety of badware applications.
Again, I don’t mean to criticize the ING/Trusteer application itself, as it might be a useful tool. Rather, it’s important to note that the long-term solution lies in software producers and website owners protecting users more transparently and holistically. This includes approaches such as:
- Providing users with real-time, user-understandable notice of risky websites (see, for example, Google’s and Yahoo/McAfee’s search results warnings and Firefox’s anti-phishing warnings).
- Designing software, websites, and hosting services with security in mind.
- Making automatic software updates easy and unobtrusive (without abusing the user’s trust by using this capability to push unwanted software or features).
- Educating users about online privacy and security.
- Using the collective knowledge of Internet users to gather intelligence about, and react to, rapidly changing threats.
- Providing full disclosure to users about the privacy and security implications of applications and websites before the user commits to using them (see, for example, our Badware Guidelines).
There’s still a lot of work to be done in helping users maintain their privacy and security online. I hope that the software from Trusteer and ING will be successful in thwarting some identity theft attacks, but more than that, I hope that in a few years, this software won’t be needed.
