[Clips] Banks Seek Better Online-Security Tools

R. A. Hettinga rah at shipwright.com
Thu Dec 1 16:55:53 EST 2005


--- begin forwarded text


 Delivered-To: clips at philodox.com
 Date: Thu, 1 Dec 2005 16:54:00 -0500
 To: Philodox Clips List <clips at philodox.com>
 From: "R. A. Hettinga" <rah at shipwright.com>
 Subject: [Clips] Banks Seek Better Online-Security Tools
 Reply-To: rah at philodox.com
 Sender: clips-bounces at philodox.com

 <http://online.wsj.com/article_print/SB113339543967610740.html>

 The Wall Street Journal

 December 1, 2005

 Banks Seek Better Online-Security Tools
 New Software Adds Layers
  To Verify Users' Identities;
  Ease of Use Remains Worry
 By RIVA RICHMOND
 DOW JONES NEWSWIRES
 December 1, 2005; Page B4

 More banks, driven by rising online identity theft and regulators'
 concerns, are shopping for security technology to help ensure those logging
 into accounts are the customers they claim to be.

 But while banks want security that is stronger than standard user names and
 passwords, they also don't want the technology to turn off customers by
 diminishing the convenience of online banking.

 Software makers are aiming to help banks strike a tricky balance between
 security and convenience, with several, including Corillian Corp. and
 Entrust Inc., recently introducing systems that raise the bar for risky or
 suspect transactions. The software works behind the scenes to apply extra
 security measures when there is unusual or questionable activity -- say,
 account access from a cybercafe in Prague or a large money transfer that
 isn't a normal bill-payment routine.

 The emergence of these products reflects the industry's concerns that email
 identity-theft scams, called "phishing," and hacker programs that steal
 consumers' account information could hurt online banking, which is valued
 by banks as a low-cost way of doing business.

 In the U.S., the Federal Financial Institutions Examination Council, a
 group that sets standards for banks, credit unions and thrifts, in October
 urged that online-banking security move beyond simple passwords by the end
 of next year. Its recommendation carries the force of regulation because
 banks' failure to comply would earn them black marks from bank examiners.

 Many of the new products would help banks respond to the FFIEC, which
 didn't endorse specific security technologies but encouraged banks to
 choose measures appropriate to the risk. Other suppliers of software for
 tightening security include closely held firms Cyota Inc., New York, and
 PassMark Security Inc., Menlo Park, Calif.

 "The banks are being pushed to bring in stronger authentication, but match
 it to the risk of the transaction and to the user experience and their
 desires," said Chris Voice, a vice president at Entrust, of Addison, Texas.
 Authentication is a security measure for verifying a customer or
 transaction.

 Industry analysts think banks will employ several techniques to weigh risk
 and verify identities. One way is to halt any transactions from certain
 computers or countries with a high fraud risk. In addition to a user name
 and password, some of these new security systems add a fairly obscure
 personal question, such as "What was your high-school mascot?" Some also
 allow banks facing a suspicious transaction to send an extra four-digit
 security code for use online to a customer's cellphone.

 The idea is similar to credit-card-fraud systems that trigger phone calls
 to cardholders when they detect unusual activity, while letting the vast
 majority of transactions through without incident.

 Corillian, of Hillsboro, Ore., already provides the technology behind the
 online-banking operations of many banks and credit unions. Woodforest
 National Bank, which has 190 branches in Texas and North Carolina, is
 rolling out Corillian's security technology during the first half of 2006.
 Corillian also has sold the technology to three credit unions and says it
 is in talks with three of the top-10 U.S. banks.

 "The key to keeping this channel open is keeping it secure," said Charles
 Manning, president and chief information officer of Woodforest, which
 operates most of its branches inside Wal-Mart stores.

 Corillian's Intelligent Authentication package, launched Oct. 25, tracks
 the behavior of online-banking customers and builds histories of their
 habits to create "access signatures." Its files don't include personal
 information. But they do track the characteristics of the computers and
 Internet-service providers that a customer typically uses. It also records
 the normal geographic locations and the times of day a customer prefers to
 bank online, flagging exceptions for scrutiny.

 Meanwhile, security-software maker Entrust unveiled a major new version of
 its IdentityGuard product on Nov. 8 that offers a menu of user-verification
 methods banks can choose from to beef up security on transactions they deem
 risky. It has sold IdentityGuard to Miami-based Commercebank NA, a unit of
 Mercantil Servicios Financieros of Venezuela, and a number of European
 banks. European customers of Entrust's software include Schufa Holding AG,
 a German credit-reporting company, and the Swedish government.

 For low-risk transactions, such as a payment to a utility company, banks
 may be content to verify that the user is connecting via a previously
 authorized computer. In more risky situations, or if the computer check
 fails, Entrust's system can ask preset security questions or add extra
 one-time passcodes that customers determine with a wallet-sized card.

 Entrust also uses ideas similar to those from PassMark, which supplies
 security software to Bank of America Corp. Its system displays a photo of a
 local bank site that is preselected by the customer, so he can be confident
 he isn't visiting an impostor site.

 --
 -----------------
 R. A. Hettinga <mailto: rah at ibuc.com>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

--- end forwarded text



---------------------------------------------------------------------
The Cryptography Mailing List