[Clips] Banks Seek Better Online-Security Tools
R. A. Hettinga
rah at shipwright.com
Thu Dec 1 16:55:53 EST 2005
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Thu, 1 Dec 2005 16:54:00 -0500
To: Philodox Clips List <clips at philodox.com>
From: "R. A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Banks Seek Better Online-Security Tools
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://online.wsj.com/article_print/SB113339543967610740.html>

The Wall Street Journal
December 1, 2005

Banks Seek Better Online-Security Tools

New Software Adds Layers
To Verify Users' Identities;
Ease of Use Remains Worry

By RIVA RICHMOND
DOW JONES NEWSWIRES
December 1, 2005; Page B4

More banks, driven by rising online identity theft and regulators'
concerns, are shopping for security technology to help ensure those logging
into accounts are the customers they claim to be.

But while banks want security that is stronger than standard user names and
passwords, they also don't want the technology to turn off customers by
diminishing the convenience of online banking.

Software makers are aiming to help banks strike a tricky balance between
security and convenience, with several, including Corillian Corp. and
Entrust Inc., recently introducing systems that raise the bar for risky or
suspect transactions. The software works behind the scenes to apply extra
security measures when there is unusual or questionable activity -- say,
account access from a cybercafe in Prague or a large money transfer that
isn't a normal bill-payment routine.

The emergence of these products reflects the industry's concerns that email
identity-theft scams, called "phishing," and hacker programs that steal
consumers' account information could hurt online banking, which is valued
by banks as a low-cost way of doing business.

In the U.S., the Federal Financial Institutions Examination Council, a
group that sets standards for banks, credit unions and thrifts, in October
urged that online-banking security move beyond simple passwords by the end
of next year. Its recommendation carries the force of regulation because
banks' failure to comply would earn them black marks from bank examiners.

Many of the new products would help banks respond to the FFIEC, which
didn't endorse specific security technologies but encouraged banks to
choose measures appropriate to the risk. Other suppliers of software for
tightening security include closely held firms Cyota Inc., New York, and
PassMark Security Inc., Menlo Park, Calif.

"The banks are being pushed to bring in stronger authentication, but match
it to the risk of the transaction and to the user experience and their
desires," said Chris Voice, a vice president at Entrust, of Addison, Texas.
Authentication is a security measure for verifying a customer or
transaction.

Industry analysts think banks will employ several techniques to weigh risk
and verify identities. One way is to halt any transactions from certain
computers or countries with a high fraud risk. In addition to a user name
and password, some of these new security systems add a fairly obscure
personal question, such as "What was your high-school mascot?" Some also
allow banks facing a suspicious transaction to send an extra four-digit
security code for use online to a customer's cellphone.

The idea is similar to credit-card-fraud systems that trigger phone calls
to cardholders when they detect unusual activity, while letting the vast
majority of transactions through without incident.

Corillian, of Hillsboro, Ore., already provides the technology behind the
online-banking operations of many banks and credit unions. Woodforest
National Bank, which has 190 branches in Texas and North Carolina, is
rolling out Corillian's security technology during the first half of 2006.
Corillian also has sold the technology to three credit unions and says it
is in talks with three of the top-10 U.S. banks.

"The key to keeping this channel open is keeping it secure," said Charles
Manning, president and chief information officer of Woodforest, which
operates most of its branches inside Wal-Mart stores.

Corillian's Intelligent Authentication package, launched Oct. 25, tracks
the behavior of online-banking customers and builds histories of their
habits to create "access signatures." Its files don't include personal
information. But they do track the characteristics of the computers and
Internet-service providers that a customer typically uses. It also records
the normal geographic locations and the times of day a customer prefers to
bank online, flagging exceptions for scrutiny.

Meanwhile, security-software maker Entrust unveiled a major new version of
its IdentityGuard product on Nov. 8 that offers a menu of user-verification
methods banks can choose from to beef up security on transactions they deem
risky. It has sold IdentityGuard to Miami-based Commercebank NA, a unit of
Mercantil Servicios Financieros of Venezuela, and a number of European
banks. European customers of Entrust's software include Schufa Holding AG,
a German credit-reporting company, and the Swedish government.

For low-risk transactions, such as a payment to a utility company, banks
may be content to verify that the user is connecting via a previously
authorized computer. In more risky situations, or if the computer check
fails, Entrust's system can ask preset security questions or add extra
one-time passcodes that customers determine with a wallet-sized card.

Entrust also uses ideas similar to those from PassMark, which supplies
security software to Bank of America Corp. Its system displays a photo of a
local bank site that is preselected by the customer, so he can be confident
he isn't visiting an impostor site.
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
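
Added example, not part of the forwarded article and not Corillian's or Entrust's code: a sketch of the risk-matched authentication the article describes, building an "access signature" from a customer's past computers, ISPs, locations and hours, then choosing between no challenge, a security question and a one-time code. The field names, weights, thresholds and the "ZZ" country placeholder are all assumptions made for illustration.

```python
from collections import Counter, namedtuple

Login = namedtuple("Login", "device isp country hour")  # hour: 0-23, customer's local time

# All policy values below are assumptions made for this example.
WEIGHTS = {"device": 40, "isp": 15, "country": 30, "hour": 15}
BLOCKED_COUNTRIES = {"ZZ"}   # placeholder for a bank's high-fraud list
MIN_HISTORY = 5              # fewer logins than this is not yet a usable signature
LARGE_TRANSFER = 5000.0

def build_signature(history):
    """Per-attribute frequency tables of past logins; no personal data is stored."""
    sig = {field: Counter(getattr(ev, field) for ev in history) for field in WEIGHTS}
    return sig, len(history)

def hour_is_usual(hours, hour, window=2):
    """True if the customer has banked within +/- window hours, wrapping at midnight."""
    return any(hours[(hour + d) % 24] for d in range(-window, window + 1))

def risk_score(sig, n, ev):
    if n < MIN_HISTORY:
        return 100  # fail closed: with no signature, every login is an exception
    score = sum(WEIGHTS[f] for f in ("device", "isp", "country")
                if getattr(ev, f) not in sig[f])
    if not hour_is_usual(sig["hour"], ev.hour):
        score += WEIGHTS["hour"]
    return score

def decide(sig, n, ev, amount=0.0, known_payee=True):
    """Return 'block', 'allow', 'security_question' or 'one_time_code'."""
    if ev.country in BLOCKED_COUNTRIES:
        return "block"
    score = risk_score(sig, n, ev)
    if amount >= LARGE_TRANSFER or not known_payee:
        score += 30  # a non-routine transfer raises the bar even from a known computer
    if score < 30:
        return "allow"
    return "security_question" if score < 60 else "one_time_code"

# Constructed sample history: ten evening logins from one home computer.
HISTORY = [Login("dev-home", "isp-a", "US", 19 + i % 3) for i in range(10)]
SIG, N = build_signature(HISTORY)

if __name__ == "__main__":
    usual = Login("dev-home", "isp-a", "US", 20)
    cafe = Login("dev-cafe", "isp-cz", "CZ", 20)   # unfamiliar computer, ISP and country
    print(decide(SIG, N, usual, amount=80.0))
    print(decide(SIG, N, cafe))
    print(decide(SIG, N, usual, amount=9000.0, known_payee=False))
```

A customer with too little history is scored as an exception rather than waved through, so a new account cannot skip the extra check.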
---------------------------------------------------------------------
The Cryptography Mailing List