--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Thu, 1 Dec 2005 16:54:00 -0500
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R. A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Banks Seek Better Online-Security Tools
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://online.wsj.com/article_print/SB113339543967610740.html>

The Wall Street Journal

December 1, 2005

Banks Seek Better Online-Security Tools

New Software Adds Layers To Verify Users' Identities; Ease of Use Remains Worry

By RIVA RICHMOND
DOW JONES NEWSWIRES
December 1, 2005; Page B4

More banks, driven by rising online identity theft and regulators' concerns, are shopping for security technology to help ensure those logging into accounts are the customers they claim to be.

But while banks want security that is stronger than standard user names and passwords, they also don't want the technology to turn off customers by diminishing the convenience of online banking.

Software makers are aiming to help banks strike a tricky balance between security and convenience, with several, including Corillian Corp. and Entrust Inc., recently introducing systems that raise the bar for risky or suspect transactions. The software works behind the scenes to apply extra security measures when there is unusual or questionable activity -- say, account access from a cybercafe in Prague or a large money transfer that isn't a normal bill-payment routine.

The emergence of these products reflects the industry's concerns that email identity-theft scams, called "phishing," and hacker programs that steal consumers' account information could hurt online banking, which is valued by banks as a low-cost way of doing business.

In the U.S., the Federal Financial Institutions Examination Council, a group that sets standards for banks, credit unions and thrifts, in October urged that online-banking security move beyond simple passwords by the end of next year. Its recommendation carries the force of regulation because banks' failure to comply would earn them black marks from bank examiners.

Many of the new products would help banks respond to the FFIEC, which didn't endorse specific security technologies but encouraged banks to choose measures appropriate to the risk. Other suppliers of software for tightening security include closely held firms Cyota Inc., New York, and PassMark Security Inc., Menlo Park, Calif.

"The banks are being pushed to bring in stronger authentication, but match it to the risk of the transaction and to the user experience and their desires," said Chris Voice, a vice president at Entrust, of Addison, Texas. Authentication is a security measure for verifying a customer or transaction.

Industry analysts think banks will employ several techniques to weigh risk and verify identities. One way is to halt any transactions from certain computers or countries with a high fraud risk. In addition to a user name and password, some of these new security systems add a fairly obscure personal question, such as "What was your high-school mascot?" Some also allow banks facing a suspicious transaction to send an extra four-digit security code for use online to a customer's cellphone.

The idea is similar to credit-card-fraud systems that trigger phone calls to cardholders when they detect unusual activity, while letting the vast majority of transactions through without incident.

Corillian, of Hillsboro, Ore., already provides the technology behind the online-banking operations of many banks and credit unions. Woodforest National Bank, which has 190 branches in Texas and North Carolina, is rolling out Corillian's security technology during the first half of 2006. Corillian also has sold the technology to three credit unions and says it is in talks with three of the top-10 U.S. banks.

"The key to keeping this channel open is keeping it secure," said Charles Manning, president and chief information officer of Woodforest, which operates most of its branches inside Wal-Mart stores.

Corillian's Intelligent Authentication package, launched Oct. 25, tracks the behavior of online-banking customers and builds histories of their habits to create "access signatures." Its files don't include personal information. But they do track the characteristics of the computers and Internet-service providers that a customer typically uses. It also records the normal geographic locations and the times of day a customer prefers to bank online, flagging exceptions for scrutiny.

Meanwhile, security-software maker Entrust unveiled a major new version of its IdentityGuard product on Nov. 8 that offers a menu of user-verification methods banks can choose from to beef up security on transactions they deem risky. It has sold IdentityGuard to Miami-based Commercebank NA, a unit of Mercantil Servicios Financieros of Venezuela, and a number of European banks. European customers of Entrust's software include Schufa Holding AG, a German credit-reporting company, and the Swedish government.

For low-risk transactions, such as a payment to a utility company, banks may be content to verify that the user is connecting via a previously authorized computer. In more risky situations, or if the computer check fails, Entrust's system can ask preset security questions or add extra one-time passcodes that customers determine with a wallet-sized card.

Entrust also uses ideas similar to those from PassMark, which supplies security software to Bank of America Corp. Its system displays a photo of a local bank site that is preselected by the customer, so he can be confident he isn't visiting an impostor site.

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"...
however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
