Banking on Tight Online Security
By Richard Newman
April 9, 2006
Bank security isn't what it used to be.
For one thing, bankers have discovered that surveillance cameras are cheaper than uniformed guards, and are a pretty good deterrent to robbers.
Also, as consumers do more of their banking electronically, bankers have learned they must guard the vaults against thieves who would hijack passwords and PIN numbers to steal money.
A tiny software company in Hackensack, Green Armor Solutions, is one of a number of firms swarming into the identity theft prevention niche as government regulators urge financial institutions to beef up their online banking security.
CEO Joseph Steinberg, a former technology consultant, and Shira Rubinoff, a psychologist, have come up with a security system called Identity Cues Two Factor, which they say will satisfy regulators and is easy for consumers to get used to.
The market seems ripe for such a product.
The government has determined that the customary ways to access a bank account online, by entering a log-in name and secret password, are not enough to prove the identity of a user. Hackers and others have figured out ways to steal or guess passwords and other personal information which could be used to commit identity theft crimes. So new standards issued late last year by federal regulators, urging banks to add security features that can double-check the user's identity, have sent banks and credit unions scrambling for software. And that created opportunities for companies like Green Armor.
The banking industry has been resistant to the new standards, fearing they will make online banking more complicated for consumers and will slow growth of that important part of the business.
But the financial institutions do have "the flexibility to select the technology that works well for the bank and for their customers," said Viveca Ware, director of payments policy for Independent Community Bankers, a trade group.
Some banks may offer customers different levels of security, depending on their needs and their comfort level with online banking, said a spokesman for the Federal Deposit Insurance Corp.
One of Steinberg's main sales pitches is that "our products are extremely easy for end users," he said.
Two-year-old Green Armor counts six credit unions among its customers: Hartford Healthcare Credit Union, Sterling Van Dyke Credit Union, State Police Credit Union, Metropolitan District Employees Credit Union, Fairfield County Federal Credit Union and Homeport Federal Credit Union.
The system the credit unions bought double-checks the IDs of their online bank customers without requiring any additional log-in steps, Steinberg said.
It works something like this:
In addition to the customary entry of a name and password, the program also electronically tags each computer that the customer routinely uses, so the computer's identity can be checked along with that of the user.
If the online banking customer wants to use a strange computer, say, while away on vacation, access to the account is denied until an offline ID check is completed. That check would involve the automated e-mailing of a one-time password to a user's cellphone or some other separate device, such as a "hard token," Steinberg said.
The computer ID check along with the log-in and password provide the "two-factor" authentication that government examiners will want to see, Steinberg said.
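The login flow described above, written out in Python as an added illustration. It is not Green Armor's code; the signed tag format, the six-digit code, the five-minute lifetime and every name in it are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret
OTP_TTL = 300                          # assumed one-time password lifetime, in seconds

def _mac(user, device_id):
    return hmac.new(SERVER_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()

def issue_device_tag(user):
    """Tag stored on a computer (e.g. as a cookie) once the user is verified on it."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{_mac(user, device_id)}"

def device_is_known(user, tag):
    """A tag counts only if this server issued it for this user."""
    if not tag or tag.count(".") != 1:
        return False
    device_id, mac = tag.split(".")
    return hmac.compare_digest(mac.encode(), _mac(user, device_id).encode())

class LoginService:
    def __init__(self, passwords):
        self.passwords = passwords     # constructed demo data; store salted hashes in practice
        self.pending = {}              # user -> (sha256 of OTP, expiry time)
        self.outbox = []               # stand-in for the separate delivery channel

    def login(self, user, password, tag=None):
        stored = self.passwords.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return "denied"
        if device_is_known(user, tag):
            return "ok"                # name + password + recognised computer
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (hashlib.sha256(otp.encode()).digest(), time.time() + OTP_TTL)
        self.outbox.append((user, otp))
        return "otp_required"          # unfamiliar computer: access held until the check

    def verify_otp(self, user, otp, now=None):
        """On success, tag the new computer. Any attempt consumes the pending OTP."""
        digest, expiry = self.pending.pop(user, (b"", 0.0))
        now = time.time() if now is None else now
        if now > expiry or not hmac.compare_digest(digest, hashlib.sha256(otp.encode()).digest()):
            return None
        return issue_device_tag(user)
```

Because the tag is bound to the user name with a server-side key, a tag copied from one customer's computer does not make another customer's login look familiar.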
The program also addresses the problem of "phishing."
Passwords and other personal information often are stolen by computer hacks known as phishers who create phony e-mails and Web sites which claim to be from legitimate financial institutions or electronic payment processors. But they are really out to trick people into giving up their secret passwords and other personal information.
As a defense against phishing, Identity Cues Two Factor produces for each online banking customer a pop-up image, generally a colored square with a word or number inside it. This visual cue is summoned automatically before a password is entered, and could not be duplicated by a phisher, Steinberg said.
Rubinoff drew upon her psychology background to devise and test these cues, making sure they are memorable and would likely be missed by the user if they were absent. The idea is that the absence of the cue would immediately suggest that something is wrong, and that the Web site or e-mail is a fake, she said.
Getting consumers to be able to recognize a phishing attack when they see one "is a social engineering problem," she said.
Green Armor has patents pending on Identity Cues Two Factor and on two other more narrowly focused products, "Identity Cues for E-mail," and "Identity Cues for Web sites." The prices on the software licensing agreements start at around $20,000, Rubinoff said. Maintenance and support agreements are optional.
Green Armor's main competitors include RSA Cyota Consumer Solutions and PassMark, among others.
Another New Jersey-based start-up, Strike Force Technologies, is also selling online banking security systems to banks and credit unions.
All of these firms expect to benefit this year from the government's push to improve online security.
"The market is white hot, red hot, whatever color you want to use," said Jordan Byk, a vice president at Strike Force.
This story originally appeared at: http://tinyurl.com/rwdk6