Do Not Enter
By Matt Hines | Posted 2006-10-22
Financial institutions are creating multitiered solutions to protect online banking customers from fraud and phishing.
With criminals stalking their operations and customers, Wells Fargo and SVB Silicon Valley Bank can't afford to fool around with online security.
Just as riflemen rode shotgun on Wells Fargo stagecoaches in the 19th century, today, Wells Fargo and SVB Silicon Valley Bank executives are relying on whatever weapons they can get their hands on to help keep the bad guys at bay.
The most significant trend in the online business world over the last year has been the shift among hackers and other criminals from attacks aimed at disabling corporate infrastructure to threats that specifically look to steal companies' money and customer information.
In mid-October, London's Metropolitan Police Computer Crime Unit announced that the e-mail addresses, credit card numbers and transaction histories of approximately 83,000 U.K. consumers had been found on a PC recovered by law enforcement authorities in the United States. According to London police, the files were stolen from computers at an unnamed U.K. bank using a Trojan horse back-door virus that recorded individuals' passwords.
"Security has always been a cornerstone of what we've done as a business, and that's obviously changed over time and will continue to change as threats evolve, so we continue to work hard to do everything we can to protect customers without getting in the end user's way," said Jim Smith, executive vice president of Wells Fargo's Internet Channel and Products group, in San Francisco.
The benefits of defeating today's criminal threats are hard to quantify in dollars and cents, as the return on investment for companies such as Wells Fargo and SVB Silicon Valley Bank is measured by the companies' ability to stave off potential attacks and the number of customers who remain willing to do their business over the Web. If successful in their endeavors to keep users protected and banking online, the companies also hope to keep their brick-and-mortar overhead expenses from rising to pre-Internet levels.
The other goal in allaying online attacks is the banks' desire to keep their names out of national headlines for failing to adequately protect customer data, a fear that is increasingly driving adoption of new IT defenses faster than the fear of the threats themselves, security analysts said.
Wells Fargo maintains some $500 billion in assets and provides banking, insurance, investment, mortgage and consumer finance services to more than 23 million customers. The company offers a 100 percent security guarantee that its users won't fall prey to online threats such as phishing schemes, keylogger programs and pharming attacks.
At the core of the bank's Web applications defense effort is a best-of-breed approach that aims to provide fail-safe coverage for Wells Fargo and its customers by protecting online transactions at every level. By employing technologies from a wide array of providers, said Smith, the bank is able to use the most effective tools for each security function while protecting against loopholes that might exist in any single product.
Since Wells Fargo launched its online banking operations in 1995, its Web sites have been fully encrypted, including customer password input, processing and management features. The bank has offered two-factor authentication in its Commercial Electronic Office business portal since 2000.
Among the many tools employed by the company are applications from fraud detection and authentication software specialists Bharosa, along with other products from vendors including Actimize, Quova and RSA Security. The various products are used in unison to provide real-time risk analysis for all Wells Fargo's customers' online transactions, Smith said.
Bharosa offers two enterprise products. Its Tracker software analyzes users' online account and device information to look for unusual behavior and help verify their identities, while Bharosa's Authenticator application creates a unique "virtual token" to help encrypt user password or PIN information each time a user session is launched.
Read the full story on eWEEK.com: Banks to Lawless Phishers: Do Not Enter.