The FutureNow List


When The FutureNow List debuted a year ago IT security emerged as a spending priority, with the lion’s share of investment made in secure authentication. But as the first signs of the subprime crunch gave way to a crisis and yet another rogue trader got his 15 minutes of fame—this time it was Societe Generale’s Jerome Kerviel—information technology leaders were already turning their attention to risk management and compliance. Timing is everything: prompted by recent events, politicians and regulators edge toward a sea change in regulatory oversight.

For many players, the hard work completed in the areas of risk management and compliance will position them well for what new rules and regulation come their clients’ way. Take No. 2-ranked Archer Technologies, whose customers, including American Express and JPMorgan Chase, now make their customized risk management and compliance applications available to each other through Archer’s central repository. Or consider No. 7-ranked Fortent’s foray into creating a centralized database of rules and updates from 154 sources, which also helps banks prove they notified everyone necessary about changes to regulations. And innovations by TriGeo, ranked No. 1, give small and mid-sized banks a fighting chance to catch insiders who might be stealing customer data or intellectual property, while Perimeter eSecurity earns recognition for advancing its managed security services into the compliance realm.

No doubt, risk management and compliance have grabbed many headlines of late. But The FutureNow List casts a far broader net, recognizing 10 companies that set themselves apart for the security innovations they brought to market in the past year in a number of important categories, and the contribution these products will make to improving security within financial services organizations. These companies and categories are TriGeo (network), Archer Technologies (IT risk management), WhiteHat Security (Web application security), Application Security Inc. (database), Citi Global Transaction Services (authentication), FireEye (enterprise), Fortent (compliance), Perimeter eSecurity (MSSP), MXI Security (endpoint), and TriCipher (authentication).

No security review is complete without touching on consolidation. There were a few big ones in the past 12 months, especially in the burgeoning area of data leak prevention and application security. Noteworthy among them are IBM’s deal to acquire Watchfire, and HP’s purchase of SpiDynamics. On the data loss prevention front, Symantec grabbed Vontu, RSA bought Tablus, and TrendMicro captured Provilla. Google got Postini, while Patchlink and SecureWave merged. In other deals, Verizon knocked out CyberTrust and WebSense bought SurfControl.

Expect consolidation to continue, and The FutureNow List players to gain more attention and drive adoption in the market.

1

TRIGEO NETWORK SECURITY

CEO: Michelle Dickman

Category: Network

Status: Private

Why They Matter: A graphical interactive tool that allows teams to explore network data with point-and-click simplicity

Claim to Fame: $9,000 price point appeals to regional banks

Rivals: Cisco, LogRhythm, RSA

When describing InSight from TriGeo Network Security, CEO Michelle Dickman compares it to peeling back layers of an onion. The graphical interactive tool allows users to go deeper into network log data with each click of the mouse, which allows them to uncover and zero in on a single suspicious activity among millions with a few clicks—instead of wading through pages and pages of a report. “There’s a new level of visibility,” she says.

Insight is the first business intelligence product for network management and security, Dickman says. It utilizes an in-memory, associative technology to gather disparate device and system information from across the entire enterprise and dynamically link the data into an interactive view of the organization. Insight allows IT teams to discover the unknown and unpredictable relationships in network and application data often buried deep beneath layers of common network activity.

Once isolated, the suspicious activity can be researched and IT defense measures put in place to thwart future events. For instance, one bank client discovered a janitor regularly plugging into a USB port; another discovered a husband and wife sharing access privileges.

Insight is available as an add-on to TriGeo SIM, a security information and event management solution that proactively defends the network by combining real-time log management analysis, event correlation, endpoint security and automated remediation. The combined solution lets IT managers turn their network “insight” into correlation rules and network monitoring filters that react instantly to new occurrences of suspicious or malicious activity.

This ability to discover and react with rules is critical, Dickman says, since “you can’t write a rule for everything [beforehand]. This is a visual tool to look for unusual relationships. And then you can write a rule.” For instance, one banking client noticed heavy data logging at night; executives figured the computers were probably automatically running and updating programs and systems and that audit levels needed to be lowered so as not to red-flag so many benign events.

But when they “peeled back the onion” they found that 130 workstations were logging onto the Internet at 3 a.m. every night. They were bots, controlled by an outsider. The bank dealt with the immediate problem, but it also wrote a rule that effectively killed any Internet connection attempt between 1 a.m. and 7 a.m.
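The investigation described above, drill down from an hourly view of outbound connections to the hosts and destination behind the spike, then codify the finding as a rule, as an added Python example that is not TriGeo’s code. The log format, the host names, the 10.0.0.0/8 internal range and the minimum-host threshold are all constructed for the example; the real product works on its own SIM feed.

```python
"""Off-hours outbound-connection detection, modelled on the bank anecdote above.

Added example, not TriGeo's code. The log format is constructed for the example:
"<ISO timestamp> <source host> -> <destination ip>:<port> <action>".
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample of firewall log lines. Four workstations talk to the same
# outside host on an IRC port at 3 a.m.; a backup server talks to an internal
# file share at 2:30 a.m.; two workstations browse normally at 9 a.m.
SAMPLE_LOG = """\
2008-02-11T03:00:12 ws-017 -> 203.0.113.5:6667 ALLOW
2008-02-11T03:00:15 ws-042 -> 203.0.113.5:6667 ALLOW
2008-02-11T03:00:17 ws-088 -> 203.0.113.5:6667 ALLOW
2008-02-11T03:00:19 ws-017 -> 203.0.113.5:6667 ALLOW
2008-02-11T03:01:02 ws-113 -> 203.0.113.5:6667 ALLOW
2008-02-11T02:30:00 backup01 -> 10.0.0.10:445 ALLOW
2008-02-11T09:15:44 ws-017 -> 198.51.100.7:80 ALLOW
2008-02-11T09:16:01 ws-042 -> 198.51.100.7:80 ALLOW
"""

# Assumed internal address space; anything outside it counts as "the Internet".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# The quiet window the bank settled on: 1 a.m. up to (not including) 7 a.m.
QUIET_START, QUIET_END = time(1), time(7)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, action = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "dst": ip, "port": int(port), "action": action})
    return events


def is_internal(dst):
    return any(ip_address(dst) in net for net in INTERNAL_NETS)


def in_quiet_window(t, start=QUIET_START, end=QUIET_END):
    return start <= t < end


def external_hosts_by_hour(events):
    """First layer of the onion: distinct hosts that reached the Internet, per hour."""
    by_hour = defaultdict(set)
    for ev in events:
        if ev["action"] == "ALLOW" and not is_internal(ev["dst"]):
            by_hour[ev["time"].hour].add(ev["src"])
    return by_hour


def find_off_hours_clusters(events, min_hosts=3):
    """Hours inside the quiet window where at least min_hosts distinct hosts
    went to the Internet. The bank saw 130; the sample uses a threshold of 3."""
    hits = []
    for hour, hosts in sorted(external_hosts_by_hour(events).items()):
        if in_quiet_window(time(hour)) and len(hosts) >= min_hosts:
            hits.append((hour, sorted(hosts)))
    return hits


def drill_down(events, hour):
    """Next layer: which outside destinations did that hour's traffic go to?
    One destination shared by many hosts is the controller the text describes."""
    dests = Counter()
    for ev in events:
        if ev["time"].hour == hour and not is_internal(ev["dst"]):
            dests[(ev["dst"], ev["port"])] += 1
    return dests.most_common()


def should_block(ev):
    """The rule written afterwards: any Internet connection attempt in the quiet window."""
    return in_quiet_window(ev["time"].time()) and not is_internal(ev["dst"])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hour, hosts in find_off_hours_clusters(evs):
        print(f"{len(hosts)} hosts reached the Internet at {hour:02d}:00: {hosts}")
        print("  top destinations:", drill_down(evs, hour)[:3])
    print("blocked by new rule:", [e["src"] for e in evs if should_block(e)])
```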

TriGeo was started in 2003 and today about half of its clients are financial institutions. The company targets mid-sized companies specifically and prices its offering as low as $9,000.

Mark Nicolett, a research vp at Gartner, has been following TriGeo and its 20 or so competitors for the past three years, and says that the company’s focus on smaller financial institutions and its low price point have made it popular. “They seem to have many regional banks, and a very satisfied customer base.”

Besides the price point, he attributes the satisfaction to the fact that it’s the only one of the 21 companies he tracks in the space to offer out-of-the-box network access control functionality. “They do a good job with out-of-the-box functions, and that’s important for smaller institutions,” which might have just one or two people dedicated to security and not much time or desire to fiddle with products.

Still, he says, TriGeo is smaller than other companies in the space and its challenge going forward will be to grow as quickly as necessary to keep up. That’s partly a function of its customer base: efficiently reaching lots of geographically dispersed small customers is no easy task.

That said, InSight should give TriGeo an important boost, says Nicolett. “Adding log capability is not unique. But TriGeo is now competitive in a wide array of situations.” -Michael Sisk


2

ARCHER TECHNOLOGIES

CEO: Jon Darbyshire

Category: IT Risk Management

Status: Private

Why They Matter: Collaboration always yields better results

Claim to Fame: GRC framework installed at 37 of top 40 US banks; runs open exchange of 50+ user-built applications

Rivals: OpenPages, Brabeion (UK), Flexeye

Great minds don’t think alike. They share.

That’s the driving force behind Archer Technologies’ SmartSuite Framework, a new risk and compliance package that organizations like American Express and the Depository Trust & Clearing Corp. are using to help themselves—and other Archer clients.

Borrowing the Salesforce.com model and applying it to the risk governance market, Overland Park, KS-based Archer has brought together users from more than 80 Fortune 1000 companies to share the custom tools they build from Archer’s base application suite of seven automated GRC management programs. Morgan Stanley, Mass Mutual and Wells Fargo are clients of Archer, which now serves 37 of the nation’s top 40 financial services institutions.

Normally these Fortune 1000 companies are loath to surrender competitive advantage, but the firms have built and posted more than 50 tools on Archer’s new application exchange Web site, all freely available to other licensed Archer users. Why be so generous to the potential enemy? Everyone’s IT staffs are burdened by the “continuous” audits required by new risk and compliance mandates, says Yankee Group program manager Andrew Jaquith. “Probably between 15 percent and a quarter of your security staffs are involved in audits all the time,” he says. “It’s a tax, frankly.”

The submitted applications from clients, or their vendors, can be “as simple as managing firewall change requests, proxy change requests and VPN security,” says Archer founder and CEO Jon Darbyshire, “all the way to business continuity planning, and audit and fraud loss reports.”

The SmartSuite Framework of automated risk assessment made its debut last fall, after Archer executives visited more than 50 clients to see what tools clients were constructing. DTCC developed its own key controls management engine that provided a daily-summary dashboard reporting back to the company’s top five executives. DTCC CISO Jim Routh was sold enough to chair Archer’s development of the application exchange.

Amex chipped in with an application that documented managed-risk memos, “which is a very specific process that any regulated company has to go through,” Darbyshire says. “[It is] something we never thought about building.” -Glen Fest

3

WHITEHAT SECURITY

CEO: Stephanie Fohn

Category: Web Application Security

Status: Private

Why They Matter: Integration of Web-application firewall with industry-leading vulnerability scanner

Claim to Fame: Web site vulnerability testing integrated with Web-application firewall from F5 Networks

Rivals: Cenzic, Watchfire (IBM), SPI Dynamics (HP)

Last August, a large segment of customers from the Bank of India became the victims of a massive phishing expedition. They had inadvertently downloaded more than 20 pieces of malware, Trojans and keystroke loggers that relayed sensitive information back to Russian gangs.

How could they have been so careless? By visiting the Bank of India Web site, where hacker-planted malware was automatically downloaded to users’ PCs. “They didn’t even have to log in,” says WhiteHat Security CEO Stephanie Fohn.

The customers and the bank had fallen victim to one of the most dangerous and common exploits on the Internet: cross-site scripting (XSS). The pernicious vulnerability renders firewalls and authentication schemes powerless, and has been discovered on the home pages of Google, PayPal and Microsoft’s Hotmail service. Once discovered, the bank’s IT staff likely went through a process that nearly all their U.S. counterparts have experienced: a scramble to correct that vulnerability, along with other ones detected when they brought the pros in to check the code.

WhiteHat’s Sentinel Web-application vulnerability testing tool delivers analysis as a software-as-a-service subscription, and now explores more than 600 public-facing Web sites for vulnerabilities related to XSS, SQL injection or improper escalation of privileges. Sentinel auto-scans for vulnerabilities and scrubs the results through a human analyst to shave down false positives.

But WhiteHat’s new partnership with F5 Networks automatically feeds that list of detected vulnerabilities into F5’s web-application firewall, protecting the site while giving developers some breathing room while they fix the bugs. “I like WAFs because they provide Web security experts one more option to get their job done,” CTO Jeremiah Grossman writes in his WhiteHat blog.

“I mean, consider the thousands of issues posted on sla.ckers.org, or XSSed.com, or in the WhiteHat Sentinel database. Is anyone really under the impression these will get fixed one at a time or anytime soon? And we’re just talking about the XSS. What about the rest?”

WAF technology has been around for more than a decade, but has fewer than 1,000 deployments, Grossman estimates. But that’s likely to change. PCI standards that go into effect in June specifically recommend Web application vulnerability testing and firewalls. WhiteHat’s Sentinel business has helped the company triple its customer base over the past 18 months, with CAGR revenue growth of more than 100 percent annually since 2006, according to Fohn. -Glen Fest

SECURITY WORRIES FOR P2P MOBILE

James Van Dyke

Principal, Javelin Strategy & Research

Mobile person-to-person payments and transfers (mobile P2P) offer an important potential income-generating step for financial institutions on the path to full mobile banking and eventual “mobile wallet” merchant payment capabilities, but institutions will have to overcome the security concerns that worry would-be users.

While still a niche product, demand is growing. One in 10 consumers surveyed said he’d be likely to use mobile P2P, if available, with speed and convenience as primary incentives. However, security concerns remain a leading deterrent; 63 percent of consumers said enhanced security would encourage them to use mobile payments. Even tech-savvy consumers, while interested in mobile P2P, strongly fear the loss of personal information (62 percent) and fraudulent transfers (52 percent).

Mobile person-to-person payments or money transfers are an emerging application, with marginal current adoption and most FI models still in beta. A few dominant players will dive into the market early to attempt to gain a corner on market share, while the majority of FIs will wait until competitive forces increase, betting that they won’t be passed by.

P2P transfer services offer the first mobile-specific revenue opportunity for FIs in the mobile channel, with a much larger transactional prize further in the future. Mobile P2P transfers can improve ROI because there is less physical servicing infrastructure to maintain; check and cash processing costs are reduced; labor costs are decreased; and there is an ability to leverage existing processes, networks and settlement ecosystems for the new service.

Though mobile P2P can be a modest revenue generator, it is likely that many, if not most, FIs will initially offer this service as a loss leader to spur adoption of mobile banking and payments and to selectively waive fees through the use of compensating balances and other tiered services. Hence, the focus for mobile P2P for the majority of FIs should be on extra fees and revenue from cards and banking accounts, as well as younger customers enticed with the service. Regardless of the early “wow” factor, dominant players will pay an initial premium to entice new users and carve out market share.

Consumers have security concerns about mobile payments and mobile banking in general. Interacting with friends and family removes an element of the security risk for new mobile users. At the same time, it accustoms consumers to using mobile channels for financial transactions. And with repetition comes ease, comfort and speed.

4

APPLICATION SECURITY INC.

CEO: Toby Weiss

Category: Database

Status: Private

Why They Matter: A holistic database solution that includes vulnerability scanning, assessment and real-time monitoring

Claim to Fame: DbProtect has been adopted by 1,000 enterprises worldwide

Rival: Imperva

In the early days of the Internet the worms and viruses were surely bothersome events that gummed up the works and cost money to prevent. But now those once joy-riding hackers—out merely for the thrill of a successful denial of service attack—have gone pro and are looking to steal database information.

“It’s been a major security shift,” argues Toby Weiss, CEO of Application Security Inc., and has made necessary the DbProtect solution that his company offers. “It was about worms, now it’s about data theft, and this has happened because the money is in the database. And the cost of responding to these attacks is very high.” So far 1,000 enterprises globally use DbProtect, including four of the world’s top five banks. About 40 percent of Application Security’s clients are in the financial services industry.

DbProtect is a comprehensive database solution that discovers enterprise database assets; assesses and prioritizes their level of specific risk; recommends and guides mitigation; and monitors and audits all activity in real time. The product also defines repeatable best practices and demonstrates compliance. Weiss claims DbProtect is the only offering that incorporates all critical elements to secure the database: vulnerability scanning, assessment and real-time database monitoring. This holistic approach, versus a piecemeal one, sets DbProtect apart from competitors, he says.

Besides the shift in the type of online threat, Weiss says another powerful driver behind his product’s adoption is the escalating compliance issues faced by banks and the need to implement multiple controls to satisfy government auditors.

For instance, for Sarbanes-Oxley DbProtect provides fine-grained policies and reporting to support corporate auditing efforts. To cope with the Payment Card Industry (PCI) data security standard, DbProtect provides access controls, testing, real-time monitoring, and activity alerts to limit access to cardholder information. To comply with Gramm-Leach-Bliley, DbProtect helps protect against unauthorized access of customer records and to demonstrate the integrity of non-public personal information. And, finally, DbProtect helps comply with Basel II, which requires companies to publish the details of risky investments and risk management practices, by monitoring for any potential threat to the risk management protocol. -Michael Sisk

5

CITI GLOBAL TRANSACTION SERVICES

CEO: Paul Gallant

Category: Authentication

Status: Public (A division of Citigroup)

Why They Matter: In-house development at Citi is alive and well and GTS’s new product, Secure Authorization Services, could be licensed to other banks

Accounts payable in a small corporate, much less a multinational, is a maelstrom of transactions, a blizzard of money movement. Somehow, it all must be accounted for. Earlier this year, Citi’s Global Transaction Services, which had 2007 revenues of $7.8 billion and employs 27,000, rolled out a tool that shines a light on each individual exchange in the whirlwind of global transactions.

With the tool, called Secure Authorization Services, Citi in effect takes the IdenTrust-compliant digital identity it issues to corporate clients and surrounds it with Web services, document generation, secure storage and messaging, and content and workflow management tools that were developed in-house in less than a year. Secure Authorization Services uses the IdenTrust rules set, but everything else surrounding it is Citi-built. All told, it creates a precise and easily followed record of the life of a transaction, from start to finish. Citi launched the service in January.

It can be compared to tracking changes in a word-processing document, says Hilary Ward, global product manager for Citi Managed Identity Services. In this case, though, the product creates a traceable process—an audit trail—for individual payments that an observer can follow. At the moment it is used for payment authorization, but the solution and its components are transferable and reusable for anything that needs a high level of authorization assurance.

“Let’s say you run a de-centralized treasury environment. Someone in a subsidiary is initiating a payment. You need to ensure that even though they’re authorized, that they are that authorized person,” Ward says. The tool compiles an objectively verifiable record of the payment—who’s authorizing it, who’s checking it, who’s releasing it, when and where it’s released—from the start to the time the bank gets the payment instruction.

Managed Identity Services decided to build the product as clients’ payment processing became increasingly electronic, showing the need for new ways to tie individuals to the instructions for which they are responsible. Because the digital identity here is interoperable, it can be used and relied upon for digital signing of payments across multiple banks in multiple regions.

Clients range from healthcare firms to manufacturers, from cosmetics giant L’Oreal to big pharma’s Merck. Creating this kind of brightly lit electronic pathway for payments, Ward says, adds visibility and control for Citi clients in keeping payment instructions intact. “It’s a better mousetrap,” she says. -Michael Dumiak

6

FIREEYE INC.

CEO: Ashar Aziz

Category: Enterprise

Status: Private

Why They Matter: Sniffing out stealth botnet attacks

Claim to Fame: FireEye Botwall

Rival: Damballa

Worse than the known threats to the network are the unknown threats, says Zane Taylor, vp of worldwide operations at FireEye Inc., a pure-play anti-bot vendor whose recently launched FireEye Botwall 4000 Series appliances sniff out stealth botnets that gather information quietly and under the radar of conventional network surveillance.

Botnets are increasingly pervasive, with Trojans like Storm and CoreFlood carrying sophisticated malware into corporate America and using it to commandeer corporate assets. Security researchers at rival firm Damballa say that 40 percent of the world’s computers are bots, and that bots send more than 7 million messages per day. These bots, or remotely controlled computers, pose a great threat to the security and integrity of the enterprise. As part of their mission to secure customer data from theft, banks and other financial institutions must protect their own corporate assets and intellectual property from outside attacks.

Of course, the industry is well aware of the botnet threat. But it’s also gotten so used to “noisy” intrusions from worms and viruses, says Taylor, that it’s easy to be lulled into a false sense of security when everything seems quiet. Today, the most dangerous bots want to do just that—be as quiet as possible. So even when all seems well, botnets with sophisticated malware may be present, like sleeper cells, only occasionally calling out to a bot master controller and exchanging very low-level packet information.

These infrequent exchanges are just blips in a security monitoring program, easily overlooked. But all the while they are gathering information about the architecture, slowly accumulating codes and passwords, and when an attack is finally ordered, they have all the keys to the kingdom, making the intrusion all the more devastating.

Taylor explains that FireEye’s Botwall is designed to fill this security gap, catch these bots on the fly before they launch all-out attacks—to catch “zero-day” infections. FireEye’s innovation is its underlying virtual victim machine engine which replicates a physical machine in a virtualized environment to play forward an actual attack underway. Thus, customers do not speculate that an attack is occurring but rather can catch it in sequence. FireEye’s solutions do not predict or assume an attack based on anomaly or signature-based approaches, which are useless for unknown, zero-day attacks. Instead, FireEye solutions actually see the attacks and provide the intelligence to block the takeover.

One key aspect of Botwall is the absence of false positives, says Taylor. A system that generates a lot of false positives ultimately lulls people into ignoring all alerts. “It’s like the boy who cried wolf,” Taylor says. -Michael Sisk

7

FORTENT

CEO: Sandra Jaffee

Category: Compliance

Status: Private

Why They Matter: Compliance “legs and regs” aggregation, with ability to audit distribution

Claim to Fame: Fortent Inform

Rivals: i-flex (Mantas), SAS Institute

The large volume of compliance “legs and regs” isn’t the problem for most banks; it’s that their employees are only human. A 2007 TowerGroup report found that more than two-thirds of big banks’ compliance costs were “people-related” issues, manual processes slowing down compliance reporting and auditing. Fortent, for its part, estimates that employees involved in tracking regulations accounted for 25 percent to 35 percent of compliance costs at $5-billion-plus asset banks where up to 100,000 employees might be affected by a single directive.

Last year, Fortent launched Web-based Inform, a content information management platform that offers financial services compliance officers a dashboard summary of government and regulatory updates from 154 entities. Inform gives the execs a one-stop view, and runs an auto-distribution tool that enforces required notification to workers needing to know new rules. “There’s so much coming out of various regulators, it’s very hard to keep on top of it,” says Ted Weissberg, Fortent’s group executive for information and training. “What [banks] do is just hire people to stay on top of that, but [they] don’t have an efficient means of doing it.” One client already on board with Inform: Wells Fargo.

The coverage involves all touchpoints of compliance beyond Fortent’s niche in anti-money laundering, and is more than just a desktop data dump.

The reports are meta-tagged with more than 95 criteria for sorting by compliance topics, lines of business, document type, etc. The Inform engine conducts alert tracking and delivers summaries and regs analysis from Fortent researchers, instead of, say, linking to a 20-page enforcement report when a few ‘who-when-how much’ bullet points would suffice.

Fortent claims a unique position in a market in which regulatory requirements are often presented only as vague legal summaries rather than helpful interpretation, says Inform product manager Ian Rosen. The company is also promoting Inform’s audit-trail capabilities, in which the send and receive trail is authenticated and documented for reporting purposes.

“The problem with read receipts from an IT perspective is that they are not totally secure…and not guaranteed [delivery] through typical Outlook-based email systems,” according to Rosen.

What is guaranteed: Regulations will get tougher in ’08. “The whole subprime issue is going to drive the regulatory environment,” says Weissberg. “Not just new regulation, but in driving attention to existing ones.” -Glen Fest

8

PERIMETER ESECURITY

CEO: Brad Miller

Category: Managed security service provider

Status: Private

Why They Matter: Perimeter provides the broadest base of managed security services to its customers, expanding the realm of MSSP pure-plays into compliance, messaging and other areas

Claim to Fame: Signed more than 2,000 small and mid-tier bank customers

Rivals: SecureWorks, Solutionary

The managed security service provider business continues to grow as banks have become more comfortable with outsourcing security functions, deciding that many intensive IT compliance requirements are more than they want to handle in-house.

Getting much of this outsourced security work is Perimeter eSecurity, a Connecticut-based MSSP with more than 2,000 bank customers that’s been on an acquisition tear in the past several years—with more deals in the works—thanks to more than $100 million in funding from Goldman Sachs and other venture investors. Securing its spot on The FutureNow List is Perimeter’s January 2008 acquisition of SECCAS, which extended its MSSP offerings into the arena of outsourced messaging compliance for financial institutions coping with SOX, SEC and FINRA regulations.

Perimeter uses a wide lens to scope out acquisitions. In addition to SECCAS in January, last summer Perimeter merged with USA.NET, a provider of secure eMessaging services. “Where we have been very different is not focusing on a single product segment, but focusing on providing the broadest range of security technology services,” says Brad Miller, CEO of Perimeter. “Most banks have already done the basics [in terms of security]. So, in my view, if you’re an MSSP that only does the basics, you’re going to run out of runway very quickly.”

Typical managed security service providers offer external management of edge systems like firewalls, intrusion detection and intrusion prevention, VPNs, penetration testing and vulnerability management, and security intelligence systems.

Perimeter is a pure-play MSSP, in the same category with the highly regarded SecureWorks and Solutionary, all of which have a strong focus in financial services. In its Q4 analysis of the MSSP market, Forrester predicts these “specialist MSSPs will…shift to higher-value services, including compliance consulting and helping clients with security metrics and benchmarks,” in order to compete with market leaders such as IBM, VeriSign and Symantec. -Rebecca Sausner

9

MXI SECURITY

CEO: Lawrence Reusing

Category: Endpoint

Status: Private (A division of Memory Experts International)

Why They Matter: 1) Flash is where it’s at. 2) Can be misplaced and not be a scandal. 3) Can use them as secure keys on a distributed mobile network.

Claim To Fame: Married biometrics and hardcore cryptography to a flash drive for secure storage

“It looks like a flash drive. The computer can’t tell any different. But there’s a whole lot of hidden functions the device does when you send data to it.” And that’s how Larry Hamid, CTO at Montreal-based MXI Security, begins to describe the Stealth MXP, the latest in a standout series of biometric-enabled USB sticks. While there are other biometric flash drives on the market now for ten bucks—the devices first trickled into the marketplace four or five years ago—even if they work properly they won’t be in the same league as this one. Three-factor authentication is on the menu here (bio, password and digital), and a whole crypto suite along with the ability to issue portable security tokens. On-board browsers are a possibility, as are remote access clients. Importantly, it makes no footprint. No drivers, no software installation and no administrator rights are required on the host computer.

It may look like a fingerprint reader married to a USB stick, but these are the Cadillacs of bio-enabled flash drives. Its stout security is what makes it interesting to bank executives, including clients JPMorgan Chase, Citigroup, Bank of Montreal and Scotia Bank. But what brings it to the next level is that MXI Security is really creating a portable security platform and plans to develop applications around the product. “It’s all about the portable desktop,” Hamid says. “If all your data is on the device, including your whole operating system, you can go anywhere.”

That’s probably farther down the line. Flash memory at that scale looks like the future; right now it’s still expensive and not expansive. The largest plain-vanilla flash drive available is 64 GB and costs $5,000. Right now, bankers are using the 4GB of fully encrypted storage space to carry around sensitive files without fear of leaving them in the rental-car glove box. Banks are also starting to deploy whole-disk encryption on workstations so, instead of a password to boot the machine, you may need a bio-enabled USB stick. Still, MXI is going to be well positioned going ahead as the portable desktop—make that the really secure, really portable desktop. -Michael Dumiak

10

TRICIPHER

CEO: John DeSantis

Category: Authentication

Status: Private

Why They Matter: Prevents man-in-the-middle and man-in-the-browser attacks; cheaper and more secure than OTPs

Claim To Fame: ID Tool ToGo, a secure, portable strong authentication device that’s not an OTP

Rivals: EMC’s RSA Security Division, VeriSign, Entrust

Malware like SilentBanker and Prg, the insidious Storm worm and the CoreFlood botnet have made quick work of many consumer bank accounts lately; they are the source of man-in-the-middle and man-in-the-browser attacks that many authentication systems are powerless to prevent.

But authentication methods are not the front-page news they used to be, back when compliance with FFIEC guidance was the biggest headache facing bank technologists. Most institutions are introducing incremental advances or new layers to the authentication systems they cobbled together way back when. TriCipher CEO John DeSantis crystallizes the state of the authentication market perfectly when he says, “Every six months we’re going to hear about a new authentication method. There’s going to be continual churn in the methods people propose, so you better put an infrastructure in place that can handle a lot of methods.”

TriCipher boasts “a lot of methods,” all supported by its PKI-enabled TriCipher Armored Credential System. In June 2007, the 4.0 iteration of TACS included one of the more innovative authentication tools of the year, “ID Tool ToGo,” a thumb-sized hard drive that when plugged into a USB port launches a secure browser directly from the drive. The user then enters a username and password, and enters a secure online banking zone that prevents both man-in-the-middle and man-in-the-browser attacks. The device is more secure and cheaper than OTP tokens, DeSantis says, but even with a self-provisioning feature it’s not meant for mass adoption.

“The lowest risk transactions are things that consumers do with their online banking accounts, so authentication based on cookies in the browser or lightweight authentication are still sufficient for large masses connecting to the online banking account,” he says. “As you move up the spectrum, that’s where we see this stronger second factor has been adopted.”

TriCipher claims about five million credentials in the market; the ID Tool ToGo accounts for between 10 and 20 percent of new issues, DeSantis says. Look for 2008 to be another big one for TriCipher as it forays into the single sign-on market, promising to integrate more than 100 applications like WebEx, Salesforce.com and others behind its Myonelogin portal. -Rebecca Sausner

(c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
