On the Question Of Internet Security, A Three-Sided Debate

As banking and commerce begin evolving on the Internet, security remains a big question, and perhaps the biggest obstacle to a true market breakthrough.

The answers, so far, seem to be pretty much in the eyes of the beholders.

Interviews with experts from both information security and banking backgrounds reveal three distinct schools of thought:

* Believers, who are ready to put their faith in data encryption and associated technological protections.

* Skeptics, who are unmoved by the safety supposedly afforded by complex mathematical algorithms.

* Realists, somewhere in the middle, who are applying the bankerly discipline of risk management.

The Internet being a world of action, philosophies don't preclude any of the groups from pushing forward.

The Believers rally around what has become the standard defense of Internet commercial security - that an on-line credit card purchase would be safer than the standard practice of handing the same card over to a waiter to complete a restaurant transaction.

Not to be outdone by cliche, First Virtual Holdings chief scientist Nathaniel Borenstein said, Internet security is "like putting a bank vault door on a grass hut. You've really made sure people aren't going to come in the door, but unfortunately they can put their finger in a hole in the wall and get in."

Accordingly, San Diego-based First Virtual created an Internet commerce system in which financial data travel off the Net and down a private pipeline instead.

And what about all those bankers who are jumping on the Internet bandwagon, which in the past might have been seen as too wild a ride? They have turned into risk-balancing entrepreneurs.

"Security is the No. 1 priority, but it's not something we should let hold us back," said Debra B. Rossi, senior vice president of electronic payment solutions at Wells Fargo Bank in San Francisco, which is pursuing one of the most aggressive Net-banking strategies.

Wells and others leading this charge have decided they have the technology and the opportunity to build customer trust in a new communications medium, and the benefits of being first outweigh the risks of data insecurity or marketing timidity.

In that regard, the risk-management school seems to lean away from the skeptics and toward the believers.

One who would be counted in the latter camp, Netscape Communications Corp. president James Barksdale, invokes an analogy worthy of a realist: "Is airline flying safe? We're convinced it is, even though we still have tragedies."

More than a dozen bankers, technology experts, and opinion leaders voiced opinions for this article that were all over the risk-assessment map. But virtually all agreed on one thing: that the public perceives the system as insecure.

"We cannot exist if the mass market cannot be convinced it is secure, and rightly so," Mr. Barksdale said in a speech in January at the RSA Data Security Inc. conference in San Francisco.

"Unease over security is a major impediment to consumer acceptance," said Evan Hendricks, editor of Privacy Times, a Washington-based newsletter. "People cannot be confident that information about their transactions won't be used for purposes other than what they expect."

Ted Spooner, president of Interactive Solutions Corp., an Internet-banking system developer in Beaverton, Ore., answered those concerns at a recent Financial Institutions Marketing Association conference by taking off from the restaurant analogy.

"If I gave (the waiter) a card on which he couldn't read the numbers, would that make you more comfortable?" Mr. Spooner said. "That's what SSL (the "secure sockets layer" in Netscape software) does - it encrypts the data so that you can't read it.

"The perception has not yet been created that it's more secure than what we do today, but the reality is that it is."

Among those most adamant in insisting that security is adequate are top executives at the major banks that have invested significant resources to bring on-line banking to their customers, and technology entrepreneurs who have parlayed their security and payment products into big dollars.

Wall Street has helped validate these executives' faith in on-line securability through the resounding success of initial public stock offerings by companies like Netscape and Cybercash Inc.

"Encryption works fine," said Michael McChesney, chairman and chief executive of Five Paces Software and of Secureware, companies that were closely associated with the launch of the highly touted Internet-only bank, Security First Network Bank of Pineville, Ky.

"If you look hard enough, you can find an anecdote or situation where an encryption system was flawed, but you can't find anyone who lost any money on it," said Mr. McChesney, who has been doing government contract work on high-level data security for many years. "The fear was spread by pundits and the media who just wanted an interesting angle on it."

But even people who feel confident about security on the Internet said it is a constant concern requiring perpetual vigilance. As electronic commerce and security threats to it grow more sophisticated, they said, safety mechanisms must keep pace.

"Security is a moving target," said Edward R. Berryman, vice president for electronic commerce at Unisys Corp. "Although we feel reasonably good about the alternatives today, that doesn't mean we're just going to sit pat."

Noting that no system is fool-proof, Mr. Berryman pointed to the U.S. Treasury's recent redesign of the $100 bill to thwart counterfeiting.

"Just as the U.S. government attempts to stay ahead of the forgers, we're going to have to do that as well," Mr. Berryman said.

To explain the problem of Internet security, experts point to the system's origin as a medium of open exchange for academics and researchers. It was purposely designed with minimal barriers. Adapting this open network for electronic commerce poses a reengineering challenge.

"The Internet is only as strong as its weakest link," Mr. Berryman said. "The issue for banks is to find out what they can do in order to create business out of this wonderful new access net, but also to protect clients' rights."

Dominick Cavuoto, a director at KPMG Peat Marwick who advises banks about on-line services, said encryption and firewall protections make the Internet "fairly secure."

But he tells his banking clients to stay on their toes. "As fast as you will go, that's as fast as people will go to try to break it," Mr. Cavuoto said of network security.

Though the risk of intrusion may be small, security experts warn that bankers are right to take any risk seriously, since malicious meddling has the potential to tarnish an institution's name and reputation.

"The worst example is when somebody goes into your home page, where you're selling flowers or something, and before you know it, some hacker has replaced your nice message and is advertising pornography," said David Zimmerman, director of Internet banking for Unisys.

Mr. Zimmerman said "the right suite of products" should allow bankers to feel safe doing business on the Net, but the potential for trouble is ominous. "Our concern is that all banks get robbed sooner or later," he said.

Most experts agreed that no technology provides a panacea. However many safeguards may be placed on an institution's computer system, they said, potential problems lurk everywhere, from the lack of security in a customer's personal computer to the ignorance or greed of bank employees.

"The way to think about security is not only as a product or technology, but as a policy which is implemented throughout an organization," said Humphrey Polanen, general manager of the Internet commerce group at Sun Microsystems.

"Much of it depends on human behavior," Mr. Polanen said. "It requires training and awareness of personnel. It's really a mind-set, a policy, which then becomes guidelines that get implemented."

Nick DiGiacomo, corporate vice president at Science Applications International Corp., San Diego, and head of its At Your Service electronic commerce consulting group, urges service providers to pay attention to "internal architecture" as well as technology.

"I tell clients to focus on where their weaknesses are now, and where they will be if they change the distribution system," Mr. DiGiacomo said. "It's as much a human resource and network-system management problem - there is high turnover in those fields, and those people get access to sensitive information" and perhaps even encryption expertise.

"People tend to focus on the strength of encryption, but if encryption is going to be cracked, people will steal something more valuable before they go after credit card numbers," Mr. DiGiacomo said.

On the technology itself, the experts differed somewhat over whether SET, the Secure Electronic Transaction protocol recently agreed to by Visa and MasterCard, will have a significant impact on security. Most thought the guidelines would not only boost security, but also bolster public confidence in the system.

But Mr. Borenstein of First Virtual called SET "a small part of the solution."

"I think they have seriously underestimated the scope of what is needed," he said.

Taher El-Gamal, Netscape's chief scientist, said banking applications will not be fully secure until digital signatures are in place. These would serve to authenticate the identities of buyer and seller. RSA Data Security's spinoff, Verisign Inc., is pushing digital signatures particularly hard, claiming to be the only company fully dedicated to this technology.

"The real question is, what do you need security for?" Mr. El-Gamal said. "I think we already have adequate security for the classes of things that bankers and their customers need to do - including checking balances and getting a list, say, of the last 50 transactions."

But for transactions of higher value, and hence risk - Mr. El-Gamal used the example of a $200,000 fund transfer - current security offerings fall short.

"We're working on new systems that will allow such things," Mr. El-Gamal said. "We need to prove later that this transaction did come from the right consumer and the right bank."

As the risk-management philosophy would dictate, the sensitivity of the data should determine the level of security necessary.

"You have to measure the size of the business problem versus the cost of the technological solution," said Diogo Teixeira, president of Tower Group in Wellesley, Mass. "There's no perfect security anywhere, there's no channel where fraud doesn't occur. There are bank robberies, but that doesn't mean people stop using branches."

"Sending E-mail, you can feel just about as secure as you do putting letters in a mail box," said Gytis M. Barzdukas, product manager in Microsoft Corp.'s consumer systems division.

But with more sensitive information, Mr. Barzdukas said, "I think you should use some sort of encryption technology. Once you do, the chances of its being tampered with are minimal."

Mr. Barzdukas said he enjoys window-shopping on the World Wide Web, but would not make an on-line purchase. "Personally, I'm not comfortable today putting my credit card number on the Internet," he said.

Jeffrey Kutler contributed to this article.
