On-Line Banking: Microsoft Paves Way, With 128-Bit Codes, for Secure

Microsoft Corp. has unveiled its approach to on-line banking security and named several banks around the world ready to put it to the test.

Through what it calls Server Gated Crypto, or SGC, Microsoft systems will allow for 128-bit encryption in Internet communications between banks and their customers.

The strength of data encryption (the scrambling of messages to prevent interception and abuse) is defined by the length of the digital key. The 128-bit codes recently authorized for export from the United States are exponentially more difficult to crack than 40- or 64-bit alternatives.

Microsoft began touting its 128-bit intentions in June, soon after receiving U.S. export approval. But Microsoft was not as quick as Netscape Communications Corp. to accommodate actual transactions via Web-browsing software.

While a Netscape spokeswoman characterized Microsoft's SGC announcement this week as "old news" and "catching up," a Microsoft official claimed it offers "the first open, end-to-end solution for Internet banking" in part because of its compatibility with Netscape's market-leading Navigator browser.

"This means that international banks can build computer infrastructures based on the Microsoft BackOffice family that interoperate with a wide range of popular client software," said Michael Dusche, the Redmond, Wash., company's worldwide financial services industry manager.

Mr. Dusche said Microsoft sought to take the "high road" by enabling SGC to operate not only with the 3.02 and 4.0 versions of its Internet Explorer and Microsoft Money 98, but also with Navigator 4.0.

"We hope this is perceived as a high-level approach to enable Internet banking and make it ubiquitous," Mr. Dusche said in a press briefing.

Microsoft, he said, came around to this open point of view after initially working only with its own browser.

"As unlikely as it is that all banks would use the same software, it is even more farfetched that all customers would use the same Internet browser," Mr. Dusche said. "If a client comes in with Navigator 4.0, our software will interoperate with it as if it were an Internet Explorer client."

Executive vice president Dudley Nigg of Wells Fargo Bank, one of those endorsing SGC, deemed it "truly a step forward" because of the interoperability.

Like Netscape, Microsoft is relying on Verisign Inc. of Mountain View, Calif., for the digital certificates that assure the validity of bank-servers and customer-clients in an on-line transaction.

SGC, which Microsoft invites banks to download from its World Wide Web site, is technically an extension to the Secure Sockets Layer, a transaction security protocol that has its roots in Netscape. A "handshake" takes place between the server and client to engage the 128-bit encryption. If 128-bit encryption is not available, the two computers will settle on the highest level of mutually available security.

Mr. Dusche took a critical shot at Netscape, saying its servers do not interoperate with Microsoft Internet Explorer. But Netscape spokeswoman Chris Holten called that a nonissue because Verisign certificates assure compatibility.

Mr. Dusche said banks that activate SGC this week can expect to be encrypting at 128 bits within a month. Among those that have signed on are Wells, Inverlat of Mexico, ASB Bank of New Zealand, Bank of New Zealand, Banca Nazionale del Lavoro of Italy, and Nedcor of South Africa.

Several international technology companies said they would build SGC into their systems.
