Software Monitors Surfers' Tracks for Hints of Fraud

To spot signs of fraud, banks are looking at how people navigate through their Web sites.

One new application, from Business Signatures Corp. of Redwood Shores, Calif., monitors what happens after a user logs in. By midyear it will be able to block suspicious transactions.

Another, from Corillian Corp. of Hillsboro, Ore., takes a different tack. To spot criminals planning to create imposter Web sites, it looks at which pages people view on a bank’s site. This application has been available since last year, and the company said it has proven highly effective against phishing.

“Monitoring Web site traffic lets the financial institution see what types of requests are being made of their Web site,” where the requests come from, and what software the Web surfer is using, said Jim Maloney, Corillian’s chief security executive, in an e-mail. “This information can be used to detect patterns of activity that lead to fraud.”

Corillian’s Fraud Detection System monitors visitors to a bank’s public Web pages to determine who is clicking them in search of information on loans or different types of accounts, and who may be collecting data to create phony sites that could be used in online scams. The bank can use the data to prevent a spoof site from going live.

Mr. Maloney said a top-10 financial institution that began using the software this year virtually eliminated “successful phishing attacks related to its online banking service.” The company, which he would not name, reported that phishing incidents using its name had declined more than 90%, he said.

Peter Relan, the chairman and chief executive of Business Signatures, says his product, Fraud Prevention Solution, was designed to do a similar task, but after a customer has logged in.

Online banking customers are “creatures of habit,” he said. By building a history of their online banking sessions, his software can determine when seemingly innocent behavior departs from the customer’s habits.

For example, adding a payee to online bill pay may not be suspicious by itself. But if a customer habitually checks balances before paying bills, adding a payee without doing so could mean a criminal has accessed the account — especially if the new payee is to receive a substantial sum.
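The habit check described above can be sketched as follows. This is an added example, not code from Business Signatures or the article; the event schema, action names and thresholds (`min_sessions`, `habit_rate`, `large`) are assumptions chosen for illustration.

```python
# Constructed event schema: (action, payee, amount). Action names are hypothetical.
BILL_PAY = {"add_payee", "pay_bill"}

def checked_first(session):
    """Did a balance check precede the first bill-pay action? None if the session has none."""
    checked = False
    for action, _payee, _amount in session:
        if action == "check_balance":
            checked = True
        elif action in BILL_PAY:
            return checked
    return None

def habit(history):
    """Return (rate, n): share of past bill-pay sessions that began with a balance check."""
    outcomes = [o for o in map(checked_first, history) if o is not None]
    return (sum(outcomes) / len(outcomes) if outcomes else 0.0), len(outcomes)

def score_session(history, session, min_sessions=5, habit_rate=0.8, large=1000.0):
    """Classify a session as 'ok', 'warn' or 'review' against the customer's own habit."""
    rate, n = habit(history)
    # Only judge customers with enough history and a consistent habit (assumed thresholds).
    habitual = n >= min_sessions and rate >= habit_rate
    checked, unvetted, level = False, set(), "ok"
    for action, payee, amount in session:
        if action == "check_balance":
            checked = True
        elif action == "add_payee" and habitual and not checked:
            unvetted.add(payee)      # departs from this customer's usual order
            level = "warn"
        elif action == "pay_bill" and payee in unvetted and amount >= large:
            return "review"          # the new payee is to receive a substantial sum
    return level

# Constructed sample data: six habitual sessions, then one that skips the balance check.
USUAL = [("login", None, 0), ("check_balance", None, 0), ("pay_bill", "utility", 80.0)]
HISTORY = [USUAL] * 6
ODD = [("login", None, 0), ("add_payee", "new-payee", 0), ("pay_bill", "new-payee", 2500.0)]

if __name__ == "__main__":
    print(score_session(HISTORY, USUAL), score_session(HISTORY, ODD))
```

A customer who never checks balances first produces no alert for the same session, because the score is relative to that customer's own history rather than a general rule.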

Mr. Relan said two banks and a brokerage are testing his software now. (He would not name them.) The software can only issue warnings now, he said, but by midyear customers could use it to block suspicious transactions.

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said it is too soon to tell how effective Business Signatures’ software might be.

There is interest in it, though, Ms. Litan said. “Their stuff’s a little unproven” but one company using it is “intrigued,” she said.

This approach has been used in other situations, Ms. Litan noted. For example, many companies use software to monitor what their employees do online or keep records of when they access sensitive data.

But “the flip side of this is you lose your privacy,” she said. “Good fraud detection is very invasive to someone’s privacy.”

One problem is that Business Signatures would probably have to store all the data, she said. “It would be very difficult for a bank to run this inside the firewall, because of the storage implications.” But many banks “are averse to having that much information at a service provider,” Ms. Litan said.

George Tubin, a senior analyst at TowerGroup Inc., a Needham, Mass., market research unit of MasterCard International, discounted the privacy issue.

“The way information is kept is only good for the [Business Signatures] application,” he said. Business Signatures’ approach of profiling individual users’ habits could be more effective than trying to define generally suspect activities, he said.

“If somebody walks in a store and they keep their eyes down and their hands in their pockets and look suspicious,” the store’s owner might think that person is a thief, he said. “But maybe you have a couple of customers where that’s just their personality.”

Bruce Cundiff, a research analyst for Javelin Strategy and Research of Pleasanton, Calif., said that the Business Signatures software “definitely makes sense,” but he warned that anti-fraud software that runs behind the scenes does only half the job. Many banks want their security systems to be visible to reassure customers, he said.

“How much value is an invisible solution if half of what I’m dealing with is consumer perception?”
