How a Scam Artist Helped the Art of Monitoring

Financial companies that are tightening their online security this year to comply with federal guidelines have typically focused on multifactor authentication technology, but they have Igor to thank for a second option - transaction monitoring.

The Federal Financial Institutions Examination Council said this month that multifactor authentication, which requires users to enter more than the standard username and password combination, is just one option for protecting financial companies' Web sites. "Layered security" working behind the scenes could also be considered adequate, the agency said.

So who, or what, was Igor?

Igor was the username of an especially hard-working con artist who bedeviled PayPal Inc. several years ago. In its campaign to stop Igor, PayPal developed a variety of techniques, including some of the financial industry's earliest technology for monitoring online transactions, which it unveiled in 2000 - and named after its old nemesis.

PayPal never did catch Igor. But the online person-to-person payments company thinks that because it became so adept at thwarting him, he gave up and moved on to easier prey.

That was critical, because had it not stopped Igor, PayPal would have become a prime target for other scammers using the same techniques.

The Igor transaction-monitoring software "was, basically, the reason we survived," said Max Levchin, a co-founder of PayPal and its chief technology officer from 1998 to 2002. (He has since moved on to found and become chief executive of the online photography company Slide Inc.) PayPal is a unit of eBay Inc.

Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn., said that Igor-style transaction monitoring meets the examination council's guidelines, which were spelled out this month in a frequently-asked-questions document. "One of the big points they've addressed in the FAQ is saying indirectly that transaction monitoring is one viable solution," she said.

The guidelines did not explicitly name transaction monitoring, because the council wants to avoid making specific recommendations to banks. But when the agency said there were alternatives to improved authentication, Ms. Litan said, "there's nothing else besides back-end transaction monitoring. You either do back-end transaction monitoring or front-end authentication."

Banks and others have long used transaction monitoring to detect credit card fraud, and in recent months they have started to use it to protect deposit accounts as well.

Cyota Inc. of New York began offering transaction-monitoring software for deposit accounts in April 2005, and Washington Mutual Inc. began using it in December. (RSA Security Inc. of Bedford, Mass., bought Cyota in December and now sells the software as part of its Adaptive Authentication product.)

More recently, U.S. Bancorp of Minneapolis began using software from Entrust Inc. that monitors online banking sessions. The software was developed in late 2005 by Business Signatures Corp., which Entrust, of Addison, Tex., bought last month. Citigroup Inc. and H&R Block Inc. began using the same software earlier this year.

Ms. Litan said PayPal has been "a role model for best practices in fraud prevention," but its "techniques are just now being adopted by financial institutions."

She said the key to transaction monitoring is that it operates behind the scenes, looking for what criminals may not realize are red flags. "Transparent, back-end fraud detection is effective, because if the crooks don't know what you're doing, they can't beat it," she said.

PayPal believes Igor had hundreds of other accounts in addition to a primary account; his typical scam involved creating a fake sale and then having one account pay another using a stolen credit card account. Igor would withdraw the cash before PayPal realized the card was stolen, which left the payments company on the hook once the transaction was reversed.

Some early anti-fraud software tried to spot risky transactions with simple rules-based systems, such as evaluating the time of day that they were initiated or the payment amount. But those systems are easy to beat, Mr. Levchin said.

"The bad guys, they test if you use a simple collection of rules," he said, and if they can figure out that transactions initiated at 2 a.m. get extra scrutiny, they simply wait a few hours.

The Igor software needed to evaluate plenty of other variables, many of which are neither easy nor intuitive to test - whether a new account holder bothered to capitalize his first name, for instance. Individually, these elements cannot expose fraud, but in aggregate they can indicate whether an account was opened by a fraudster or whether a legitimate one has been hijacked.

Todd Pearson, PayPal's senior director for merchant services, said Igor "was really the first groundbreaking fraud product that Max invented, really from scratch," and that the San Jose company still uses it.

Users of the Igor software could interpret the mind-boggling amount of data the system observed, Mr. Pearson said. Behavior was depicted as lines between the account being observed and other PayPal accounts with which that account had transacted. The line's thickness and its color communicated different characteristics.

For example, thickness indicated the size of a transaction. If an account had a long history of small transactions, but suddenly was linked with a thick, big transaction line to a recipient, that could be a sign that the account had been taken over, Mr. Pearson said.
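The check Mr. Pearson describes can be sketched as detection logic over an account's payment edges. This is an added example, not PayPal's Igor code: the ledger is constructed, and the `min_history` and `ratio` thresholds and the first-time-recipient flag are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample ledger: (sender, recipient, amount in dollars), oldest first.
TRANSACTIONS = [
    ("alice", "bookshop", 12.00),
    ("alice", "cafe", 8.50),
    ("alice", "bookshop", 15.25),
    ("alice", "cafe", 9.00),
    ("alice", "bookshop", 11.75),
    ("alice", "cafe", 10.00),
    ("alice", "new_payee", 950.00),   # thick line after a history of thin ones
    ("bob", "supplier", 900.00),
    ("bob", "supplier", 1100.00),
    ("bob", "supplier", 1000.00),
    ("bob", "supplier", 950.00),
    ("bob", "supplier", 1050.00),
    ("bob", "supplier", 1200.00),     # large, but normal for this account
]

def flag_thick_edges(transactions, min_history=5, ratio=10.0):
    """Flag payments far larger than the sender's own earlier payments.

    Returns (sender, recipient, amount, first_time_recipient) tuples.
    min_history and ratio are assumed tuning values, not figures from the article.
    """
    history = defaultdict(list)   # sender -> amounts seen so far
    payees = defaultdict(set)     # sender -> recipients seen so far
    flagged = []
    for sender, recipient, amount in transactions:
        past = history[sender]
        # Score only accounts with enough history to define "typical".
        if len(past) >= min_history:
            typical = median(past)  # robust to one earlier outlier
            if amount >= ratio * typical:
                first_time = recipient not in payees[sender]
                flagged.append((sender, recipient, amount, first_time))
        past.append(amount)
        payees[sender].add(recipient)
    return flagged

if __name__ == "__main__":
    for hit in flag_thick_edges(TRANSACTIONS):
        print(hit)
```

Because the baseline is each account's own median, Bob's $1,200 payment is not flagged while Alice's $950 payment is, which is the difference between this and a fixed dollar-amount rule.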

He called the Igor software a "breakthrough" and said the productivity of PayPal's anti-fraud team "went up eightfold as soon as the product was released."
