Dynamic Project at Scivantage

The brokerage technology vendor Scivantage Inc. is developing a security system that uses challenge questions with dynamic answers, making them more resistant to keyloggers.

On the surface the Jersey City company’s product is similar to software offered by EMC Corp.’s RSA Security and by Entrust Inc. — it presents a personalized image to the user while invisibly attempting to tell whether the user’s computer is known to belong to the account holder.

Like those other systems, it falls back on challenge questions to identify the user when it does not recognize the user’s computer. Unlike those systems, it offers challenge questions about recent account activity, so the answers are in constant flux.

Asking a dynamic question can “really eliminate the risk of keyboard hacking and being able to record keystrokes,” said Adnane Charchour, Scivantage’s president and chief executive.

Because such systems are meant to protect against stolen passwords, it makes little sense to rely on questions whose answers can be stolen just as easily, he said.

Challenge questions have long been problematic, observers say. Personal information such as a mother’s maiden name once was considered secure, but is now a common enough question that a fraudster may easily find the answer.

Thinking up new questions is just as problematic. Some personal information is used so infrequently it is hard to remember, and customers’ tastes change frequently enough that asking them what their favorite movie is could yield a different answer each time.

Mr. Charchour said that by relying on account information from within the past five days, his system can ask for information that is still fresh in the customer’s mind.

The security software, which will be made available to brokerages in the first quarter as part of a product for integrating disparate systems, is made possible in part by Scivantage’s recent acquisition of Kenamea Inc., an alerts company. Kenamea’s software can supplement the security system by monitoring for suspicious activity, such as repeated failed log-in attempts, and alerting the bank or brokerage to the possible online break-in.

Avivah Litan, a vice president and research director at Gartner Inc., a market researcher in Stamford, Conn., said that dynamic challenge questions have been considered by some banks and brokerages, but she does not know of any system that has been fully developed.

The advantages to dynamic answers are clear, Ms. Litan said. “You don’t have to enroll people, so it’s much more convenient for the customer.” And because the answers are time-sensitive, phishers cannot make easy use of them.

However, though the method may work for brokerages, “I’m not sure it would work for banks, or for any companies where there are not that many transactions,” Ms. Litan said.

And even online brokerage customers go far longer than five days between trades, so in many cases there may not be enough recent activity from which to build challenge questions, she said.

This could be solved by working with another vendor, such as Verid Inc., which provides data from public databases for challenge questions, but that would add to the cost of the system, she said.
