For a bank, protecting consumer online banking sessions from criminal activity is like protecting your family from a storm in California when you're in New York — there's very little an institution can do to protect personal computers that it doesn't own.
In light of strict
"The customers are in a hardened sandbox where it doesn't matter how infected the environment is around them," says Jason Raymond, CIO and executive vice president of the $806 million-asset Jacksonville, Fla.-based community bank.
Prosperity has purchased IronKey's Trusted Access product. Online banking customers who want to execute financial transactions via other websites while logged into Prosperity plug in a USB device that encrypts the user's keystrokes and forms a protected network between the client and Prosperity Bank. The bank controls which sites the user can access through a white list of commonly accessed sites and other sites requested by consumers.
Generally, the approved sites are for firms (utilities, retailers, brokerages) that are frequently used by bank customers as destination sites for online account transfers. The benefit for consumers is that the security of the transfer from the bank account to the approved site is unaffected by any PC vulnerability on the user's end.
The consumer's online banking session and transactions involving the approved sites all take place in a sequestered environment — any infestations from the broader internet or the user's computer can't penetrate the session. Yet there's no infringement of privacy. "People can conduct business without worrying about whether somebody is 'watching over' them," Raymond says.
Raymond says there are about 50 sites on the list, including firms such as eBay, Amazon.com, Blue Cross/Blue Shield and Charles Schwab. IronKey doesn't necessarily have a security relationship with these firms, but the bank's security strategy is to remove online banking sessions from the user's PC to a virtual environment in which layered protection is easier for the bank to ensure. "If any of our customers are performing ACH or high risk transactions, the transaction will comply with the FFIEC guidance," Raymond says.
Banks have
IronKey rival Trusteer has also recently made headway. It signed CNB, a $1 billion-asset bank based in Clearfield, Pa., that serves the northwestern and central portions of the state. CNB will deploy Trusteer Rapport to protect online banking sessions.
The software is designed to lock down consumer browsers to protect communication between the PC and the bank site, preventing penetration from man-in-the-browser and man-in-the-middle attacks. It also includes website authentication to shield against phishing attacks, as well as security alerts.
Other tech firms active in the space are Guardian Analytics, which detects potential fraud in online banking, and Nice Actimize, which offers technology that spots suspicious behavior online.