When Internet access mushroomed at Stanford University in the early 1990s, online banking at Stanford Federal Credit Union quickly followed suit.
Back when most banks didn't know what a URL was, SFCU in Palo Alto, CA was plugging in customers through the Internet and delivering the types of Web offerings that were a decade off (and more) for many other institutions: funds transfer, loan applications and even in-house bill-pay. Perhaps Internet service took off because, as Stanford CU's CTO Sam Tuohy quips, students and university employees "really don't like to give up their parking place." But inconvenience alone wouldn't account for an unheard-of 85 percent online banking enrollment rate or the fact that 99 percent of the credit union's transactions are electronically delivered through online, ATM and ACH channels.
So it comes as some surprise to learn that this small but leading-edge institution couldn't get its savvy customer base on board with stronger authentication when it first tackled the issue in 2001. Four years passed before Stanford FCU finally settled on a choice, PassMark Security's two-way authentication solution (now part of RSA Security), that wouldn't result in a mini-rebellion from accountholders who had previously disdained simple self-help measures like case-sensitive and alphanumeric passwords. "It was a struggle," admits Tuohy. "We looked at lots of different technologies, and each one had a serious objection to it. Either it would be too expensive to roll out, or it was going to require our users to do something they don't want to do."
Stanford's dealings with customer aversion and other fraud-related challenges mirror those being waged at thousands of institutions today. Banks and other firms face a barrage of choices to meet an expanding range of fraud, all for a customer base that is simultaneously worried about privacy but unwilling or unable to take adequate steps for its own protection. Rushed by the FFIEC's mandate to get on board with multifactor authentication by year's end, banks are selecting technologies from a large number of established and startup providers, technologies that some warn may have largely unknown long-term applicability and effectiveness. Some may not even be the right path for near-term scalability, says Forrester Research principal analyst Jonathan Penn. "They're not very well vetted, and you're talking about rolling them out to millions of people," says Penn. "[Banks] are worried about support: will this little tiny company be able to support me in my big rollout to five million users...when they've got lots of other people knocking on their door and they're just trying to book deals?"
"At this point, it's pretty much a free-for-all, with lots of trial," says Ted Crooks, VP of global fraud solutions for Fair Isaac. "It's going to take some months for it to settle down."
Perhaps the rigmarole is winding down because the array of solutions (electronic tokens, biometrics, scratch cards, browser tools, digital signatures, out-of-band verification, risk-based authentication, transaction monitoring and so on) is starting to come together on the vendor side in partnerships and newly packaged one-stop solutions. For example, RSA Security's acquisition this year of authentication player Cyota and later PassMark, the technology behind Bank of America's pioneering SiteKey tool, represented a "watershed" if obvious realization that "tokens aren't the only answer," says Penn.
Entrust built onto its authentication technology by adding Business Signatures Corp.'s real-time fraud detection solution. Penn says online security vendor Verisign has garnered buzz and business by acquiring transaction-monitoring software firm Snapcentric for its identity verification suite, which is attached to different fraud solutions, including Vasco Data Security tokens.
The all-in-one toolsets are driven by banks' emerging preference for behind-the-scenes products that won't interfere with customers or depend on them to patch and maintain home PC security software, says Ariana-Michele Moore, senior analyst in Celent's banking group. Banks "want to do monitoring, and maybe start to develop profiles on a user basis," says Moore.
Institutions are also reacting to surging consumer worries about phishers and man-in-the-middle attackers who spoof bank sites. Another RSA Security PassMark customer, Zions Bank in Salt Lake City, found that two-way authentication hit a sweet spot with online customers. "Within four weeks of rollout, we had 60 percent of our user base enrolled" in the voluntary phase of multifactor authentication, says Lee Carter, Zions' president of online banking. The bank is confident it will carry through with mandated enrollments in September without any brushback from customers.
Tuohy, like IT experts at many small institutions, used to think his institution was too small-fry for phishers to find. But in 2004 the credit union hired a business consultant who used Google and a pocketful of change ($25) to obtain a current Stanford email list that proved a 45 percent match against SFCU's user base. "Even if only one percent had accounts with us, and they were mentally vacant enough to respond to a phisher, that would have been 325 people giving out their private information," says Tuohy. He became convinced last summer, when two separate phishing attacks finally hit the $750 million institution and victimized two of its presumably very well-educated customers. Getting that customer buy-in today may be the banks' easiest hurdle to jump, what with the daily news of data breaches and frightening identity theft statistics issued by the Federal Trade Commission or Consumer Reports, which estimates that one in three people are potential victims.
Getting the solutions right for customer use may still require some tweaks. Bank of America notably ran into some glitches in its 2005 PassMark rollout when it initially worked with PC-based cookies rather than unique user characteristics like IP addresses and browser settings. Many institutions that have deployed challenge and reminder questions are having to address "mutable query" problems, in which customers can't remember whether they enrolled by entering numerical dates or capital letters and are getting frozen out by ultra-picky fraud monitoring engines, forcing the customer to call the bank and chew out a CSR.
But Carter, Tuohy and others aren't kidding themselves that, even if all the kinks get worked out with multifactor authentication, this will be happily ever after for institutions. There will still be the oncoming business pressure to make fraud tools a differentiating advantage rather than just a me-too staple. Token costs of $10-$25 per customer are giving way to software-based authentication solutions that cost under $1 per user, and that shift is already pushing that equation.
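The "mutable query" lockouts described above come down to how the enrolled answer is stored and compared. As an added example (not code from PassMark, RSA or any bank in this article; the function names and accepted date layouts are my own choices), this Python snippet canonicalizes a challenge answer before hashing it, so that "March 5, 1990", "03/05/1990" and "3-5-90" compare equal, as do case and punctuation variants, while only a salted, iterated hash of the answer is ever stored.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from datetime import datetime

# Date layouts a customer might plausibly type; tried in order.
# Four-digit years come first so "03/05/1990" is not truncated by %y.
_DATE_FORMATS = ("%m/%d/%Y", "%m-%d-%Y", "%Y-%m-%d", "%B %d, %Y", "%b %d, %Y",
                 "%B %d %Y", "%m/%d/%y", "%m-%d-%y")
_ITERATIONS = 200_000


def canonicalize(answer: str) -> str:
    """Reduce a typed answer to a single comparison form.

    Anything that parses as a date becomes ISO 8601 (YYYY-MM-DD).
    Everything else is case-folded, stripped of accents and punctuation,
    and has its whitespace collapsed.
    """
    text = unicodedata.normalize("NFKD", answer).strip()
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date().isoformat()
        except ValueError:
            continue
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^\w\s]", "", text.casefold())
    return re.sub(r"\s+", " ", text).strip()


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store for a newly enrolled answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode(), salt, _ITERATIONS)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a typed answer against the stored record."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

Canonicalizing slightly shrinks the space of distinct answers, which is why the hash is salted and iterated rather than a bare SHA-256; keep the list of accepted date layouts short and tell customers which forms are accepted.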
And what about the value equation of fraud solutions if online crime declines and consumers begin caring less about security parameters and complain about that pain-in-the-neck challenge question?
"I think ultimately the hassle factor will grow in importance as the fear factor reduces over time," says Fair Isaac's Crooks. "Somebody's going to figure out that identity theft is not on the rise, so eventually consumers are going to get that message...but it's going to be a year or two from now."