Stanford Federal Credit Union of Palo Alto, Calif., is the first depository institution to use an innovative anti-phishing system from PassMark Security LLC - even though it has never been phished.
"That doesn't mean we won't be," said Sam Tuohey, its vice president for technology and e-commerce.
The credit union has been testing PassMark's namesake authentication system since mid-October and made it available to all customers Tuesday.
PassMark's system allows customers to select a personal image - such as a photo of a pet or relative - that is displayed any time they log on to their bank Web site.
Phishers try to lure people to fake bank Web sites. Customers accustomed to seeing their personalized image at Stanford Federal's site will be less apt to get fooled by an impostor site, Mr. Tuohey said.
Though most phishers have impersonated major banks, roughly 20% of these attacks use the names of smaller banks and credit unions, according to the Anti-Phishing Working Group.
Bill Harris, PassMark's chairman and a co-founder, of the Redwood City, Calif., company, said conventional passwords are "weak" and that his system provides an additional layer of security.
PassMark financial institutions can also phone customers automatically at log-in, providing a third factor of authentication, Mr. Harris said. A forthcoming version of PassMark will verify customers' identity by voice, he said.
Many banks have hired companies to detect and disable phishing attacks, but few have a customer-facing approach that goes beyond providing information. Some, including E-Trade Financial Corp. of New York, are evaluating supplemental security measures, such as a key-chain fob that generates an ever-changing validation number as an extra log-in code.
Key-chain tokens and similar devices are called two-factor authentication because they combine a password with a second security device. Mr. Tuohey said Stanford Federal did not want to burden its customers with a piece of hardware.
Avivah Litan, a vice president and research director at the Gartner Inc. market research company in Stamford, Conn., said key-chain devices are more secure than PassMark but require people to keep track of an additional piece of hardware.
"Customers told us that's their least favorable option," Ms. Litan said.
Instead, PassMark's system places a file on customers' computers, to function as a second authenticating factor.
Stanford Federal is a big win for PassMark, she said. The credit union's owner-members include Stanford University, which, Ms. Litan noted, has trained some of the tech industry's giants, including the founders of Google Inc.
For a tech vendor, Stanford Federal Credit Union is "a sexy thing to have on your resume," Ms. Litan said.
Ariana-Michele Moore, a senior analyst at Celent Communications LLC in Boston, said signing up Stanford Federal will open doors for PassMark.
"A lot of banks will not want to touch a vendor until they've been validated by other banks," she said.
PassMark expects to announce an agreement soon with a top-tier bank, Mr. Harris said.
