The Internet continues to have a tremendous impact on how and where business is conducted. A recent International Data Corp. report estimates that by 2003, business conducted on the Internet-both business-to-consumer and business-to-business-will surpass $1.3 trillion dollars.
With the rise in e-business comes a corresponding need to develop security measures to enable those transactions to take place, particularly in banking. "Generally the big story is that as business-to-business commerce has grown within financial services, there are significant sums of money at risk-and as a consequence, business adopts appropriate technologies as business decisions," says Richard Bell, senior analyst for retail banking at TowerGroup, Needham, MA.
In the beginning
One challenge to the continual escalation of Internet security lies in the basic structure of the Internet. The original designers of the Internet and its protocols paid little attention to security issues. Networks were assumed to be either isolated, private, and physically secure-or totally public.
But in world of e-commerce, security has evolved into a paramount concern, both for ensuring safe transactions and instilling confidence in a sometimes-jittery public. Washington, DC-based Frederick Schneiders Research conducted a survey last year indicating that an overwhelming majority of consumers are concerned about Internet security. Nearly 85% of respondents stated their concern with the security of online financial transactions.
"From my perspective," says Steve Jensen, vice president of information security services for Minneapolis-based U.S. Bancorp, "customers are more concerned about the perception of the Internet and the relative security of it." But Jensen believes that fears, such as those regarding credit card transactions, are overstated. "People generally have no problem giving their credit card number and expiration date over the phone when ordering something through a catalogue," he points out.
The concerns work both ways. A recent survey by Security Magazine of some 1,500 security executives at banks, insurance companies, and investment firms show that electronic security has overtaken bank robberies as the greatest threat facing financial services companies.
There are always individuals seeking to break into a network, whether for purposes of sabotage, to get information, or merely to wreak havoc. "We certainly have a number of hackers and crackers that make strong attempts to break through the system," Jensen says. "We've never had a documented case, though, where that's actually occurred. We see attempts at breaking in on our attrition detection system, but they never get beyond that into our backend systems."
Still, even the best security is never "absolutely absolute," experts say. Just about any security code can be broken, given enough time and money. Late last summer a group of Amsterdam-based scientists working for the National Research Institute for Mathematics and Computer Science claimed to have broken an international security code used to protect millions of daily Internet transactions. Using a Cray 900-16 supercomputer, 300 personal computers, and specially designed number-crunching software, they managed to break the RSA-155 code-the backbone of encryption codes designed to protect both credit card transactions and e-mail messages. (RSA codes were designed in the mid-1970s by a team at the Massachusetts Institute of Technology.)
While few hackers, however sophisticated, have resources such as those used by the Dutch scientists, such incidents serve to remind the banking industry that security is often a matter of staying a step ahead.
"We see higher rates of adoption of the more advanced security technologies with the business-to-business segment of the banking industry," Bell says. "The use of cryptography, particularly PKI [public key infrastructure], which is the most prominent cryptographic technology in widespread use, is one notable example."
The spread of PKI was seen this past December, when Microsoft Corp. and IBM Corp. announced the formation of a collaborative PKI Forum. The member companies are stepping forward, they say, to help improve understanding, usability, and profitability of the PKI business, and the group includes partners such as data encryption stalwart RSA Security Inc. and digital certificate vendors Baltimore Technologies plc and Entrust Technologies Inc.
"Security has moved from being something to keep people out to something that enables e-business," says Chris Voice, director of product management for Plano, TX-based Entrust. In business since 1994, Entrust sells products based on PKI technology and is a spin-off of Nortel Networks.
"What we do is ensure at all times that you know who you're doing business with through authentication," Voice says, "and that the transaction itself is secure and can't be read online by anybody other than the designated parties." Entrust also provides non-repudiation. "So if I send you a transaction, I can't deny it later," he adds.
Financial institutions were early adopters of Entrust's PKI products. "Banking is our single biggest vertical market in terms of our sales," Voice says. "Many of them ask that we not mention their names because they view this technology as strategic, but there's virtually no bank on Wall Street that isn't using our technology."
Entrust also provides browser plug-ins that make it easier for organizations to deploy PKI, as well as developer tools that help developers PKI-enable their own applications. "By taking advantage of trust in e-business transactions, I can reduce the cost associated with fraudulent transactions," Voice explains.
Entrust is also planning to adapt and apply PKI security to mobile phones, pagers, personal digital assistants, and other mobile appliances.
PKI may become the status quo in the near future. At the Bank Administration Institute's Retail Delivery Services conference held in Miami last December, Microsoft announced that Windows 2000, the new version of its operating system, will have PKI built in.
A number of firms-such as the aforementioned Entrust and Baltimore Technologies-are attempting to set the cryptographic standard. "Security is such a fundamental infrastructure issue," Bell says, "that at the end of the day it's a space where commonality is in everyone's best interest and where, failing commonality, adoption rates will be substantially slowed."
Some steps toward greater clarity, if not unification, in e-security have been made. "There have been agreements to form joint activities for issuing certificates and to manage the certificate process of business clients," notes Bell, who takes a wait-and-see approach to predicting any likely vendor winners. "The certificate issuance business, with the stakes and competitive advantage it can offer, is for lots of folks to slug out."
Digital certificates are unique electronic files that provide a way to confirm identities online, both on the client and server sides. The certificates assure customers they've securely reached the correct server and can exchange messages safely, while assuring the institution on the other end that a valid user is accessing the system.
Early last year, Charlotte, NC-based Bank of America Corp. became one of the first institutions to complete a large-scale deployment of digital certificates to its corporate clients. In August, the bank announced the conclusion of the first phase of the National Automated Clearing House Association (NACHA) certification authority interoperability pilot, designed to facilitate secure Internet commerce among banks, consumers, and merchants. The pilot tested the use of digital certificates for digitally signing authorization debit agreements.
Bank of America's deployment was revolutionary, according to Anil Pereira, vice president for the Internet services group at Mountain View, CA-based Verisign, which provided the Web site certificates to the bank. "It was the first use of online certificate status protection-a technology that enables real-time validation of digital certificates," he says.
"If you look at different vertical industries, clearly the financial industry is forward-thinking in its use of advanced technology and security technology. They tend to be on the leading edge," Pereira says, pointing to banks' movement into wireless and virtual private networks. "The ability to deliver authenticated and secure information to handheld devices like cell phones and pagers is a glimpse of what's coming in the future."
Pereira lists a broad range of banks beyond Bank of America that use Verisign's site certificate services, such as First Union Corp., Wells Fargo & Co., and the Royal Bank of Canada. "Every Fortune 500 company with a Web presence is a customer of ours," he claims.
Keep out crooks
The challenge of maintaining security is a day-to-day task that evolves and changes with technology. Michael Zboray, research director with Stamford, CT-based GartnerGroup, believes that nowadays it takes more than a garden-variety firewall to secure a Web site.
"The current attack against Web servers has changed a little bit in nature," he says. "It's not really a matter of trying to attack services running on the server. The attacks are the kind of attacks that go right through a firewall-basically, manipulating URLs that are presented to the server, and gaining illicit access to files and services on the server itself."
The problem is that merely telling administrators to be vigilant doesn't work. "They're human beings, and they make mistakes no matter how much you tell them not to," Zboray says. "So how do you apply technology to compensate for the fact that people screw up no matter what you do?"
Zboray points to several ways to mitigate risk. Chief among them is detection technology. "The best kind of intrusion detection is host-based, runs on the server that you're trying to protect," he says. "It's going to have components that make sure the files on the server have not been compromised." A frequent mistake is that Web-enabled institutions sometimes run intrusion technology on their network, viewing it as a simple "bolt on" solution. "It doesn't do a whole lot," Zboray declares.
Working out kinks
Another good tactic is maintaining a regular program of penetration tests with tools that play the role of hacker. "If you choose to outsource this sort of thing, it's very important that you plan a set of tests against your outsourced Web site," Zboray declares, "and that the outsourced Web site manager knows that there will be unscheduled tests. That way, what is being delivered to the client is of high quality."
Web site pages have to be secure as well. The use of encrypted or restricted cookies that can be read only by the Web site that deposited them is necessary for preventing security breaches. "If you don't do that, it's possible to use some techniques to trick the Web browser into divulging the content of the cookies to an unauthorized Web site. Frankly, there are some organizations that are doing this-they're taking the unsafe approach. There are going to be government audits in the future," Zboray warns.
Another good security measure is to be confident you've applied technology that compensates for any miscues, such as trusted operating systems. "Smaller banks tend to be NT-reliant," Zboray says, which gives them a security edge.
A number of approaches have been proposed to guarantee identity verification. One of the most intriguing has been undertaken by Toronto-based ING Direct, a phone and Internet bank owned by ING Group of the Netherlands. The bank announced plans late last November to provide home fingerprint readers that verify customers' identities online. A reader will be built into a computer's mouse, and software will compare the readings with images stored in a database, making log-in passwords unnecessary.
Some security analysts, such as Cambridge, MA-based Forrester Research Inc.'s Charles Rutstein, express doubts about the cost-effectiveness of going to an online biometric ID rather than adding digital certificates to enhance online security.
American Express Co. is taking another route by placing smart card reader technology on the customer's desktop for securing the company's new Blue card.
"American Express has had so much uptake on that card, they can't deliver the reader for about eight weeks," Zboray says. "In theory, it's great stuff, but we've got a little ways before it's going to be easy for the bank in the middle of the road to deploy that." He adds that it has a high-end exclusivity aspect to it. "It stretches the expertise of your typical end user. Even though the technology works right, you've got a low-tech user sitting there saying...hmmm."
U.S. Bancorp's Jensen is emphatic that for a bank with an active presence on the Web, more than plain firewalls are necessary to enable security.
"It's a comprehensive infrastructure of firewalls, the proper directory services, authentication, intrusion detection systems, and so forth," he says, while reiterating that the Internet is no less secure than other venues.
"Because it's received so much attention, the Internet channel, if done properly, can be one of the most secure channels to do business," Jensen maintains. "As a result, if all those security safeguards are piecemealed together and are orchestrated over an overall security policy, e-commerce is one of the more viable ways to do business today."
Art Daudelin is a business writer based in Brooklyn, NY.