RSA Security Inc. has developed a way for banks to determine which of their customers would benefit from using passcode-generating tokens, and E-Trade Financial Corp. has agreed to use it.
Banking industry observers say the tokens, which create a new passcode every minute, are an effective anti-fraud measure, but issuing them to millions of customers can be expensive.
RSA, of Bedford, Mass., is offering its Risk Profile Report to clients to perform individual risk assessments of customers’ banking habits. RSA picked up the software with its December acquisition of Cyota Inc.
The risk-assessment software looks at transaction types and where they are made to identify people who may be more at risk of fraud. Banks’ transaction monitoring software may not raise a red flag for an unauthorized transfer from the account of someone who makes make frequent large transfers or travels often and uses different computers to initiate the transfers.
Chris Young, an RSA senior vice president and the general manger of its Cyota Consumer Solutions division, said RSA “will be able to help our customers profile their customers.” The Risk Profile Report, he said, “is based on actual analysis of specific customers in the user population.”
To use Risk Profile Report, clients must also be using its companion Risk Based Authentication transaction monitoring software, another Cyota product.
E-Trade, of New York, has offered RSA’s tokens to its customers since December 2004 and will start using both this month. The agreement is to be announced today.
“Financial institutions need to be leading the way in protecting all of our customers,” said Greg Framke, E-Trade’s chief information officer.
He was not sure how E-Trade would use the customer reports. “It’ll be something we take a look at,” he said. “We’ll see what it tells us, and then we’ll decide what to do with the data.”
Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn., said that banks using Risk Profile Report would obtain more detail on their customers but that it is primarily a means of increasing sales of RSA’s tokens.
“RSA really looks at the world in terms of authentication unit pricing-per-customer, and they want to drive the price up as much as possible,” Ms. Litan said. She put the cost of the tokens at $2 to $10 per customer. The transaction monitoring software costs $1 per customer.
Ms. Litan said the assessment software will appeal to banking companies concerned about complying with the October recommendations from the Federal Financial Institutions Examination Council, which called on financial companies to strengthen security for their riskiest remote transactions.
Using the software “seems to be an easy way to comply,” Ms. Litan said. “The FFIEC guidance calls for risk assessment, so this term, Risk Profile Report, is attractive for banks.”
Ariana-Michele Moore, an analyst at Celent Communications LLC in Boston, said “risk is always a complicated thing to determine, so the more data points you have, the better.”
But she wondered how a bank would go about telling people why they have been singled out to use tokens. “I can’t imagine a bank going to its customers and saying, ‘You’re risky,’” she said.
