A leading provider of on-line transaction systems and security for automated teller machine networks has developed a hardware-based encryption device designed to protect bank transactions sent over the Internet.
The system, called Websafe, was made by Atalla Corp. - the San Jose, Calif.-based division of Tandem Computer Corp. - and can be used for payments, electronic notarization, secure e-mail, and electronic data interchange applications.
Atalla officials claim that the system provides a higher level of security than currently available software-based encryption products.
The company's announcement is particularly timely in light of recent reports on breaches of security software. The most notable instance was the thwarting of a popular encryption product made by Netscape Communications Corp.
The incident renewed bankers' concerns about conducting financial transactions over the vast, public Internet.
Atalla hopes to address these fears with the new system, which officials said employs the same technology used to secure ATM networks.
Atalla has a long track record of providing security for financial transactions.
The company, with 23 years of experience in financial network security, supplies hardware-based security for 70% of all ATM transactions in North America, company officials said.
Hardware encryption is thought to be inherently more secure than its software counterpart, according to industry experts.
"The idea is that hardware is more secure because you can lock it up, physically and electronically, so people can't get to (the data)," said Jerome Svigals, an electronic banking consultant based in Redwood City, Calif. "Software can be copied and taken."
With regard to Websafe in particular, Mr. Svigals took a cautionary position, going only so far as to say that it "may be" more secure than today's software encryption products.
Websafe is a peripheral device that attaches to an Internet Web server at a bank or third-party provider.
The device is physically secured; if someone tries to break into it, data are automatically erased and cannot be retrieved.
The device is also what Atalla calls "logically" secure. This means that, because all the security processing is done within Websafe's hardware, it is nearly impossible for anyone to see cryptographic material.
By contrast, software products process encryption data on a host computer, explained Larry Hines, Atalla product manager, network security. This involves decrypting the data so that they can be recognized and made useful. At that point, the information can be subject to fraud, he said.
Websafe operates by translating data sent over the Internet from the typical public key encryption used by software solutions to the hardware-based "DES" encryption used by the bank payment network.
Mr. Svigals pointed out that the combination provides the convenience of public keys, which anyone can gain access to, with the added security of the DES algorithm, which provides an additional advantage of being a faster transmission protocol.
Websafe also includes support for an electronic notarization function that can be used to verify the identity of an Internet user. This is another growing security concern with regard to electronic communication.
The notarization process would involve establishing the identity of a user through the use of third-party certification authorities - most likely major credit card companies, banks, telecommunications companies, and post offices.
The process is similar to one supported by Verisign Inc., a Redwood City, Calif.-based company that has developed "digital ID" technology designed to authenticate the origin of information sent over public and private networks.
Atalla's Mr. Hines said that the company would like to work with Verisign, but no definitive plans have been made.
Several large banks that Mr. Hines declined to name will be testing Websafe.
The cost of one unit is $12,500, and Atalla plans to eventually offer several Websafe products.
As transaction volume grows, banks can simply add more boxes, Mr. Hines said.