Visible online security is important to customers, but bankers say it is no substitute for behind-the-scenes protection.
Stanford Federal Credit Union learned that lesson the hard way, according to Sam Tuohey, its vice president of technology and e-commerce and chief technology officer.
At a panel discussion Tuesday during a New York conference hosted by RSA Security Inc., Mr. Tuohey said the Palo Alto credit union began using authentication software from PassMark Security Inc. in February 2005 to protect its members from phishing. (RSA, of Bedford, Mass., acquired PassMark in April.)
The version that Stanford Federal installed displays a preselected image when people log in, to prove that the Web site is authentic.
Stanford Federal had never been the target of a phishing attack before the installation, and the rollout was accompanied by a major advertising campaign to inform members about the features.
Shortly after the rollout, Stanford Federal’s members began to receive e-mails directing them to a fake Web site. The site did not display the PassMark image, but some members still logged in and revealed their online banking passwords.
“Some of our members, bright as they may be at Stanford University, fell for the scam,” Mr. Tuohey said.
When the criminals tried to use the information at the credit union’s site, another feature of the PassMark software kicked in. In addition to proving to customers that a site is real, the software examines a user’s computer to determine if it is one the customer has used at the banking site in the past. If it is not, the software asks challenge questions to authenticate the user’s identity, and the criminals could not answer them.
Why make a big deal about the security features customers can see when the most effective aspect of the software is invisible to them?
Mr. Tuohey said fear can be just as bad for a bank’s online banking operations as fraud. In 2004, when phishing attacks started to rise dramatically, the growth rate for Stanford’s online banking transaction volume “tapered off a bit” to 13%.
After adding some very visible security features to its Web site (and promoting them heavily), the growth rate shot back up to 25% in 2005, he said.
Alessandro Colafranceschi, the head of online banking for the Italian banking company UniCredit SpA, said at the panel that visible security is extremely important in Italy. His company has offered customers passcode-generating tokens from RSA since last year. “The physical device, to us, to Italians, it’s key.”
Online fraud is a more recent phenomenon in Italy than in other countries, he said; phishers first targeted his company a year ago, and it has faced only three attacks in all.
But the threat quickly gained national attention, and Mr. Colafranceschi said UniCredit began to use tokens to counter customer fears that banks were losing the war on online fraud.
He agreed that defenses must go beyond what the customer can see and use.
Both Stanford Federal and UniCredit say they are considering joining RSA’s eFraudNetwork, which pools observations from RSA customers to spot fraud trends that may affect multiple companies. For example, if the network identifies a computer that has made several unsuccessful attempts to access different online banking accounts, that machine can be blocked from logging in to any account at any banking company connected to the network.
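As an added illustration of the two behind-the-scenes mechanisms described above (not code from RSA, PassMark or any of the banks named): a password presented from an unrecognised computer is stepped up to challenge questions, and a pooled fraud network blocks a machine once it has failed against several different accounts, at any participating bank. Bank names, member records, the block threshold and the challenge questions are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

class FraudNetwork:
    """Pools failed-access observations from every member bank (hypothetical analogue)."""
    def __init__(self, block_after: int = 3):
        self.block_after = block_after
        self.failed_targets = defaultdict(set)   # device_id -> {(bank, account), ...}
        self.blocked = set()

    def report_failure(self, device_id: str, bank: str, account: str) -> None:
        self.failed_targets[device_id].add((bank, account))
        # Failures against several *different* accounts are the cross-bank signal acted on.
        if len(self.failed_targets[device_id]) >= self.block_after:
            self.blocked.add(device_id)

    def is_blocked(self, device_id: str) -> bool:
        return device_id in self.blocked

@dataclass
class Member:
    password: str                                  # constructed sample; store a salted hash in practice
    known_devices: set = field(default_factory=set)
    challenges: dict = field(default_factory=dict)  # question -> expected answer

class Bank:
    def __init__(self, name: str, network: FraudNetwork):
        self.name, self.network, self.members = name, network, {}

    def login(self, account: str, password: str, device_id: str,
              answers: Optional[dict] = None) -> str:
        if self.network.is_blocked(device_id):
            return "blocked"                 # network-wide block, checked before any credential
        member = self.members.get(account)
        if member is None or not compare_digest(member.password.encode(), password.encode()):
            self.network.report_failure(device_id, self.name, account)
            return "denied"
        if device_id in member.known_devices:
            return "ok"                      # recognised computer: password alone suffices
        # Unknown computer: step up to challenge questions; a phisher with only the password stops here.
        answers = answers or {}
        if member.challenges and all(answers.get(q) == a for q, a in member.challenges.items()):
            member.known_devices.add(device_id)   # remember the device after a successful challenge
            return "ok"
        self.network.report_failure(device_id, self.name, account)
        return "challenge_failed"
```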
Cyota Inc., which RSA bought in December, introduced the network two years ago. It is now being sold as part of a product called Adaptive Authentication, which combines elements of software originally sold by RSA, Cyota, and PassMark.
Barclays PLC has been using the network since 2004. Ian Morgan, the London banking company’s head of operations and development for electronic banking, said the network has spotted 58% of the fraudulent attempts to access his company’s Web site, while challenging only 4.1% of legitimate users.
Unlike UniCredit, Barclays is targeted by “several hundred phishing attacks a month,” Mr. Morgan said. “It continues to be a big issue for us.”
The network has “been very successful as a first step,” he said. “But that is merely the first step.” Barclays plans to add other behind-the-scenes features soon, including transaction monitoring and device ID profiling.
Mr. Morgan said he also wants to improve Barclays’ visible security features. “We are looking at tightening up the front door.”