Those in the market for a new system to secure their Web operations face a dilemma-how to authenticate without intruding upon the customer's privacy. Kenneth Bob, chief executive officer of Uniondale, NY-based Safewww Inc., thinks it's a no-brainer. The company's IDshield links a person's idenity with his PC. "Our mathematical solution inventories your hardware and matches you with it."
The company boasts that it is all but impossible to hack into a system protected by IDshield. Not only does the product rely on user name and password, but it also identifies a person based on certain parameters related to his personal computer, explains Bob.
IDshield, which was introduced to the financial market last November, looks at the serial numbers on the central processing unit, hard drive and basic input/output system (BIOS) on people's computers and runs an algorithm on these combined characteristics that associates individuals with their computers. "It's mathematically impossible to match someone else's numbers to yours," says Bob. "The data security experts we've hired to hack it say they've never seen anything like (IDshield) that actually works."
Plug and play
Safewww serves several markets, including financial institutions and electronic payments. The core technology remains the same, but the interface differs from market to market, says Bob. "The difference is based on how the transaction occurs. IDshield interfaces with a bank's Web server when used with an online banking product."
When installing the product, banks write a "small script" on their Web server. This will check on Web banking customers when they log on and authenticate them. "We're not making banks change the way they do business," says Bob. "It's all Web-based, so it's relatively painless to implement."
The download for consumers is fairly small in size-180 KB. Bob won't call it a file, per se. "It just goes in, does its work, sits in memory, and kicks in again when someone returns to the online banking site."
And Safewww is looking beyond financial institutions for growth. One area of interest to the company is securing online shopping. Currently, Safewww is looking to partner with the card companies that are already in this area, says Bob. This will mitigate the problem of creating a merchant network for IDshield since the card companies already have merchants on board. So far Safewww has spoken with two midsize card issuers about using IDshield for authentication in online shopping. He declined to name them. "It's a matter of proving the concept to the larger card issuers first."
Despite the increasingly intense scrutiny of Web security, Bob believes there is much room for improvement. "Take disposable card numbers," he says. "They solve the problem of keeping your number from being stored on a Web site. But that's only 10% of the fraud problem. It doesn't answer the authentication issue."
But what about the privacy question? Will consumers be comfortable with a product that can identify them right down to the hardware components of their PCs? "This is not going to be a big concern," says Bob. "We don't keep any more information on users than their user name, password, hardware signature, and a log of all transactions to detect fraud." He believes the PC data isn't something that's considered "private" by consumers. "We're not asking for your Social Security number. Just your CPU number."
Though the company has not yet announced-or perhaps signed-any U.S. commercial banks, he touts the recent installation of IDshield in the Spanish bank Caixa Terrassa. "This will mark our first installation in a bank." Initially, IDshield will be used to "secure the communication with special chosen clients in the business sector who already have a client server," says Joan Davi Ferrer, projects manager at the Barcelona-area financial institution. Eventually the bank plans to move it to its retail clients. Its online banking service has 1,800 business clients and 1,600 "home" users.
"We had begun to study PKI solutions, but then our supplier presented the IDshield to us," explains Ferrer. "We chose this because we wanted to ensure authentication without the need of a PKI environment and because of the ease of use of IDshield from the side of our clients." He also mentions Safewww's price structure as "attractive." For example, an online bank would pay $5.00 a year per customer and that price would decrease based on volume, Bob says.
A pilot at Caixa Terrassa was set for mid-January but an official implementation time has not been determined.
As to the matter of its customers feeling uncomfortable with a product that can identify their computers, Ferrer is unconcerned. "Our clients trust our services and we are going to guarantee the use of this information. We are not going to oblige our clients to use IDshield."
For Safewww's Bob, it is this capability that will help his company dig out a niche for itself. "Most security products, like firewalls, are focused on servers. People forget that consumers are at risk. Addressing the authentication of people is our market approach."