The Financial Services Technology Consortium says a methodology it has created to evaluate fraud protection and authentication software can lead to more effective, standardized security products.
Daniel Schutzer, the executive director of the New York trade group, said that with the growth of online fraud, especially phishing, it is imperative that banks and vendors come up with better protection measures.
"We need stronger authentication," he said. "We need to authenticate both the client and the financial institution."
The consortium said last week that it had concluded its Better Mutual Authentication Project, a survey of the anti-fraud measures currently available. The report, which the group is using to brief banks, vendors, government agencies, and any other organization that has a stake in reducing online fraud, not only lists what is available but also provides data about how various applications work when used together.
"This is a tool that can explain how to combine different fraud-protection tools," said Chuck Wade, the project director. Many banking companies use multiple security applications, often from different vendors, and though the vendors provide details about their own software, there is little data available about how they may interact, he said.
"We developed an architecture for authentication that recognizes that there may be multiple security tools working in parallel," Mr. Wade said. "Authentication does not mean using just one technique" to protect customers.
Twenty-eight banking companies, vendors, agencies, and trade groups participated in the project, including RSA Security Inc. of Bedford, Mass., VeriSign Inc. of Mountain View, Calif., and the Securities Industry Association. The banking companies included several "major" ones, Mr. Schutzer said. He would not name them.
He said that the goals of the project's next phase have not been defined but that they will likely include measuring the effectiveness of the various security techniques.
For example, the survey could help banking companies find out how many legitimate customers are unable to authenticate themselves using commonly used challenge questions, such as their mothers' maiden names, instead of other questions, such as the names of childhood pets.
The more unusual questions "can be more effective, but people can forget," Mr. Schutzer said in an interview Friday. "There is no way to evaluate the effectiveness" of the different methods. "Right now, it's all just hand-waving."
Mr. Wade said the consortium hopes the survey will be adopted by the financial industry as a standardized way for vendors to describe how their products fit into a bank's overall security system, and for banks to understand how separate vendors' applications might work together. "We created a new taxonomy," he said.
The "challenge remains interoperability," Mr. Wade said. The consortium hopes that its survey will help banks "pick the approach that they are comfortable with" and that vendors will "develop software that can be used with multiple financial institutions," he said.
"The financial industry can't do this on its own, because the financial industry doesn't develop infrastructure," Mr. Wade said.
Mr. Schutzer said the project has another, more fundamental goal. "This can help companies beef up their security infrastructure."
Banks could use the standardized language in the report to ensure that their authentication practices are uniform, and interoperable, across all of their channels, Mr. Schutzer said. "Getting that right is a tough nut, but it has to be addressed," he said.










