A spate of recent vendor partnerships reflects a growing interest among banks in adding Internet Protocol address analysis to their fraud prevention strategies.
S1 Corp., an Atlanta banking software company, said Monday that it had collaborated with Digital Envoy Inc. of Norcross, Ga., to make Digital Envoy's IP Inspector Fraud Analyst product compatible with S1's Enterprise banking platform.
This is the third such announcement in two months. In March, Digital Envoy's rival, Quova Inc., announced partnerships with the Hillsboro, Ore., banking technology vendor Corillian Corp. and with the New York anti-fraud vendor Cyota Inc.
Both Digital Envoy and Quova offer IP address analysis technology, which looks at a computer's IP address to determine where it is located. The technique offers only a general idea of the location, but it is specific enough to tell when an account that belongs to a U.S. resident is being accessed from a computer in Eastern Europe.
Ron Young, S1's vice president of product management, said that his bank customers are increasingly asking S1 to recommend security products and even specific vendors. He said S1 and Digital Envoy have made their software interoperable and that his company is now recommending Digital Envoy to banks.
Mr. Young said S1 plans to endorse other vendors that offer security products compatible with S1's.
He said IP address analysis is important because it can help banks spot potentially fraudulent transactions if a customer's account has been accessed from an unusual location.
An IP address is a unique string of numbers assigned to every Internet-connected computer, and much like telephone numbers, these numbers signify details about the computer's location.
When someone accesses a banking Web site, the bank's systems can read the IP address and compare it against known identifying details about the customer, such as their mailing address or the IP address of the computers they typically use. The IP analysis software can also tell how a customer is connecting to the Internet, which can be compared to how they connected in the past.
"Every time you enter into a bank's online banking site, part of the information that comes with you is your IP address," Mr. Young said.
Dennis Maicon, Digital Envoy's executive vice president of financial services solutions, said that 95% of online banking customers typically connect to a bank's site from three or fewer computers. A log-in from a different IP address could be a sign of fraud, he said.
Digital Envoy also tracks "velocity inconsistencies" - log-ins from two distant locations that occur in less time than it could possibly take to physically travel between them.
Ariana-Michele Moore, an analyst at Celent Communications LLC in Boston, said many places are considered "hot spots" for fraud, and any IP addresses from those areas may be suspicious.
George Tubin, a senior analyst at TowerGroup Inc., a Needham, Mass., market research unit of MasterCard International, said a growing number of people are using "anonymizers," specialized servers that intercept Web traffic and provide an alternate IP address for the user's actual computer. Honest Web surfers may use an anonymizer to protect their privacy, but criminals can use them to hide their true identities.
This could circumvent an IP analysis tool, but Gary Jackson, the senior vice president of operations at Quova, said "there is no legitimate reason why you should ever allow traffic to come to your site from an anonymizer. You should block it, period."
People gaining access to an online banking site from a dial-up connection are five to 10 times more likely than people using broadband connections to be criminals, because dial-up systems can be used to mask the user's location, Mr. Jackson said. For example, a criminal in Europe can dial in to a New York Internet service provider to attempt to access a New York resident's bank account.
Another common technique is to use a zombie computer, a machine belonging to innocent people or businesses infected by a virus that enables a criminal to take over the system. Mr. Jackson said Quova catalogues zombie IP addresses as well. A compromised computer is "not that hard to detect," he said.
"If I can't be absolutely sure" who is trying to log in to a bank account "based on user name or password, I have to begin to look at the circumstances of his access and his behavior," Mr. Jackson said.
Mr. Maicon said the zombie problem is not a challenge to Digital Envoy's software, because even zombie computers near a legitimate customer's computer are unlikely to have the same connection details that are in the customer's online banking pattern.
