More Bankers Support Push Technology Despite Risks

Bankers are increasingly enthusiastic about using the Internet to "push" financial information to customers even as some security officials are warning of the technology's risks.

Although push technology applications for home banking are still being developed, the concept has gained many adherents in remote-banking circles because of its anticipated ability to personalize and strengthen on-line customer relationships.

Advocates cite the desire to establish a presence directly on their customers' personal computers, to eliminate the cost of delivering specialized software, and to lay the groundwork for a detailed understanding of consumer behavior.

"Push technology is the next most important evolution in the Internet," said Randy Kahn, president of direct banking at First Data Corp., who until recently was responsible for H.F. Ahmanson & Co.'s home banking program.

"The World Wide Web is dead. Long live the Internet," said Mr. Kahn. "The Web will become to the Internet as a card catalogue is to a library - it will not be how you access the information."

Gaining access to information on the Web requires a user specifically to request, or "pull," a piece of information from a Web site. Conversely, push technologies such as Marimba Inc.'s Castanet and Pointcast Inc.'s software transmit individualized data through the Internet's wires at preset intervals.

BankAmerica Corp., Chase Manhattan Corp., First Union Corp., and First Tennessee National Corp. are among the banking companies that have already stepped onto the field of push technology.

Teaming up with Marimba and with companies like Meca Software, Home Financial Network, and Home Account Network Inc., the banking companies have been preparing to launch pilot versions this year.

In lieu of the desktop client's requesting information from a server hosting it, Castanet substitutes a "tuner" that captures automatic downloads from a piece of software it calls a "transmitter."

But that kind of automation could lead to trouble, at least one security company warned.

"How do you know that the information a push server is sending you is safe?" asked Gary McGraw, a research scientist at Reliable Software Technologies in Reston, Va. "How do you know that the update that was just pushed onto your PC was really from the company that developed the software?"

One doesn't know unless the data are both encrypted and authenticated with digital signatures, said Mr. McGraw, who has also written a book on security flaws in the Java programming language.

Bankers and software developers agree that almost all financial information is sensitive enough to require such measures.

"When you want to deliver financial information in the background, you need an additional layer of security," said Jon R. Lowell, chief technology officer at Meca. "We deliver it encrypted and allow the user to decrypt" it at the PC.

"The main thing that protects the user is that all data" are digitally signed, said Andrew Barrett, chief executive officer of Home Account Network. The Charleston, S.C., company last week announced an alliance with Marimba to help First Tennessee Bank personalize its on-line banking with push technology.

"Any communication will be aborted if the correct certificate is not used" by the transmitting computer, he said.

But Mr. McGraw painted a picture of a push technology that is particularly vulnerable to "spoofing" and to mass hacking.

Spoofing occurs when an impostor intercepts data and substitutes new information, such as a stream of incorrect stock quotes.

Because millions of people get data transmissions through push systems such as Pointcast, the danger of transmitting viruses on a mass scale becomes acute, said Mr. McGraw.

But advocates of push technology deny any inherent problems in it. Though agreeing that "the stakes are very high on security," Marimba chief executive officer Kim Polese pointed to "a lot of paranoia about security" in the Internet environment.

The company delayed the ability of Castanet users to transmit the most dangerous, or "executable," programs until version 2.0 offered authentication features.

And officials at Pointcast said its software avoids spoofing by operating in a closed network transmission mode that cannot be intercepted.

"We took an approach that was more like that of an on-line service" than that of a traditional Web site, said director of engineering John W. Nogrady. He noted that the system has never been hacked.

But that is only a matter of time, countered Anup Ghosh, also of Reliable Software Technologies. "Push technologies are operating on a model that assumes no one is malicious. That trust is going to come to an end."
