Several financial services companies are using a new user-authentication product from Strikeforce Technologies that the vendor and analysts alike say takes a new approach to combat on-line fraud.
E*Trade, for one, has embarked on a pilot program to use the Protect ID product, says George Waller, vp of sales at Strikeforce. Waller says there are several other financial companies in the early stages of usage as well, but he declined to name them. E*Trade could not be reached for comment.
The main feature of Protect ID is what Waller calls "splitting the pathway." Strikeforce's "split pathway" refers to the idea that a user ID and a password can be sent from a customer to a company via two different routes. The most commonly used method for a second pathway so far is the old-fashioned and ubiquitous telephone, Waller says.
The underlying problem in most on-line fraud is the fact that all of a customer's identification data is submitted to a company in the same manner, Waller says. That is, a user ID and password usually get submitted over the computer, often with the same stroke of a keypad. So if a hacker intercepts that single transmission, the customer is suddenly vulnerable to future on-line theft.
Waller says password technology dates back to IBM's first mainframes in the 1950s and is hardly up to the task of keeping today's savvy hackers at bay.
When using Strikeforce's product, a customer initially sets up an account, complete with a certain phone number that he or she will use for future access. When he later logs onto that account, after a user ID is submitted over the computer, he immediately receives a phone call to verify that the session is legitimate before being allowed full access, Waller says.
If it is legitimate, a password is then submitted over the phone's keypad. If it's not legitimate (if the user gets a random phone call), she can simply block the transaction. "If you get a call on your cell while you're at a Knicks game and the bank wants to know if this is really you that's about to log onto your account, you can say 'no, it's not' and that ends it. You can go back to enjoying the game," Waller says.
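The login sequence Waller describes can be modeled as a small state machine. The sketch below is an added example, not Strikeforce's code; the class and method names, the PBKDF2 hashing and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, secrets

SALT = b"constructed-demo-salt"  # constructed value; use a per-user random salt in practice

def pin_hash(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

class SplitPathwayAuth:
    """Hypothetical model: user ID arrives by computer, password by telephone keypad."""

    def __init__(self):
        self.accounts = {}   # user_id -> (enrolled phone, hash of keypad password)
        self.pending = {}    # session_id -> user_id waiting for the verification call
        self.active = set()  # session_ids granted full access

    def enroll(self, user_id, phone, pin):
        self.accounts[user_id] = (phone, pin_hash(pin))

    def web_submit_user_id(self, user_id):
        """Pathway 1 (computer): only the user ID is sent; no password crosses this channel."""
        if user_id not in self.accounts:
            return None, None
        session_id = secrets.token_hex(16)
        self.pending[session_id] = user_id
        # The call goes to the number fixed at enrollment, never one supplied at login.
        return session_id, self.accounts[user_id][0]

    def phone_response(self, session_id, legitimate, keypad_pin=""):
        """Pathway 2 (telephone): the owner confirms or blocks, then keys in the password."""
        user_id = self.pending.pop(session_id, None)  # each pending login is answered once
        if user_id is None or not legitimate:
            return "blocked"
        if hmac.compare_digest(pin_hash(keypad_pin), self.accounts[user_id][1]):
            self.active.add(session_id)
            return "granted"
        return "blocked"

if __name__ == "__main__":
    auth = SplitPathwayAuth()
    auth.enroll("alice", "+1-555-0100", "4821")            # constructed sample account
    sid, number = auth.web_submit_user_id("alice")
    print(number, auth.phone_response(sid, True, "4821"))  # owner expected the call
    sid2, _ = auth.web_submit_user_id("alice")             # login the owner did not start
    print(auth.phone_response(sid2, False), sid2 in auth.active)
```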
Gartner research director Ray Wagner agrees that the idea of splitting the pathway is an innovative approach, and will assuredly draw interest from banks and financial institutions. However, he says the general idea is not entirely new.
While Wagner acknowledges that he's not aware of any other vendor that takes this precise approach, he cautions that technology companies often define things narrowly enough to claim to be a pioneer in their endeavors. That said, he considers this technology to be similar to a system that deploys one-time passwords that also can be sent over the phone.
A recent research paper that he co-authored refers to one-time passwords as "out-of-band credential passing" and "two-factor authentication."
However the process is characterized, the phone is a great device to use, he says, because it's unlikely that a fraudster will have someone's user ID as well as access to their phone. This process has received attention from banks in Europe where banking kiosks and Internet cafes have become popular with customers and have seen an alarming rise in keylogging fraud.
Still, he foresees one particular vulnerability in any method that incorporates the phone. "If I'm smart enough to intercept your phone message, I could still steal your information."
The use of some sort of alternative identification is still in the very early stages and it's difficult to predict just how popular it could become, Wagner says. Still, he calls this a "very interesting approach" and says it could allow banks to combat fraud on the "front end" of a transaction, instead of a more costly "back end" analysis, which entails looking for unusual transactions and only then alerting the customer. Or, even worse, conducting an investigation days after the transaction.
Waller, for his part, shrugs off the worry of competitive threats. In addition to four patents pending on Strikeforce's product, he says the company is looking beyond the phone. He envisions other methods to split the pathway, mostly involving biometrics technology that would replace the phone password. Under that scenario, devices that connect to a customer's computer would allow a user to use fingerprints or eye scans for the second level of identification.
For now, though, he's content to focus on the phone method. And one of the greatest advantages of this technology is simply how common phones are in today's world. "Scalability isn't an issue because the existing infrastructure can already handle the world's phone traffic," Waller says.