Security Revamp Trend: Work from Back to Front

Facing a firm yearend deadline to implement stronger security for online transactions, many banks have developed very similar strategies.

The Federal Financial Institutions Examination Council's guidelines, announced in October 2005, were intentionally vague; they told banks what to do, but not how. And left to their own devices, most financial companies have started by adding back-end transaction monitoring capabilities, which are largely invisible to customers. Many have also added a layer of front-end strong authentication, which adds steps to the login process and is very obvious to users.

Banks and vendors working on these projects say that companies face a tricky balancing act when making changes that could make their Web sites harder to use.

"A lot of our customers wanted to start with the back end, the fraud detection piece," said Chris Voice, the chief technology officer for the security software vendor Entrust Inc. In most cases they also bought a visible authentication product, he said, but those who bought only one component typically bought the invisible part. "There was a significant concern about interrupting a user's experience. That's why we saw the fraud detection piece becoming more and more interesting."

Nico Popp, the vice president of authentication services for VeriSign Inc., said that now a lot of companies understand "that the back-end fraud detection capabilities are actually critical."

By contrast, six months ago banks mostly were looking at the less expensive front-end authentication products, he said. However, they found that even the most sophisticated front-end products "can be somewhat defeated" by determined fraudsters.

Jon Fisher, the chief executive of the security vendor Bharosa Inc., said that the demand for transaction monitoring has been especially acute at the biggest financial companies. "The larger the user base, usually the enterprise is opting for fraud detection, or an approach that doesn't involve impacting the user" for normal transactions.

The growing demand for transaction monitoring software prompted several recent purchases in the sector, such as Entrust's July acquisition of Business Signatures Corp. and RSA Security Inc.'s December 2005 purchase of Cyota Inc., now part of RSA Consumer Solutions. Both buyers already had strong front-end authentication offerings but lacked the back-end software that banks have been demanding.

RSA also acquired the front-end authentication provider PassMark Security Inc. in April; the memory company EMC Corp. bought RSA in September.

RSA's PassMark software is one of the best-known of the front-end authentication applications. It asks people to select an image or photo when they enroll, and then displays that image to them upon subsequent visits to a Web site. The software is meant to prove to users they are not visiting a fake site created by phishers.

Chris Young, the vice president and general manager of EMC's RSA Consumer Solutions, said that no bank customers have purchased PassMark alone; all have also added some behind-the-scenes security enhancement, such as another PassMark component which can identify the computer people are using to access the bank's site.

"At the bare minimum, they're using device ID," Mr. Young said.

RSA also offers more elaborate fraud detection methods, such as a network that pools observations among multiple companies to determine when fraudsters are hitting several banks at once.

Andrea Klein, the chief marketing officer for IdenTrust Inc. of San Francisco, said that banks are using multiple products because "anything by itself, they're learning, is not a robust enough solution," particularly when applied to customers with different needs and different levels of risk.

IdenTrust works with other vendors to adapt their products for corporate banking security by weaving in its public key infrastructure encryption technology, she said.

Bank of America Corp. announced in May of last year that it would install the PassMark software. The Charlotte company, one of the first big banking companies to install the software, now requires all its online banking customers to use the feature, which it calls SiteKey.

However, B of A also has software running behind the scenes to determine whether a computer trying to access an account is known to belong to the account's owner.

"We found that that solution was going to provide the right balance of added security and customer convenience," said Betty Riess, a spokeswoman for B of A. "Security is an ongoing conversation."

Vendors offer a variety of invisible systems that can look not only at users' hardware but also at their network settings, their login location, and the risk of each transaction. In many cases, unrecognized computers logging in from risky parts of the world are challenged or blocked altogether.
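The kind of back-end decision the paragraph above describes, written out as an added illustration rather than any vendor's code: a login is scored on whether the device fingerprint has been seen before on that account, whether it arrives from outside the customer's home country or from a jurisdiction the bank treats as higher risk, and how large the requested transfer is, and the total decides between allowing it silently, issuing a step-up challenge, or blocking it. The account names, fingerprints, country codes and thresholds are all constructed assumptions.

```python
"""Illustrative risk-based login check (added example, not vendor code).

Models the 'invisible' back-end layer: each login is scored on device,
location and transaction risk, then allowed, challenged or blocked.
All device IDs, countries and thresholds here are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed: per-account set of device fingerprints seen at prior logins
# (the "device ID" signal mentioned in the article).
KNOWN_DEVICES = {
    "acct-1001": {"fp-aaa111", "fp-bbb222"},
    "acct-1002": {"fp-ccc333"},
}
# Constructed: jurisdictions this hypothetical bank treats as higher risk.
HIGH_RISK_COUNTRIES = {"XX", "YY"}

@dataclass
class LoginEvent:
    account: str
    device_fp: str
    country: str          # where the connection appears to come from
    home_country: str     # country on file for the customer
    transfer_amount: float = 0.0

@dataclass
class Decision:
    action: str           # "allow", "challenge" or "block"
    score: int
    reasons: list = field(default_factory=list)

def score_login(ev: LoginEvent) -> Decision:
    """Additive risk score; each signal adds points and a human-readable reason."""
    score, reasons = 0, []
    if ev.device_fp not in KNOWN_DEVICES.get(ev.account, set()):
        score += 40; reasons.append("unrecognised device")
    if ev.country != ev.home_country:
        score += 20; reasons.append("login outside home country")
    if ev.country in HIGH_RISK_COUNTRIES:
        score += 30; reasons.append("high-risk jurisdiction")
    if ev.transfer_amount >= 5000:
        score += 25; reasons.append("large transfer requested")
    # Thresholds are assumptions: low risk passes silently, medium risk gets a
    # visible step-up challenge, high risk is blocked pending manual review.
    if score >= 80:
        action = "block"
    elif score >= 40:
        action = "challenge"
    else:
        action = "allow"
    return Decision(action, score, reasons)
```

A recognised device logging in from the home country with no transfer scores 0 and is allowed without the customer noticing anything, which is the "invisible" behaviour the vendors quoted here are describing.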

Gwenn Bezard, a research director at Aite Group LLC of Boston, said that part of the reason banks are looking at fraud monitoring software is that it fills a need that has less to do with FFIEC compliance than with basic security.

"Most banks did not have any way to monitor what was going on on their Web site," he said. "It's like if banks had branches, and they did not have cameras, and they did not have ways to monitor what money was coming in and going out."

Even so, "a significant number of banks, even among the largest banks in the country, were not going to be ready by Dec. 31," he said, citing a report he published in October.

Of course, this does not mean those banks have not made their plans; though only 33% of banks that chose fraud detection had installed it by the time Mr. Bezard published his report, another third planned to have it installed by yearend. Most of the banks that planned to install fraud detection were in earlier stages such as a pilot test or proof-of-concept, he said.

When the FFIEC guidelines were announced, many vendors thought the best security candidate would be password-generating tokens, which have been used for years to protect corporate data networks. Users must have the tokens, which create a new password roughly every minute, to access a Web site. However, the tokens have proven expensive to distribute on a large scale.

RSA, which has long offered these tokens, began promoting them to banking customers when it became clear that they were interested in beefing up their Web security, Mr. Young said.

Until last year, "if you're going to have stronger authentication, then the prominently accepted way of doing that was tokens," he said. "What some of the early announcers in this segment showed was that it didn't necessarily need to be tokens."

Mr. Voice said that banks are likely to choose different security methods for different customer groups, even if what they have already satisfies the FFIEC guidelines. "They made their bets, if you will, for '06 into '07 for FFIEC" compliance, he said. "In the future they'll need more flexibility."

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that banks "all start with back-end fraud detection and invisible authentication, and they put something visible on top."

Next year most banks will increase their spending for online security, to improve the quality of the products they are using and to add further layers, she predicted, and those that did not buy visible authentication products are likely to do so in the future.

But this year banks have focused on back-end approaches, Ms. Litan said, because their first priority has been to satisfy the FFIEC requirement, and choosing invisible software fulfills that need without disrupting the user experience.

The reason so many banks are adding visible authentication on top of that is that their second priority is to increase consumer confidence, she said. "Consumers need to be pacified. Keeping it invisible does not build consumer confidence."
