Security Vendors Promote Fast Installation Capability

With financial companies facing a year-end deadline to implement strong online authentication tools, vendors are touting products that evaluate servers' logs of users' online activities - and that the vendors say can be installed quickly.

Nico Popp, the vice president of authentication services for VeriSign Inc., called his company's antifraud software a "zero-integration" system.

"We don't touch" the code customers use to build and support their Web sites, or the other applications running on the sites, Mr. Popp said. That makes it easy for the vendor to install the VeriSign Identity Protection software.

The smooth installation process was "one of the reasons Schwab picked us over the competition," Mr. Popp said.

That would be the brokerage company Charles Schwab Corp., which is already in compliance with the authentication guidelines issued in October by the Federal Financial Institutions Examination Council. The guidelines urge financial companies to improve their authentication procedures by the end of this year by requiring more than the standard user name-and-password combination.

In February, however, Schwab offered to reimburse customers for any losses due to unauthorized online trades. Though banks are required by law to reimburse consumers for fraud on deposit accounts, brokerages are not. Mr. Popp said Schwab began using the VeriSign software to boost its security and minimize the cost of making good on its guarantee.

VeriSign Identity Protection examines its customers' server logs to find potential criminal behavior.

Those logs offer several clues about a site's visitors, including the site from which they connect to the VeriSign customer's site, users' hardware and network configurations, and their IP address.

The software uses fraud data collected by eBay Inc.'s PayPal Inc. unit, whose 105 million registered users include 29.2 million accounts that used PayPal's payment system in the first quarter. The software can compare the hardware and network settings of anyone who logs in to a customer's Web site with those of known criminals.

By evaluating visitors, "the only thing you cannot do is the real-time intervention" for suspicious transactions, Mr. Popp said.

However, VeriSign, of Mountain View, Calif., has written software filters that work with other vendors' online banking applications. The filters enable financial companies to evaluate individual transactions as they occur and to block those that might be fraudulent. The filters do not require any changes to the banking software, Mr. Popp said.

"We allow you to drop a configuration file and a filter into your server," he said. "You just have to set a few parameters; you don't write any code."

VeriSign also helps train its customers' employees to use the antifraud software.

Other vendors are using similar methods to offer fast installation. Peter Relan, the chief executive of Business Signatures Corp. in Redwood City, Calif., said his company's software also examines server logs. That way, "you have the ability to see all online customer activity, and pick and choose the ones you want to analyze for suspicious activity," he said.

"If you don't have to integrate with the application server database, a deployment cycle, from our perspective, goes from months to weeks," Mr. Relan said.

Business Signatures' software, Real-Time e-Fraud Detector, is included with two products the company announced last week: Anomaly Detection with Customer Notifications, and Anomaly Detection with Passive Authentication. (The products are similar, but the former is more visible to users.)

Mr. Relan said that not all the information garnered from server logs is crucial to fraud detection. For example, computers of the same model are often sold with the same operating system, memory, and network card, so these factors may be less useful in spotting individual criminals than a computer's location, browser settings, and other factors.

The average Business Signatures customer uses about 50 of the 200 pieces of information available on a server log to create a profile of each person logging in to the customer's Web site, Mr. Relan said.

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said the concept of evaluating server logs "is really solid," and that the abundance of information available makes such systems good tools for spotting less obvious types of online fraud.

For example, systems that look at the Internet Protocol address of people logging in can tell if they are doing so from their hometown or from a foreign country. But by looking at all the data available on server log files, security tools can also tell if another computer is eavesdropping on the session.

"That would likely not be caught by a system that's not looking at every record," Ms. Litan said.

To be fair, she said, competing products that require deeper integration can be told to look at the same details, but most do not. And configuring the competing products to do so would likely require that the code be rewritten, she said.

"If you're just building off log files, all the work's done for you," Ms. Litan said.

The ease of installing the VeriSign and Business Signatures software could make it more appealing to customers than harder-to-install products from vendors such as RSA Security Inc.

RSA has substantially improved its security product line in the past six months. It bought Cyota Inc. of New York in December and PassMark Security Inc. of Menlo Park, Calif., in April. Both companies were winning big customers in fraud detection and online authentication, but customers must integrate those products with their existing online banking software.

RSA, of Bedford, Mass., is combining all that software into a product it is calling Adaptive Authentication. The product currently includes RSA and Cyota software; it will include PassMark software in an upgrade expected to be available this month.

The VeriSign and Business Signatures server log evaluation products offer "a good, competitive approach to RSA, frankly," Ms. Litan said, and are something for RSA "to worry about."

