The Tech Scene: Shoring Up E-Mail Link in Security Chain

As banks conduct more business with customers online, and as more sensitive transactions get done there, e-mail security is becoming a hot-button issue for financial institutions.

It makes sense that banks would want to use the highest level of security possible, especially when e-mail messages include communications with private banking customers, online bill payment customers, or others who have entrusted their financial lives to an institution.

Last week, First Union Corp. announced that it had hired Tumbleweed Communications Corp., a secure messaging vendor in Redwood City, Calif., to install and manage a secure e-mail system specifically for communications with the bank's business partners and corporate customers. Kellie Scott, senior vice president and director of First Union's eChannels unit, said Tumbleweed's technology would be particularly useful in helping First Union communicate with the other banks that belong to Spectrum EBP, the electronic bill payment and presentment consortium.

But most banks have not yet selected a vendor for this task, and, given the range of technologies available to secure e-mail, the decision may indeed prove difficult. Tumbleweed's technology is a server-based S/MIME system that uses digital certificates, but each of the other big names in this line of business - including PGP Security, Verisign Inc., Baltimore Technologies, and Entrust Technologies - uses its own technology configuration. Most large U.S. banks already hire one or more of these companies for various security jobs.

Last week, there was some interesting jockeying among some of these vendors. Phil Zimmermann, who created the e-mail and file encryption program PGP (which stands for Pretty Good Privacy), left the company he founded by that name and defected to a rival, Hush Communications, which was formed in 1998 and is based in Dublin. Mr. Zimmermann, who is Hush's chief cryptographer, explained in an online farewell message that Network Associates Inc., to which he sold PGP Security in 1997, has "developed a different vision for PGP's future," and that his priority is to promote an open standard he created. Now he will be working to implement the OpenPGP standard in Hush's products.

According to Jon Matonis, chief executive officer of Hush, his company offers "end-to-end encryption" of e-mail, "which means that it's encrypted from desktop to desktop. At no point in the process can the ISP take it and do scanning on the message." Hush has been letting people sign up free for encrypted e-mail accounts at its hushmail.com site, and has recently introduced a private-label version of the service that banks can use to secure their e-mail systems.

"We are going for the Holy Grail, which is mass-market crypto," said Mr. Matonis, who joined Hush after stints at Visa International, Verisign, and the Digital Signature Trust division of Zions Bancorp.

Hush is offering "full, secure messaging outsourcing," Mr. Matonis said, so that banks "don't have to run an encryption key server on their own, they don't have to become a digital certificate authority, they don't have to buy all the hardware and software to run a secure encryption platform - we do all that." Hush charges based on the number of key pairs it has under management.

As banks assess their technology budgets, they would be wise to factor in e-mail security. Not only could it avert a disaster, it could also serve as a powerful public relations tool for coaxing retail and wholesale customers to do business with banks online.

