The Tech Scene: Upgrading E-Mail from 'Junk' Status

Frustrated that phishers have made e-mail effectively useless for reaching customers, banks and technology vendors are hoping to develop a method to verify the authenticity of electronic communications.

Included in this effort is an evaluation the Financial Services Technology Consortium plans to begin next week of a new kind of digital certificate that could be used to authenticate e-mail messages.

Eight financial companies and 14 vendors have agreed to test various certification schemes as part of the FSTC's Authenticating Financial Institutions to Consumers project, and more may join at the first official meeting Sept. 18.

Independent third-party security vendors have long issued standard digital certificates as a way for people to "sign" electronic documents and verify their identity. However, Dan Schutzer, the executive director of the New York trade group, said the problem with these digital credentials is that "anyone can get one now."

The FSTC project is looking at a new type of digital certificate. Phillip Hallam-Baker, the principal scientist at the security software vendor VeriSign Inc. in Mountain View, Calif., said the new certificates, which have yet to be formally adopted within the security industry, are known as high-assurance certificates (or sometimes extended validation certificates). VeriSign is participating in the FSTC project.

VeriSign was one of the pioneers in issuing certificates, but Mr. Hallam-Baker said that the ones in use today certify only that information is encrypted. As a result, having a standard certificate may not verify that data comes from a reputable source. "All it really tells the user is that someone paid $30 for a certificate," he said.

The process of obtaining a high-assurance certificate is expected to be more rigorous, he said, and is designed to make users confident that a certificate holder is affiliated with a legitimate enterprise. "We are trying to establish accountability."

Mr. Schutzer said that one of the goals of the project is to restore confidence in e-mail and reclaim the format as an effective way for financial companies to reach their customers. Eventually, he said, "anyone could have this software, and would know that messages really are from a financial institution."

Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn., said that several other companies have tried in recent years to introduce methods to send e-mail with an embedded authentication mechanism. Though the basic theory is sound, she said, "the business case has always been the problem," and past efforts failed because they lacked a critical mass of consumers and companies using the same software. "It's something of a chicken-and-egg issue."

However, the current project "has a better chance now than it would have had a year ago," because consumers are now more aware of the need to trust incoming e-mail, Ms. Litan said. "This is an important initiative."

Louie Gasparini, the chief technology officer for RSA Security Inc.'s consumer solutions group, said his company is developing an e-mail application that can send messages bearing high-assurance certificates. It does not issue them.

Mr. Gasparini said that the current e-mail applications most consumers use are not set up to spot high-assurance certificates in incoming messages, and that consumers would have to be taught to look for, and interpret, them. But he said if the idea catches on, consumer e-mail software could eventually be modified to do that interpretation automatically. RSA, of Bedford, Mass., is one of the vendors involved in the FSTC project.

Ken Schaeffler, the chief information security officer for Comerica Corp., said that the Detroit banking company expects to work closely with vendors to test several different e-mail systems, and hopefully will be able to find an application, or multiple applications, that will work well for financial companies. "The vendors need to have a dialogue with the financial services industry to find out if they are out in the weeds or not," he said.

The FSTC's project comes at an important time. The growing threat of online fraud and the increasing prevalence of phishers, who use fake e-mail messages to steal confidential personal information, have turned a once-useful communication method into one that many people no longer trust.

Even legitimate messages from known parties are often treated with suspicion by recipients, rendering e-mail of little value for service or marketing.

Stephen Lange Ranzini, the president and chairman of University Bank in Ann Arbor, Mich., said his company no longer uses e-mail to communicate with customers. "E-mail is extremely important, and now it's negated by the phishing threat," he said. "It's unwise at the moment to use e-mail." The unit of University Bancorp Inc. is part of the FSTC project.

Ms. Litan said that "most people don't trust e-mail anymore," and that it has become "a useless mechanism for consumer marketing."

According to a recent study, 46% of consumers have changed their online behavior and payment habits because of the growth of online fraud and the frequent disclosures of large data security breaches in the past year or so. Of those people, Ms. Litan said, 67% reported that their trust in e-mail has declined, and 85.5% of those people will typically delete unopened any messages they do not trust. The telephone survey of 5,000 online consumers was conducted in August.

And if a bank cannot count on getting its messages read by a significant number of customers, "why bother sending them at all?" Ms. Litan said. "Banks are worried about losing the Internet as a low-cost communication medium."

Wachovia Corp. learned this lesson the hard way in 2004. In an upgrade to its online banking system, about 500,000 customers were contacted by e-mail and told they needed to change their usernames and passwords. The message included a link to a Web site where they could do so. Wachovia was trying to make the process as easy as possible; instead, thousands of customers thought the message looked fake, and flooded the Charlotte company's call centers with inquiries.

