By Matt Hines  |  Posted 2006-10-22

One of the more innovative elements of Bharosa's software is known as the Slider, which helps protect users by using simple graphic symbols to further encrypt traditional passwords and screen names when users log on to a company Web site, rather than having them type those credentials on a traditional keyboard.

The Slider tool allows a customer to enter a PIN by using symbols, such as circles or triangles, to represent the individual alphanumeric characters used in their passwords and thereby make it harder for someone to intercept the information. The order and array of symbols is changed each time a user logs on, cutting into the efficacy of malware programs such as keystroke loggers, which attempt to intercept passwords and other log-in data for criminal purposes.

Wells Fargo combines the real-time log-in information it gathers from Bharosa's software with data collected via IP location scanning tools made by Quova to help determine whether a customer is signing on from his or her usual device and location or if someone is trying to log in fraudulently from a different PC somewhere else in the world. If the information doesn't add up, the bank can request the user to supply additional information to gain access to the bank's applications.

That system is linked with a risk management application made by Actimize that aims to detect fraud by analyzing online transaction and user-session behavior. Those tools are combined with applications that issue one-time passwords for customers' high-dollar transactions, including RSA Security's SecurID two-factor authentication tokens and an array of internally developed Wells Fargo programs.

In terms of creating a customer interface that provides adequate security without making online applications unwieldy for users, Smith said that Wells Fargo wanted a system similar to the anti-fraud programs maintained by credit card companies, which observe customers' buying behavior and throw up a red flag when unusual spending patterns emerge.

"The key is creating something that doesn't get in the way of customers," Smith said. "Online banking has always been about convenience; anything onerous you create that gets in the way of customers completing their transaction is heading in the wrong direction."

Another bank using Bharosa's anti-fraud software is SVB Silicon Valley Bank, the commercial banking arm of SVB Financial Group, in Santa Clara, Calif. While SVB Silicon Valley Bank cannot claim the millions of customers served by Wells Fargo, the company estimates that some 80 percent of its business is conducted online and driven largely by its overwhelming proportion of technology-savvy Silicon Valley business customers.

In January 2006, SVB Silicon Valley Bank turned to Bharosa to help replace its existing third-party password protection and anti-fraud systems with something more comprehensive and easier to manage. Today, all online client accounts at the bank are guarded at log-in by enhanced features powered by Bharosa's applications and a slew of other security programs.

Using both the Bharosa Tracker and Authenticator applications, the company has a much firmer grasp on who is accessing its online systems and what sort of behavior he or she displays, said Dave Webb, CIO at SVB Silicon Valley Bank.

"In our environment, we have a large number of big transactions with customers moving a lot of money over the wires, and we wanted to give users additional levels of validation for their transaction and any level of authentication they want," Webb said. "The multi-layered technology approach is the only way you can support this type of a business as far as I can tell; you need a lot of different vendors and products to create a lot of different points for catching the potential attacks."

Among the other vendors whose programs are used by the bank are data protection specialists Tablus and Vontu. Webb said that beyond protecting user passwords and online applications, SVB Silicon Valley Bank is employing those companies' tools to protect against social engineering attacks aimed at its workers, or to fend off attempts to commit crimes internally.

"There will always be new threats on the horizon," Webb said. "We'll work hard to make sure we can predict a lot of it and be ready to change our defenses on short notice and adapt."
