Bank on Integration for ID Security

Seamless security requires a big-picture approach.

From all appearances (and most notably for me, judging by my bank account) the merger of accounts between Bank of America and Fleet Bank went well during the weekend of June 18-19. The following Monday, my former Fleet account looked like a Bank of America account from my browser and, near as I could tell, was not being manipulated by a bad actor living in a country with an unpronounceable name.

Contrast this to other news that developed over the same weekend, when credit card processor CardSystems Solutions revealed that a hacker intruding on its system exposed 40 million credit card users to potential fraud. Why can one organization do such a good job of integrating internal systems while another is unable to keep its most valuable information safe from prying keyboards?


While the folks at CardSystems aren't talking, my guess, and the guess of Jan Hichert, CEO of security startup Astaro, is that an overabundance of point solutions leads to an inability to stay aware of individual corporate vulnerabilities. The emergence of viruses, bugs, spam, phishing and combination attacks too often leads to security spending to deter the latest threat rather than an integrated approach to deal with the entire spectrum of problems.

Hichert's company sells an integrated appliance that mixes open-source and proprietary security technology. He has something to gain by promoting the integrated approach, but he is also right in pointing out that all the big networking and security vendors, including Symantec, Trend Micro and Cisco, are now talking about integrated approaches rather than point solutions.

While much attention is being paid to desktop security and the role of the individual consumer in protecting his or her identity, breaches such as the one at CardSystems point to a change in the tactics of the hackers.

Using secret keyloggers and password swipers will get the hackers some of the information they need, but the big prizes of millions of customer files will be found in the databases of banks, government organizations and companies such as credit card processors.


I think we'll see a race over the next two years or so between the bad guys and companies trying to shore up their security technology, develop widespread on-the-fly encryption and create systems that protect customer identity. We'll see companies alter their consumer marketing, shifting focus away from lots of features and ease of accessibility toward security and safety. We are already starting to see some of that shift now.

Bank of America is moving ahead with plans to make it easier for customers to recognize legitimate e-mail messages from the bank using SPF (Sender Policy Framework) authentication. As Dave Wright, the bank's senior vice president of e-mail infrastructure, stated in that article, "We are sending a message to the industry that we are willing to support an authentication scheme—in this case ... SPF."

The bank will use the SPF authentication technology along with its SiteKey Web site authentication technology. Bank of America has rolled out its SiteKey program so far only to its customers in Tennessee, where it promotes the service as a way to confirm a Web site's validity and protect a user's accounts. Bank of America is not without its own problems, however, including the loss of backup tapes containing information on 1.2 million federal employees in February.

Consumers don't have a lot of faith in the vendors that are supposed to protect their privacy. If it isn't the credit card information being stolen, it is the backup tape containing hundreds of thousands of names that is lost in transit or the Social Security numbers pilfered from a university database.

Consumers who are being asked to take steps to protect their privacy are justified in demanding that vendors and government regulatory agencies explain what steps they're taking to protect the millions of customer records they have on file.

Companies that have made the right choices and investments will be able to promote the results of those steps in a positive light, while companies that have made poor choices and not invested properly will be wracked with unfavorable publicity.

eWEEK magazine editor in chief Eric Lundquist can be reached at
