With criminals stalking their operations and customers, Wells Fargo and SVB Silicon Valley Bank can’t afford to fool around with online security.
Just as riflemen rode shotgun on Wells Fargo stagecoaches in the 19th century, today, Wells Fargo and SVB Silicon Valley Bank executives are relying on whatever weapons they can get their hands on to help keep the bad guys at bay.
The most significant trend in the online business world over the last year has been the shift among hackers and other criminals from attacks aimed at disabling corporate infrastructure to threats that specifically look to steal companies’ money and customer information.
In mid-October, London’s Metropolitan Police Computer Crime Unit announced that the e-mail addresses, credit card numbers and transaction histories of approximately 83,000 U.K. consumers had been found on a PC recovered by law enforcement authorities in the United States. According to London police, the files were stolen from computers at an unnamed U.K. bank using a Trojan horse back-door virus that recorded individuals’ passwords.
“Security has always been a cornerstone of what we’ve done as a business, and that’s obviously changed over time and will continue to change as threats evolve, so we continue to work hard to do everything we can to protect customers without getting in the end user’s way,” said Jim Smith, executive vice president of Wells Fargo’s Internet Channel and Products group, in San Francisco.
The benefits of defeating today’s criminal threats are hard to quantify in dollars and cents, as the return on investment for companies such as Wells Fargo and SVB Silicon Valley Bank is measured by the companies’ ability to stave off potential attacks and the number of customers who remain willing to do their business over the Web. If successful in their endeavors to keep users protected and banking online, the companies also hope to keep their brick-and-mortar overhead expenses from rising to pre-Internet levels.
The other goal in allaying online attacks is the banks’ desire to keep their names out of national headlines for failing to adequately protect customer data, a fear that is increasingly driving adoption of new IT defenses faster than the fear of the threats themselves, security analysts said.
Wells Fargo maintains some $500 billion in assets and provides banking, insurance, investment, mortgage and consumer finance services to more than 23 million customers. The company offers a 100 percent security guarantee that its users won’t fall prey to online threats such as phishing schemes, keylogger programs and pharming attacks.
At the core of the bank’s Web applications defense effort is a best-of-breed approach that aims to provide fail-safe coverage for Wells Fargo and its customers by protecting online transactions at every level. By employing technologies from a wide array of providers, said Smith, the bank is able to use the most effective tools for each security function while protecting against loopholes that might exist in any single product.
Since Wells Fargo launched its online banking operations in 1995, its Web sites have been fully encrypted, including customer password input, processing and management features. The bank has offered two-factor authentication in its Commercial Electronic Office business portal since 2000.
Among the many tools employed by the company are applications from fraud detection and authentication software specialists Bharosa, along with other products from vendors including Actimize, Quova and RSA Security. The various products are used in unison to provide real-time risk analysis for all Wells Fargo’s customers’ online transactions, Smith said.
Bharosa offers two enterprise products. Its Tracker software analyzes users’ online account and device information to look for unusual behavior and help verify their identities, while Bharosa’s Authenticator application creates a unique “virtual token” to help encrypt user password or PIN information each time a user session is launched.
One of the more innovative elements of Bharosa’s software is known as the Slider, which helps protect users by using simple graphic symbols to further encrypt traditional passwords and screen names when users log on to a company Web site, rather than entering them on a traditional keyboard.
The Slider tool allows a customer to enter a PIN by using symbols, such as circles or triangles, to represent the individual alphanumeric characters used in their passwords and thereby make it harder for someone to intercept the information. The order and array of symbols are changed each time a user logs on, undercutting the efficacy of malware programs such as keystroke loggers, which attempt to intercept passwords and other log-in data for criminal purposes.
Wells Fargo combines the real-time log-in information it gathers from Bharosa’s software with data collected via IP location scanning tools made by Quova to help determine whether a customer is signing on from his or her usual device and location or if someone is trying to log in fraudulently from a different PC somewhere else in the world. If the information doesn’t add up, the bank can ask the user to supply additional information to gain access to the bank’s applications.
That system is linked with a risk management application made by Actimize that aims to detect fraud by analyzing online transaction and user-session behavior. Those tools are combined with applications that issue one-time passwords for customers’ high-dollar transactions, including RSA Security’s SecurID two-factor authentication tokens and an array of internally developed Wells Fargo programs.
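The layered checks described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article, the banks or any vendor named; the `Profile` and `Event` models, the `assess` and `enrol` functions and the dollar threshold are all hypothetical.

```python
from dataclasses import dataclass, field

# Assumed threshold: the article says only "high-dollar" and gives no figure.
HIGH_VALUE_USD = 10_000

@dataclass
class Profile:
    """What has previously been seen for one customer (hypothetical model)."""
    devices: set = field(default_factory=set)    # known device fingerprints
    countries: set = field(default_factory=set)  # countries from IP geolocation

@dataclass
class Event:
    user: str
    device_id: str
    ip_country: str
    amount_usd: float = 0.0  # 0 for a plain log-in

def assess(event, profiles):
    """Return (decision, reasons); decision is ALLOW, CHALLENGE or REQUIRE_OTP."""
    profile = profiles.get(event.user)
    if profile is None:
        # Fail closed: with no history there is nothing to compare against.
        return "CHALLENGE", ["no profile on record"]
    reasons = []
    if event.device_id not in profile.devices:
        reasons.append("unrecognised device")
    if event.ip_country not in profile.countries:
        reasons.append("unusual location")
    if event.amount_usd >= HIGH_VALUE_USD:
        # High-value transfers get a one-time password even from a known device.
        reasons.append("high-value transaction")
        return "REQUIRE_OTP", reasons
    return ("CHALLENGE" if reasons else "ALLOW"), reasons

def enrol(event, profiles):
    """Call only after a challenge succeeds, so a failed attempt never
    teaches the profile to trust the attacker's device or location."""
    profile = profiles.setdefault(event.user, Profile())
    profile.devices.add(event.device_id)
    profile.countries.add(event.ip_country)

if __name__ == "__main__":
    # Constructed sample data.
    profiles = {"alice": Profile({"dev-1"}, {"US"})}
    for ev in (Event("alice", "dev-1", "US"),
               Event("alice", "dev-9", "RO"),
               Event("alice", "dev-1", "US", 250_000)):
        print(ev, "->", assess(ev, profiles))
```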
In terms of creating a customer interface that provides adequate security without making online applications unwieldy for users, Smith said that Wells Fargo wanted a system similar to the anti-fraud programs maintained by credit card companies, which observe customers’ buying behavior and throw up a red flag when unusual spending patterns emerge.
“The key is creating something that doesn’t get in the way of customers,” Smith said. “Online banking has always been about convenience; anything onerous you create that gets in the way of customers completing their transaction is heading in the wrong direction.”
Another bank using Bharosa’s anti-fraud software is SVB Silicon Valley Bank, the commercial banking arm of SVB Financial Group, in Santa Clara, Calif. While SVB Silicon Valley Bank cannot claim the millions of customers served by Wells Fargo, the company estimates that some 80 percent of its business is conducted online and driven largely by its overwhelming proportion of technology-savvy Silicon Valley business customers.
In January 2006, SVB Silicon Valley Bank turned to Bharosa to help replace its existing third-party password protection and anti-fraud systems with something more comprehensive and easier to manage. Today, all online client accounts at the bank are guarded at log-in by enhanced features powered by Bharosa’s applications and a slew of other security programs.
Using both the Bharosa Tracker and Authenticator applications, the company has a much firmer grasp on who is accessing its online systems and what sort of behavior he or she displays, said Dave Webb, CIO at SVB Silicon Valley Bank.
“In our environment, we have a large number of big transactions with customers moving a lot of money over the wires, and we wanted to give users additional levels of validation for their transaction and any level of authentication they want,” Webb said. “The multi-layered technology approach is the only way you can support this type of a business as far as I can tell; you need a lot of different vendors and products to create a lot of different points for catching the potential attacks.”
Among the other vendors whose programs are used by the bank are data protection specialists Tablus and Vontu. Webb said that beyond protecting user passwords and online applications, SVB Silicon Valley Bank is employing those companies’ tools to protect against social engineering attacks aimed at its workers, or to fend off attempts to commit crimes internally.
“There will always be new threats on the horizon,” Webb said. “We’ll work hard to make sure we can predict a lot of it and be ready to change our defenses on short notice and adapt.”