Software Tools Promise to Create Virtual ATMs

A new software development kit marketed by security specialist Authentium offers to lock down all other applications when users interact with banks and other financial institutions.

Authentium, which sells software development tools to security applications vendors, introduced a new product July 31 that promises to give banks and other online service providers the ability to create more secure Web-based transactions.

Dubbed VirtualATM, the SDK (software developer kit) is aimed squarely at businesses looking to boost security of their online operations by further locking down users' computers to decrease the likelihood of fraud during sensitive communications.

Meant to be offered directly to customers by financial services firms and Internet service providers, and via partnerships between the two types of companies, the product promises to shut down all other applications running on a device when an end user begins any Web-based transaction on a site that uses the technology.

The VirtualATM toolkit also aims to help financial companies comply with the security guidelines set forth by the FFIEC (Federal Financial Institutions Examinations Council).

With the rise of spyware, phishing and other malicious attacks that directly attempt to steal people's personal financial information for the purpose of committing identity fraud, Authentium officials said that banks are looking for new ways to reassure customers that doing business online is safe.

By preventing any program from running on a desktop other than the browser in which the user has logged into a service using the technology, end users and their service providers can be assured that third parties cannot view transactional data when it is being processed.

VirtualATM also promises to establish a VPN (virtual private network) between the end user and his or her bank, which, combined with the PC lockdown functionality, creates a doubly secure environment, company officials said.

"There's no solution that addresses the need for end-to-end security without putting the burden on the customer, and we know that the customer's PC is most often the problem, having been exploited by some type of malware," said Corey O'Donnell, vice president of marketing at Authentium, West Palm Beach, Fla.

"This allows banks to establish a secure tunnel between themselves and their customers that won't allow any other program to interfere or try to steal data."

As an ancillary benefit, O'Donnell said that customers of businesses using the technology will know that they have not been lured into any spoofed sites or phishing attacks based on the manner in which the program works, including a set of visual cues that inform end users when they have entered a session.

By stopping all other programs from affecting such a transaction, the software essentially creates the same sort of trusted connection that banks maintain to communicate with their automated teller devices, he said.

Using the toolkit, companies can build extensions designed to intercept device driver installations and other system events, or any computer activity that requires the processor to function.

In doing so, VirtualATM eliminates the threat of so-called keyloggers by prohibiting the applications from running, since these applications would initiate events with the processor.

Other security vendors have recently detailed products aimed squarely at helping online businesses improve consumer confidence in online transactions.

Anti-virus market leader Symantec has issued a beta version of its Norton Confidential application, first announced in June, which uses a combination of black lists and advanced heuristic scanning tools to help protect transactions as they occur.

Green Border Technologies also offers both enterprise and consumer applications that use virtualization technologies to create stronger "virtual sessions" for people doing business online.

Jonathan Singer, analyst with Boston-based Yankee Group, said that banks and other financial services providers increasingly need to help provide technologies that can better protect customers and potentially convince those people not using their online services, based on security fears, to begin doing business via their Web sites.

While the Authentium approach of physically shutting down all other applications while a transaction is being processed may be slightly "heavy handed," and could confuse some end users, the software could help stop keyloggers, one of the biggest problems facing the online banking industry, the analyst said.

Other vendors such as Symantec and McAfee have a direct line to consumers, adding anti-phishing tools to their security application suites, while Authentium is trying another route that specifically requires the banks to become more involved, a step Singer said those companies may need to take.

"Everyone is trying to figure out new ways to help the banks become more secure, and consumers don't want to download a lot of extra software to their desktops to try and protect themselves," Singer said.

"The banks need to take care of this problem, because they're the ones losing money because of the security concerns, and this is the type of thing I think you could see companies adopt as they try to create the next level of security for their customers."
