Lining Up to Stop Online Theft
Web-security firms team with financial institutions to cash in on new guidelines
By Thomas Gaudio
March 27, 2006
Internet-security providers stand to profit as U.S. banking institutions scramble to comply with new federal guidelines designed to stamp out online theft. Two local companies—StrikeForce Technologies and Green Armor—have in the past month signed deals with credit unions and firms that create online platforms for banks.
At present, a user name and password are all that is required for a person to do something like transfer money between accounts online. But procedures handed down by the Federal Financial Institutions Examination Council (FFIEC) call for financial institutions to have more safeguards in place by 2007.
The FFIEC, sanctioned by the U.S. government, creates standardized systems for agencies like the Federal Reserve to use when evaluating and rating financial organizations.
The new procedures, titled “Authentication in an Internet Banking Environment,” are an update to the FFIEC guidelines released in 2001 that addressed electronic banking. Escalating fraud and major changes in the law and technology prompted the revisions.
For companies like Edison-based StrikeForce, the FFIEC’s decree presents a major opportunity. Last month, the electronic security company signed a deal with Corillian, an Oregon-based provider of Internet-banking platforms to financial organizations. The partners will offer a well-protected banking environment to online customers under several joint agreements, says George Waller, vice president of marketing at StrikeForce.
Corillian will offer two of StrikeForce’s technologies—VerifyID and ProtectID—with its products. The two companies will share revenue on sales of the combo systems.
Identity theft caused $53 billion in losses in 2004, says Waller, and there’s no end in sight. “Everyone’s grabbing a partner,” he says. “Everyone’s making deals.” He says the guidelines have opened up a market of nearly $2 billion for companies like StrikeForce.
VerifyID, one of StrikeForce’s main products, scrutinizes people setting up bank accounts for the first time. The program analyzes billions of personal records from credit-reporting agencies in real time to “form questions on the fly that you have to answer in under a minute,” says Waller. Incorrect responses prevent further attempts; subsequent requests are routed to the bank’s help desk.
ProtectID, StrikeForce’s second suite of products, works to authenticate users during banking transactions through measures that include placing a call to a customer’s cell phone. Companies can also use ProtectID devices to scan irises and take fingerprints—usually of employees with access to sensitive data.
ProtectID’s techniques all conform to the new guidelines for acceptable means of confirming a person’s identity. The report says companies need multiple layers of protection to guard against electronic intrusions such as phishing, pharming and malware. Phishing refers to bogus e-mails that lure people to fake Websites. Pharming redirects Web surfers from legitimate sites to phony ones without their knowledge or consent. Malware piggybacks onto seemingly innocent downloads of files like MP3s, stealthily sets up shop on computers and steals sensitive info as it’s being typed.
Green Armor, which is based in Hackensack, uses its Identity Cues system to address phishing and pharming. Online customers of six credit unions across the country will soon get an eyeful of the local company’s patented software. Each user will receive a unique logo that will appear on a bank’s Website with every login. The Cues software also verifies customers by linking to a user’s computer and communicating with it behind the scenes during transactions to determine factors like time zone, operating system and browser type.
Joseph Steinberg, CEO of Green Armor, says the Identity Cues logos will alert people to the fact that the authentication software is in use. The absence of a logo will indicate that something is amiss and prompt people to contact the authorities. That way, “investigators can get involved in the process earlier and get the criminals to go elsewhere,” Steinberg says.
This story originally appeared in print as well as online.