BAI Podcast Transcript

Interviews with vendors from the BAI 2007 Conference expo floor MIKE D'AGOSTINO: Hi. This is Mike D'Agostino with Information Security Media Group, producers of BankInfoSecurity.com and CUInfoSecurity.com. We recently attended the BAI 2007 Retail Delivery Conference and Expo in Las Vegas, where the theme was "Customer Innovation in the Banking and Financial Services Industry." We had a chance to speak with several vendors who address information security within the banking industry on the Expo hall floor. I invite you to listen to what they had to say about how they are addressing security.

D'AGOSTINO: I'm here with Martin Hugo of Alaric Systems International. He is going to tell us a little bit about their products, specifically their fraud products and service.

See Also: IoT is Happening Now: Are You Prepared?

MARTIN HUGO: Okay. Alaric is a company about 10 years old, founded by some visionary guys who came from an environment where they were developing, supporting and selling [Electronic Funds Transfer] systems, and there was a certain legacy product that was abandoned by its new owners around about that time, and the company was formed specifically to support that population of customers who wanted to remain on that platform set and continue with the support of the experts who they were familiar with. After a couple of years, the company realized that it was time to move forward with a whole new product suite in the EFT space. EFT processing, switching, routing, and so forth. And so, they developed their own product, called Authentic, which is the first product that Alaric produced, and that product turned out to be tremendously successful, so much so that it sold well outside the original customer base, having been used to replace that customer base's original product set. And the pinnacle of success, so far for that product is that it is used by a very large American C&E card company as its central switching mechanism.

D'AGOSTINO: Okay. I won't ask for any names.

HUGO: The name of which I cannot mention. But, they are very much in the news these days as a potential rival to Visa and MasterCard, following certain activities in the market. And that product is being resold multiple times to a variety of customers around the world, and it is interesting that it is being sold globally, multiple times. And the fraud product came as a result of one of the customers who had taken the switching software to do their ATMs in the U.S., saying, "We need fraud risk management solutions. We're not happy with the degree of choice that we've got in the market. Would you be kind enough to develop one on the same platform that we've got now?" And, what they said was, "We want fraud risk management solutions which are built in the same spirit." And that is what Fractals is. But, when the guys came to develop it, it just so happened that the leaders of the company -- we've got a couple of mathematics Ph.D.'s, and they said they could not only rebuild real-time systems better than other people, using Java technology, more accessible technology, lower cost of ownership, and so forth, but we just so happen to have the expertise in analytics and artificial intelligence, as well. And so, what they did was ... they built a whole - what we call an "adaptive classification engine," which is effectively the function of the equipment that can be implemented much more cheaply, and models and solutions can be built far quicker, and you can even narrow that list to where it only takes months or years to develop the model. So, we've got kind of a unique product set, and it's probably the most open product set on the market. And, the switching, conferencing and ATM fraud software is complimented by the solution. So, the beauty of them all is that they are so configurable, and the fact that they can be controlled by the business user. So, instead of having to go back and reprogram, you shop the IT shop to get your stuff reconfigured to take on new cards, new customers, new portfolios, new business services, and stuff.

D'AGOSTINO: I think you are one of the first companies we have talked with here that is U.K.-based. I guess the majority of your customers right now are outside of the U.S.?

HUGO: Actually, we have customers other than the one we mentioned, in the U.S., but yeah, they're everywhere.

D'AGOSTINO: My question is, where do you see the differences? How is the U.S. market different compared to what you are seeing outside of the U.S. market? Are the needs different, or are they focusing on different things, or certain other things? You know, is money more of an issue?

HUGO: Well, there are two things. The first is, in the banking environment, there is an evident trend for a replacement cycle in the EFT market. So, people are running ATM call switches, and they're looking for change. They want stuff that can move faster, because the business demands on the cards business, as you know, has been so dramatic ... That, basically, the software package has historically led the market. They just aren't moving fast enough to satisfy the business requirements. And what we are finding is that even institutions that have got existing systems that would be well known to your readers as market-leading solutions, saying, "If I need to deploy a solution for portfolio cards in a certain country in Latin America, say, if I use my existing solution, under certain licensing terms, I cannot do it cost-effectively with what I've got already in house, and I want you to develop it, reconfigure it ..." So, they're actually seeing, "I need a solution now ... and I can't get it from my system suppliers." So, even people who've got ... existing solutions are saying, "They can't move fast enough. We want something new, and we want it now." And that is the kind of thing we are seeing.

D'AGOSTINO: Thanks for the words of wisdom. Again, Martin Hugo with Alaric Systems. Thanks.

D'AGOSTINO: So, we're here with Hal Tilburry of Bluepoint Solutions, and he is going to tell us a little bit about what his company does.

HAL TILBURRY: Well, our company is in the document management space ...We believe that document management needs to be anchored by a philosophy of best practices. Most document management systems, historically, in the financial world, have cost banks and credit unions money, as opposed to being a tool for them to make money or to improve service to their customers. We believe that by adopting best practices for document management, we can improve customer service, improve employee productivity and improve your bottom line. So, we strictly adhere to these best practices, and we have developed a complete suite of document management solutions that conform to those best practices.

D'AGOSTINO: Okay. I notice one of the things that you guys had was authentication. How does that play out?

TILBURRY: Well, dual-factor authentication is an important tool when you are working with documents, because there are many documents that are a factor of identification. Think of a driver's license. Think of a fingerprint, or a signature. All of these are actually what we would call a binary large object. They are really a document. And if you think of a document as, really, something that contains information. So, a fingerprint is just something that contains information. So, we manage any kind of binary large object, whether it be a Word file, an e-mail, a thumbprint, a video clip or a paper document that is scanned into the system as a gif document. But, all of this information needs to be secure, and it needs to be properly protected and managed, and that is what we do.

D'AGOSTINO: Okay. Any other words of wisdom you want to add for our folks, or ...?

TILBURRY: Well, I think most document management solutions that I have seen in financial institutions are what I would call first generation. They are really archival systems, and I would encourage financial institutions to think beyond that, to the fact that by properly formulating a strategy for managing your documents you can dramatically improve customer service and employee productivity, which has a huge payback. So, this application, instead of costing the institution money, can be something that can service their customers and save them a lot of money.

D'AGOSTINO: Very good. Again, Hal Tilburry of Bluepoint Solutions. Thank you very much.

D'AGOSTINO: So, we're here now with Dan Werner of Fiserv, which most of our audience must know about, and he is going to tell us about a new risk and compliance initiative that they have.

DAN WERNER: Fiserv is, obviously, looking at risk and compliance in a little bit different mode recently, as we have went through the Fiserv 2.0 initiative, which is really taking a lot of what we are doing from a corporate perspective, all of the different solutions that we offer at Fiserv and pulling them together into a little bit more cohesive package. Risk and compliance is one of those that we are really working hard on with the Fiserv 2.0 initiative. So, we're trying to take a look at risk and compliance, really, more from a holistic enterprise risk management perspective rather than taking all of our solutions that we have historically in the past as point solutions and individual solutions for risk and compliance and product management, and really trying to bring them in together, and into more of a strategic enterprise risk management strategy. One of the initiatives that we recently went through is the acquisition of a company called NetEconomy, which is a BSA and financial crime management company located out of the Netherlands. So, that is probably one of the first examples how we are bringing that particular company into Fiserv and using that solution and deploying it across all of the Fiserv cores at the same time.

D'AGOSTINO: Can you tell me a little bit more about how the company works? How is the solution based? How does it fit in with the financial companies?

WERNER: The NetEconomy solution really addresses all aspects of BSA, from SARS and CTRs to all of the risk ratings. It uses some very unique profiling capabilities, along with just some regular rules-based technology, to handle all of the reporting needs from a BSA perspective. And, on top of that -- which is where again it comes back to the whole enterprise risk management strategy -- they use that same platform to do all of the fraud management, both external fraud, amounts out of range, check out of range, check hiding, those types of things, as well as internal employee fraud. So, literally on the platform, the same data feeds, the same technology, again, more of a holistic approach to fraud management and risk compliance.

D'AGOSTINO: Okay. One more question. I know a lot of our users may be from some of the smaller community banks and credit unions. Is this a solution that can address that? Is this for all size institutions, or ...?

WERNER: All sizes. I mean, we have, obviously, serving in the market, everything from a de novo to multibillion dollar organizations, and we look at the markets that Fiserv serves, obviously with all of the different core solutions, and that addresses almost the entire market in the financial industry. So, the acquisition of NetEconomy, it is getting plugged into every one of our cores, both on the banking side, as well as on the credit union side. So, we are very scaled.

D'AGOSTINO: Okay. Again, Dan Werner with Fiserv.

WERNER: Thank you.

MIKE D'AGOSTINO: Okay. So, now we are here with Bill Mickelson of Jack Henry, and he is going to tell us a little bit about their fraud products and services.

BILL MICKELSON: With the Yellow Hammer products, it is a suite of products; there are multiple different modules that make it up. One is a fraud detection system, and that encompasses kind of complete fraud. It looks at everything from checks to deposits to check writing, ACH activity, and some degree of ATM and debit card fraud. There is a second module that is called EFT. That piece of the risk management piece is for only ATM and debit card transactions, but it monitors in real time. And that came out about two years ago, in conjunction with the increase in debit card fraud, and it has gone up a huge spike, you know, through the roof with debit card fraud. So, we needed to find a solution that could combat it in real time, versus looking at the transactions the next days. So, that is where the EFT piece came out.

D'AGOSTINO: Okay.

MICKELSON: The third module is our BSA system, and that is an enterprise-wide BSA solution, fully automated and covering all the different areas of the Bank Secrecy Act, from customer due diligence ... risk rating your customer base, case management training - all the different aspects that make up all the rules and regulations of the Bank Secrecy Act.

D'AGOSTINO: Okay. So, we kind of noticed, you know, last year was kind of the year of authentication. This year we have seen tons of traffic towards our fraud and BSA and AML sections on the website, and research. Tell me a little bit more. I mean, how do you guys address, let's say, insider fraud?

MICKELSON: We don't, actually; we don't have a piece yet for embezzlement. That is actually the next evolution, the next piece of our Yellow Hammer suite. So, there is nothing in place that we have today for embezzlement, other than watching internally accounts, we do look at employee accounts and so forth.

D'AGOSTINO: Well, let me add this. I mean, most of our users probably recognize Jack Henry as more of a core banking system. Tell me about, you know, how did this come about? How are you guys using your fraud detective suite to either enhance your core banking system, or is it in lieu of the core banking system? How do they fit together?

MICKELSON: This is an add-on to enhance the core banking system. This was something that Jack Henry developed about four and a half years ago, and for four and a half years we have done, say, almost 800 banks now are on our fraud detection system. Our BSA system came out just this past June, and in the last four months, we have got 130 banks that have signed up for it already, just in four months. So, this is an add-on to the core solution that alleviates some of the manual reporting.

D'AGOSTINO: Do you have to subscribe to your core banking system to use these?

MICKELSON: No. It is one of the few products in Jack Henry that you don't. Because of the demand we've had for Yellow Hammer, we now take it outside of Jack Henry's core base, as well.

D'AGOSTINO: Okay. Well, thanks a lot. Bill Mickelson with Jack Henry.

MICKELSON: Thanks a lot.

MIKE D'AGOSTINO: So, I'm here now with Larry Myers and Mimi Hart of Magensa, and they're going to tell us a little bit about their company, and the products that they are offering here at the BAI show.

LARRY MYERS: Okay. Magensa is a remote-hosted ASP service that provides credential authentication. It works in tandem with some products from Magtech Corporation, which are called Magnatape readers, and basically what we are showing here at the show today is our newest release of the Magnatape portable readers, which allow consumers, from their home sites or their office sites, to securely log in to the bank websites, or also to secure e-commerce using the financial bank cards that they already have in their wallets today, based on Magstripe technology. The centerpiece of the technology that allows this to work is called Magnaprint. It basically is a card authentication technology offered by Magtech Corporation, which allows each card to be individually fingerprinted, or as we call it "Magnaprinted," and from that point forward, allows us to authenticate that card each time it is used in the system. With that uniqueness, we then [enable] multi-factor authentication for FFIEC standards that allow people to securely log into any website, and because we are using the payment card, we can also use those features to automate e-commerce payment systems.

D'AGOSTINO: Very interesting. So, I saw sort of a quick demo. It's very nice. You don't really have to carry around any additional hardware. And tell me, I think most people are probably familiar with tokens. So, how does this kind of differentiate between your product and a typical token that people are used to?

MYERS: Well, we think that the best token that people have in their possession right now is their credit card, or the ATM card that is in their wallet today. Everybody carries it. They use it everywhere they go, at ATMs and POS, they trust it already. So, why not use that same token as what you are going to use for secure e-commerce or online banking. And basically, what the beauty of our system is is that the reader is basically a neutral device. So, it's not assigned to you, you can mix and match, so it is unlike some of the OTT tokens out there, where it is uniquely assigned to you, and you must use it with a given institution. Our platform allows you to basically use any card as a token, and use it through the reader in any combination that you want. So, you have complete freedom in just using the readers, either the ones in your possession, ones that you borrow from friends, ones that may be in public locations. There is a lot more freedom and flexibility in our platform than in some of the other token solutions out there.

MIMI HART: Our [solution] is far easier than the tokens. The tokens involve a lot of eye to hand coordination, so first you have to read the value, and then you can transpose ...

MYERS: Right. Only good for a certain amount of time, and ... yeah.

HART: Exactly. If you don't get it right in 30 seconds, you've got to back up and do it again. Whereas, everyone knows how to swipe. So, it's really easy. It's just one simple swipe and the data automatically goes in, fills in the field, and then you're ready to go.

MYERS: Right. We like to say "It's easier to swipe than type."

D'AGOSTINO: Okay. That's good. That's good. Now, I know you showed me sort of a quick demo on logging in to your own banking account, and maybe doing some online banking transfers and everything. You mentioned that there might be some other possibilities for this application, maybe as far as e-commerce goes, maybe some end users ...?

MYERS: Absolutely. Unlike other token solutions that are out there, which are only dedicated to one task, this product in this platform allows you to use it for other things. So, for other things. So, for example, besides doing online banking, you can also do secure e-commerce payments. So, in that model, the same piece of hardware is now acting as a traditional Magstripe card reader, think of it as a mini-POS device. But, it features encryption, so that all the data is encrypted at the point of swipe, as it comes into your PC and goes out onto the Internet and whatnot, and basically, what it allows you to do is to have an experience similar to what you have at a retailer today. You swipe your card at the time of payment and the information is securely transferred to the merchant, and it meets the best requirements ... for data encryption and data protection. And again, it's very fast, and one of the things customers don't have to do, again, is type. They don't have to type in 16 digits, they just swipe their card like they do at a POS terminal. So, we think that there are a lot of advantages there.

HART: And the encryption will add a lot, as well, because you will not have to worry about phishing, and people that are able to obtain that information. It's all encrypted. So, they can look at it all day long, but they don't really see clear data.

D'AGOSTINO: Very interesting.

MYERS: I think in a nutshell what we would say is that the most trusted credential that people carry today is that bank card that is in their wallet. We think that represents a powerful branding opportunity between the customer and the financial institutions. So, why not build on that trust and that flexibility of that Magstripe card document that they have today. And, with Magnaprint as a card authentication technology, and then the Magnatape readers, combined together, it allows you to extend that trusted platform that they use today out onto the Internet services.

HART: And the readers are awfully cute.

D'AGOSTINO: Yeah, they are.

MYERS: They're kind of fun.

HART: Exactly. They're fun. So, not only is it familiar technology, but it's fast, and it's ....

D'AGOSTINO: Yeah. Very interesting. Okay. Well, thanks, guys, again. Larry Myers and Mimi Hart of Magensa.

MIKE D'AGOSTINO: All right. Now we're here with Jim Dempster of Metavante Corporation. Jim is going to give us a little bit of words of wisdom, so to speak, on their company, and how they might address security within the finance industry.

JAMES DEMPSTER: Okay. To start with, I look at this from a software architecture point of view. We kind of break it down. Security means many things to many people. The two major categories for us are the authentication and identification, and then once past that, the authorization or entitlement to specific functionality. So, on the first part, we have increasingly tried to move towards a single sign-on or a federated sign-on model, so that with our authentication layer we tend to want that to be the front door to any number of applications behind it. And then, at the same time, in the case of larger financial institutions, they may already have their own security framework in place in front of us, and in that case we work as a trusted back-end provider, where that front-end or portal does the authentication and passes the credential to a back-end system, where we don't re-login or don't rechallenge. So, that's been one of the things that makes the whole user experience more pleasurable.

D'AGOSTINO: Okay. You said the second part, it sounds like it deals with kind of like ID management, or access control?

DEMPSTER: Well, access control, in the sense that once a user is logged in, then determining all the things that they can do. So, the approach that we have taken, and you see a lot of people liking a lot, is to move from permissions or privileges at the user ID level, to have more of the model of the user ID as a role, and it's the role that determines what privileges or authorizations they have, and that allows the administrator security much more effectively, provisioned users, and have, especially in a more regulated world, more of an assurance that I am not having unintentional ... systems. Whereas with the older method of just user ID and what they can do, if somebody changed departments or changed roles, he often didn't go back and clean up all the things that used to be [indiscernible]. So, those are probably the two kind of major shifts that we are working on, I think, as far as security goes, and it's very welcomed by our user groups.

D'AGOSTINO: Okay. One more question for you. You know, a major topic with our users is regulatory compliance. So, they are concerned when an examiner comes in and says, "We need to make sure your compliance programs for this particular regulation is up to speed." How do you guys address that? How do you help them?

DEMPSTER: We work directly with our regulators, and they are really speaking, you know, with the same voice as the banks' regulators, so we have very thorough examinations. We know what they are looking for, and we generally are out in advance, really, as to what the banks are going to be needing. For example, in the online banking, the two-factor authentication, and so forth. We need to get there very rapidly, just in anticipation of those regulatory concerns.

D'AGOSTINO: Okay. Again, Jim Dempster of Metavante. Thank you very much.

MIKE D'AGOSTINO: So, now we're here speaking with Joram Borenstein of RSA Security, and he is going to tell us a little bit about knowledge-based authentication.

JORAM BORENSTEIN: Sure. Well, I think knowledge-based authentication is relevant in the online world. It has to do, basically, with three areas of fraud that we are seeing here in the ... landscape here in the U.S. The three areas, basically, are in fraudsters attempting to impact and interfere with new applications, in a minute I'll tell you what I mean by that; the second area is around new remote applications and telephone banking; and the third area is around new emerging threats like Trojans. The first area, really, is [that we] see a lot of financial institutions who realize that they locked down most, but not all, of their website, and the area that we are starting to use KBA for is for something called account origination, where a net new user comes to you and tries to open an account online. And the second area is in new account opening, and new account opening is basically an offline user. Maybe it's an elderly person, or a youngster, or somebody who doesn't have computer access, or somebody who never opened an online version of the account. They are an offline customer of your financial institution, and have been for 20, 30, 40 years, perhaps. They don't own a computer. Never had online banking and never had an interest in online banking. Someone tries to fraudulently open an online version of their account, obviously without their knowledge, and opens their account and takes away all of the money. Alright? So, that is the main area that we are seeing a lot of interesting KBA. The second area I talked about is telephone banking, where people are saying, "How do I authenticate customers in a call center in a way that is stronger than simply the last four digits of your Social Security number, and perhaps your mother's maiden name, or your zip code or your mailing address?" Phone banking has, inadvertently become much weaker post-FFAIC, where the banks all, excuse me, the financial institutions all focused on the websites. The final area doesn't really have as much to do with KBA as it does with general concern in kind of a post-traditional landscape. How are financial institutions going to be impacted by things like Trojans, key loggers, stuff like that.

D'AGOSTINO: Okay. So, knowledge-based authentication, how does that fit into all three areas? I mean, how is it utilized in all three areas? How can it be used across, whether it's online or on the phone, or any of the other technologies, phishing, or that sort of thing?

BORENSTEIN: Okay. So, the first scenario, it's used, we use that in reverification to vette a net new customer. So, you know, John Doe or Jane Doe comes to your institution, and you have no prior relationship with them. You want to vette them, in addition to somebody asking for, maybe, your driver's license number and a couple of other pieces of data, you might vette them with some KBA questions. You might ask them the model of a car they once owned, or you might ask them if they know who a certain individual is, and that might be the brother-in-law of a spouse, something that a fraudster typically wouldn't know. But at the top of my impression, then, these wouldn't. The same scenario for anyone enrolling in online banking. If a fraudster steals a paper statement and tries to fraudulently enroll you, the fraudster is going to have a lot of information about your mailing address and the last few transactions, etc., but won't necessarily know the answer to these kinds of KBA questions, real estate transactions, things that have occurred in your past that you would definitely know the answers to. In the phone channel, it's no different. In addition to asking you the last four of your Social or your mother's maiden name, a customer service representative can ask you a couple of questions, and depending on your answers, assuming you passed the process, right, then give you access to a higher level of riskier types of transactions, like money transfers, etc.

D'AGOSTINO: Is there a set of procedures? Do you, do they know the questions to ask before they are asked? You know what I mean? Is there, like, a set-up when someone creates an account, do you have a list of, you know, 100 questions that they have to give you the answers to, or is it kind of on the fly?

BORENSTEIN: KBA never shows you all of the questions that are available, because if that were to fall into the hands of a fraudster, it would be a treasure trove, if you will. It's very configurable and very flexible in that, you know, different institutions typically present two or three questions initially, and you have to pass two or more, two or all of those questions, and if you don't, and then you're vetted and you're in. If you don't pass two or more, they might give you one more question, and if you don't pass that second question, right, that second level of questions, excuse me, then they might lock you out of the account, or prevent the process from going through. But there's no prior knowledge. I mean, the information comes from a wide variety of ....

D'AGOSTINO: That's what I was getting at. Where do the questions come from? Where is it? I don't want any secrets, or anything ...

BORENSTEIN: I can't give away the secrets as to where the questions come from, but I can give you some more examples that might pop up. They have to do with areas of prior employment, members of the family, real estate transactions, you know - "Have you ever owned property in this county in the state of Georgia?"

D'AGOSTINO: Okay.

BORENSTEIN: Car ownership, educational records, things of that sort.

D'AGOSTINO: Okay. You answered the question. What are, next question, what are some of the roadblocks or challenges that you're seeing, for financial institutions to [adopt] this sort of technology? And how do you overcome those roadblocks?

BORENSTEIN: Sure. I think, inherently, financial institutions initially have a knee-jerk reaction, which is "I'm not sure how this is going to fly with my customers." Right? There tends to be an issue of usablility that they are concerned about. There isn't an issue of usability once they actually start using it. But I think they automatically say, "Well, what if my customer is not willing to answer this question, or my customer simply believes the question is somehow an invasion of privacy?" Once they talk to us and once they understand how these things are used, and once they understand that this is why we deployed it to over 130 customers, most of whom are financial institutions, but some of them are not, though, but once they understand the flexibility and the fact that you can use it in an online setting, and you can use it in a call center setting, as well, they say this makes a lot of sense.

D'AGOSTINO: Okay. Do you see this sort of filtering down - and I don't know about the institutions that are currently using it, I imagine they are somewhat on the larger size?

BORENSTEIN: Generally yes, but not always.

D'AGOSTINO: Okay. So, it's filtering down into some of the small and medium sized institutions.

BORENSTEIN: Yes. We have some small credit union customers.

D'AGOSTINO: Okay. Very interesting. Okay. Anything else you want to add for our audience?

BORENSTEIN: Yeah. I mean, I would just take the opportunity to point out that the broad landscape is a dynamic landscape, it's changing. You know, I spoke a few moments ago about the three main areas that we are seeing it in, sort of new applications, new remote channels, like phone banking, and new kinds of threats in a sort of post-phishing environment. And probably a year from now, it will be another three areas. The fact of the matter is the fraudsters are very innovative, they are watching the regulations here in the U.S. and elsewhere, they watch the press releases, and they know what the vendors are doing, for the most part. I'm not trying to make anyone paranoid, but the fact of the matter is they are aware of these things. We know, through our anti-fraud command center, that they are monitoring the different procedures and the different processes, and the fact of the matter is that you need a layered and innovative approach, and if you don't have that layered, innovative approach, and you know, what works now might not work tomorrow or six months from now.

D'AGOSTINO: Okay. Well, thank you very much. And, again, Joram Borenstein with RSA Security.

BORENSTEIN: Good. Thanks, Mike.

MIKE D'AGOSTINO: Okay. We're here now with Eric Quon and Don Lee of Soft Forum, and they are going to tell us a little bit about who their company is, and how they pertain to the finance vertical.

ERIC QUON: Soft Forum is a software security product. We focus on online transactions, and that includes online banking and e-commerce. So, basically, we focus on two areas, anti-key logging and anti-phishing, which is prevalent, as far as the hacking and stealing of information, such as ID passwords, credit cards and Social Security numbers. So ...

MIKE D'AGOSTINO: Okay. Well, tell me a little bit more about your anti-phishing. I know that's a huge area. Especially, you know, we monitor a lot of phishing e-mails. We're seeing them not only come in from the top 10 banks that you are used to, but even down to the smallest credit unions now. That seems to be the new wave this year. It doesn't matter how big your institution is, there is a chance you are going to get phished. How do you guys deal with that?

DON LEE: Basically, software has different laboratories worldwide in Asia, Europe, America and Latin America. We also work with an organization here called, it's an anti-Phishing database, it's comprised of Symantec and McAfee. So, we all share different databases regarding phishing and phishing sites. Using that database, we have security products where, when a user logs onto, for example, Bank of America, or Citibank website dot com, that address part will be highlighted in green, to indicate to the user that it is a safe website where ...

D'AGOSTINO: It's the site that they meant to go to.

LEE: Exactly. So, it's a safe site where they can -- it's okay to conduct their transactions. In case they are attacked with a phishing or a SPAM e-mail, and they are redirected to a phishing site, we will indicate that site with a red highlight bar, indicating to the user that that is a bad place, and don't do any transactions. We also have a secondary security measure where we've blocked out any host file or third server manipulations. Those are cases where hackers will try to manipulate the host file, and so even if you go to Citibank.com, it might appear that the real site appeared, but in actuality, it's not the real site.

D'AGOSTINO: It's copied, or something?

LEE: Yes. We will block out that site.

D'AGOSTINO: It has to be known already.

QUON: Yeah. The thing is that they are usually, the anti-phishing sites, still are over the weekend disappeared right away. So, it's not useful right away, but this product is what we want to say is it is, we got the green bar ... to indicate that this is a site where I was going to go. For example, Bank of America, if you see some of the India, Chinese, Korean locations, this is a suspicious site. So, we display that kind of ...

D'AGOSTINO: So, it's kind of in real time. I mean, you're kind of using data from different sources, and, and ...

QUON: It's almost real time. And also, it's key word search based, too. So, if you type "Bank of America," and Bank of America was shown with a different domain name, it will indicate that that is a suspicious site, too. And also, our anti-key logger section is, everything is moving to compliance. The U.S. government is driving compliance, and the banking [industry] is used to talking about security, and the security matter is high level ... To us, it's not enough. Why? Because you can always come from South Korea, and South Korea is originally one of the most [online] country than any other country. Over 85% or 90% of households have the highest speed modem connections. So, online subscribers, the banking subscribers joined together with high speed Internet subscribers, however, over there, 2006 was an outstanding year, for the first time, online transactions for money were higher than offline transactions nationwide. Every bank connects together, so that you can easily wire the money from Bank A to Bank B. When you transfer, say, $5,000, it costs about only $.50 for each case. My mom is 68 years old, and she is carrying her own tool in the suitcase, and she knows three different passwords. We educate my mom and she is doing it, because she recognizes that it's much easier to do it. It's a different generation.

D'AGOSTINO: So, it's a huge audience.

QUON: A huge audience. The U.S. will be getting to the same level right now. Because a long time ago, a generation, they don't know how to make a phone call ...

D'AGOSTINO: Right. Right.

QUON: ... they call to the operator. Now, older folks call the phone, or watch the satellite TV ...

D'AGOSTINO: But anybody can use it.

QUON: Right. But the problem is they still get the information from keyboard drivers. So, we encrypt the keyboard drivers here. So, this is more than two factors.

D'AGOSTINO: Okay. Very interesting. Okay. Well, thanks for the words of wisdom. Again, this was Soft Forum. Nice speaking with you.

MIKE D'AGOSTINO: We're here now with Mike Clarkin of Sykes Enterprises, a customer service outsourcing company, and he is going to tell us a little bit more about their company and vendor management with financial institutions and sort of what they have to go through, or what you should go through in order to work with a financial services company.

MICHAEL CLARKIN: Well, thanks for the chat. Sykes is one of the top outsourcing call center companies in the U.S. We've got a global presence. We work with banks and financial institutions all over the world. And to your point, really the main thing to consider when you're looking at outsourcing your call center services is the capability of your partner to really integrate with your network and become part of your security policies.

D'AGOSTINO: Okay. So, some of the things that you might have to do to work with a financial services company, I know that most banks or credit unions, or financial services organizations, when they do work with an outside vendor or a third-party service provider, you kind of have to jump through some hoops in order to work with that company. Can you tell me a little bit more about that.

CLARKIN: Well, I don't think I would call it ... it's what they have to go through. They carry a burden of privacy and legal responsibility that is higher than most industries. And so, in the very beginning of the ... process, we are looking at what does the physical security have to look like, what does the network security have to look like, what are the policies and practices related to our staff, and how they protect private information and personal information, and we build that all into a solution design that makes it so the bank can basically extend their network and their tools to our company ...

D'AGOSTINO: And I know before when we talked a while ago, and you had mentioned about sort of tracking and compliance issues. So, they want to, you know, examiners want to see an audit trail of what you have done. How do you guys address that?

CLARKIN: That's exactly right. You do that a lot of different ways. One of the clever ways we are doing these days is we have some automated tools that allow us to read or have the agent deliver compliance statements in an automated fashion, so that it can be recorded in the system, and we can guarantee sort of that it has been delivered and how it's been delivered and what time it got delivered. And I think the banks carry the biggest burden of the scrutiny of auditors, on how they perform and how they handle sales practices in particular. So, we're very conscious about how we do that. And you can, we do train agents day in and day out about how to be good about that behavior, but it's also nice to have some automated tools to make it a bit more easy for them to do.

D'AGOSTINO: Alright. Okay. Again, Mike Clarkin of Sykes Enterprises. Thank you very much.

CLARKIN: My pleasure.

MIKE D'AGOSTINO: So, we're here now with Rob McLaughlin of Thales Security, and he is going to tell us a little bit about the company and how they address the finance industry.

ROBERT McLAUGHLIN: What we do is we have two main products. The first product is we do network encryption for the banking industry and financials. And where that comes into play is when a bank has a data center, or a disaster recovery site, or storage area network site, and they say, "Hey, we want to encrypt the pipelines of data going between the different locations," from anything from a T1 to an OC192. We do hardware encryption, which is the best encryption AES to 6K, and our products are approved by federal agencies, the federal government, and we do a lot of work for the military, as well. So, the applications that we run to are a lot of companies in the U.S. might have facilities around the world, and we provide hardware encryption for these companies to send large pipelines of encrypted data in transit. So, anything moving across their network is all encrypted. The other part of our product portfolio is securing credit card information for people -- like all the major credit card associations use our products to encrypt and decrypt sensitive information from ATM or point of sale. We provide a hardware cryptography for those companies. So, when they are selling their banking solutions, we provide the hardware piece for software companies. We have offices all around the world, and we sell the same products all around the world. So, we can support any customer in the U.S. worldwide.

D'AGOSTINO: So, we heard last year some talks from people from the FDIC regarding encryption, and we all heard that encryption was going to be a big factor this year and moving into 2008, and even everything that has happened with, you know, the TJX data breach has been in the news a lot recently, and it seems like you guys are on top of that. What can you say about the payment card industry, PCI compliance?

McLAUGHLIN: Well, that's one of our main areas, again, working with people like Visa and working with MasterCard. We have people on the committees sitting there. So, we work very closely to make sure that all of our products have fits for that industry. We have seen a growth this year in people who are interested in buying our products, I don't have the statistics in front of me, but from what they were over the last few years, this is probably the strongest year we have had in sales of network products over the commercial space. We've always been strong in the government space, but over the commercial space, in enterprise and financial, it's just been ... it even might double this year.

D'AGOSTINO: Do you think things like the TJX data breach and the some of these regulations and guidance being issued, are those a driving factor?

McLAUGHLIN: Well, there's more exposure. The thing that we see with security, it depends on how much money a company has, because when you look at the risk, a company is going to look at what they want to invest their money on for security. And the thought would be the piece of encryption is where we see companies saying ... "Yeah, that's part of what we want, too." But it still comes to internal threats and internal things where a lot of money is spent. But, we are seeing, finally, more money being spent outside of that a little bit. But it really is a philosophy of the company. Because there are some companies that say, "We're encrypting all the pipes, and we might do software some different ways." But we have some companies who mandate that they want to do everything with hardware encryption, and that's where we've got some significant business this year. And we see that trend continuing in 2008, as well.

D'AGOSTINO: Very good. And again, thank you very much. Rob McLaughlin with Thales Security. Thank you.

MIKE D'AGOSTINO: Okay. We're here with Adam Dolby of Vasco Data Security, and Adam is going to give us his words of wisdom on what their company does and how it pertains to authentication in banking.

ADAM DOLBY: Thanks, Mike. Vasco is, we're actually the largest authentication provider in the world. We have about 850 to 900 banks around the world using our authentication solutions for securing their end user customers. Retail authentication with tokens is taking place all around the world, especially in the United States and Canada. And then, we are seeing some sort of passive authentication taking place in the U.S. The company as a whole received somewhere in the neighborhood of 75 million to 80 million end users secured with Vasco technology through banking applications. That certainly is our core focus and where we find our niche.

D'AGOSTINO: Okay. How would you say that your tokens kind of compare with other tokens out there?

DOLBY: The significant differences for us are, number one, we started the business focusing on financial institutions, so we designed and implemented solutions that are for delivery, for banks to their customers, rather than building out for network access and all that other stuff, like most other providers have. We've focused, all throughout our history, on delivering authentication to massive numbers of end users. So, we have tokens that last seven to 10 years, as opposed to the normal three. We allow complete branding of the tokens, and I have a sample here, where the financial institution can pick their color, put their logo on it, and so you notice, there is no Vasco branding on it, at all. And in the ideal situation, the end user customer has no idea who Vasco is. We prefer the banks have their brand, it's their product, and they've made the investment in security, and we want to have the customer feel that the bank is securing them, not Vasco. The other significant difference for us is our back end is very flexible, very scalable, so it provides for where millions of tokens to be deployed as easy as hundreds. So, there is no impact to the banks, and it integrates directly into applications, and it's very easy for administrators, and it's a very compelling solution to deploy.

D'AGOSTINO: Would you say there is any specific size institution that might use these, or is it ... the smallest?

DOLBY: It's all the way from de novo to, you know, the Capital Ones of the world. Just any size fit. And really, it's sort of a testament to our pricing model, and our market strategy, and the vision that we have is that every bank should be able to afford authentication, and be able to deliver to their end users. We don't care if it's the mom and pop bank down the street, or you know, the largest in the world.

D'AGOSTINO: Okay. One last question. Where do you see tokens going? What's the future? If you can tell me.

DOLBY: Tokens for everyone. Where we see it, generally, to be honest, in order for tokens to really hit through the U.S. on the retail side, there needs to be an evolution in the transaction ... for the U.S. consumers. The reason that tokens are so prevalent worldwide is that they are able to move money between banks, almost in, you know, in near time, so almost a five- to 10-minute settlement between banks, through consumers, and it makes fraud very highly likely, and it makes those banks very attractive targets. So, you see true strong authentication happening worldwide. In the U.S., we don't have that capability. We have bill pay, and we might be able to move it in a few days, or so. It's generally not even anything close to real time, or even near time. So, once that transaction [changes], you will see this start to happen en masse, for the U.S. retail market, where we see it sort of short term. So, that's kind of the two-to-three-year outlook. Short-term it's high net worth, high functionality users on the retail side, and cash management has certainly moved towards tokens.

D'AGOSTINO: Very good. Well, thanks. Adam Dolby from Vasco Data Security.

MIKE D'AGOSTINO: You've just listened to vendor interviews conducted on the Expo Hall floor at the BAI 2007 Retail Delivery Conference and Expo. To learn more about these vendors and other topics regarding information security in the banking and finance industry, please visit BankInfoSecurity.com or CUInfoSecurity.com. Thank you.


About the Author




Around the Network