Corillian Integrates Strong Authentication in Software, Services

With identify fraud posing a serious challenge to online bankers and merchants, technology vendors are starting to respond with hardware- and software-based solutions offering so-called strong authentication, which adds a second factor of identity to the standard user-name/password pair. Now Corillian Corp. has launched a product it says is the first to integrate strong authentication in online banking services and software. Like many vendors, the Hillsboro, Ore.-based software supplier is in part responding to a recent guideline (Digital Transactions News, Oct. 26) from the Federal Financial Institution Examining Council concerning the need for banks to move to two-factor authentication. (The second factor is usually related to something a customer has, such as a token, biometric characteristic, or computer). In related news, the company says a product it rolled out last year to detect online intrusions is helping put a dent in the steadily mounting threat represented by hacking and phishing?the use of bogus sites dressed up by fraudsters to look like legitimate sites to steal PINs, passwords, and other data from unsuspecting Web users. Corillian's Intelligent Authentication product supplies the second factor in the form of so-called access signatures?characteristics such as the operating system, geographic location, browser, IP address, and time of day?created by users when they log into an online-banking system. The product requires no action by the user and doesn't rely on a cookie or other code placed on the user's machine. “The average consumer isn't going to use a key fob or a CD [to log in],” says Alex Hart, president and chief executive of Corillian. “They won't go through that hassle to pay bills.” By compiling a history of access signatures for each log-in, the application assesses the risk of unauthorized access each time a user logs in. Attempts whose signatures depart sufficiently from the historical norm can trigger one or more challenge questions based on information supplied by the user at enrollment. A correct answer updates the signature history; a wrong answer returns the user to the log-in page. Three financial institutions have signed up for Intelligent Authorization so far, including the University of Wisconsin Credit Union, which has more than 100,000 members. Corillian won't project sales, but with pressure on banks from the federal government to move beyond single-factor authentication, the company expects brisk business. “With strong guidelines from the FFIEC and [rising] phishing attacks, we feel 2006 will be a strong year for our security business,” says a spokesman. A second product, called the Fraud Detection System, sifts through reams of log files generated by the web servers running a site to identify intrusions. The automated system looks for such things as repeated attempts to log in, efforts to expoit software flaws, and other such indicators of hacking. “Banks have these web logs but don't know what to do with them,” says Hart. The product, which Hart says is also aimed at online retailers, can aid in shutting down phishing sites by identifying attempts by phishers to lift graphics they need to create their bogus sites. “They'll steal logos from your site,” says Hart. If phishers have created links to these pages on their servers, it will show up in the scan of millions of lines of web-log content, Hart says. In one case, he says, the system detected a phishing site under construction and helped get it shut down by the Internet service provider supporting it eight days before it launched. Clients can deliver their logs to Corillian for analysis, with same-day reporting, or install the program in their own data center. Launched last summer, the product has so far been adopted by 35 clients, including several top 10 banks, the spokesman says. Corrillian won't publicly specify pricing for Intelligent Authorization, given that it has just been introduced, but it is based on number of online users and is “significantly less than a hardware token device,” the spokesman says. Pricing for Fraud Detection System is based on the number of Web servers run by the client and ranges from $200 to $300 per month per server.