As emerging security threats cause confidence in online services to wane, banks and businesses are searching for new ways to restore users' faith. Rival providers of online authentication technology RSA Security Inc. and Vasco Data Security International Inc. are taking advantage of this opportunity to spread their technology across the globe.
RSA Thursday announced that Japan Net Bank and Sumitomo Mitsui Banking Corp. have chosen to use RSA's SecurID two-factor authentication technology to better protect online banking customers in Japan against threats including fraud and phishing. Japan Net Bank, which launched in 2000 as an online financial institution, is deploying RSA SecurID tokens to more than 1 million online banking customers. Sumitomo Mitsui, meanwhile, has deployed SecurID as part of the bank's One’s Direct Internet banking service, which has more than 6 million users.
As RSA spreads to the Far East, Vasco has its sights set on the North American market that RSA has come to dominate. Vasco Tuesday announced it has sold and delivered 20 million Digipass token authentication devices, with 7 million of those sales coming in 2005. While Europe is Vasco's largest market, the Americas and Asia are growing the fastest.
Vasco earlier this week also introduced its Digipass 860, an authentication device that plugs into a USB port. The 860, developed in conjunction with Italian security device maker Eutron Infosecurity Srl and scheduled to ship by June, can be used to provide secure remote LAN login and for public-key infrastructure, or PKI, authentication. Vasco also recently introduced it Digipass 300 Comfort Voice device for the blind and visually impaired. The 300 Comfort Voice features extra-large buttons and LCD display and has a speech component that can audibly read authentication codes to the user in a variety of languages.
A major development pushing the growth of two-factor authentication technology, which requires users to input one password or PIN they create for themselves and one they are assigned randomly through a token device, is the Federal Financial Institutions Examination Council's publication last October of updated recommendations to improve security in online banking. The FFIEC recommends that financial-services companies create two-factor authentication for online applications that require banking customers prove their identities using more than just a user name and password. Although the FFIEC guidance lacks teeth with which to penalize laggards, it does stipulate that financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.
Both Sovereign Bank and LaSalle Bank Corp., a subsidiary of Netherlands-based ABN AMRO Bank N.V., are Vasco clients looking closely at the FFIEC guidelines. ABN Amro is treating the FFIEC guidelines as though they were regulations, said John Scully, first VP of electronic banking products for ABN Amro, who spoke Wednesday at a Vasco-sponsored event in New York. Leonard Goodman, senior VP and product management director of Sovereign's global solutions group, at the same event said, "We have a project to evaluate our different online services, what the risks are, and what security needs to be implemented as a result of the guidelines."
LaSalle Bank has been using Vasco Digipass token technology for the past seven years to provide customers with authentication when performing sensitive online transactions such as wire transfers and stop payments. "Tokens are extremely portable, easy to use, and their life expectancy is more than seven years," Scully said. LaSalle also uses RSA SecurID tokens.
Sovereign Bank has since 2003 been using Vasco Digipass tokens to provide 2,500 of its 12,500 corporate customers using its information reporting and initiation system with authentication security during wire transfer online payments, which totaled $60.4 billion in 2005. One reason customers like tokens, most of which are the size of a car alarm remote, is because they are a physical representation of digital security, Goodman said.
Vasco needs this kind of enthusiasm to take on RSA in North America. The company has about 2,100 customers worldwide, 450 of them banks. Vasco chairman and CEO Ken Hunt Wednesday used a soft drink metaphor to describe his company's place in the North American market, comparing RSA with "Coke" while likening Vasco to "RC or even Pepsi."
Through the nine months ended Sept. 30, 2005, RSA reported $163.2 million in revenue and $30.8 million in profits. While revenue was down from $169.4 million for the first nine months of 2004, profits were actually higher than the $23.2 million reported in 2004. RSA set itself up for further growth in December when it spent $145 million to buy Cyota Inc., a provider of online security and anti-fraud technology to the worldwide financial services industry.
Through the nine months ended Sept. 30, 2005, Vasco reported $37.1 million in revenue and $4.7 million in profits. This was up from the same time period a year ago, when the company reported $14.7 million in revenue and $2.5 million in profits. In addition to financial services, Vasco's token technology is used by health-care providers logging on to view patient records, automotive dealers as well as online banking and brokers to place online orders, online gamers to make payments, and educators to prevent the theft of exams.
Broadband and cheap PCs have primed users to take advantage of a wide variety of online services, in particular online banking. But the growth of online services is not a given. "We can't allow security problems to undermine trust," Vasco CEO Hunt said. "And banking is all about trust."