Protecting The (Brand New) User

Over the past few weeks, I've had the opportunity to meet with literally dozens of leading banks and financial service providers, as part of the Authentium SafeCentral rollout.

Authentium SafeCentral, for those unfamiliar with the service, provides consumers with a simple, highly-effective way of securing online banking and transaction sessions, by combining a locked-down virtual desktop with a secure browser and dedicated secure DNS network.

For the most part, banks are doing a good job of deploying and employing additional security layers and user authentication methods.

I witnessed a number of very practical and well-designed technologies, including several practical and well-designed out-of-band text-based transaction confirmation systems, and some terrific automated fraud and AML (anti-money laundering) controls.

However, one glaring gap in security that almost everyone agreed needs improvement is the issue of how to protect the personal data supplied by a "brand new user." Nobody I've spoken to has yet gotten this right.

Visit the web page of virtually any bank (except those than only allow branch-based processing of new accounts) and you'll see what I'm talking about. Most banks host multiple online application forms for credit cards, home equity loans, insurance, and numerous other products.

All require massive amounts of personal data to be entered at the time of application.

Which leads to a problem. At the time of the application, the only security is "implied" security - which is to say, the user assumes that the bank is somehow protecting them while they go through the process.

In actuality, both parties are "flapping in the wind" when it comes to this data transfer. Banks don't yet know their (new) customer, and cannot verify if the data is legit or stolen, and cannot protect the user using anything more sophisticated than an SSL session.

In the event of a breach, users, unfamiliar with the site, don't know they are being redirected to a phishing site, a spoofed sign-up page, or a page designed to serve up malware.

During this critical application process, the user is, for possibly the only time in the banking relationship, laying out every single personal detail, include the details most critical to their identity - for the world (and any installed keylogger or screen-scraper) to see.

Here's an example of how this can affect behavior - and the pace of account sign-ups.

While having a very pleasant lunch recently with the CTO of a billion dollar financial services firm, we got to discussing Mint.com (a service that we're both fans of, in concept), and discovered that neither of us had gone "all the way" through the sign-up process. We'd stopped short of plugging in our accounts.

Why? Security. The part in the sign-up process where you need to share all your passwords to all your bank accounts "in the clear" - without any prior relationship being in place with the company, and any knowledge of security processes - was just too scary for either of us.

Which is a shame, because the service Mint offers looks tantalizingly good.

Obviously, our service - SafeCentral - offers a possible solution here. And it wouldn't be an expensive solution. Offering it as part of a new account sign-up wouldn't cost Mint (or anyone else in the business of signing up new users online) anything - there's a 30 day free trial version.

And it would help those users (like me) that are deeply uncomfortable sharing personal data online - and help plug a hole that I am certain, based on my recent conversations, that online criminals are bent on further exploiting.

Whatever solutions are eventually utilized, these gaps for me loom larger ever time I visit a financial services site. I feel for the (brand new) user, who has no way of knowing whether or not their personal data is going to be protected, or stolen, as a result of applying for a new service.