ING looks to help customers secure online transactions

Computerworld - Despite numerous security measures by online banks and e-commerce sites to secure consumer data, few have been able or even willing to directly protect customers using their sites from phishing scams and data-stealing malware.

Among those looking to make a change is online bank ING Direct USA, which this week made available a small software tool from Trusteer Inc. that is designed to protect consumers against online fraud and ID theft.

Trusteer's Rapport software, available as a free download, helps protect customers by essentially building a secure connection between a users' desktop and the Web site he is accessing, said Trusteer CEO Mickey Boodaei. All communications and transactions between the user and the site are carried out within this secure tunnel, Boodaei said.

The goal is to prevent the data that is exchanged during an online transaction from being stolen by keystroke loggers and other types of threats such as man-in-the-middle attacks and session hijacking, he said.

"What Trusteer does for us is kind of address, at a basic level, some of the security threats out there," said Rob Weaver, head of IT security at ING Direct. Unlike other antivirus and malware protection tools now available, Trusteer's software is designed to secure Web transactions even if the user's system itself is compromised, Weaver said. For instance, a keystroke logger on a user's system would not be able to steal data when the Trusteer software is in use while accessing ING's site, he said. Similarly, the software can prevent users from being redirected to a spoofed site if they click on a malicious link, he said.

The tool is easy to install and, once in place, runs in the background -- launching whenever the user logs onto ING's site, Weaver said. "This is all about a layered approach and covering all the bases. Banks are doing their thing and securing their servers and their networks. They are raising the bar on providing authentication. The users have their responsibilities with their PCs."

Trusteer's tool is another way of ensuring users are protected, even if they fail to secure their own hardware, he said.

Rapport features a three-layer architecture for creating the secure pipe inside a user PC: An API Blocking Layer to prevent malware from using operating system API calls to tamper with a session, a data encryption layer that encrypts all communications, and a delivery confirmation layer that authenticates the Web site being accessed.

ING's move is noteworthy because until now banks and other service providers have been "quite averse" to distributing desktop security software for end users to use when transacting with their Web sites," said Avivah Litan, an analyst at Gartner Inc. Most don't want the headache of having to deal with PC maintenance and troubleshooting customer service calls. They don't want to touch customer desktops that are outside their network boundaries.

But with more attacks being directed at consumers, at some point banks and other service providers were bound to take some responsibility for securing customer transactions on their sites, she said. Trusteer's software would seem to fit the bill, because at 400KB it is small enough for users to download easily while offering a layered approach to protecting customer data, she said.

"Trusteer's technology is intriguing, but still unproven," she said. "Many eyes will stay focused on ING Direct's experience with the Rapport software."

Read more about security in Computerworld's Security Knowledge Center.