Thursday, November 21, 2024

Behind PassMark’s ‘Keep it Simple’ Plan to Fight Phishing Fraud

Woodside, Calif.-based PassMark Security LLC, which incorporated only in February to attack phishing and other online transaction fraud, says it has attracted interest in its solution from banking and retailer Web sites. The company is now in serious discussions with “eight to ten major sites,” says Bill Harris, chief executive, and is looking forward to clinching its first deal. A former chief executive of both Intuit Inc. and PayPal Inc., Harris says PassMark's product has been under development for about two years and is designed to be easy for both consumers and Web marketers to deploy.

PassMark offers to license a product to e-commerce sites that allows consumers to choose or upload an image, along with a short bit of text, that can be used to authenticate both a Web site and e-mail from the Web marketer. The text can be made to display as well in the headers of e-mails from marketers using the system. Consumers are prompted not to enter passwords until they see the image and accompanying text, which are known only to the site operator and the consumer. Criminals who use phishing schemes send e-mail and create Web sites that mimic the logos, slogans, and language of legitimate financial and retail sites to gull consumers into giving up sensitive data like passwords and account and social security numbers.

E-commerce operators can license PassMark's system for anywhere from 10 cents per customer per year up to $1 per customer, depending on volume. Pricing is deliberately based on the number of PassMark images stored to encourage usage. “We don't care how many times the customer has logged in,” says Harris. PassMark offers the product as a “hardware appliance” that sites can install or as a hosted service. Customers can choose images from catalogs offered by PassMark or upload one of their own. PassMark takes care of formatting so that the image always appears in a standard, postage-stamp size on clients' Web sites and e-mail messages.
Once customers enter a user ID, the system identifies the user's computer ID and serves the image and short text, typically 25 characters or fewer, which prompts users to enter their passwords. Customers who use a second computer are asked to register that machine's device ID as well. In this way, e-commerce sites authenticate themselves to customers in addition to asking for authentication from customers. Consumers are not required to add any hardware or install software.

“With millions of customers, some experienced online and some not, for something to be effective [against fraud] it has to be incredibly easy to grasp,” says Harris, who contrasts his product with proposed solutions like smart card authentication, which requires consumers to add hardware and software to their computers and carry a card or other chip-based token. At the same time, PassMark's product, which Harris characterizes as “plug and play,” doesn't require client sites to make system changes.

With phishing and other e-commerce frauds threatening to undermine the online transaction economy, PassMark executives figure online marketers will increasingly move toward PassMark's model, which is based on so-called two-factor authentication (consumer to site and site to consumer). “Most [companies] know that ID-and-password is not going to cover the kind of risks that are coming up, the threat models like phishing,” says Mark Goines, chief marketing officer at PassMark and another former Intuit manager. “Many have gone with two-factor authentication already with high-value customers, and that is the model we see the [industry] moving toward.” He adds PassMark has been “talking at length” to large banks and retailers, most often the victims of phishing frauds, and says “they're very interested” in the company's product.

Phishing in particular has become a serious problem, with no indication of a let-up in sight. The Anti-Phishing Working Group, a coalition of online marketers and law-enforcement agencies, reported last week that the number of reported incidents jumped 180% in April to 1,125, with Citibank and eBay among the target sites most favored by criminals (Digital Transactions News, May 24).
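The login sequence described above (user ID first, then the site's image and phrase, then the password) can be sketched as follows. This is an added example, not PassMark's code: the class, method and status names, the password hashing, and the rule that unknown users and unregistered devices get the same response are all assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import hmac
import secrets

PHRASE_MAX = 25  # the article says the text is typically 25 characters or fewer


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SiteAuth:
    """Hypothetical server side: show the shared image and phrase before asking for a password."""

    def __init__(self):
        self.users = {}  # user_id -> enrolment record

    def enroll(self, user_id, password, image, phrase, device_id):
        if len(phrase) > PHRASE_MAX:
            raise ValueError("phrase too long")
        salt = secrets.token_bytes(16)
        self.users[user_id] = {
            "image": image, "phrase": phrase, "salt": salt,
            "pw": _hash(password, salt), "devices": {device_id},
        }

    def begin_login(self, user_id, device_id):
        """Step 1: user ID plus device ID, no password yet."""
        user = self.users.get(user_id)
        # Assumption: unknown users and unregistered devices get the same answer,
        # so the image is never served to a machine the customer has not registered.
        if user is None or device_id not in user["devices"]:
            return {"status": "register_device"}
        return {"status": "show_passmark", "image": user["image"], "phrase": user["phrase"]}

    def finish_login(self, user_id, device_id, password):
        """Step 2: password check, accepted only from a registered device."""
        user = self.users.get(user_id)
        if user is None or device_id not in user["devices"]:
            return False
        return hmac.compare_digest(user["pw"], _hash(password, user["salt"]))


if __name__ == "__main__":
    site = SiteAuth()  # constructed sample data below
    site.enroll("alice", "correct horse", "catalog/lighthouse.png", "Alice's red kite", "dev-home-01")
    print(site.begin_login("alice", "dev-home-01"))
    print(site.begin_login("alice", "dev-cafe-77"))
```

How a second computer's device ID gets registered is not described in the article, so the sketch stops at the `register_device` response.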

Digital Transactions