Stanford Federal Credit Union Is Ready for Phishing Season

Sam Tuohey - Stanford Federal CU
April 7, 2005

Recently Stanford Federal Credit Union in Palo Alto, California recently installed PassMark Security on its online banking website. PassMark Security has been in business for a little more than a year—its CTO, Louis Gasperini, is a former senior vice president with Wells Fargo Bank and ran the development team that built the Wells Fargo Internet site.

The following Q&A is with Sam Tuohey, vice president of technology and e-commerce for Stanford Federal Credit Union, and Steven Klebe, vice president of sales and business development for PassMark Security.

Sam, has Stanford had many problems with phishing?

Tuohey: No, SFCU has not been the subject of any phishing attempts, but we understand that it’s the fastest-growing crime in history. Hundreds of millions of e-mails have attempted to defraud customers of Citicorp, US Bank, and PayPal. We know it’s possible that criminals will pick smaller institutions as their targets in the future, so we wanted to be ready. The addition of PassMark to our online system is proactive planning so that we can help our members avoid being defrauded.

How did you decide on PassMark?

Tuohey: Part of my job is to keep abreast of current and emerging technologies with an eye toward improving our ability to do business or improve security. We had not been overwhelmed by the various security technologies that were being touted. I don't think distributing and managing tens of thousands of USB sticks or password-generating tokens is a reasonable approach.

PassMark Security has a very simple and yet solid solution that intrigued us. Passmark told us that its solution doesn't require the end-user to download programs, obtain special hardware, or learn any new codes.

How does it work?

Tuohey: The PassMark program works with our online banking system to display an image and two-word phrase to each of my online banking members during the log-in process. The credit union authenticates to the user and the user authenticates to the credit union. The concept is as elegant as the technology.

The PassMark system issues users random and unique images. Unless they later decide to select another graphic, or manually change the two-word phrase, they will always see their personal elements on the system during their log-in process.

If a phisher were to send me an e-mail to encourage me to update my SFCU records, the site that the phisher would take me to (after I clicked on the e-mail's link) would not be able to display my image, or my phrase. I would notice the absence of those elements before I entered my password and my suspicion would be aroused.

What else is unique about PassMark that you think other tech officers need to know about?

Other proposed products and services were not sufficient, dependent on certain platforms, or were highly cumbersome and expensive. We recognized that PassMark's solution was nonobtrusive, quickly deployable, and platform independent.

Klebe: PassMark doesn’t need complex infrastructure—it just needs a system that runs JAVA. Stanford was the first institution to use our product live.

How long as your PassMark System been up? How has it been working?

It's been live since January 31st. We've had no technical problems with it.

How has member response been?

Response from members has been nearly silent, which is their highest praise.

What does the system cost?

Klebe: The basic price of the model is x cents per user per year. Typically that falls between $0.50 and $1.00, depending on how many online bank users you have. That also includes the license and all maintenance.

We are actively talking with the major third-party vendors that serve the CU industry and who can integrate PassMark for small to medium-sized institutions much more cost effectively than if PassMark were to sell to them directly.

What else do people need to know about PassMark and online protection?

Tuohey: Staff and member communication is the key. We had a three-week-long beta test of the new system with staff, so that all employees had a good opportunity to become familiar with it. We found it was very important to make the explanations as simple and straightforward as possible.

What would you say to CU leaders who balk at the cost?

Klebe: With all the attention on ID theft and phishing impacting the use of the Internet and e-mail channels, you can’t fully exploit this delivery system without providing additional and mutual authentication. This is especially important for CUs, whose memberships tend to be remote and more dependent on e-channels.

The economics are compelling: If members lose confidence in e-banking, they will start coming into branches. Costs for transactions of branch versus Internet is about $1.40 using a teller, compared to $0.04 with an Internet transaction. It takes only a very small percentage of members reverting to legacy channels before it becomes apparent that the cost of not providing that security is extreme.

Also most financial institutions are adding more risk-bearing transactions, such as bank-to-bank transfers. This is starting to grow, just when fraud is getting more proficient on the Internet. In addition, most financial institutions want members to go to statementless banking, which will only happen when members have confidence in online security. That 0.50-$1.00 cost per user per year for PassMark is a small chunk of change compared to the costs associated with members losing confidence in their CU’s e-banking channels.

For more information, contact Sam Tuohey at sam@sfcu.org, Steven Klebe at stevek@passmarksecurity.com, or visit www.passmarksecurity.com.