The United Nations last week became the latest organization to warn computer users about the dangers of relying on just passwords to protect online bank accounts and e-commerce shopping carts, according to Reuters
The warning from the UN’s International Telecommunications Union came a little more than a year after the United States’ Federal Financial Institutions Examination Council (FFIEC) released similar guidance calling for stronger user authentication for online banking customers.
Those kinds of warnings are music to the ears of Jon Fisher, CEO of Santa Clara, Calif.-based Bharosa, which sells anti-fraud and multifactor authentication technology to banks, health care companies, and the government. Just three years old and with 50 employees, Bharosa’s been taking on security industry behemoths such as VeriSign and EMC/RSA on their own turf and, in some cases, winning. In the past year, Fisher’s company signed deals with Wells Fargo, National City, and the U.S. Air Force. A serial entrepreneur who sold his first company at age 23, Fisher spoke with InfoWorld Senior News Editor Paul F. Roberts about how the changing regulatory environment has been good for his company.
InfoWorld: What is the core intellectual property that Bharosa has?
Jon Fisher: We have a proprietary, gated methodology to screen for fraud in real time. The first gate manifests itself pre-log-in via an analysis of a host of data about the user and transaction. The second gate is at the first point of authentication: the user name and password. The third gate is manifest in session where transaction and document requests occur. The fourth gate is a score of third-party data, whether that’s enterprise, legacy, or other data that’s fed into our fraud detection engine.
IW: What should enterprises know about software like Bharosa’s?
JF: Fraud detection has a place not just in achieving FFIEC compliance, but also truly bringing together disparate legacy systems [that] enterprises have had in place for some time.
IW: Are you talking about single sign-on, or something else?
JF: Single sign-on is an application of that. But fraud detection [can make] a decision about what advanced forms of authentication to use based on the conditions, or what kinds of transactions will manifest in certain ways, like a document request or [bill payment].
IW: Aren’t authentication and fraud detection ultimately just parts of a bigger architectural change that will tip the scales in favor of vendors who can take care of data security in addition to authentication and storage and the networking piece?
JF: I’ve been an entrepreneur for a number of years. I know that if you want to start a company and run a good company, you’ve got to do something well. We’ve selected a few things to focus on and do well. They’re things that, in aggregate, constitute more than just a point solution. But, yes, certainly less than the array of products in unrelated areas offered by competitors.