How Schwab shuts out hackers
Charles Schwab implements sophisticated system aimed at preventing unauthorized Web site logons.
By Paul Desmond, Network World, 01/29/2007
It’s a simple promise that Charles Schwab & Co. makes to its customers, but one with security ramifications that ripple throughout the company: “Schwab will cover 100% of any losses in any of your Schwab accounts due
to unauthorized activity.”
What the pledge means in practice is that security extends to every corner of the Schwab organization, according to Kostas
Konstantinides, director of client Web services for Schwab. “Security is beyond IT definitely at Schwab,” he says. “It’s also
at the branches, it’s in our mailing of statements. Everything that has to do with interacting with clients has a security
element attached to it.”
Technology, of course, plays a central role when it comes to the company’s Web site. Konstantinides told attendees at the recent Network World IT Roadmap event in San Francisco about the latest tool in the Schwab arsenal to help protect customers’ online accounts from unauthorized
logons. The very week of the conference, Schwab had gone live with its implementation of VeriSign’s Fraud Detection System.
The system is designed to weed out suspicious logon attempts and either deny them outright, mark them for human evaluation
or escalate them to an additional level of authentication.
Finding the right tool
Schwab's use of the Fraud Detection System is the culmination of an evaluation process that began in early 2005. The goal was
to find an additional security layer beyond the existing back-end firewalls and intrusion-detection systems that could help
protect the $1.4 trillion in assets the company maintains in 6.8 million brokerage accounts.
Schwab looked at various types of security measures to authenticate Web site visitors, from password expiration schemes to
one-time passwords, biometrics and knowledge-based authentication. One criterion was that the vendor had to provide a single product
and also deliver the majority of the security as part of a user’s online experience, as opposed to forcing users to some form
of out-of-band security mechanism, such as a token.
“When you put in a criteria like that, the list becomes relatively small,” Konstantinides says, noting VeriSign quickly bubbled
to the top. In early 2006, Schwab began looking at the VeriSign Fraud Detection System in depth. At that point, the product
was relatively new, with few customer installations. Indeed, VeriSign only publicly announced it as a service in February
2006. Rather than use it as a service, however, Schwab bought the software and worked with VeriSign to implement it on Schwab
servers.
“We took a very deep look at the product and its capabilities and had our IT folks evaluate the method it was using to do
the fraud detection,” says Konstantinides, whose role falls on the business side of the house at Schwab but has been involved
with Schwab.com since its inception. “We determined it was something that we could integrate in our environment and that it
was flexible enough to handle new forms of attacks, not only the ones that were known.”
Customer experience was also high on Schwab’s list of criteria. If a customer’s session wasn’t considered risky, the company
didn’t want to be bothering that customer with additional authentication requests.
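The article describes four outcomes for a logon attempt: deny it outright, hold it for human evaluation, escalate it to an additional authentication step, or, when the session is not considered risky, let it through with no extra prompting. The code below is an added illustration of that kind of risk-tiered decision, not Schwab's or VeriSign's code: the signals (unknown device, change of country, rapid travel, recent failures, a blocklisted address), their weights and the tier thresholds are assumptions chosen for the example, and the user history and logon attempts are constructed sample data.

```python
"""Risk-tiered logon decision engine (added example; assumptions throughout).

Maps a simple additive risk score onto the four outcomes described in the
article: allow, step-up authentication, hold for human review, deny.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Decision tiers from least to most intrusive.
ALLOW, STEP_UP, REVIEW, DENY = "allow", "step_up", "review", "deny"

# Assumed thresholds; a real deployment would tune these against fraud data.
REVIEW_THRESHOLD = 60
DENY_THRESHOLD = 100
STEP_UP_THRESHOLD = 30


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    ts: datetime
    recent_failures: int = 0       # failed attempts for this user in the last hour
    ip_on_blocklist: bool = False  # source address on an abuse blocklist


@dataclass
class UserHistory:
    known_devices: set
    last_country: str
    last_login: datetime


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Return (score, reasons). Weights are assumptions for illustration."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.country != history.last_country:
        # A different country within six hours of the last login is treated
        # as impossible travel and weighted much higher than a plain change.
        if attempt.ts - history.last_login < timedelta(hours=6):
            score += 50
            reasons.append("impossible travel")
        else:
            score += 20
            reasons.append("new country")
    if attempt.recent_failures:
        score += min(attempt.recent_failures, 5) * 10   # cap the contribution
        reasons.append(f"{attempt.recent_failures} recent failures")
    if attempt.ip_on_blocklist:
        score += 100
        reasons.append("blocklisted source address")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory):
    """Map the score onto a tier; low-risk sessions get no extra prompting."""
    score, reasons = risk_score(attempt, history)
    if score >= DENY_THRESHOLD:
        tier = DENY
    elif score >= REVIEW_THRESHOLD:
        tier = REVIEW
    elif score >= STEP_UP_THRESHOLD:
        tier = STEP_UP
    else:
        tier = ALLOW
    return tier, score, reasons


# Constructed sample data: one account history and four logon attempts.
HISTORY = UserHistory(known_devices={"dev-A"}, last_country="US",
                      last_login=datetime(2007, 1, 29, 9, 0))
SAMPLES = {
    "same_device_same_country": LoginAttempt("alice", "dev-A", "US", datetime(2007, 1, 29, 12, 0)),
    "new_device": LoginAttempt("alice", "dev-B", "US", datetime(2007, 1, 29, 12, 0)),
    "new_device_rapid_travel": LoginAttempt("alice", "dev-B", "DE", datetime(2007, 1, 29, 11, 0)),
    "blocklisted_with_failures": LoginAttempt("alice", "dev-B", "DE", datetime(2007, 1, 29, 11, 0),
                                              recent_failures=3, ip_on_blocklist=True),
}


def run_samples():
    """Evaluate every constructed attempt; returns {name: (tier, score, reasons)}."""
    return {name: decide(att, HISTORY) for name, att in SAMPLES.items()}


if __name__ == "__main__":
    for name, (tier, score, reasons) in run_samples().items():
        print(f"{name:28s} -> {tier:8s} score={score:3d} {reasons}")
```

The ordering of tiers matters for the customer-experience goal the article mentions: a returning customer on a known device from the usual country scores zero and sees nothing extra, while only the combinations that stack several signals reach the review or deny tiers.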
Comments (1)
Schwab security story not comforting
By Anonymous on May 1, 2007, 8:13 pm
Nice article. All this is not very comforting. How Schwab shuts out hackers. Schwab has rudimentary password system only 6-8 characters and not symbols...