In the vault: The Coastal Bank and IronKey
A Georgia bank found a tool to protect financial transactions and payments...while meeting compliance demands, reports Greg Masters.

Headquartered on Johnson Square in the heart of Savannah, Ga., The Coastal Bank has served The Peach State for 56 years. With over $430 million in assets, this community bank, which is locally owned and operated, provides a range of financial services, specializing in small business and consumer banking, mortgage solutions and lending services.

Six branches are spread throughout the greater Savannah area, into Rincon and Hinesville, as well as an operations center in Pooler, Ga.

Like any other financial institution, one potential issue The Coastal Bank faced was cybercrime and fraudulent attacks on its customers and the bank, which, if successful, could result in personal information and money being stolen. It was also looking to find a way to adhere to a new set of guidelines from the Federal Financial Institutions Examination Council (FFIEC) that must be implemented by Jan. 2012. The supplement to the FFIEC "Authentication in an Internet Banking Environment" guidance, first issued in Oct. 2005, puts in place requirements for customer authentication, layered security and other controls in the online environment.

"It was important to The Coastal Bank to not only find a way to successfully meet the FFIEC requirements, but to also implement a program that was easy to use," says Adam Montgomery, director of marketing at The Coastal Bank.

He says the executives at the bank realized they needed to be proactive and get in front of the threat to protect customers from ever-changing malware and keep their money and personal information safe.

The bank's IT staff, consisting of four people, began a search for a solution.

"Our director of IT initially reviewed most of the current software solutions implemented by other financial institutions and found them to be insufficient, cumbersome and, most important, already proven compromised," says Montgomery.

The bank's director of IT, director of operations, and director of marketing and products made the initial decision to implement the IronKey Trusted Access product. An extended team comprising the chief banking officer, chief financial officer and the director of retail services was brought in for final analysis and sign-off.

"After a complete review and analysis of the IronKey Trusted Access product, we felt it was the only solution that could meet and exceed the FFIEC requirements," says Montgomery. The bank staff spent close to six months testing and reviewing the product, as well as conducting focus groups to determine what would best fit its customers' online security needs.

Unlike competing approaches, IronKey Trusted Access delivers a safe, separate and dedicated secure web browser only for online banking (or sites approved by a bank), says Kevin Bocek, vice president of marketing at IronKey. ZeuS, SpyEye, OddJob and other trojans prey on users accessing sites on their computers. Instead of relying on an infected browser or a potentially tampered network connection, Trusted Access provides an application that users know is just for financial transactions. And, because Trusted Access is a dedicated app, it does not hog resources by looking to detect each new attack or monitor users' behavior and website access everywhere they go, says Bocek.

Trusted Access for Banking does not rely on potentially compromised and vulnerable applications on the user's host computer, Montgomery adds. Instead, a secure, encrypted connection to online banking is made through the IronKey Trusted Network. "It allows us to provide a level of security previously only available to the U.S. government and military," he says. "It provides our clients with an unprecedented level of security when performing financial transactions."

The Trusted Access Secure Browser is as easy to use as any other web browser, says Bocek. However, unlike a standard browser, users are kept safe from keylogging, transaction tampering, website redirection and other attacks used today to steal money, he says.

Today, there are almost as many unique virus signatures as there are online banking users in the United States, Bocek says. Current detection rates for common trojans designed to steal money, like SpyEye, are only 25 percent. "That means 75 percent of attacks go undetected by today's most popular anti-malware solutions. It's a losing game trying to detect and block each new attack." Instead, Trusted Access focuses on protecting users in a safe environment from known and unknown attacks.

Being the only bank with the product in the markets it serves has created a tremendous market advantage, he says, and has allowed the institution to attract new customers and bring customers over from other banks. "Customers want to bank where their money is the most secure," Montgomery says.