Banking on Encryption
The Internet has opened the door for tech-savvy identity thieves eager to steal bank account details and other personal information. To combat this threat, the New Alliance Bank in Manchester, Connecticut, has installed an e-mail encryption system that protects the bank’s customers and its reputation, while also helping to ensure that it remains in compliance with privacy protection laws.
Although the bank has never had an incident of identity thieves intercepting e-mails containing sensitive data, “We wanted to be ahead of the curve,” says Bruce Crowell, vice president of information technology for New Alliance.
That process was helped along by the fact that before it was purchased earlier this year by New Haven Savings Bank, the New Alliance Bank—then called the Savings Bank of Manchester—was already using an encryption system manufactured by ZixCorp called VPM 1.3.
But the bank wanted to improve on that system. For example, VPM 1.3 encrypted every message sent from the bank, regardless of what it contained. The system required recipients who did not have the ZixCorp software installed to register with a secure ZixCorp Web site in order to view the e-mail.
At registration, each recipient was given a username and a unique password, which he or she used to log on each time a secured message arrived. Because every message was encrypted, recipients went through this log-on even for e-mails that contained nothing sensitive.
The bank wanted to minimize the number of times its partners and clients had to go through this process at the Zix site. This registration process, however, was not necessary for bank employees receiving intra-office e-mail because each computer was equipped with the ZixCorp product, which automatically decrypted the message without requiring the recipient to log onto the Web site.
The bank wanted a solution that would select only the e-mails containing sensitive information and encrypt those, leaving the rest unencrypted. It also wanted a system that was easy to install, manage, and maintain.
Because the existing system, VPM 1.3, had met expectations, the bank was willing to consider an upgraded version from the same company as it looked for a solution that met its new objectives. The upgraded system, VPM 2.1, was considered along with two other systems.
Crowell found that the other systems would require a dedicated administrator to oversee the exchange of public and private encryption/decryption keys. By contrast, all keys for ZixCorp senders and recipients are housed in a secure data center run by ZixCorp. “It requires zero maintenance from our end,” says Crowell.
Another key feature of the upgraded ZixCorp product is that it allows customers to customize its lexicons. A lexicon is a list of key words and phrases typically associated with personal information, such as Social Security numbers and account details. Each e-mail sent by a New Alliance employee is scanned against the lexicon, and any message containing one of the key words or phrases is encrypted.
Crowell says the lexicons that were provided by ZixCorp were so comprehensive that he did not feel the need to add any other words or phrases. If he chooses to add words and phrases later, he would simply call ZixCorp, which maintains the lexicons in its data center. Added words are effective immediately and any subsequent e-mails are scanned for the newly added words in addition to those words already in the lexicon.
Additionally, New Alliance senders can click a button at the top of their e-mail program before sending a message. This forces encryption of that message regardless of the lexicon, a fail-safe for senders who do not want to rely on the scan when sending extremely confidential information.
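The lexicon scan and the manual "encrypt" button together form a simple outbound content policy, and the daily report described later in the article is just the log of that policy's decisions. The following is an added illustration, not ZixCorp's code or the bank's configuration. The lexicon phrases, the X-Encrypt header standing in for the button, the Social Security number regular expression (an extension beyond the keyword lexicon the article describes) and the sample messages are all assumptions. It also shows the two failure modes a practitioner should expect from a keyword lexicon: a substring false positive ("pin" inside "spinning"), avoided here by whole-word matching, and a false negative for sensitive data that arrives with no trigger word, which is what the manual button is for.

```python
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Dict, List

# Hypothetical lexicon. The article says the vendor-maintained lists cover
# terms associated with Social Security numbers and account information but
# does not publish them; these phrases are an assumption for illustration.
LEXICON = (
    "social security number",
    "social security",
    "account number",
    "routing number",
    "date of birth",
    "pin",
)

# Structural patterns are an addition beyond the keyword lexicon described
# in the article: they catch a bare SSN that arrives with no trigger word.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Hypothetical header standing in for the "encrypt" button the sender clicks.
MANUAL_HEADER = "X-Encrypt"


@dataclass
class Decision:
    encrypt: bool
    reasons: List[str] = field(default_factory=list)


def lexicon_hits(text: str, lexicon=LEXICON) -> List[str]:
    """Lexicon phrases found in text. Matching is case-insensitive and on
    whole words, so 'pin' does not fire on 'spinning'."""
    return [
        phrase for phrase in lexicon
        if re.search(r"\b" + re.escape(phrase) + r"\b", text, re.IGNORECASE)
    ]


def decide(msg: EmailMessage) -> Decision:
    """Gateway policy: encrypt when the sender asked for it, when a lexicon
    phrase appears in subject or body, or when a structural pattern matches.
    Nothing here checks that the recipient address is the intended one;
    the article notes the deployed product has no such control either."""
    reasons: List[str] = []
    if str(msg.get(MANUAL_HEADER, "")).strip().lower() == "yes":
        reasons.append("sender requested encryption")
    text = str(msg.get("Subject", "")) + "\n" + msg.get_content()
    reasons += [f"lexicon: {p!r}" for p in lexicon_hits(text)]
    reasons += [f"pattern: {name}" for name, rx in PATTERNS.items() if rx.search(text)]
    return Decision(encrypt=bool(reasons), reasons=reasons)


def build(sender: str, to: str, subject: str, body: str, manual: bool = False,
          date: str = "Tue, 12 Oct 2004 09:30:00 -0400") -> EmailMessage:
    """Construct a sample outbound message (constructed test data)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Date"] = sender, to, subject, date
    if manual:
        m[MANUAL_HEADER] = "yes"
    m.set_content(body)
    return m


def daily_report(batch: List[EmailMessage]) -> List[Dict[str, str]]:
    """One row per encrypted message (date, sender, subject, reasons): the
    fields the article says the daily spreadsheet can be searched by,
    plus why each message was encrypted, for tuning the lexicon."""
    rows = []
    for msg in batch:
        d = decide(msg)
        if d.encrypt:
            rows.append({"date": str(msg["Date"]), "sender": str(msg["From"]),
                         "subject": str(msg["Subject"]), "reasons": "; ".join(d.reasons)})
    return rows


# Constructed sample traffic, not messages from the article.
SAMPLE_BATCH = [
    build("ops@bank.example", "cust1@example.net", "Your inquiry",
          "Your account number ending 4421 has been updated as requested."),
    build("ops@bank.example", "staff@example.net", "Schedule",
          "Spinning class moved to Tuesday."),
    build("ops@bank.example", "cust2@example.net", "Re: your form",
          "Confirming 123-45-6789 as discussed by phone."),
    build("ops@bank.example", "cust3@example.net", "Confidential",
          "Please see the attached summary.", manual=True),
]

if __name__ == "__main__":
    for row in daily_report(SAMPLE_BATCH):
        print(row)
```

Running the block prints three report rows: the first message fires on the phrase "account number", the third only on the SSN pattern (a keyword-only lexicon would have let it through in the clear), and the fourth only because the sender requested encryption. The second message, which merely contains "spinning", is left unencrypted.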
The upgraded VPM system still requires recipients to register with the ZixCorp Web site, using the username and password described above. However, because messages are no longer encrypted indiscriminately, recipients of nonsensitive e-mails are no longer put through the decryption step.
Bank customers who receive an encrypted message are sent an e-mail that tells them they have a message containing private encrypted information from the New Alliance Bank. With the old version, customers received an e-mail that told them they had an encrypted message from ZixCorp. Because they were not familiar with ZixCorp, customers often ignored the message or deleted it, thinking it was spam.
Crowell says that the bank does not send unsolicited e-mails to customers, and when a customer receives an encrypted e-mail, it is almost always in response to an inquiry that was initiated by the customer. For that reason, Crowell says, the customers are expecting the e-mails and are receptive to registering at the ZixCorp site.
The usernames and passwords can be reused by customers to access any messages in the future. The software does not, however, have any control to ensure that a message goes to the intended recipient; the lexicon decides whether a message is encrypted, not to whom it may be sent. That makes it all the more critical for the bank to double-check the recipient’s address before sending out messages. Crowell says, however, that the lack of such a control has never been a problem for his users.
“What customers come to realize is that an encryption product is a tool to help keep information private and secure,” says Jonathan Stanney, sales engineer for ZixCorp. “That tool is only part of the overall solution that should also consist of end user training and awareness.”
ZixCorp handles all passwords and usernames. If a recipient forgets any of this information, he or she can contact ZixCorp directly and the password or username will be changed. In addition, Crowell says, the customer service department at New Alliance has been trained in how to direct recipients who call the bank for assistance.
Recipients who use one of ZixCorp’s products can receive encrypted e-mails that are automatically decrypted, without requiring the recipient to log onto the ZixCorp site. Additionally, Crowell has the ability to register business partners with which the bank has an ongoing relationship. This allows the business partner to receive the e-mails without the need to log onto the ZixCorp site. This option is not used for customers because the bank does not send e-mails as consistently to patrons as it does to business partners.
The VPM system creates a daily report of every encrypted e-mail that was sent, which allows Crowell to check the effectiveness of the lexicons. The report is delivered as an Excel spreadsheet that can be searched by subject, sender, or date.
Installation of the product required tech support from ZixCorp to install a hardware device on the New Alliance network. Once this was installed, the system was up and running. “Inside of an hour, we had the box set up and encrypting mail,” Crowell says.
The encryption process is transparent to the bank employees. The only indication they have that there is a system that encrypts the messages is the button that allows them to manually encrypt it. That makes it nonintrusive and easy for employees to use, according to Crowell.
When the system was first installed, Crowell sent all bank employees an e-mail explaining how it worked. Because administration of the keys and replacement of lost passwords are handled by ZixCorp, he says, no other training was necessary. “It’s one of those things that you just put in and forget about,” he says.
Although the system was more expensive than the other products that were reviewed, Crowell says the customizable lexicons and easy maintenance justified the extra expense. He says the system makes him feel confident that the bank is not sending out information that could be intercepted or used for illegal activity.
(For more information: ZixCorp Sales Department; phone: 866/257-4949.)
Marta Roberts is staff editor for Security Management.