RealTime IT News

Neal Creighton, CEO, GeoTrust

Neal Creighton

You might say the experiences of Neal Creighton, the CEO and co-founder of GeoTrust, have taught him a thing or two about security. The West Point grad served five years as an Army officer and was a tank platoon leader in Desert Storm.

From there, he branched into information security, identity verification and certification markets after he went on to earn a Juris Doctor and MBA from Northwestern University.

But that's not the only thing that put him on the path to GeoTrust. There were other experiences. You might call it The Ability to Get That Book Written. Called "The Eyes of Orion," it's about his Gulf War experience.

Add to it Creighton's passion for entrepreneurial ventures, can-do spirit and a keen sense of what security takes, and that pretty much explains what led him to co-found GeoTrust, which has become one of the leading providers of digital certificates and online security.

It also makes GeoTrust a prime target by hackers, phishers and other groups trying to take down a name that means trusted content on the Web. These days, he's got plenty of company. Nearly every major business or enterprise network has come under attack in the past few years.

Creighton recently chatted with internetnews.com about why he thinks two-factor authentication, such as using encryption to verify the identity of the party undertaking an online transaction, is about to have a break-out year. And not just because that's his business.

Q:Two-factor authentication has been around for a while, but is on the verge of wider adoption, if vendors' wares at the RSA Security Conference are any indicator. What's gotten the larger industry to this point of adoption?

I think two areas. One is the phishing fraud that has taking place in the last couple of years. A lot of people realize the systems we have today, especially browsers, were designed before the phishing problem [started to grow].

But if you look at the browsers now, it's getting better. Microsoft just showed off a new UI [user interface] for IE7, the next version of its browser. The level of security, and being able to see if a site's been authenticated, is built in to other browsers as well. There's been a real amount of attention to [thwarting] fraud and phishing patterns.

Number two, there's movement by a lot of companies evangelizing around two factor authentication because of federal mandates. The latest is the Federal Financial Institutions Examination Council (FFIEC), [which is about making online banking concerns improve their security in order to reliably authenticate customers online].

So lots of companies are coming up with ways to protect their customers and how they access high value accounts. This is especially true for corporate banking customers.

Q: Let's chat about two-factor authentication. First off, how do you define the term?

You know, if I were talking to my dad, for example, I'd explain it as something that he would use in place of a user ID and password in order to access his bank account online. It would need something stronger, such as the equivalent of an ATM card. He would need to use something like that to log into an account through a PC.

Can you imagine only punching in a password instead of an ATM card to get into your bank account? It's a similar way of thinking about two-factor authentication -- it would be good to use something you hold, such as a card, with a second way of authenticating you [using a smart card with a digital certificate loaded along with a password, for example].

Q: What would be loaded on a smart card?

There would be a certificate to be used for digital signatures, and maybe another for physical access to buildings, depending on how you need to use it. You know, American Express released a card with a [smart card] chip on it back in the 1990s. But it was really before its time. I could see putting a lot of information on the card.

Loyalty information, for example, so it could be used for multiple purposes. Again, a good example is the ATM card. Your computer is a lot like an ATM. We need a device to insert that would authenticate you for online transactions.

The fact is, phishing is still a big problem online. Once they dupe people into turning over sensitive information, such as a user ID or password, the next thing [fraudsters] do is log into your account and drain it.

If I want to try to do the same thing with a smart card, I would have to grab your wallet, and coerce you into giving me a password as well. It just makes fraud more difficult, especially when you're using a unique encryption key with PKI . With PKI, only your key fits into that keyhole, and it's unique to you. The public component of the key goes to the bank or where you need it to go for the other half of the transaction.

Overall, I can tell you that an authentication movement is flowing into the wider world. And not just using SSL or two-factor authentication. We're seeing it flow into the anti-virus market, in which people authenticate the software before they download it.

It's the same with Voice over IP traffic. We're seeing people authenticate where it's coming from. The theme is pretty much the same though, with a focus on preventing fraud, phishing and securing high-value transactions. The same is true with digital rights management (DRM). We're seeing the same theme of authentication flowing everywhere.

Q: Which sectors or industry verticals are ripe for adopting two-factor authentication?

One example is Equifax, which is a customer of ours. Equifax is a big provider of consumer data, and formerly would use leased lines as a way [sending and receiving] very sensitive data. In the past it would use leased lines and would install direct terminals back to Equifax for credit checks, etc.

Equifax used to spend $2 million a year alone just for leased lines. It also had to install [dedicated] terminals just for those leased lines. With authentication and the use of digital certificates for customers and merchants with accounts, it's been able to get rid of those.

That's one example. We're providing certificates for that. You see companies that are using encryption and smart cards for vendor extranets, to let [suppliers] come in and check inventory online.

Banking is getting into wider use of two-factor authentication, beyond traditional uses such as a smart card that lets employees access certain buildings on corporate campuses.

Beyond the states, however, smart cards are already in wider use. For many banking customers, more so with corporate banking customers right now, they have to stick in a smart card and use it with a smart card reader when they need to transfer money and take care of banking.

In the states still, a lot of online banking still just requires a user ID and password to move money around. In Europe, smart cards are more widely accepted, so it's not as big an issue there, especially in corporate banking in which a card reader is used with a smart card to log into an account.

I think it's a bigger deal in the U.S., and I think we're going to see smart cards more and more. Look for more PCs to ship with smart card readers built into them. The great things about smart cards is, like plastic credit cards, people are used to carrying them.