Its vice president of IT, Sam Tuohey, says he and his staff became aware of the need to go beyond the four-digit pin early, especially after a test showed that 80% of those could be cracked in seconds with freely available software that "you, me and anyone else has access to."

The credit union then began requiring alphanumeric passwords that had to be changed regularly and for a while things were copasetic.

Then in 2004, phishing became an issue and, Tuohey says, "Every day I looked long and hard at e-mails before opening them up. I was afraid it would get to the point where people are going to ignore e-mails from financial institutions, and we don't want to lose that channel."

The credit union began looking around for technology that would provide pro-active strong authentication and was introduced to PassMark by one of the credit union's board members who knew a company founder.

"They were involved in a fairly hot feasibility study of site-to-user authentication that involved some things we were very interested in, including the presentation of an image to users during log-in that would assure they were actually at our site, an image they selected themselves," Tuohey says.

That became the pass mark. Behind the scenes, the company also developed a device-checking system that looks at the IP address and other characteristics of the machine the member is using and determines whether to present pre-selected challenge questions if the records don't match.

"For me, that was the killer application that really let us sleep at night," Tuohey says. "We made it part of our process and required all our online users to use it."

Stanford FCU has about 44,000 members, 25,000 of them using online banking. Tuohey says that 80% of the $726 million credit union's members with checking accounts are users of its Internet system.

Protecting their accounts is an ongoing process. PassMark was acquired in April by RSA Security, the Massachusetts-based outfit that had previously picked up Cyota Inc. en route to becoming a major player in online security at many of the largest financial institutions and transaction processors, with solutions that address log-in and risk-based authentication security, phishing, IP address and device verification and more.

Cyota and PassMark technologies have been combined into one solution, says Steven Klebe, a former PassMark executive who now is vice president of strategic alliances for RSA Consumers Solutions Division.

RSA Security is making serious inroads into credit union land. Fiserv, with its seven credit union core processing units, has signed on, as have S1, Financial Fusion and Certegy. Prior to the PassMark acquisition, RSA Security had signed agreements to provide its services to clients of Jack Henry & Associates and Online Resources Corp.

"Right now the only two technology providers to credit unions of any consequence who have not opted for RSA are Digital Insight and Harland," Klebe says. "We're also now part of a much larger, stable public company with a proven track record and money in the bank."

Staying on top of emerging threats will be the work of the former PassMark staff in Menlo Park, Calif., working together with the Cyota development team in Israel and at other RSA Security locations.

"The big thing now is the creation of our eFraud network, a growing database that's looking at millions of transactions around the world and identifying potential fraud in real time. And we've combined that with the latest in authentication at log-in and site-to-user authentication," Klebe says.

"That's how we're building our response to these threats as they get more and more intense," he says.

Meanwhile, back home at the ranch, Tuohey says, "To me, it's not much different than building a physical branch that's hard to rob. We've done that and only been robbed once in our 45-year history.

"It's the same thing with our online banking. It's an ounce of prevention that's well worth that pound of cure." -

[email protected]