Credit cos to adopt one data protection standard

CHICAGO (Reuters) - The top three U.S. credit reporting companies said on Thursday that they would adopt a single, shared encryption standard to better protect the huge amounts of sensitive electronic data they receive every day from banks, retailers and credit-card companies.

Equifax Inc., GUS Plc subsidiary Experian and privately held TransUnion LLC, which maintain huge databases on hundreds of millions of Americans, said the joint effort would involve the development and adoption of a data-cloaking code built on encrypted algorithm and 128-bit, secret-key technologies.

In a statement, the companies insisted they have "long employed information security tools and programs" to ensure the information they compile from third parties isn't intercepted by thieves.

But they said that by creating and adhering to a single, beefed-up industry standard, they would "further assure the protection of sensitive consumer data when transmitted between data furnishers and credit reporting companies."

"We're trying to make it easier for them so they don't have to juggle three different standards when they're dealing with us," said Colleen Tunney, a spokeswoman for Chicago-based TransUnion.

The coordinated effort by the three traditional rivals is the latest proof of the serious threat posed by identity thieves and Internet-enabled crooks -- and the unprecedented lengths business is going to to fight back.

According to a report released earlier this week by Symantec Corp., the world's biggest maker of security software, programs designed to steal confidential information accounted for three-quarters of the viruses during the first half of 2005, up from 54 percent in the last six months of 2004.

The credit reporting agencies aren't alone in seeking strength in numbers. Speaking at a credit-card conference earlier this week in Memphis, the top security experts at Visa and MasterCard, the world's two biggest card associations and long-time rivals, said that they, too, were cooperating to crack down on fraud.

Visa and MasterCard said the unity was required given the growing sophistication of the thieves, who, they said, were increasingly acting in concert and hiring former Soviet KGB cryptographers to help crack security codes.

Among the challenges the financial services industry faces is the emergence of highly sophisticated "sleeper crimeware" programs that infect a computer and then wait -- quietly -- for the user to log into a highly secure site such as an online banking or brokerage account.

Once the infected user has run the gauntlet of passwords and authentication hurdles and is inside, the sleeper program wakes up and swings into action, launching what is known in the industry as a man-in-the-middle attack.

In the case of an online bank account, for instance, it might send instructions to the secure server -- which the server believes to be legitimate and the infected user cannot see -- to liquidate the account and transfer the balance overseas using automatic clearing house services.

"We're making it tougher and tougher for the bad guys," John Shaughnessy, senior vice president for fraud prevention at Visa USA, told the Memphis conference on Monday.

"But the Russians are good."

adopt cos credit data one protection security standard to