Phishers Use Craigslist to Stay Ahead of the Curve

Criminal minds are usually the most fertile. Just how fertile was displayed last week, when a phisher actually advertised for victims on Craigslist, the popular classified ads web site.

The ad, posted at 7:00 AM on April 26, asked Bank of America customers to send the poster their account and telephone numbers, in return for which he or she promised to deposit $1,000 per day into their accounts. The victims were supposed to take 15 percent for themselves, and immediately forward the balance to another Bank of America account. The poster couldn’t do it him/herself, they said, because they were currently in New Zealand.

We stumbled across the ad at 9:00 AM and immediately forwarded it to Craigslist, which removed it within an hour. We also informed Bank of America, which later said it was aware of the scam. Bank of America’s response led to the obvious inference that the scamster had been active earlier, since the ad had been posted on Craigslist for only two hours, but it—and Craigslist—declined to explain the apparent discrepancy in the time line.

The Federal Bureau of Investigation, which likewise declined to respond specifically to the event, said the ad was a new version of the old “freight forwarder” con game, in which the victim is asked to receive payments and forward them and then, after a few successful transactions, is asked to cash a check for more than the usual amount, and refund the balance. If they’re successful, the crook predictably vanishes. The scam also has much in common with the—by now—hoary Nigerian scam, in which someone posing as a Nigerian lawyer or government official emails the mark for help smuggling enormous amounts of money out of that country.

The scam breaks new ground, says Avivah Litan, vice president and research director at Gartner Inc. “I’ve never heard of this—it’s very clever social engineering,” she says. “I doubt that BofA knew about it—they just want to seem like they’re on top of things.”

At a minimum, the scam should get a prize for sheer brass, not to mention minimum effort. Typically, a phishing scam involves a skillfully crafted and apparently genuine email from a bank or popular e-commerce site, and an equally well-designed, fake website in which the unwary enter their account information. In this case, the scamster just posted an ad, hoping to snag one or two victims before the ad was spotted and taken down.

In this case, whether the perpetrator succeeded is unknown, but the Craigslist ad closely resembles scams commonly found on job want-ad sites like Monster.com. “The jobs boards are filled with these things, and the FBI is constantly having to trace them back to the sender, but this is the first report I’ve heard about a Craigslist ad,” says Peter Cassidy, secretary general of the Anti-Phishing Working Group.

Cassidy says this is a new wrinkle in the game. “It’s phishing, but not the usual retail phishing, where they’re looking for your banking credentials—it’s definitely a new hybrid,” he says.

And, he adds, he’s unsurprised. “People are putting up things like deceptive software that infect your computer and call it freeware or games. Why should we be surprised that people are putting up deceptive ads in order to phish people?”

For the record, we post the ad below, complete with misspellings.

Reply to: job-154729485@craigslist.org
Date: 2006-04-26, 7:09AM EDT
We´re an e-gold exchanging team. I own a website, and I`m looking for Bank of America customers, as i'm an account holder as well, I´m able to transfer UPFRONT to your account, daily amounts of $1000. All you have to do is withdraw and send to one of our exchangers. Remember that you get to keep 15% for yourself.If you are wondering why I can´t do it myself, it is simply due to my current unavailability; I`m in New Zealand visiting with relatives, and that´s why I´ll need your assistance.

As I am going to send upfront, I´ll need some things, such as:

– You must own this account for at least 3 months (I call to verify)
– You must suply a land line phone #
– You must be from USA and you´re not allowed to use a third party.
– The amounts should be sent within 24 hours, delays will not be tolerated.

You may also be wondering:

– What information do you need to transfer the amount into my account!?

I´ll need only the following information: Account holder #, last name and zip code, ONLY

– Is there any possibility of having my account hijacked with performing such activity!?
Absolutely not, it´s a typical transaction between bank of america accounts, and you can make sure about that calling up bank of america customer service with these questions, or simply using your bank online referring to transfer and if you notice, they will require the information I previously requested to.

a.. Compensation: You´ll receive 15% from all amounts. Up to 65k annually, your weekly share will be $1800.
54729485
——————————————————————————
(Contact: Craigslist, 415-566-6394; Bank of America, 415-622-6367; Federal Bureau of Investigation, 202-324-3000; Gartner Inc., Avivah Litan, 301-610-7482; Anti-Phishing Working Group, Peter Cassidy, 617-491-2952)

Bankers Making Fun of Bankers

David vs. Goliath has been a popular theme for a few millennia. Everyone likes the underdog. And when the established player is also seen as stodgy and clueless, the advertising opportunities multiply.

Credit unions and community banks have taken market share for decades using a variety of similar themes: local vs. outsiders, small vs. big, member concerns vs. shareholder profits, and so on. It was only a matter of time before this tried-and-true strategy went online.

Campaign #1: HomeStreet's My Bank Doesn't Get It
The first campaign to catch our eye was from Seattle's HomeStreet Bank, which sent teaser postcards to local businesses in mid-April. The cards featured an image of a face and an intriguing URL, <mybankdoesntgetit.com> (see right). We've also seen the campaign running on the side of city buses.

After logging in to the unbranded site, users were encouraged to post a rant about something they disliked about their bank (see screenshots below).

The site is about as soft-sell as you can get; users aren't even asked for their email address. The only sales message is an unbranded, lower-left link prompting users to click to go to a bank that does "get it" (see inset upper left and screenshots above).

Users clicking on the link are taken to a HomeStreet landing page that reinforces the "get it" theme (see screenshot right). First, users see a welcome page that reveals the name of the with-it bank. Then users move to a more traditional product page with subtle reinforcement of the "gets it" theme (see screenshot below).

However, once at the bank site, the sales momentum rapidly loses steam, and there's little in the way of compelling benefits to convince a business owner to go to the next step. Obviously, the bank's branding agency gets it, but not necessarily the website designers.

For viral marketing, HomeStreet includes an email-to-a-friend link. But what's missing is an email-capture device for visitors making the online rants. All the bank needs to do is add an inexpensive prize to the pitch, such as a free iPod Nano, and they'd have hundreds, if not thousands, of opt-in emails to market to.

Campaign #2: Washington Mutual's Trapped Bankers
Surprisingly, the second campaign is not from an up-and-coming community bank or credit union, but from behemoth Washington Mutual. The company has a long history of anti-banker advertising going back to the days when it actually WAS the underdog and not the sixth-largest retail bank in the country.

It was brave enough to provide a look at its new campaign at BAI's SmartTactics conference earlier this week in Las Vegas. Unfortunately, I was busy with another session and missed the joint presentation from Chris Matthews, the bank's brand & advertising SVP, and its agency, Leo Burnett.

The campaign was a hit with the crowd of 30-something bank marketers, especially the television spots depicting various methods to trap bankers such as baiting a trap with a plate of steaming lobster. The campaign has a Web component at <trappedbankers.com> where users can view one of the television spots, ask questions of the bankers trapped in a basement holding pen, and review the benefits of WaMu's free checking offer. The only lead capture device is an opt-in email address required to download a screensaver (click on inset for closeup), a huge 3MB offering that incidentally wouldn't load onto our Windows XP laptop.

While the edgy advertising is likely to be popular with its younger target audience, I don't think the website is particularly appealing (click on inset left for closeup). The Flash-based presentation first required a download of version 8 to run, then used hard-to-read fonts on a black background.

There are several HTML remnants in the black background that, if accidentally clicked, take you to a garbage page at <pointroll.com>, a rich media design house that must have had something to do with the WaMu site. And there is no way the site works on a dial-up, and even on broadband the use of streaming video creates some lag that makes the presentation a bit choppy. This is one of those high-tech websites likely to win design awards while turning off users.

Finally, I find the whole concept of "trapping" a bunch of fat old bankers and then teasing them in an underground holding pen to be slightly disturbing. Maybe it's that the banker profile hits too close to home, but I think they went too far. Instead of a positive, "we get it" message, there is an underlying theme of negativity, one that is borderline abusive, which turns me off. While it will generate massive traffic, I wonder what impact it will have on account growth and brand image. There must have been quite a debate in the boardroom on this one.

Even if you like the creative, as in HomeStreet's campaign, I don't think the Web designers quite "get it." The bank should have a way to capture email addresses from the hundreds of thousands, or millions of visitors, and there should be a more direct link to sign up for an account. Currently, the bank just drops you onto their default personal banking page when clicking on the tiny WaMu link at the top of the trapped banker page.

Grades
We'll give each of them an A for effort, although we prefer the simpler design of HomeStreet Bank's campaign. However, both get downgraded on execution. HomeStreet gets a B- due to its lack of sales emphasis and failure to capture email addresses. WaMu, which also fails to capture email addresses from most visitors, receives a C- due to the overly complex website, lack of a custom landing page, and lack of a good, direct-marketing design.   

JB

 

For more financial interactive marketing ideas, check out the Interactive Financial Marketing Database from our sister publication, the Online Banking Report.

Payments via Text Message

In today's WSJ, there's a good roundup of the text-message payment systems attempting to find traction in the United States. The article looks briefly at TextPayMe, Obopay, and PayPal Mobile. The article does a good job of contrasting these systems to the more common "mobile wallet" where a cellphone is used in place of a credit/debit card.

Analysis
We see much promise for the latter. In fact, it's almost inevitable that today's plastic-based payments systems morph into cellphone-based services using radio frequency (RFID) technology as the enabler. For many people, especially younger cellphone-toting debit card users, it will be easier to point their phone at the POS terminal and press # than to swipe a card and enter a PIN or sign a receipt. Arthur D. Little projects $37 billion in mobile wallet transactions in 2008, a twelve-fold increase from the $3 billion in 2003.

However, text-message-based services, designed to send money to individuals, are a solution seeking a problem. Even the WSJ couldn't dig out a rational anecdotal example, though the writer tried. The "splitting the dinner bill" straw man was trotted out, but it just doesn't fly. Imagine you had a group splitting a $100-tab four ways. The vendors want us to believe that one person will pay the entire bill, then his or her three friends will each text-message their $25 share.

Not only is this a hassle (what if the phone call is disconnected, or the wrong button is pushed in a dark eatery), but each of the three parties will likely incur one or more transaction fees (from the payments gateway, the cellphone provider, and possibly one or more financial institutions along the way). Finally, the person receiving those payments then has to initiate some type of transaction to tap the $75 sitting in their cell phone.

This makes about as much sense as ordering dog food online. Current methods of sharing costs, either with cash, having the restaurant apply it to two or more debit/credit cards, or by agreeing to "get the next one" works just fine.

Mobile Wallets
Obopay and PayPal both offer a linked debit card for spending the money sitting in your payments account. But it's not as powerful as a true mobile wallet where the bank offers its debit card base a cell phone preprogrammed to link customers to their card and online banking account. The device could be used to check bank account balances (a walking ATM), transfer money between the user's own accounts, or send money to others using the bank's bill pay system or inter-institution funds transfer (A2A); and, if equipped with RFID, the device can be used to pay for purchases at the point of sale.

The bank-based mobile wallets have significant advantages over the start-up, non-financial systems:

1. Trust
2. Integrated online banking features (balance lookup, transaction history)
3. Integrated bill payment (use pre-existing bill pay merchants)
4. Mobile payment transaction history integrated with online banking history

As cool as the mobile wallet sounds, it will not replace cash or plastic until RFID-equipped POS terminals are widespread. Until then, you'll still need to carry plastic. That brings to mind a practical interim solution, a plastic clip that attaches an RFID-enabled mini-credit card to the back of a cell phone. Users would have the convenience of waving their cell phone to pay, but could also easily swipe the mag stripe through a conventional terminal.

JB

Notes from BAI’s SmartTactics Conference

Several interesting tidbits surfaced from today's presentations at BAI's SmartTactics conference in Las Vegas:

Citibank online account acquisition
In 2002, 6% of Citibank's new checking accounts were generated online; in 2005, the number was 20%.

Our comments: Keep in mind that Citi's experience is unique. It has a huge brand and relatively small branch network, so many of its new accounts have no choice but to open online, or over the phone. And part of the growth can be attributed to non-checking products, such as its high-yield savings, that REQUIRE a companion checking account.

Bank of America's SiteKey rollout
The rollout of mandatory two-factor authentication is complete, except in Oregon and Washington where it is expected to go live in June. Prior to becoming mandatory, users had a period of time where it was an optional feature; however, only 8% opted in during this phase. When the PassMark-powered system became mandatory, users were served notice during their first two logins that they needed to sign up before it became required on the third login. Only 4% signed up during the first two warnings, and 96% put it off until the third try.

Note: PassMark was acquired by RSA Security today.

Our comments: Taken together, only 12% of users opted for stronger security before it was required, far below the 60% or so that say they want more security in consumer-research studies.

Zions remote deposit-capture results
Zions Bank has grown its remote-deposit client base from 364 in January 2005 to 3,697 in January 2006, and they are adding nearly 100 clients per week. The bank has bagged more than $200 million in incremental deposits and has increased loans and fee income. The Utah bank is now looking for new business worldwide with clients in 49 states and five countries outside the United States. It has clients of all sizes, from the Fortune 500 to small businesses that use it for just one check per month.

Our comments: If you needed ammunition to move this up the priority list, keep your eye on Zions: It said that its main problem now is just keeping up with all the requests.

Research results from Yahoo Search Marketing
A Forrester study of all U.S. banking customers (not just online bankers), commissioned by Yahoo and OgilvyOne Worldwide, found that 61% of all banking-product research is being done online vs. 5% via phone and 30% in branch. Similarly, 64% of account monitoring is now done online vs. 16% via phone and 13% in-branch. But account opening at branches still dominates at 84% of new account openings, compared to 14% online and 2% via phone.

Yahoo also said they expect 50 million online credit card applications in the United States this year.

Our comments: Wow, time to pull out all the stops in your online account-opening initiatives.

Payments Processors Not Innovators?

No U.S. bank and only one payments processor made a recent listing by Business Week of the world’s 100 most innovative companies.

This was embarrassing to say the least: In a business in which revenues are relatively fixed and operating margins thin, and the best way to make money is to refine operations, you’d expect that any top 100 innovator’s list would be littered with the MasterCards and CheckFrees of the world. But only Capital One Bank (#37) represented payments processors on the list, and only three banks made it—Australia’s Macquarie Bank (#62), Holland’s ING Bank (#68), and Spain’s BankInter (#86). No payments vendor appears anywhere, although Woolworth’s made the list at #75.

Adding to the disgrace was the fact that there seemed little reason for it. Boston Consulting, which conducted the research for Business Week, asked 1,700 top executives—including chief information, financial, and operating officers—which companies seemed to them to be most innovative. Since any changes in a supplier’s computer system would have been brought to their attention so they could adjust accordingly, people like that would have been aware of any such events, and that awareness should have affected their judgments.

The fact that no payments processors and only one U.S. bank made the list strongly suggests that the people responding to the list hadn’t heard much from their payments processors in at least a year, the inference being that at a minimum, companies like First Data Corp., Fiserv, or Bank of America aren’t engaged in the same level of continual improvement as the companies that made the list.

Even Boston Consulting was at a loss to explain the apparent lapse: “My guess is it’s a perception issue,” says Jim Andrews, the Boston Consulting senior vice president who was responsible for the research. The list was created by asking those 1,700 senior executives—worldwide—who came to mind when the issue was posed, he says, adding, “I’m not sure their payments processor, or even their credit card company, necessarily comes to mind relative to organizations” such as Google and eBay—list members which near-daily tell customers about upgrades and changes in how they’re doing things.

What’s causing this sorry state of affairs? Perception, agrees George Thomas, executive vice president of the Clearing House Payments Company LLC. “People don’t even know who we are— we’re the plumbing,” he says. “We’re in a dull business. It’s exciting to us—it’s held my interest for 25 years—but it’s not to anybody else. Most people take payments for granted.”

Thomas says the main reason for the lapse is money. Primary payments channels—the ACH or ATM networks, for instance—are so entrenched that replacing them would not only be a tremendous headache, but also hugely expensive.

A good example, he suggests, is the $10 billion bill the European Central Bank has sent to Europe’s banks as their contribution to the Single Euro Payments Area (SEPA). And in fact, creating an entirely new payments channel—especially since the current avenues work perfectly well—could hardly pass some cost-benefit analyses. The exception: Some sort of government mandate to spend the money in the name of a higher good. This was the case with the estimated $600 million spent by all parties to create the Continuous-Linked Settlements Bank, which clears and settles most of the world’s currency transactions.

“All the innovation is in the user interface. The core processing doesn’t change, because it’s too hard to make the changes,” says Thomas. “All the constituencies that would have to be involved to make that change have to participate and spend the money, so what companies like PayPal are doing is trying to innovate on top of the existing payments systems.”

Even his own company’s innovations, which he concedes build upon the existing payments infrastructure, take long times for adoption, he says, because the constituencies resist change. Corporations, he notes, still rely on checks for most payments, despite some inroads made for the ACH network by companies like his.

True enough, says Dan Schatt, a senior analyst at Celent Communications. He agrees that many of the issues arise from perception, but says there’s also a fair amount of inconvenient truth to the list. “Most of what payments companies do is a matter of saying ‘me too,’” he says.

Another problem: Protecting the status quo, says Schatt. “Look at how Visa is rolling out its mobile platform,” he says. “They’re so concentrated in ensuring that there’s complete control over the payments stream, from the issuer’s perspective, that they kill it.”

The real problem for payment companies, though, is that however inconvenient or expensive it may be to innovate in the payments space, it’s still necessary; otherwise, over time, the alternative is to go out of business.

“What this (list) tells me is that companies like First Data are really dinosaurs,” he says. “They are being disrupted. They are not fast enough to go into this new space, nor do they have an innovative culture.”

The full Business Week list can be found at www.businessweek.com/magazine/content/06_17/b3981413.htm (Contact: Boston Consulting, Jim Andrews, 617-973-1382; The Clearing House Payments Company, George Thomas, 212-612-9200; Celent Communications, Dan Schatt, 650-627-8897)

JPMorgan Chase Launches New Corporate Payments Vehicle

Last week, JPMorgan Chase & Co. launched ExacTrac, a new card-based corporate payments vehicle designed to be integrated into a company’s purchasing systems.

The product issues users a unique credit card number, complete with spending limits, for particular events. The system automatically reconciles the transactions connected to that event and includes that special account number on all bills and payments connected to it, and populated within company books.

Bryan Clancey, chief financial officer of Embryon Inc., has been using ExacTrac for a year to control spending on his pharmaceutical marketing firm’s conferences and roundtables. Clancey says he likes the system because it allows him to closely track his expenses—and because it’s free.

“I like it because I have no administration,” he says. “When that record comes in, it goes right into my system. We send out a request for a unique card, and when that transaction is passed back to us and the transaction has occurred, Morgan passes the same meeting ID back to me, so I can automatically load it into my system.” Clancey describes that system as a financial supply-chain logistics program that was developed in-house seven years ago. Using the product, he adds, meant writing a lot of customized security software to protect the interface with the bank.

Clancey also likes the JPMorgan Chase product because of its perks. “I get rebates (when using ExacTrac),” he says. “I pay face value on the bills, and get 100 to 145 basis points back on total annual value spent.” Embryon was one of ExacTrac’s beta sites; it’s been using it since last July. Another, unidentified company has been testing the product for about 18 months. The product, which JPMorgan Chase issues under both Visa and MasterCard branding, is part of its PaymentNet core payments processing system.

Clancey says he pays for thousands of meetings in restaurants every year, and to have a major credit card issuer like Morgan Chase forgo a lucrative revenue stream like that may sound unusual. But Frank Dombroski, a Morgan Chase vice president of commercial card solutions, says one of the reasons for launching ExacTrac was to reinforce Morgan Chase’s card business.  He also confirms the rebates.

Because it would be a poor CFO indeed who carried an interest-earning credit card balance, clients would typically use it only as a transaction account, meaning that Morgan Chase earns only between 55 and 100 basis points per transaction—not much more than the program’s administration costs.

“We do make money on it,” says Dombroski. “The margins are thin in this business, much more so than four or five years ago, but for us, it’s a numbers game and (allows for) efficiency of processing and automation.”

That may be true, says Christine Barry, a research director at Aite Group, but it’s hardly the only reason Morgan Chase chose to promote a card system like this: It’s mostly a matter of shifting priorities, and of meeting the competition wherever it happens to be.

“There’s been a lot more investment by banks, recently, on the corporate side, instead of the retail side of their business,” she says. Barry estimates that until now, about 60 percent of bank technology expenditures have been on the retail side of the bank.

“They’re shifting focus, and a lot of the new investments they’ve been making don’t necessarily result in cost savings for the bank, or even new revenues being generated,” she adds. “It’s been a big focus on providing more service and convenience to customers. It’s the customers that are getting the benefits, and not the banks, except on paper.” (Contact: Embryon Inc., Brian Clancey, 908-231-6000; JPMorgan Chase & Co., Frank Dombroski, 212-270-7013; Aite Group, Christine Barry, 917-546-9180)

Bank of America’s SiteKey a Model for Successful Authentication Systems

Most banks around the country are busily complying with the Federal Financial Institution Examination Council’s (FFIEC) mandate that they switch their online banking sites to two-factor authentication this year. Playing out against the past year’s flood of identity thefts and data breaches, it’s a necessary and welcome step that will help banks recapture customer trust in the online channel.

Rolling out a new feature is typically as important as choosing one, though, since a clumsy, error-rich rollout can be about the worst marketing tool going. What to do? Take a page from Bank of America’s rollout of its SiteKey authentication system, says TowerGroup senior analyst George Tubin.

“The industry should look to this rollout as a model for implementing consumer-facing technologies,” says Tubin. “BofA, being who they are, is very adept at implementing them, and they parlayed that into this rollout.”

The key to BofA’s success with SiteKey—launched in collaboration with PassMark Security Inc. (acquired this week by RSA Security Inc.)—was flexibility, says Tubin. “Whenever you implement anything for consumers, you have to focus on the lowest common denominator,” he says. “Some consumers are very adept at picking things up quickly, but there’s always going to be a segment that doesn’t get it, and when you design these things, you really have to focus on that bottom ten percent of your customer base. The main thing is to recognize that not every idea is easy to understand.”

The bank had already quantified how much they had to lose by doing nothing, and decided to act before security concerns caused attrition, or an actual exodus, among its 15 million online customers. But instead of deciding what was best for their customers and acting by fiat, BofA began conducting focus groups in 2004, focusing on finding an approach that worked, but that was easy for customers to use.  It was conducted like a sort of police lineup, with focus group members given various authentication systems to try, but little bank input.

This gave the bank a good handle on what made a system that would be easy to use and well received. One of the results of this exercise: The bank-designed “watermark” that shows up on user’s screens when they log on to the bank’s website. The watermark got high marks for, among other things, letting customers know the bank cared about security without asking too much of them.

The bank realized that a good authentication system needed to be as invisible as possible, a perception that led them to use risk-based authentication. Risk-based authentication combines identifiers like ISP, computer type and operating system with the customer’s PIN number and other identifiers and thereby quantifies the probability that the customer is who they say they are. The registration and subsequent log-on process create a hedgerow of challenge questions, secure cookies, and other security factors, chosen in collaboration with the customer, that reinforce both the real—and apparent—site and customer security.

The bank was willing to build its own risk-based system—in late 2004 there were only a handful of companies that could deliver a practical system—but chose PassMark after the RFP process. PassMark had already installed a system with the Stanford Credit Union, and that gave it more experience than its competitors.

Then came the December, 2004 rollout, which was incremental, highly publicized, and built for speed. Sanjay Gupta, BofA’s e-commerce executive, wanted the rollout to be finished in half the time such massive projects usually take. The bank got there by taking a “test and learn” approach, initially using bank employees for a voluntary test drive in April 2005.

The data from that test drive was followed by a series of mini-rollouts around the country. This gave the bank time to discover and correct problems when they were still small, avoiding the possibility that unnoticed glitches could become big headaches in a mass rollout. The idea worked: BofA now runs three SiteKey sectors—for California, the Northwest, and the rest of the country.

The bank’s success probably helped the FFIEC bite the bullet on mandating two-factor authentication for all banks, thinks Tubin, who cautions newcomers to be prepared for spikes in call center activity related to implementation when rolling out a two-factor authentication system. He recommends banks take advantage of that phenomenon to harvest feedback from users, allowing the bank to adjust their rollout accordingly. That might mean some training for call center personnel, but the training bill is likely to be significantly cheaper than correcting mistakes before they get big.

BofA also discovered that some customers just don’t take the registration process seriously—leading to forgotten challenge questions, for instance—and that they benefited from employing some fuzzy logic in accepting the answers, since customers don’t always remember the exact form of a challenge answer.
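A minimal sketch of the two mechanisms described above, the risk-based device check and the tolerant matching of challenge answers, added here as an illustration. It is not Bank of America's or PassMark's code; the signal weights, thresholds, field names and sample values are all assumptions.

```python
import difflib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Assumed weights: contribution of each matching signal to device confidence.
SIGNAL_WEIGHTS = {
    "secure_cookie": 0.50,   # token set at registration
    "isp": 0.20,
    "os": 0.15,
    "computer_type": 0.15,
}
STEP_UP_THRESHOLD = 0.60     # assumed: below this, ask a challenge question
ANSWER_SIMILARITY = 0.85     # assumed: minimum similarity for a fuzzy match


@dataclass(frozen=True)
class DeviceProfile:
    secure_cookie: Optional[str]
    isp: str
    os: str
    computer_type: str


def device_confidence(enrolled: DeviceProfile, seen: DeviceProfile) -> float:
    """Sum the weights of the signals that match the enrolled device."""
    score = 0.0
    for name, weight in SIGNAL_WEIGHTS.items():
        expected, observed = getattr(enrolled, name), getattr(seen, name)
        if expected is None or observed is None:
            continue  # a missing signal earns no credit
        # Constant-time comparison, which matters for the cookie token.
        if hmac.compare_digest(expected.encode(), observed.encode()):
            score += weight
    return round(score, 2)


def normalize_answer(text: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace."""
    text = re.sub(r"[^a-z0-9 ]", "", text.lower())
    return " ".join(text.split())


def answer_matches(stored: str, given: str) -> bool:
    """Accept answers that differ only in form or by a small typo.

    Similarity matching needs the stored answer in comparable form, so it
    cannot be kept only as a salted hash; normalization alone can be.
    A lower threshold also widens the set of guesses that will pass.
    """
    a, b = normalize_answer(stored), normalize_answer(given)
    if not a or not b:
        return False
    return difflib.SequenceMatcher(None, a, b).ratio() >= ANSWER_SIMILARITY


def login_decision(enrolled: DeviceProfile, seen: DeviceProfile, pin_ok: bool,
                   stored_answer: str, given_answer: Optional[str] = None) -> str:
    """Return 'allow', 'challenge' or 'deny' for one login attempt."""
    if not pin_ok:
        return "deny"
    if device_confidence(enrolled, seen) >= STEP_UP_THRESHOLD:
        return "allow"            # recognized device: no extra friction
    if given_answer is None:
        return "challenge"        # unfamiliar device: step up
    return "allow" if answer_matches(stored_answer, given_answer) else "deny"


# Constructed sample data, not taken from any real system.
ENROLLED = DeviceProfile("c0ffee-token", "ExampleNet", "Windows XP", "PC")
NEW_PC = DeviceProfile(None, "OtherNet", "Windows XP", "PC")
STORED_ANSWER = "St. Mary's Elementary"

if __name__ == "__main__":
    print(login_decision(ENROLLED, ENROLLED, True, STORED_ANSWER))
    print(login_decision(ENROLLED, NEW_PC, True, STORED_ANSWER))
    print(login_decision(ENROLLED, NEW_PC, True, STORED_ANSWER, "st mary elementary"))
    print(login_decision(ENROLLED, NEW_PC, True, STORED_ANSWER, "Lincoln High"))
```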

As a result of their experience, says Tubin, BofA incorporated two new security features in 2006: A BofA-licensed version of Earthlink’s ScamBlocker on their toolbar, which alerts users when they’re accessing dangerous or fraudulent sites; and a program of fraud alerts that allow customers to be proactive in protecting themselves and their accounts. Aside from allowing customers to do this without logging on to the BofA site, there’s obvious marketing value to letting a customer know the bank is watching their back. The bank also monitors potential fraud across all delivery channels.

Taken together, BofA obviously didn’t wait to be told what to do, and reaped the benefits, just like it reaped the benefit of offering its customers free online bill payment. At the time the bank did that, giving a billable service away was considered a bit odd, at a minimum; now, it’s considered the gold standard of customer retention. It was somewhat a matter of protecting BofA’s flanks, of course—think what it would have cost if its 27 million customers began flocking to branches for ordinary transactions—but it lit a candle in the darkness.

Why haven’t more banks come as far as BofA? “It’s a hard decision for most banks, because they have a lot of options, and they have to think about which solution is appropriate for them,” says Tubin. Luckily, most third-party providers have made it easy for them, by cutting deals with companies like PassMark; but there’s a lot of work to be done. Luckily, these systems are cheap: Between $0.15 and a dollar per user. (Contact: TowerGroup, George Tubin, 781-292-5213)

Brokers Push Margin Loans

Flipping through the latest issue of SmartMoney magazine, it came as no surprise to see a full-page advertisement from Fidelity. But what caught my eye was the subject matter. Margin loans.

And this was no soft-sell pitch with smiling 50-somethings sipping Chardonnay on their deck. It was all business, showing how Fidelity's margin-lending rates fared against those of its major competitors. The hard-hitting approach isn't carried through to its website though, which opts not to show any comparative data.

E*Trade, one of the best financial marketers, is said to be offering teaser rates as low as 3.99% to encourage investment clients to transfer higher-rate debt to their margin accounts (WSJ, 4/20/06). However, its published rates vary from 6.74% to 9.74%. The retail banking sweet spot, loans of $50,000 to $250,000, is priced at 8.74%.

Fidelity doesn't go quite that low. Rates vary considerably depending on the balance, but under $500,000, borrowers pay 8.5% to 10.5%. Only those borrowing more than $500,000 pay an ultra-low rate of 5.5% (see inset for current rates).

Analysis
What's going on here? Brokerage firms are finding that customers are willing to borrow against their securities to finance all types of non-investment purchases. UBS AG's wealth management unit says that 75% of its $10 billion in margin loans outstanding has been used to purchase things other than securities.

Expect more competition from brokerage firms as empty nesters and younger retirees finance portions of their lifestyles with loans against their investments. Deferring tax liability on portfolio gains is a big part of the decision to borrow. But there's also the psychological aversion to seeing investment balances decline.

Financial institution loan officers should be well versed on the risks of margin loans, and instead offer home-equity loans and cash-out refinances with similar rates and no risk of a potentially disastrous margin call.

JB

Making the “Back” Button a Bank Profit Center

Nothing frustrates a Web user more than clicking the browser's back button during the middle of an online form, only to be hit with a browser-error message, followed by losing all the data previously entered.

There are a number of website-design techniques to reduce this problem, such as disabling the browser navigation, but those solutions can impact overall usability.

We like GetSmart's approach (click on inset for closeup). Rather than hiding the back button, the LendingTree unit (owned by IAC/InterActive) delivers a pop-up message with two choices:

  1. Continue: Users that inadvertently used the browser's back button are provided instructions on how to use the navigation tools within the webpage.
  2. Exit: Those truly wishing to leave the application are transported to the About Us page in case they need reassurances about the authenticity of the company.
  3. Search: Users not opting for doors one or two can go directly back to searching the Web through an Ask.com search box. GetSmart earns a few pennies on the transaction and keeps their name in front of prospects with a co-branded search screen at sister company Ask.com.

Action Items
Financial institutions could use a similar strategy on their forms. Any customer abandoning a form, either on purpose or by accident, should be greeted by a pop-up screen containing several of the following choices:

  • Talk to a specialist via phone, chat, or email
  • Go back to read more about the product's features and benefits
  • Save the form to complete later
  • Review other product options
  • Go to a special landing page designed to encourage completing the application
  • Search the bank's website for more info

Finally, one of the most important functions of the popup, something missing from GetSmart's, is snagging the customer's email address and permission for follow-up communications.

JB

Wachovia’s “Free Checking” Marketing

Everyone wants free checking. So it's no surprise to see Wachovia the top bidder on the term at Google (click on screenshot right). The bank also managed to snag the top organic listing (directly below the paid ads), a coup for its search-engine-optimization consultant.

As much as Internet users love a good deal, they are skeptical when they see "free," especially when a company is spending money to advertise on the term. Wachovia wisely meets the skepticism head-on with a landing page entitled (click on inset for closeup):

Free checking. No catch.


The page also includes six bullet points, three of which relate to online banking. And there are two "Apply Now" buttons, at the bottom of the page and the upper right.

Analysis
While this landing page won't win any Webbys, it's fundamentally sound. The first three bullet points meet the likely customer objections by affirming that there is no minimum balance, no monthly fee, and no direct deposit requirement.

Clicking on the Apply Now button leads to a page explaining the process and what's needed to apply. Unfortunately, the user is forced through three screens of disclosures, the last one a record-setting 69-screen monster before the application begins. With such a tedious first phase, the bank is losing most of its prospects before they've even entered so much as an email address.

To avoid massive application abandonment, you must get customers engaged in the application before the trip down disclosure lane. Wachovia also stumbles by offering too much product choice. The customer that started at Google looking for free checking is forced to choose from 12 checking account options on that same 69-screen testament to the power of a large bank's compliance department.

Grades:
A for search-engine marketing
B for landing page design
C- for application design

JB

Verifone Acquires Lipman—and the Future


Verifone Holdings Inc. bought Israel’s Lipman Electronic Engineering Ltd. last week for a total of $793 million, giving Verifone pole position against its nearest rival in the point-of-sale terminal business, Hypercom Corp.

The deal, expected to close following regulatory and shareholder approvals in the fourth quarter, is engineered around a complex combination of cash and stock. It includes a special dividend that the companies would only say would likely exceed $23 million. An unspecified cap on the deal, based on undisclosed conditions, makes it almost impossible to fully value the transaction. Verifone is borrowing most of the money for the deal from an unidentified lending syndicate, and refinancing its existing debt, for a total of $540 million. 

The stock market liked the deal: Verifone’s shares spiked more than 10 percent on the news before trending back to the $30 range at which they had been trading before the news.

One good reason for that approval is the fact that Lipman’s business is strongest in relatively untapped markets like India, China, Eastern Europe and Brazil, all of which have relatively under-developed point-of-sale terminal markets. Lipman's product line is strong in advanced point-of-sale terminals, including contactless and Internet-protocol devices, and advanced ATMs.

“Arguably, the growth of this industry is in the emerging markets,” says Sam Ditzion, president of Tremont Capital Group. “Look at China. The percentage of consumers that have credit or debit cards today, versus five or ten years from now, is going to be absolutely extraordinary.”

That phenomenon is also in operation in the other markets Lipman has been active in, says Ditzion, and should greatly help Verifone’s future growth, assuming Verifone can preserve and extend Lipman’s footprint in those markets.

The deal will also reinforce Verifone’s bottom line. Verifone’s 2005 net income was $33.2 million on revenues of $485.3 million, and Lipman’s were $20 million on revenues of $235.4 million. Hypercom, by contrast, reported a 2005 net loss of $33.3 million on revenues of $245.2 million.

What the deal will not do is bring Verifone into the ranks of corporate point-of-sale vendors, a space currently dominated by IBM and NCR Corp. Aside from the sheer size disparity—NCR’s 2005 net income was $529 million on net revenues of $6 billion—Verifone and Lipman both sell to smaller operations than the large retail chains that typically use IBM and NCR systems.

This fact hasn’t diminished investor enthusiasm for Verifone. Since it went public last May, Verifone’s stock has risen over 300 percent; shares originally priced at $10.50 now trade in the $30 range.

The general approbation on Wall Street wasn’t universal, however; Standard & Poor’s, for instance, lowered its outlook on the announcement to negative from stable, mainly because of execution concerns. S&P left its credit rating of Verifone at BB-.

“It does seem that this acquisition cements Verifone’s lead [in its niche],” says Lucy Patricola, the S&P analyst who covers Verifone. “Our concerns were really that they have yet to do an acquisition this substantial. From what I know, management has done very well running Verifone, so they certainly bring something to the table, but this acquisition is of a size and a scope in which they’re untested.”

The problem for Verifone is that it is already composed of several product lines from previous acquisitions, and it’s acquiring quite advanced systems from Lipman, including terminals that Verifone has little experience manufacturing or supporting.

That combination—unabsorbed product lines combined with new, advanced products—will be a challenge for Verifone executives, despite their good track record, and is an issue that’s tripped up acquisitions before.

This is especially true because acquisitions typically result in a certain exodus of top executives and important technical staff of the acquired company, stripping the buyer of the talent and internal knowledge it needs to hit the ground running with its new products. Considering the fact that so many of Lipman’s recent sales have been in relatively underdeveloped markets—markets that lack the sort of readily available technical support infrastructure that’s commonplace in the United States—those facts may result in unexpected problems for Verifone, in turn creating sudden expenditures.

“Those are some of our concerns,” says Patricola. “There’s also the concern that the increase in leverage might be worse than they’re projecting because of some issue [related to integration matters] that might lead them to spend more money than they’re planning to.” Integration costs, she adds, “are always the issue.” (Contacts: Tremont Capital Group, Sam Ditzion, 617-482-8866; Standard & Poor’s, Lucy Patricola, 212-438-3006)