Capital One’s Savings Accounts

With the success of ING Direct and other direct banks, there has been a lot more attention given to selling savings accounts and certificates online.

One of the new players to watch is Capital One. They are beginning to apply their marketing skills, honed in the brutal credit card market, to deposit products.

Googling "online banking" today, we noticed Capital One in first position in the right-hand sponsored-links area (see inset).

Clicking through, you are delivered to a page that markets deposit products much more aggressively than most banks (see screenshot below). Capital One leads with a chart comparing its rate to the national average (see inset above).

The bank offers five different savings products on the main page, each with its own distinct Open Account button:

  • 3.15% High Yield Savings Account (the lead product at the top)
  • 4.03% No Regrets CDs (allows purchasers to bump-up their rate)
  • 3.25% Money Market Accounts
  • 4.50% Certificates of Deposit
  • 4.29% IRA CDs

Analysis
The relatively high rates (APYs) are a big part of the appeal. But there is more to it than just price.

Capital One does a great job of laying out the options, including:

Click on this thumbnail for a look at the main savings page at Capital One.

JB

2004 Online Financial Services Ad Spending

JP Morgan Chase and Citibank led all banking and lending companies in online ad spending according to the most recent American Banker survey of financial services spending (May 2005).

Chase’s $50 million in online advertising was 21% of its entire advertising expense, the highest among major banks, and considerably above the 11% online share across all financial services companies. In comparison, Citi’s $49 million spent online was only 9% of its total advertising expense, slightly below the industry average.

NetBank, the 16th biggest online advertiser, was the percentage leader, funneling all but $100,000 of its $4.9 million in advertising into online initiatives. Two other major online advertisers spent more than half their money online last year: ING Direct spending 60% of its $40 million total online, and MBNA spending more than half its $14 million online.

Lending Tree, Quicken Loans, HSBC, Sovereign and East-West Mortgage all devoted about one-third of their advertising to the online channel.

Top-20 Financial Institutions Online Advertisers*
2004 Online Advertising (% of total advertising)*
1. JP Morgan Chase  $50 million (21%)
2. Citigroup              $49 million (9%)
3. American Express $28 million (9%)
4. Bank of America    $25 million (9%)
5. ING Direct            $24 million (60%)
6. Lending Tree        $22 million (31%)
7. Ameriquest           $16 million (13%)
8. Quicken Loans       $10 million (33%)
9. Wells Fargo           $9.2 million (14%)
10. HSBC                  $8.3 million (39%)
11. MBNA                  $7.0 million (51%)
12. Wachovia            $6.3 million (7%)
13. E-Loan                $6.1 million (21%)
14. NetBank              $4.8 million (98%)
15. Discover             $4.7 million (6%)
16. GM                     $3.8 million (4%)
17. Royal Bank          $3.2 million (12%)
18. Sovereign           $2.8 million (33%)
19. East-West Mtg.    $2.7 million (32%)
20. WAMU                $1.9 million (2%)

*Banking, Lending, Mortgage, or Credit Card segments only, does not include online brokerage, insurance, or investments.

If you look at the brokerage and mutual fund category, the spending accelerates. Four online brokers, Ameritrade ($65 million), Scottrade ($63 million), Schwab ($58 million) and E*Trade ($52 million), each outspent even the largest financial institution, and Netstock Direct ($32 million) outspent all but Citi and Chase.

Top-10 Brokerage & Mutual Funds
2004 Online Advertising, $ millions (% of total advertising)
1. Ameritrade $65 (64%)
2. Scottrade $63 (87%)
3. Schwab $58 (35%)
4. E*Trade $52 (77%)
5. Netstock $32 (99%)
6. Harrisdirect $24 (78%)
7. Vanguard $12 (31%)
8. TD Bank $10 (17%)
9. Fidelity $5.3 (4%)
10. T.Rowe Price $3.8 (5%)

Download the Excel file with more details.

JB

Stonebridge and American Bank Offer Secure Account Login

Today's American Banker reports that Stonebridge Bank (West Chester, PA; $365 million in assets) and American Bank (Allentown, PA; $500 million in assets) are following E*Trade's move to offer hardware tokens to authenticate consumer logins.

As of May 30, Stonebridge is offering the token free of charge to any of its 4,500 consumer customers who request one. The token will be mandatory for its 500 business customers. In its security FAQ, the bank says it will charge $25 annually, its out-of-pocket expense for the device, after the first year. It also charges $25 to disconnect the token during the first year, and $25 to replace it within 5-7 business days or $45 total for overnight delivery.

American Bank is sending the token to 1000 customers who said they would like one in a recent survey. There is no charge for the service. The bank expects to order another 1000 from RSA Security next month. It pays approximately $20 each, which does NOT include maintenance costs to operate the system.

Analysis
We applaud these three financial institutions for moving beyond the username/password. However, except for the most demanding customers, primarily businesses, hardware-based solutions are overkill.

The Bank of America/PassMark approach is much better. Not only is it more cost effective, it is also much easier to use, and it helps keep the user from entering a password at a fake site.

JB


Citibank Fights Fraud with Personalized Emails

It’s fitting that the financial company most targeted in phishing attacks, Citibank, would be the first to introduce a new email format that goes a long way towards helping users identify legitimate email messages.

The personalized emails (click on inset to enlarge) include not only the name of the recipient, but also the last 4 digits of the user’s ATM card. While simple personalization with the customer name would help many users identify legitimate emails, it’s far from fool-proof.

First, there’s the relatively common practice of including first and/or last names in email addresses. Also, some phishers are using direct-marketing tactics, first running email addresses through various databases to append real names and other information to the email record in order to develop a personalized pitch (see ZD-Net article).

Citibank’s new email format was announced to customers through a short message on the top of the online banking screen in early May. It is also now mentioned in the bank’s main FAQ page.

Analysis
This is a great first step in winning back the confidence of users. Eventually email standards will evolve so that the email client will be able to readily identify legitimate emails, but that could be years in the future.

If you are considering a similar approach, you might want to let users choose the name and identifying information that appears in the personalization box. In February, we reported on a UK security initiative that took that approach.

For more information:

JB

Editor’s Note: Citibank received an OBR Best of the Web award for this and other security features in Online Banking Report #119, "Marketing Security."

Bank of America Unveils Multi-Factor Security for Consumer Accounts

Bank of America wins the race to be the first with a viable plan to secure consumer online banking accounts. In an announcement today, it becomes the first major U.S. bank to endorse multi-factor authentication for consumers at login.*

The system, already in use at Stanford Federal Credit Union, is called SiteKey. The clever approach from Bill Harris’s PassMark Security provides several layers of security to defeat phishing and keylogging attacks. The company calls it two-way two-factor authentication because not only does the end-user authenticate themselves to the bank, the bank authenticates itself to the user to defeat phishing schemes.

Here’s how it works (click on inset below for BofA page):

  1. User provides username
  2. BofA verifies that the login request is coming from the user’s previously registered computer; if NOT, user must successfully answer a challenge question based on previously registered shared secrets
  3. After passing steps 1 and 2, the user is shown their previously selected image, so they know they are logging into the true BofA server
  4. User enters their password
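The four-step flow above, written out as an added illustration in Python (this is not BofA or PassMark code, and the internals of SiteKey are not public). Assumptions made here: a registered computer is recognized by an HMAC-signed cookie, the challenge answers and password are stored only as salted hashes, an unknown username is given a decoy question so the first step does not reveal whether an account exists, and a new cookie is issued once the password is accepted. The `SiteKeyBank` class, its method names and the sample user are all hypothetical.

```python
"""SiteKey-style two-way login (illustrative; not BofA/PassMark code)."""
import hashlib
import hmac
import os
import secrets


class SiteKeyBank:
    def __init__(self):
        self._cookie_key = secrets.token_bytes(32)  # signs device cookies (assumed design)
        self._users = {}                            # username -> enrollment record
        self._pending = {}                          # username -> question currently asked

    def enroll(self, username, password, image, questions):
        """questions: {question_text: answer}. Only salted hashes of answers are kept."""
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "image": image,
            "answers": {q: self._answer_hash(salt, a) for q, a in questions.items()},
        }

    @staticmethod
    def _answer_hash(salt, answer):
        # normalise case and whitespace so a capital letter does not lock the user out
        return hashlib.sha256(salt + answer.strip().lower().encode()).digest()

    def issue_device_cookie(self, username):
        nonce = secrets.token_hex(8)
        tag = hmac.new(self._cookie_key, f"{username}:{nonce}".encode(), "sha256").hexdigest()
        return f"{username}:{nonce}:{tag}"

    def _device_registered(self, username, cookie):
        if not cookie:
            return False
        try:
            user, nonce, tag = cookie.split(":")
        except ValueError:
            return False
        expected = hmac.new(self._cookie_key, f"{user}:{nonce}".encode(), "sha256").hexdigest()
        return user == username and hmac.compare_digest(tag, expected)

    def step1_username(self, username, cookie=None):
        """Steps 1-2: ('image', img) for a registered computer, else ('challenge', question)."""
        rec = self._users.get(username)
        if rec is None:
            # decoy question: the response must not reveal whether the account exists
            return ("challenge", "What is your mother's maiden name?")
        if self._device_registered(username, cookie):
            return ("image", rec["image"])
        question = secrets.choice(list(rec["answers"]))  # rotates between logins
        self._pending[username] = question
        return ("challenge", question)

    def step2_answer(self, username, answer):
        """Step 3: a correct answer reveals the personal image (bank authenticates itself)."""
        rec = self._users.get(username)
        question = self._pending.pop(username, None)   # one answer per question asked
        if rec is None or question is None:
            return None
        if hmac.compare_digest(rec["answers"][question], self._answer_hash(rec["salt"], answer)):
            return rec["image"]
        return None

    def step3_password(self, username, password):
        """Step 4: the password is typed last; returns a device cookie on success, else None."""
        rec = self._users.get(username)
        if rec is None:
            return None
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if hmac.compare_digest(attempt, rec["pw_hash"]):
            return self.issue_device_cookie(username)
        return None


def demo():
    """Walk one user through a first login (new computer) and a second (registered)."""
    bank = SiteKeyBank()
    answers = {"First pet's name?": "Rex", "City of birth?": "Memphis"}   # constructed sample
    bank.enroll("alice", "correct horse", "red-barn.jpg", answers)
    kind, question = bank.step1_username("alice")          # no cookie -> challenge
    image = bank.step2_answer("alice", answers[question])  # right answer -> image shown
    cookie = bank.step3_password("alice", "correct horse")
    kind2, image2 = bank.step1_username("alice", cookie)   # registered computer -> image at once
    return kind, image, cookie is not None, kind2, image2


if __name__ == "__main__":
    print(demo())
```

Note what the image does and does not prove: it is fetched from the real server after the username (and, on a new computer, the challenge answer) have been supplied, so a phishing page that relays those to the real site in real time can display the same image. The image is a check the user has to look for, and its absence is the signal.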

The service launches in mid-June in Tennessee with full roll-out by the end of the year.

Analysis
Even though it’s long overdue, we applaud Bank of America for moving the industry forward. While the program won’t be available system-wide until year-end, we’re giving it an Online Banking Report "Best of the Web" now because it’s the biggest development in U.S. online banking for several years.

The BofA/Passmark system is ingenious for several reasons:

  • Unless a user logs in from a new computer, there is little extra work involved: just a two-step login with username, followed by the password
  • Requires no hardware or out-of-channel coordination by the end user; shouldn’t cause a major increase in customer-service expense
  • Counters phishing by displaying a personal image prior to asking for the password (a phishing site that relays the username to the real BofA server in real time can fetch and show that image too, so the image is a check the user must actually look for, not a guarantee)
  • Blunts keylogging with the rotating challenge question; a keylogger still captures the typed answer, so the protection holds only when the next login from an unregistered machine asks a different question

If you are at one of the other 15,000 financial institutions in the United States, the clock is now ticking. As your customers find out they are not among the 13+ million consumers (BofA’s current online base) receiving extra protection, they will be demanding the same from you. And if you thought BofA was aggressive in its free bill pay promotion, wait until you see the marketing blitz on this one. Extra authentication simply MUST BE in your 2006 plans.

JB

*For several years, ING Direct has asked for a third bit of info at login, but the necessary info is relatively easy to obtain (for example, zip code). Also, earlier this year, E*Trade launched security tokens for its high-rollers. But BofA is the first with a broad, secure, and non-hardware-based approach.

NBC Nightly News Takes the Banking Industry to Task Yet Again

During the past year, NBC Nightly News, more than any other national show, has publicized fraud concerns in the online channel. They played a large role in publicizing the $90,000 apparent key-logging loss by a Bank of America small business customer in Florida. They also covered, rather sloppily, last summer’s flawed Gartner study about multi-billion dollar losses in identity theft.

The most recent story, which appeared on television last night, covered demand draft fraud initiated at Qchex.com among other locations. The NBC Nightly News story appears to have been based primarily on a May 24 article by MSNBC’s Bob Sullivan in his closely watched online column on ecommerce. Sullivan was also the primary source for the Gartner story.

Analysis
When NBC goes on the air pointing fingers at the banking industry’s security practices, you better be ready with a response. Your branches and customer support personnel should be briefed on the subject and be prepared to answer customer concerns. You should also prepare a response in your online service HELP/FAQ area that addresses the issue.

In the future, you might want to pay attention to Bob Sullivan’s columns. If he’s writing about it, and if it’s a new twist on an Internet scam, there’s a good chance the Nightly News will pick it up. Had you been reading his column yesterday morning at 8:15 am, you’d have had a day to prepare damage control.

As far as solving the demand draft problem, that’s something we’ll leave to the regulators. But requiring Internet originators like Qchex.com to verify account ownership before processing a debit would be a good first step.

JB

Online Banking Account Authentication Tips & Tricks

Although the cyberthieves have made in-roads this year, there are a number of clever low-cost authentication methods being tested. What they have in common is simplicity, with no new hardware.

Here is a quick recap of the available techniques. Generally, these techniques would be used in addition to a username and password:

To thwart keylogging (but not phishing):

  • virtual keypad (or string of numbers from 1 to 10): user selects numbers from the keypad/list instead of typing (for added security the numbers should be positioned differently each time)

To thwart keylogging AND phishing:

  • picture/graphic selection: instead of a numerical ID, users identify the correct graphical image or picture from an ever-changing pool of choices
  • bingo card: user enters the requested coordinates (which change each login) from a preprinted "bingo" card (refer to previous NetBanker article)
  • one-time PINs: user enters a number from a list of one-time-use PINs previously mailed, emailed, text-messaged to a mobile phone, or voice-messaged to any phone
  • shared secrets: the bank and the user establish a series of shared secrets, one of which must be answered correctly to complete login
  • random partial passwords: similar to the shared-secret approach, the bank asks for a different portion of the PIN at each login

Note the limit of every item in the second group: it defeats a keylogger or a phishing site only to the extent that the captured item (one PIN, one bingo coordinate, one answer) cannot be reused at the next login. A phisher who relays the bank’s real prompt to the victim in real time still receives a usable answer; what these methods take away is the ability to log in later with what was captured.
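Server-side bookkeeping for the bingo card and the one-time-PIN list, added here as an example; it is not any bank’s code. Assumed layout: a 5x5 card with rows A-E and columns 1-5, each cell holding a 4-digit value, and a mailed list of 6-digit PINs. The server keeps only keyed hashes of the card values and PINs (a plain hash of a 4-digit value would be trivial to invert if the database leaked), never asks the same cell twice in a row so a captured answer cannot be replayed at the very next login, and marks each PIN used after one successful redemption. Class and function names are hypothetical.

```python
"""Bingo-card and one-time-PIN challenges (illustrative; not any bank's code)."""
import hmac
import secrets

ROWS = "ABCDE"          # assumed card layout: 5 rows by 5 columns
COLS = range(1, 6)


def make_card(rng=secrets):
    """Values to print on the customer's card: {('A', 1): '0427', ...}."""
    return {(r, c): f"{rng.randbelow(10_000):04d}" for r in ROWS for c in COLS}


def make_pin_list(count, rng=secrets):
    """One-time PINs to mail or text to the customer."""
    return [f"{rng.randbelow(1_000_000):06d}" for _ in range(count)]


class BingoCardAuth:
    """Bank side of a bingo-card login: ask one cell per login, never the same cell twice in a row."""

    def __init__(self, card, server_key=None):
        self._key = server_key or secrets.token_bytes(32)      # keyed hashing of cell values
        self._tags = {coord: self._tag(coord, value) for coord, value in card.items()}
        self._last_asked = None
        self._pending = None

    def _tag(self, coord, value):
        msg = f"{coord[0]}{coord[1]}:{value.strip()}".encode()
        return hmac.new(self._key, msg, "sha256").digest()

    def challenge(self):
        """Pick the coordinate to ask for; a keylogged answer from the last login is useless here."""
        candidates = [c for c in self._tags if c != self._last_asked]
        self._pending = secrets.choice(candidates)
        return self._pending

    def verify(self, answer):
        coord, self._pending = self._pending, None            # one answer per challenge issued
        if coord is None:
            return False
        self._last_asked = coord
        return hmac.compare_digest(self._tags[coord], self._tag(coord, answer))


class OneTimePinList:
    """Bank side of a mailed/texted PIN list: each PIN works once, in any order."""

    def __init__(self, pins, server_key=None):
        self._key = server_key or secrets.token_bytes(32)
        self._unused = {self._tag(p) for p in pins}

    def _tag(self, pin):
        return hmac.new(self._key, pin.strip().encode(), "sha256").digest()

    @property
    def remaining(self):
        return len(self._unused)

    def redeem(self, pin):
        """True once per PIN; a replayed PIN (keylogged or phished) is refused."""
        tag = self._tag(pin)
        for candidate in list(self._unused):
            if hmac.compare_digest(candidate, tag):
                self._unused.discard(candidate)
                return True
        return False


if __name__ == "__main__":
    card = make_card()
    auth = BingoCardAuth(card)
    coord = auth.challenge()
    print("asked", coord, "ok:", auth.verify(card[coord]))
    pins = make_pin_list(5)
    otp = OneTimePinList(pins)
    print("first use:", otp.redeem(pins[0]), "replay:", otp.redeem(pins[0]), "left:", otp.remaining)
```

With 25 cells, "not the same cell as last time" only shortens the replay window; an attacker who has logged several answers can wait for one of those cells to come up again. Rotating the card after a fixed number of logins, or asking for two cells at once, narrows that further.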

For more information, refer to our previous NetBanker security articles and Online Banking Report (#93/94).

JB


Put an End to “3 Strikes and You’re Out” Password Management

Password management is a pain and only promises to get worse as banks and other ecommerce providers tighten up access controls due to sophisticated fraud attacks.

However there is one area where some banks are still "penny-wise and pound foolish." Specifically, the old-fashioned notion of locking an account after three unsuccessful password attempts.

It’s just too easy to miss three times. Here’s what just happened to me at Bank One’s credit card site:

1. Correct username, incorrect password
2. Correct username, retype same (incorrect) password in case I made an inadvertent typo the first time (since the password is masked and I can’t see what I typed the first time)
3. Correct username, another shot at the password which turned out to be incorrect (probably because I changed it last time I was locked out)

RESULT: Locked out and in need of an account reset, which luckily you can do online if you have the card number, expiration date, 3-digit code, and primary social security number.

Analysis
The last time we took an in-depth survey, in our April 2003 report on Security & Privacy (OBR 93/94), 4 of the 14 major financial institutions we tested locked users out after just three attempts, while 6 of 14 fell within the recommended range of 5 to 10 attempts.

We recommend that you allow at least five unsuccessful logins, and preferably closer to 10, prior to freezing the account. The amount of fraud deterred between locking out at three attempts vs. locking out at six is so small as to be virtually unmeasurable: a lockout counter only limits online guessing against one account, and a per-source rate limit plus a growing delay between attempts does more against that than a low hard lock-out does. However, there is a real cost in customer service and consumer dissatisfaction for constantly requiring password resets.
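One way to implement the recommended policy, added here as an example (not Bank One’s code or anyone’s production code). Assumptions: a threshold of six distinct wrong passwords within a 15-minute window, strikes that expire when the window passes, and an exact retype of the previous wrong password (the author’s second attempt above) not counted as a new strike, since an attacker learns nothing by resubmitting the same guess. The last wrong attempt is remembered only as a keyed hash so no plaintext password is ever stored. `LoginThrottle` and its method names are hypothetical.

```python
"""Failed-login accounting with a sane lock-out threshold (illustrative code)."""
import hmac
import secrets
import time


class LoginThrottle:
    def __init__(self, max_failures=6, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures        # assumed policy: 6 distinct wrong passwords
        self.window = window_seconds            # assumed policy: strikes expire after 15 minutes
        self._clock = clock                     # injectable for testing
        self._pepper = secrets.token_bytes(32)  # tags attempts without storing them
        self._state = {}                        # username -> bookkeeping

    def _tag(self, username, password):
        # keyed hash of the attempt: lets us spot a retype without keeping the password
        return hmac.new(self._pepper, f"{username}\0{password}".encode(), "sha256").digest()

    def _rec(self, username):
        return self._state.setdefault(
            username, {"fails": 0, "first_fail": None, "last_tag": None, "locked": False})

    def is_locked(self, username):
        return self._rec(username)["locked"]

    def failures(self, username):
        return self._rec(username)["fails"]

    def record(self, username, password, password_ok):
        """Call after the password check. Returns 'ok', 'fail' or 'locked'."""
        rec = self._rec(username)
        now = self._clock()
        if rec["locked"]:
            return "locked"                     # even a correct password needs the reset path
        if password_ok:
            rec.update(fails=0, first_fail=None, last_tag=None)
            return "ok"
        if rec["first_fail"] is not None and now - rec["first_fail"] > self.window:
            rec.update(fails=0, first_fail=None, last_tag=None)   # old strikes expire
        tag = self._tag(username, password)
        if rec["last_tag"] is not None and hmac.compare_digest(tag, rec["last_tag"]):
            return "fail"                       # same wrong password retyped: no new strike
        if rec["first_fail"] is None:
            rec["first_fail"] = now
        rec["fails"] += 1
        rec["last_tag"] = tag
        if rec["fails"] >= self.max_failures:
            rec["locked"] = True
            return "locked"
        return "fail"

    def unlock(self, username):
        """Called after an out-of-band reset (card number + expiry + CVV + SSN, or a phone call)."""
        self._state.pop(username, None)


if __name__ == "__main__":
    th = LoginThrottle()
    # constructed sample: the three attempts described in the post
    print(th.record("jb", "wrong", False), th.record("jb", "wrong", False), th.record("jb", "other", False))
    print("strikes:", th.failures("jb"), "locked:", th.is_locked("jb"))
```

Under this policy the sequence in the post (wrong, same wrong retyped, another wrong) costs two strikes out of six and the user is still in. Pair it with a per-IP or per-session delay that grows with each failure, so that a guessing script is slowed down long before a legitimate customer is locked out.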

OK, I feel better now. Thanks for listening.

JB

Monetize Your Online Customers with Insurance

Now that financial institutions are interacting with a substantial portion of their customer base online, it becomes feasible to cross-sell niche products that don’t necessarily have broad appeal.

One relatively untapped area is insurance, especially products outside the highly competitive term life and auto market. For example, in today’s Wall Street Journal Family Finance column, Jennifer Saranow discussed new all-in-one insurance policies combining auto and homeowner coverage.

Other possible insurance offerings that might interest your online customers:

  • Small business coverage
  • Umbrella liability
  • Combination credit insurance that covers multiple loans and revolving balances under one policy
  • Bill insurance that would pay all previously scheduled bills for a defined period

Analysis
As any insurance sales rep can tell you, it takes time to build an insurance clientele, but once built it can be quite lucrative.

For example, if you could sell a new policy to just 1% of your online banking customers each year, by the end of 10 years you’d have 10% penetration (ignoring attrition for the sake of simplicity).

If you had 25,000 online banking subscribers and you earned $100 per year per customer on insurance, by the end of the decade you would be earning $250,000 per year from your online insurance business.

While that may not be a huge number, if you put together a half-dozen niche-product cross sales programs, you could soon be earning $1 million or more per year; money you wouldn’t have had without the online channel.

We’ll get back to this issue in future articles.

JB

Intrust Pays $6 Per GB for Online Archives

If you are wondering how much it might cost to enable long-term or lifetime archives for your customers, here’s a data point from an article in today’s American Banker about the pros and cons of pooling image archives with other banks.

Intrust says that its latest 5-terabyte upgrade cost just $30,000. Doing the math, that’s $6 per gig for approximately 5,000 gigabytes of storage. Here’s the exact quotation attributed to Jim Simon, Intrust’s VP of operations:

Last summer (Intrust) put its entire (image) archive online as a result of a five-terabyte storage system upgrade that cost just $30,000.

Analysis
At $6 per GB, storage space for online archives is already so inexpensive that it won’t be long (2 to 3 years) before real-time online access to 7+ years of image/statement history is the norm in banking; and by the end of the decade, we expect most financial institutions to offer lifetime archives.

So if you want to use lifetime archives as a point of differentiation, you better move fast. You only have a one- or two-year window before it’s just another me-too upgrade.

For more information:

JB

Honor System for Bank Remote Deposits

Few innovations of the past five years can top Pennsylvania State Employees Credit Union’s (PSECU) Upost@Home service. Launched in late 2001, the service allows qualified members to enter deposit items online for instant credit to their account. Members then send the paper items to the CU through the mail for reconciliation.

The service was named an OBR Best of the Web winner in 2003 and earned the #23 spot on the OBR list of the Top 25 Innovations of All Time (see OBR 103).

Now the service is being marketed to other financial companies through PSECU’s CUSO affiliate, eCU Technologies. The service is already in place at Southland Civic Credit Union and Deere and Company Credit Union.

As part of the marketing effort, eCU has released updated metrics on the usage at PSECU and the estimated cost savings:

Total deposit sessions: 700,000
Total deposit dollars: $300 million
Deposits per session: $430
Total losses: $13,000
Losses as a percent of deposits: 0.4 basis points (0.00004)
Losses per deposit session: $0.02
Savings per deposit session (vs. teller or ATM): $1.14
Total program savings: $800,000

Action Item
Specific results from three credit unions along with program details will be discussed at a free Webinar May 23. We urge you to attend.

JB