Beating Debit Card Fraud with Mobile Banking

ClairMail schematic of actionable text message alert 

There is no doubt consumers love debit cards. Despite cloudier fraud protections, no free float, and the confusion of "signature vs. PIN," growth continues at a 20% annual clip, with total U.S. transactions surpassing credit 15 to 18 months ago (see numbers here).

But continued negative press coverage could slow the growth. For instance, today's lead article in the Wall Street Journal's Personal Journal section, How to Protect Your Plastic, focused on recent debit card skimming incidents. 

What can a financial institution do to counteract the negative press?

1. Educate customers on their limited liability

2. Provide clear and understandable zero-liability fraud protection guarantees

3. Provide tools for monitoring checking accounts, such as transaction and security alerts

But once you have those "best practices" in place, you can still boost usage, and differentiate your debit card and checking accounts by integrating actionable text-message alerts (see ClairMail example above). 

While the industry-standard email alerts are helpful, the phishing epidemic, spam filling up the in-box, and the time lag for reading and responding to bank emails make them less and less effective for time-sensitive communications such as fraud alerts.

Enter the mobile phone. Most banking customers now keep a mobile device within "three rings" of their person much of the day, and almost always when out of the house. Therefore, a real-time text message each and every time a debit card is used will go a long way towards making users comfortable that their card has not been compromised. And in the event there is a fraudulent transaction, a quick text message back to the issuer can lock the debit card down, avoiding any additional unauthorized transactions.

This is about as win-win as you can get in banking. The user is happier with his debit card leading to increased loyalty and more debit transactions, boosting both short- and long-term revenues for the bank, credit union, or card issuer.

For more information see our latest Online Banking Report, Mobile Banking & Payments 2.0 (OBR 138/139).

Chase Advertises Security Alerts in the NY Times

Chase ad in New York Times featuring mobile security alerts

Once again (previous post here), Chase used a three-quarter page color ad in the front section of the New York Times (p. 17, National Edition) to showcase its alert services (see partial screenshot right). The ad shows a man relaxing in the stands at some type of sporting event, Yankee Stadium perhaps.

The camera looks over his shoulder, focusing in on the image displayed on his Treo smartphone, which says "SECURITY ALERT" in large white letters on a light-blue background.

You had to feel for this poor guy, jarred from his leisure time with an urgent missive from the bank. Within a few seconds, three things likely crossed his mind: 

1. What the (expletive deleted)? Pretty poor timing to be interrupted at a baseball game with a security alert from the bank (which, these days, is 99.9% likely to be a false positive or a phishing attempt; see number 2).

2. Is this even from Chase? How do I know it's not a new kind of mobile phishing attack (mishing?). Should I ignore it? Does my liability go up if I don't respond immediately?

3. Now what? Can I click the message and find out if this was just a notification that I'd used my debit card to buy beer at a Yankees game, something I'd never done before, or has someone just transferred my 401k to a numbered account in the Jersey Islands? Or will I have to excuse myself and make a voice call, spending the 6th and even part of the 7th inning, talking to a Chase CSR, who may not even have enough info to explain why I got the alert? 

Analysis 
The ad demonstrates the pitfalls of using a very negative attribute, security breaches, in marketing your brand. But despite the uncomfortable thoughts that come to mind, we think it's an effective ad because it grabs attention and positions Chase as caring for the financial security of its customers. However, given that Chase's actual alerts look nothing like this, it's a bit of a stretch. I suppose they're allowed a bit of creative license; it's advertising after all. 

We'll give it an A-

Wachovia is Developing User-Managed Security Controls

In an American Banker article today (here), Wachovia says it is developing security controls that will put users in charge of some of their own security settings such as the size of a funds transfer allowed. According to John Watkins, Wachovia's Director of Online Services, the new capabilities will be available "sometime this year."

This is not a new concept. The first full-service online-only bank in the world, Security First Network Bank, offered user-set bill payment limits more than ten years ago. Other international banks, such as ABSA Bank in South Africa, have long allowed users some control over security matters.

However, in the United States user-controlled security has been slow to catch on, other than via triggered email alerts, which remain the first line of defense. For several months, Bank of America has been reminding online banking users that alerts can help them prevent fraud in their accounts. 

While it's too early to speculate on what Wachovia will or won't do, the concept is a good one, and will eventually be used to some extent by all financial institutions. It's a win-win, providing users a better sense of control while reducing actual fraud losses within the bank.  

For more information:

See Online Banking Report #119, "Marketing Security" for more ideas on how to turn security concerns into a marketing advantage.

Finding New Subscribers for Your Email Newsletters and Alerts

How do you convince already-registered users to sign up for your latest email newsletter? One way is to offer an incentive. Earlier this week, the Seattle Supersonics offered users the chance to win a $500 shopping spree if they logged into their account and opted-in for the latest email newsletter.

An even more effective method was demonstrated by the New York Times today in the online version of its Business Section. In the upper-right corner, the user's existing email address is shown, along with a sign-up button (see screenshot below). All it takes is a single click to begin receiving the daily DealBook email.

The newspaper also provides a link to view a sample of the newsletter, a proven strategy for increasing response, and links to its Privacy Policy and back to account preferences to change the email address.

New York Times email signup

Once users click on the sign-up button, the text is changed to a thank-you message along with a link to change email preferences (see inset above).

New Instant Voice Messaging Service Combines Voice/Text Messages

Startup Pinger <pinger.com> launched a service last month that makes it easy to send voice messages to mobile phones or computers along with an email or SMS alert.

It combines the immediacy of instant messaging, the functionality of email, and the more personal nature of a voice message. And it's free.

To use the service, which is currently in public beta, users upload recipient email addresses to the Pinger server where communication preferences are stored. Voice messages are created using any phone or a PC microphone.

The San Jose, CA-based firm received $3 million in funding from A-list VC Kleiner Perkins in Nov. 2005.

How it Works
To send a message from a phone, you simply call the service, say the name of the recipient, record the message, and hang up.

To send a message from a PC, you select the recipient from your address book, record the message on your PC microphone, and send. 

Either way, the recipient is notified via SMS and/or email. If on a mobile phone, they dial the number in the SMS message and listen. If at a PC, they can click on the link and listen to the message on their PC speakers.

The recipient can sort, replay, forward, store, and even reply via voice to the messages, which makes them as functional as email.

Pinger demonstrated the service last week at Demo's fall conference (see the demo here).

Pinger instructions

Financial institution opportunities
With believability of financial emails at an all-time low, short voice messages could be more effective for complex information, such as explaining options to someone late with a loan payment, or who has just been given a credit line increase.

And since many banks have stopped using links in their emails due to phishing concerns, voice messages could be used to say, "See us on the Web at www.yourbank.com/loans" or "Log in to your account and go to the Your Loans tab."

The novelty of the voice message will also provide a boost to marketing efforts, at least temporarily. The first few messages are likely to generate quite a bit of interest, until users learn to ignore them like other marketing messages.

Voice messaging isn't for everything. Routine information, such as balance alerts and deposit confirmation, should continue to be sent via text only.   

It's yet to be seen whether Pinger takes off. But it's a safe bet that something similar will soon enter the lexicon along with Googling, IMing, and texting. With dozens of voice-over-Internet-protocol (VOIP) startups challenging the bigger players, such as Vonage and eBay's Skype, we are sure to see interesting, cost-effective new ways to reach customers.

For more information:

  • TechCrunch article on new VOIP providers here
  • Coverage at Under the Radar blog here
  • Short article in New York Times Sep. 27 here

Amazon.com Uses Feedback Link to Measure Effectiveness of Customer Service Responses

Email response from Amazon customer service with links to rate the answer

Hoping to download a movie to watch on the long Seattle-NYC flight, I sent Amazon an email with a question about its new Unbox video service. Not only did they answer within the hour, they also included a link to indicate whether the answer solved my question or not.

Choosing the "yes" option, I was delivered to a "Thanks for your feedback!" message, which not coincidentally put me back onto the Amazon site. The thank-you also contained a link to provide additional feedback.

Landing page after selecting "yes my question was answered"

Following that link leads you to a page to provide detailed comments:

Form to provide additional feedback

If you responded "no" to the original question, you are taken to a similar page to rephrase the question (see below).

Analysis
This simple feedback mechanism provides five important benefits:

  1. Demonstrates you actually care whether the user's problem is resolved satisfactorily
  2. Allows customer to easily submit another question if not satisfactorily resolved
  3. Allows you to quantify the performance of the service department
  4. Identifies areas where better answers are needed
  5. Helps identify tricky problems that can be corrected

All financial institutions should consider similar techniques for improving electronic customer service.

Now, if only the Amazon video-download service were as efficient as its service reps. First, it took two tries to get the player downloaded. Then the 90-minute, 1.7 GB movie took nearly eight hours to download via my Wi-Fi connection to our Comcast cable modem, never going much faster than 80k per second. Bottom line: For $2.99, it's still worth doing, provided you plan far enough in advance.

US Bank Introduces Email Alerts 2.0

Friday, US Bank <usbank.com> began using a new design for its email alerts. It has a softer, more modern look to it (see before and after screenshots below). The layout and copy are identical to the previous version.

The new look arrived about the time we intended to post a rant about the lack of creativity in bank messaging. One of our examples was US Bank, which had sent us the same basic confirmation message more than 1,000 times over the past three years.

While it's good to see an improved design, it's still pertinent to note that there is more to the lack-of-creativity argument than just the font and background colors. The problem with email alerts is that after receiving them two or three times per week for several years, many users may ignore them. To keep that from happening, financial institutions need to upgrade their messaging system; let's call it Alerts 2.0.

Here are some important features of Alerts 2.0 (for a detailed look at bank messaging, see Online Banking Report #91/92):

  • Educate about preference changes: Once or twice per year, perhaps more frequently for those receiving a large number of alerts, remind customers about the types of alerts available and how to change them.
  • Provide periodic summaries: Someone getting six alerts each week would likely appreciate a weekly summary of all changes.
  • Change the "look & feel" periodically: Don't wait three years to change the design. Create a template so that the alert design can easily be changed to fit the season or holiday.
  • Gently cross-sell: Alerts should be kept primarily factual. But every once in a while, most of your customers would appreciate a low-key "reminder" of relevant services, such as overdraft protection, credit report monitoring, and so on.
  • Give thanks: As trite as it sounds, don't forget to thank the customer, at least every once in a while. For example, you might add a thank-you when receiving a large deposit (or ANY deposit for that matter). Also, a periodic "thanks for participating in online banking" and/or email alerts would be appropriate. This would also be a good time to ask for feedback on the service.

US Bank email alerts redesign (new and old screenshots)

–JB

Fee Income Opportunities from SMS Alerts

While most banks in the world charge fees for at least some aspect of online banking, the service has been almost entirely fee free in the United States, at least ever since Bank of America rolled out free bill payment in 2002.

At first glance, it seems like a great deal for consumers; however, the lack of direct revenue has hampered investment in the channel and deprived U.S. customers of the more sophisticated services common throughout the world, such as SMS alerts, multi-factor log-in controls, and so on.

We're always on the lookout for fee-based opportunities (see Online Banking Report 122/123 for a laundry list of online fee opportunities), and we are encouraged by eBay's latest innovation, SMS auction alerts with a fee of $0.25 per auction. This is the first time eBay has attempted to charge fees to bidders. The site has offered free email alerts since the beginning.

Here's how SMS alerts work (see screenshot below):

  1. Select "Get SMS alert" (see red circle in screenshot above).
  2. Select mobile phone provider from drop-down list and enter mobile phone number; currently Cingular, Verizon, Nextel, Alltel, Sprint, and TCRcom participate
  3. Check "Watched item ending alert" or "Outbid alert"
  4. Click "Continue" which initiates a confirmation message to the user's mobile phone
  5. Send a text-message reply from the mobile back to eBay to agree to the charges

SMS-alert users pay $0.25 for each auction entitling them to up to 10 alerts. Each 10 thereafter cost another $0.25. It would be unusual for the number of alerts to exceed 10. After receiving an alert, users can submit a new bid via text message by responding to the text message with their new bid amount. Bidding can be protected with an optional PIN.

Instant messaging alerts work in a similar manner:

  1. Select "Get IM alert"
  2. Select IM provider; eBay supports the big three: Yahoo, AOL, MSN
  3. Check "Watched item-ending alert" or "Outbid alert"

There are no fees for IM alerts. After receiving an IM alert, users can submit a new bid via the provided link.

In addition to SMS-alert links in the main auction listings, successful bidders are also prompted to set up an alert on the bidder's confirmation screen (see below).


What it means for financial institutions
There is no reason why banks cannot charge for triggered alerts. Unlike account access, alerts are a value-added service with no similar "free counterpart" in the offline world. You don't see telecom giants giving away any of their specialized services such as caller-id, custom ringing, call forwarding and so on. Banks should work on developing premium service bundles. For inspiration, take a look at your local phone provider's website (see Qwest screenshot right).

ING Direct Personalizes Emails for Security

ING Direct <ingdirect.com> is the latest bank to move to greater personalization in order to distinguish its messages from phony phishing attempts. The bank has added the customer's first name and masked all but the last three digits of the customer's number (see inset).

The message at left was sent to customers to market ING’s latest deposit promotion: 4.75 percent APR for new money.

The same technique is also used for routine account alerts (see inset right).

Note: The high-impact sales pitch for its 4.75 percent deposit promotion.

Analysis
While it doesn't prevent phishers from attempting to recreate the same look (see footnote), it's an effective first line of defense. Besides, the personalized greeting is a friendlier way to communicate with customers. Citibank has been using a similar approach for more than a year (NetBanker, May 30, 2005).

Footnote: Yesterday, we received a fake email that recreated the Citibank personalized area in the upper-right corner. The crooks just left blank the Email Security Zone in the upper-right corner, figuring many users won't look that closely at the box (see inset).

JB

Bank Alert Welcome Message

Whenever online banking users make changes to their account preferences, you should confirm with an email. It not only shows you are paying attention, but also provides customers the peace of mind that they accomplished the intended task.

Today we changed one of our account alerts at Bank of America <bankamerica.com>. Within a few minutes, we received this attractive email (see inset). However, you can tell that this particular message was crafted in the pre-phishing days, as evidenced by the old 2004 copyright date (lower left corner), the old 2000-2004 Olympic sponsor logo in the lower right, and hyperlinks back to the log-in page.

Action Items

  1. For better authenticity, include a personalized greeting, shared secret, or truncated account info in your message.
  2. Do not include hyperlinks back to the bank on routine, non-personalized messages.
  3. Update all messages at least annually so they don’t carry outdated corporate branding and/or copyright dates.

JB
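
The three action items above can be checked automatically before an alert template goes out. The following is an added example, not code from the original post or from any bank: the function names, finding labels, and both sample messages are constructed for illustration, and the masking format follows the "all but the last three digits" approach described for ING Direct.

```python
import re
from datetime import date

# Any clickable link: a bare URL or an HTML href attribute.
URL_RE = re.compile(r"https?://\S+|href\s*=", re.IGNORECASE)
# "Copyright 2004", "(c) 2000-2004", "© 2004": capture the last year shown.
COPYRIGHT_RE = re.compile(
    r"(?:©|\(c\)|copyright)\s*(?:\d{4}\s*-\s*)?(\d{4})", re.IGNORECASE)


def masked_account(account_number, visible=3):
    """Mask all but the last `visible` digits, e.g. 'XXXXXX789'."""
    return "X" * (len(account_number) - visible) + account_number[-visible:]


def audit_alert(body, first_name, account_number,
                shared_secret=None, current_year=None):
    """Return a list of findings for one outbound alert message."""
    current_year = current_year or date.today().year
    findings = []

    # Truncated account info helps; the full number must never be mailed.
    if account_number in body:
        findings.append("full-account-number")

    # Action item 1: greeting by name, shared secret, or truncated account.
    personalized = (
        re.search(r"\b" + re.escape(first_name) + r"\b", body) is not None
        or masked_account(account_number) in body
        or (shared_secret is not None and shared_secret in body)
    )
    if not personalized:
        findings.append("not-personalized")
        # Action item 2: no hyperlinks on non-personalized messages.
        if URL_RE.search(body):
            findings.append("hyperlink-in-non-personalized-message")

    # Action item 3: branding and copyright dates refreshed annually.
    for match in COPYRIGHT_RE.finditer(body):
        if int(match.group(1)) < current_year:
            findings.append("stale-copyright-" + match.group(1))
    return findings


# Constructed sample messages (not real bank emails).
OLD_ALERT = ("Dear Customer,\nYour alert settings were changed.\n"
             "Sign in: https://bank.example/login\n"
             "Copyright 2004 Example Bank")
NEW_ALERT = ("Hello Pat,\nAlert settings changed for account XXXXXX789.\n"
             "To review, type our address into your browser.\n"
             "(c) 2007 Example Bank")

if __name__ == "__main__":
    for name, msg in (("old", OLD_ALERT), ("new", NEW_ALERT)):
        print(name, audit_alert(msg, "Pat", "123456789", current_year=2007))
```
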