Mobile Banking Increases Need for Read-Only Account Access

It had been a while since I’d logged in to Mint.com from my iPhone and I had forgotten just how easy it is. The online PFM pioneer has boiled the process down to the bare minimum (assuming you’ve enabled "passcodes," see note 1).

Logging in takes just four numerical "keystrokes." You don’t even have to press a login or done button (inset). As soon as you press the last digit, you are automatically logged in.

As an added bonus, PIN authentication is handled on the phone instead of the server, so you get an immediate error message if you type in the wrong one. It’s a great user experience, though I wish Mint still supported the stay-logged-in option, which is fine when accessing a "read only" data file (note 2).

This brings me to my main point (finally!). Banks need a "read-only" account access option (note 3). That means no account numbers are shown. No check images are accessible. No personal info is available. And of course, you can’t perform any transactions (note 4). And the read-only password should be different from the "normal" one.

The read-only option would make customers feel more secure about banking online, especially from:

  • Mobile phones
  • Tablets
  • Wifi hotspots
  • Hotel rooms
  • Friend’s house
  • Public terminals
  • Home (if you don’t trust your own network)
  • PFM or third-party programs (note 3)

With read-only services, bank security folk can ease up on unwieldy password requirements for mobile access. And it might even prevent a crook or two from gaining full account access.

———————

Notes:
1. The four-digit PIN option is for users that have enabled passcodes for login from the Settings area in the Mint.com app. Otherwise, users must enter their full Mint username and password.  
2. While it’s a privacy concern, read-only account access with no login should be an option for a PFM. Of course, you must make it absolutely clear to users the danger of non-password protected data.
3. ING Direct offers read-only access to PFM programs
4. Funds transfers among existing accounts or even to existing billers could be OK, but it muddies the waters a bit from the perspective of the user.

Suspicious Activity Messaging: When You Urgently Need to Contact Business Clients

I get that multi-channel messaging is a mess. I understand that new regulation is creating huge backlogs in project queues. But 17 years into the Web-banking era, I should be able to service my bank account entirely online, if that is my choice. And more importantly, if I’ve signed on for alert services, there shouldn’t be any surprises when I go to log in to my account.

Yesterday, <largebank> failed me on both accounts (see note 1).

With Finovate Europe less than two weeks away, we are wiring large sums to London to pay for it. My bank got a bit concerned about all this outbound activity, which is good. I’m glad they are paying attention.

But how they went about notifying me about their concerns was simply outdated. Here’s how it went down:

  1. The bank called me from a toll-free number and left a voicemail asking me to call them back. Despite the fact that I get every alert under the sun, the bank did not send an email or text message. I don’t know about you, but listening to voice messages from random 800 numbers is very low on my priority list. By mistake I did happen to hear it a couple hours after the fact. 
  2. As soon as I listened to the message, I first went to my email to see if I’d also received a message from the bank to verify the authenticity of the phone call. Seeing nothing there, I attempted to log in to online banking to verify the call and assure myself that my account had not been drained. But guess what? The bank had disabled my account access and gave me a vague error message with instructions to call a toll-free number. The number matched the one on the voice mail so at least I could confirm it wasn’t a vishing attack. There had been no mention in the voice mail of my account access being disabled.

Now, when you are 11 days out from an event and the cash in the bank is needed to pay for it, it’s beyond disconcerting to be locked out of your account for no known reason.

Luckily, we were able to quickly assure the bank that yes, we really did need to wire that much money. So we are back up and running and our patient vendor simply had to wait one more day. (Update: I wrote this post yesterday. Today, the same thing happened again with another wire. While it wasn’t a surprise this time, it’s annoying.)

________________________________________________________________________________

A Better Process
________________________________________________________________________________

Let’s repeat this scenario using an approach that preserves your customer’s sanity while making it more convenient for those that favor digital channels:

  1. Bank sees something odd so it freezes outgoing wire-transfer capability and sends me a text message, an email message, and also leaves a voice mail.
  2. Instead of shutting down my account access, they let me into my account so I can verify that the balances are still there. And for extra credit, the suspicious activity is highlighted.
  3. After confirming the transaction through an extra authentication step, the bank re-opens my outgoing wire capability.
  4. For extra credit, let me simply authenticate the suspicious items by replying back to the messages (at least on smaller dollar items).

Now that I can breathe again, I can lay out three rules to guide your “suspicious activity” messaging:

  1. Contact the customer via the channel of their choice (but also use others for backup in urgent situations).
  2. Allow the customer to authenticate transactions without moving out of that channel.
  3. Never completely disable online access (unless absolutely necessary). Yes, shut off transfer-out functions, but continue to allow “read only access.” And post a red warning graphic within the account to draw attention to the suspicious activity. 
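To make the read-only idea from the earlier post and rule 3 above concrete, here is an added example (not code from NetBanker or from any bank) of a small capability model: a separate read-only credential that exposes balances but no account numbers, check images, personal info or transfers, and a "suspicious activity" state that withdraws only outbound-transfer capability while leaving read-only access intact. All account data, credential labels and passwords are constructed for illustration, and the PBKDF2 call stands in for whatever password hashing a real system would use.

```python
"""Capability model for read-only access and a transfer-out freeze.

Added example with constructed data; not the code of any bank or PFM.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac
import secrets


class Capability(Enum):
    VIEW_BALANCES = "view_balances"
    VIEW_ACCOUNT_NUMBERS = "view_account_numbers"
    VIEW_CHECK_IMAGES = "view_check_images"
    VIEW_PERSONAL_INFO = "view_personal_info"
    TRANSFER_INTERNAL = "transfer_internal"
    TRANSFER_OUT = "transfer_out"  # wires, ACH out, bill pay


READ_ONLY = {Capability.VIEW_BALANCES}          # what a PFM / hotel-room login gets
FULL = set(Capability)
FROZEN_ON_SUSPICION = {Capability.TRANSFER_OUT}  # withdrawn while activity is under review


def _hash(secret: str, salt: bytes) -> bytes:
    # Placeholder KDF for the example; a real deployment would use a
    # dedicated password hash (argon2, scrypt or bcrypt).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    owner: str
    balance_cents: int
    suspicious: bool = False
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _creds: dict = field(default_factory=dict)  # label -> (hash, capability set)

    def set_credential(self, label: str, secret: str, caps: set) -> None:
        self._creds[label] = (_hash(secret, self._salt), frozenset(caps))

    def login(self, secret: str):
        """Return a Session for whichever credential matches, else None."""
        digest = _hash(secret, self._salt)
        for label, (stored, caps) in self._creds.items():
            if hmac.compare_digest(stored, digest):
                return Session(self, label, set(caps))
        return None

    def flag_suspicious(self) -> None:
        self.suspicious = True

    def clear_suspicion(self) -> None:
        self.suspicious = False


@dataclass
class Session:
    account: Account
    label: str
    base_caps: set

    def effective_caps(self) -> set:
        # The freeze narrows what a session may do; it never revokes read access.
        caps = set(self.base_caps)
        if self.account.suspicious:
            caps -= FROZEN_ON_SUSPICION
        return caps

    def can(self, cap: Capability) -> bool:
        return cap in self.effective_caps()

    def wire_out(self, amount_cents: int) -> str:
        if not self.can(Capability.TRANSFER_OUT):
            return "blocked: outbound transfers unavailable; balances remain viewable"
        self.account.balance_cents -= amount_cents
        return "sent"


def demo() -> dict:
    """Walk through the two credentials and the freeze; values are constructed."""
    acct = Account(owner="constructed-user", balance_cents=5_000_000)
    acct.set_credential("full", "constructed-full-password", FULL)
    acct.set_credential("read-only", "constructed-pfm-code", READ_ONLY)
    out = {}
    out["wrong_password"] = acct.login("guess") is None
    ro = acct.login("constructed-pfm-code")
    out["ro_balances"] = ro.can(Capability.VIEW_BALANCES)
    out["ro_numbers"] = ro.can(Capability.VIEW_ACCOUNT_NUMBERS)
    out["ro_wire"] = ro.wire_out(100)
    full = acct.login("constructed-full-password")
    out["full_wire_normal"] = full.wire_out(100_000)
    acct.flag_suspicious()                      # bank sees odd outbound activity
    out["full_wire_frozen"] = full.wire_out(100_000)
    out["full_balances_frozen"] = full.can(Capability.VIEW_BALANCES)
    acct.clear_suspicion()                      # customer confirmed the wires
    out["full_wire_cleared"] = full.wire_out(100_000)
    out["balance"] = acct.balance_cents
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is that the freeze is expressed as a subtraction from the session’s capabilities rather than as a lockout: the customer can still log in and see that the money is there, which is exactly what the locked-out customer above could not do.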

————————–

Notes:
1. I’m not identifying the bank because my “data point of one” may not be indicative of what other customers experience. But I will disclose the name “off the record” if you email me jim@netbanker.com.
2. For more on messaging, small business, security and much more, see our Online Banking Report (subscription required).

Is "Family Security" a Product Opportunity for Online Banks?

In the digital era where teenagers might keep their bank accounts for the next 80 years, it’s important to offer services that encourage kids to sign up for a bank account. There are some cool ideas around financial education, money management, and gamification which we explored in our Online Banking Report earlier this year (note 3).

But what’s the one issue that really drives parents’ behavior towards their kids? Fear. Fear for their physical safety on the way to school, fear of bad influences at school, and fear of the idiots kids will encounter online. The list goes on and on. 

You may not be able to protect kids from Facebook bullies, but you can help on the money side. Financial institutions can offer services that help protect children from online scams, ID thieves, and so on. You can offer prepaid cards with controlled access. You can keep parents apprised of their child’s spending so they can recognize early-warning signs of dangerous behavior.

It’s win-win product development. Parents will pay for it through fees and/or loyalty. You’ll lock in more youth accounts, and everyone will get a bit more peace of mind.

Bottom line: While family financial security is a promising area, it’s no small project. Most banks will need partners to provide at least some of the services (credit-reporting specialists, account-aggregation providers, data analytics, and so on). But once the data feeds are available, they can be bundled together into different packages for various segments. 

And mobile delivery will be crucial. For inspiration, look at Life360, a fast-growing mobile service whose core offering is GPS tracking for family members (see screenshot below, note 2). Life360 is free, but offers an optional identity-theft protection family-plan at $14.95/$19.95 per month. Since going free, the company has mushroomed to 6 million families.

——————————

Life360 is a fast-growing startup offering “mobile family safety” (13 Dec 2011)


——-

Notes:
1. Graphic: From the FTC-sponsored one-day seminar on childhood identity theft this summer (link).
2. For more info on Life360, read the series of Techcrunch posts on the company.
3. For more on family/youth banking, see our recent Online Banking Report (subscription).

Mobile: USAA Introduces "Stay Logged On" Option for iPhone App

I’m not sure if this is normal or not, but I enjoy the process of updating the 100-some apps on my iPhone. I’m always interested in what’s changed and how the company communicates the new info to users. I’ve noted before that banks aren’t good at leveraging this customer touchpoint, but they are getting better.

In the latest round of app updates, I noticed a nice improvement from USAA (see inset; note 1). Instead of automatically logging you off whenever you move out of the app, say to take a call or fire off a text, the bank provides the option of staying logged in for up to 20 minutes.

Sure, there’s a tiny risk that if you were to lose your phone or loan it to someone during that time, they could get into your account. But your average smartphone thief is unlikely to click on the USAA button during those first 20 minutes. And even if they did, it’s unlikely they could do much with the info.

Bottom line: I want this option on all my banking apps.

———————

Notes:
1. This iPhone update (v. 4.0) was pushed out, 8 Nov 2011
2. For more on mobile banking, see our subscription publication, Online Banking Report.

ING Direct Read-Only Access Code for Third-Party PFMs

To my knowledge, ING Direct is the only major U.S. bank blocking third-party PFM access. But users can direct their PFM around the gate with a special "read-only" access code.

How it works
It’s not particularly easy to find, buried three levels deep in MyAccounts | Preferences | Access Code.

The default setting is Blocked, as you can see in the first screenshot below.

But once you find the page, it couldn’t be simpler to set up. Simply press the blue Create Access Code button in the upper right, and in a split second, you have created a read-only access code and opened your account to PFM access.

To change back, you merely click the "Block" button in upper right.

The only thing missing is an explanation of what to do with the Access Code. Is it the username or password? While that’s explained in a link from the first page, it’s not on the second page where you need it. (BTW, it’s the password.)

The bank also confirmed the new code via email right away (third screenshot).

—————————————————–

Access code main page (20 Oct 2011)


New access code


Email confirmation


———————————-

Note: OBR subscribers can access our previous reports on security at OnlineBankingReport.com (published in 1999, 2003, 2004, 2005, 2007 and 2008).

BillGuard’s Monthly Credit/Debit Card Scan Report

We’ve been impressed with BillGuard since we first learned about it earlier this year. And they wowed the crowd at Finovate two weeks ago with a great demo, dynamic presentation and more importantly, a product that resonates with consumers across many demographic segments.

One great thing about becoming a trusted consumer watchdog, like identity theft monitoring services, is that your monthly emails are actually read by customers. And unlike FICO scores which usually don’t fluctuate that much month-over-month, there’s usually something new to look at when BillGuard scans a month’s worth of card transactions looking for oddities.

For example, my scan for September across two credit card accounts showed the following activity (see first screenshot below):

  • Green: 61 transactions that were identifiable as "normal" activity
  • Orange: 2 transactions that were "unknown"
  • Red: None were flagged red indicating suspected fraud

Clicking through to the website, I can mark legitimate transactions "OK," and that information is fed back to the network and disseminated to others via the Merchant Transaction Reliability score (see second screenshot).

Bottom line: This is the kind of value-added service that FIs could bundle with other products, even a debit card for example, that could help justify a monthly fee. $5 perhaps? 
(Note: BillGuard is currently offering free of charge to expand the customer base.)

—————————-

1. BillGuard emails a monthly Scan Report to customers (4 Oct 2011)


2. At the BillGuard website, each merchant’s score across all users is tracked
Note: Apparently, 17 BillGuard customers are using Quickbooks Online and none have flagged the transaction (which makes sense)


Notifying Card Issuers that You Are Out of the Country

We were lucky enough to take a quick trip to Europe this summer and one of the many rituals of modern travel is convincing your card issuers not to block international transactions. The conventional wisdom is to notify issuers in advance. While not an absolute necessity, it is said to improve your odds.

The process is very straightforward. All the bank needs is your travel dates and where you are visiting. However, it is tedious over the phone due to redundant authentication requirements.

Consequently, it’s an ideal service to automate with online, or even better, mobile form. I wrote about it the last time I traveled. But this time I put a clock on the process, just to see exactly how much time was wasted, for both the consumer and bank, on the phone. 

Summary: It took about 1 minute per card to register online at Capital One and Chase. Over the phone, it took 6.5 minutes at Wells Fargo and 9.5 at U.S. Bank. No one has it in their mobile app yet (see details below).   

I realize that online travel notifications are not a high priority these days. But, it’s such a win-win service, I wish more banks offered it. However, the real end game is to build automatic location notification into mobile-banking apps. Even if customers won’t agree to being tracked 24/7, there could be a button in the app that users press to submit their GPS location whenever they land in a new city or country. 

That gives customers total control, but makes it super easy for them to communicate. And it gives you a highly secure method of knowing your customers are in the same location as their card.
__________________________________________________________________________________

Capital One: Online — 2 minutes to register 2 cards (see screenshots in previous post)
__________________________________________________________________________________

Luckily, Capital One, my go-to card abroad with no international transaction fee, has an online form to do this. It’s not easy to find, but I’d written about it before so I knew roughly where to look. The form is a little convoluted; if traveling to multiple countries, you have to keep pressing “add another destination,” but it took less than a minute to add the five countries we were passing through.

I have Capital One personal and business cards which are integrated into the same online banking platform. But unfortunately, you have to do each card separately, so total time expended, including login, was about 2 minutes.

Capital One gets extra credit for sending me an email on my scheduled departure day asking me whether I needed anything and providing their international call-center instructions.

_________________________________________________________________________________

Chase Bank: Online — less than 1 minute for 2 cards (see screenshot in previous post)
__________________________________________________________________________________

I couldn’t remember whether Chase had an online option, so I logged in, didn’t see it on the right-hand column of common links. So I went to customer service and found it on the list of available tasks. The form was super-easy; I could do both of my cards at once and just free-form input the countries. Total form-completion time was under 10 seconds, but if counting login and function-search, it took just under a minute.

__________________________________________________________________________________

U.S. Bank: Phone: 9.5 minutes on phone + 2 minutes searching online for 1 debit card (with 2 different account numbers)
___________________________________________________________________________________

I first checked online to see if travel notifications had been added since the last time I checked. No such luck, so about 2 minutes were wasted. Because we needed ATM access abroad, we had to have this card working, so I reluctantly called the 800 number on a Friday evening, and was told that wait times were approx 4 minutes. I think they were only half that, but it still took me a full 9.5 minutes to get my ATM cards registered. About one minute of that was spent finding my wife’s debit card, which I now know has a different number than mine.

Why the agent couldn’t handle both ATM cards from a joint account without needing the other number is beyond me, but he insisted.

Total time expended was 2 minutes online and 9.5 on the phone: 11.5 minutes total.

Extra credit goes to the U.S. Bank agent who activated my new debit card that had recently come in the mail. My old card would have expired during the trip.  
___________________________________________________________________________________

Wells Fargo: Phone: 6.5 minutes on the phone + 2 minutes searching online for 1 card
___________________________________________________________________________________

My wife carries a Wells card at all times, so usually she handles travel notifications. But since I was already on a roll, I took on the task. Although I didn’t recall ever seeing it, I assumed Wells would have an online option, but after a search of the site, I found that my hunch was wrong and that I’d wasted a few minutes.

I called the 800 number and was able to complete the process in about 6.5 minutes. Much of that time was spent listening to menu choices and current balance info (which I didn’t want). Had I known how to skip through the menus, it would have taken only about 3 minutes. The agent was friendly and efficient, although she twice asked if she could also activate my debit card even though I don’t have a checking account there. But I appreciate that she was trying to be thorough.

___________________________________________________________________________________

Bank of America: Phone — 2 minutes, 0 cards
___________________________________________________________________________________

I was going to take my Bank of America card along, but after searching customer service I could not find an online form to complete, so I decided to leave it at home. Score 1 for the more online-savvy approach at its competitors.

Bank of America Offering Trusteer’s Rapport Plug-in to Protect Online Banking Customers

If there was any question as to whether Trusteer had become the industry standard in online banking protection, it was answered this week. Bank of America is now offering the optional Rapport protection to its 29 million online banking customers. Ann Carrns in the NY Times Bucks blog wrote about it a week ago, but I guess I missed it in all the April Fools Day commotion.

ING Direct was first to offer the program, launching in May 2008. Since then dozens of financial institutions have followed including Zions, PSECU, CIBC, PayPal, Santander, RBS and about 70 more (see full client list below in note 2).

In total, Trusteer says it’s been downloaded more than 20 million times.

Analysis: It’s a good move by Bank of America. While Rapport does not protect from all possible threats, it does seem to provide material improvements. The bank gets a double benefit: less fraud and improved perceptions from customers concerned about security.

The program is not without downsides, however. It requires a download and installation, though thankfully not a full reboot (see second screenshot). And like any software program, there are real and perceived compatibility and performance issues (see the comments on the NY Times blog entry).

Bank of America would be wise to make it easier for customers to find out more info on the program. There is only a tiny link buried at the bottom of the interstitial ad for more info. And that screen goes away after you press the download button.

Users who are surprised by the download warning, and even worried that they’ve been attacked by a virus, will find it difficult to find more info at that time. Rapport is not yet mentioned in the bank’s security area accessible from online banking. Only by going back to the public site and searching for “Rapport” was I able to find the page offering more info (third screenshot).

Many users are going to need more hand-holding and reassurances before they install the program (note 1). The bank could save itself, and its customers, from thousands of harried support calls by adding a detailed “how it works” tutorial integrated into the interstitial.

Bank of America interstitial ad after online banking login (7 April 2011, 2 PM):


To use the service, users must download and run an executable file (Windows version below, there is also a Mac version)


Bank of America Trusteer Rapport info page (link)


——————–

Notes:
1. For more info on Trusteer and other security topics, see Online Banking Report: New Security Techniques (Sep. 2008)
2. Trusteer financial clients (per company)

Self-Service: Bank of America’s MyFraudProtection Allows Online Review of Suspicious Card Transactions

The reason bank call centers still field millions of calls from online banking customers is that most account problems cannot be solved online. It’s not that banks don’t have the technology or the business case, it’s just a priorities challenge. Effective self-service modules are time consuming to build, test and integrate, while employee and customer education pose an even bigger hurdle.

But slowly, as more and more consumers look to resolve issues with a mouse click or finger flick, financial institutions will add self-service troubleshooting wizards to online/mobile banking.

The latest example comes from Bank of America.

I’ve been a BofA cardholder for the better part of two decades, and every year spend an hour or so verifying flagged transactions via phone with bank-fraud reps. It’s an annoying, but necessary, part of making 50 to 100 charges every month for home and business. 

But my most recent experience was very different. When I went online to pay the bill, not realizing (but suspicious) that my card had been cut off, I was greeted with the following message underneath the card balance on the main Account Overview page (see screenshot 1):

Online access is not available for this account. Please go to
www.myfraudprotection.com and verify recent transactions. Or you may call
1-800-427-2449 for additional information.

_____________________________________________________________

How it works
______________________________________________________________________

Step 1: Following the link, I ended up at an entirely new site, running outside online banking where I was required to re-enter my account number (screen 2), last 4 of SSN, Zip, and phone number (see screen 3).

Step 2: I was then required to answer random questions pulled from the credit bureau to authenticate myself (screen 4).

Step 3: Finally, I was able to review and approve the transactions in question (screen 5). I was then thanked and told I could use my card again (screen 6).

However, after all this, I was still not able to pay my account online and had to call after all. The rep told me that it takes between two and 24 hours for online banking access to become available (note 1).

______________________________________________________________

Analysis
_______________________________________________________________________

All-in-all, I liked the system. However, it needs to be more integrated into online banking (see note 2). Given all the extra work required to authenticate myself, it would have been faster just to call the 800-number. If I were a normal customer, that’s what I’d do next time. I hate the stress of going through the authentication process: With everything on autopay, who can remember their exact payment amounts anymore?  

And worse, there is a security disconnect here. I log in to my credit card account only to be told it’s unavailable and that I should log in to some site I’ve never heard of (that doesn’t even have a Bank of America URL, note 3) and turn over personal info. It looks more like a crude phishing ploy than something from a major bank. And as far as I can recall, there was no customer education on this process.  

So, I applaud Bank of America for making transaction verification self-service. But there’s still much work to be done before it replaces the phone process. 

1. Main Bank of America Account Overview screen (14 Jan. 2011)


2. First screen at MyFraudProtection.com (link, note 2)

3. Step 2 of 3 of authentication process


4. Step 3 of 3 of authentication process

5. Transaction review

6. Confirmation message (and survey invitation)

———————————-

Notes:
1. This was the weekend that BofA was having website trouble, so it may not always be delayed.
2. I realize the bank is using the fraud-protection site as a standalone system so it can direct any cardholder to it without first needing to log in to online banking, hence the authentication requirement. But for logged-in bofa.com users, it seems unnecessary. Although it does provide an extra measure of security, in case the cardholder’s online access had been breached by the person attempting to use the card, that extra security comes at too high a usability cost, in my opinion.
3. The www.fraudprotection.com URL does redirect to myfraudprotection.bankofamerica.com, which helps.

Wal-Mart Sells Paper-Check Fraud Protection for Just $1.95 per Box

Naturally, we use online payments as much as possible both at home and in our business. But even so, we still go through a box or two of old-school paper checks every year.

Running low on business checks, I today logged in to my bank to order a box. Unfortunately, it does not support online reordering of business checks, only personal ones. I was referred to a toll-free number. But rather than go through an unknown phone ordering process, I went back to WalmartChecks.com (note 1), a service from Wal-Mart that I had tested many years ago.

The reordering process was drop-dead simple: Just click Quick Reorder on the homepage, type the bank’s routing number, account number, and beginning check number, then make a few selections from the menus, and press reorder. It takes all of about 60 to 90 seconds. You don’t even have to input payment info, because the total is simply deducted from your checking account.

But the reason for this post is to highlight the interesting cross-sale made during the reordering process. For $1.95 per box, Wal-Mart offers a check-fraud protection service called EZ Shield from a company of the same name, a recent spin-off from printed-check marketer, Custom Direct (CDI). I was pitched the product through a yellow-highlighted box in the middle of the order-confirmation screen (see first screenshot below).

I wasn’t sure what it was, so I clicked on More Details to learn that EZ Shield reimburses users for fraudulent use of the checks in the box (see second screenshot). The service provides coverage of up to $25,000 total if one or more of the 200 checks is altered, stolen from the payee and deposited, or used with a forged signature. The EZ Shield logo is printed on the checks to remind users that they are protected.

Bottom line: While paper-check fraud is not a major concern to me, I still value the small improvement in peace of mind I get for just $1.95. And for Wal-Mart, the $1.95 was a 28% revenue lift to a $6.96 box of checks. More importantly, the value-add makes it more likely I’ll be a repeat customer even when my bank eventually enables online check reordering.

WalmartChecks.com shopping cart with EZ Shield cross sales (9 Sep 2010)


Popup explanation of EZ Shield (link)


Note:
1. According to Compete, the check-ordering site gets about 150,000 unique visitors per month and traffic has been relatively flat the past year.

The Need for Context-Sensitive Login Security

I’m a frequent PayPal user and need access to it on the road while logged in to who-knows-how-secure coffee-shop WiFi. Whenever I entered my password, I was hit with the unsettling realization that this could be the time I handed over my credentials to a hacker.

So a few months ago I began using PayPal’s optional out-of-band, one-time password solution. Each time I log in, a random six-digit code is sent to my mobile phone. That code must be entered to complete the login. And while I feel much more secure, the extra 20 to 30 seconds it takes is a hassle, especially after a decade of password-only access (note 1).

To improve the user experience, while maintaining the extra authentication security, I’d like to see PayPal make the following changes: 

  • Instead of requiring the user to press the “send SMS” button after logging in, just send the SMS code automatically. I’ve logged in at least a dozen times since enabling this feature and I still forget to press the button. I usually look at my phone for 10 seconds waiting for the code until I remember that I must click the button.
  • Allow low-risk transactions to be authorized without the extra SMS code. I bought some iPhone chargers on eBay today for a total of $30. I would have preferred to skip the out-of-band authorization on this low-risk transaction, a small purchase made on eBay through my authenticated eBay account. 

Relevance for Netbankers
The second suggestion (above), what I call “context-sensitive security control,” is an important part of the tradeoff between security and usability. As long as customers are hassled for extra info only when the risk is higher, there’s a much better chance of gaining their cooperation, and attention, in security monitoring. Many banks feed an extra security question when customers log in from an unrecognized computer. That’s a great use of context-sensitive extra security.

Another situation where context-sensitive security controls can be deployed is for determining when an account is locked for excessive login attempts. If a user is logging in from a recognized computer, they should get far more leeway in the number of password attempts before the nuclear option, full lockout, is deployed. Unfortunately for me, Chase Bank has not yet taken this step (notes 2, 3).
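The two context-sensitive controls described here, step-up authentication only when the context is riskier and a lockout threshold that depends on whether the device is recognized, are easy to state as policy code. The following is an added example (not PayPal’s, Chase’s, or the author’s code); the thresholds, device ids, amounts and the "trusted partner" flag are constructed to illustrate the post’s scenarios and are not anyone’s real settings.

```python
"""Context-sensitive login policy: risk-dependent step-up and lockout.

Added example with constructed thresholds; not the code of any bank or of PayPal.
"""
from dataclasses import dataclass, field
import hmac

LOCKOUT_RECOGNISED = 8        # constructed: attempts allowed from a known device
LOCKOUT_UNKNOWN = 3           # constructed: attempts allowed from an unknown device
LOW_RISK_LIMIT_CENTS = 5_000  # constructed: purchases at/under $50 may skip step-up


@dataclass
class LoginContext:
    device_id: str
    recognised: bool                   # device previously seen for this user
    amount_cents: int = 0              # transaction being authorised, if any
    via_trusted_partner: bool = False  # e.g. an already-authenticated marketplace session


@dataclass
class UserSecurityState:
    password: str                      # constructed: plaintext for the demo only
    failures: dict = field(default_factory=dict)  # device_id -> consecutive failures
    locked: bool = False

    def lockout_threshold(self, ctx: LoginContext) -> int:
        # A recognised computer gets far more leeway before the "nuclear option".
        return LOCKOUT_RECOGNISED if ctx.recognised else LOCKOUT_UNKNOWN

    def attempt_login(self, ctx: LoginContext, password: str) -> str:
        if self.locked:
            return "locked"
        if not hmac.compare_digest(password, self.password):
            n = self.failures.get(ctx.device_id, 0) + 1
            self.failures[ctx.device_id] = n
            limit = self.lockout_threshold(ctx)
            if n >= limit:
                self.locked = True
                return "locked"
            return f"denied {n}/{limit}"
        self.failures.pop(ctx.device_id, None)  # success resets this device's counter
        # Unrecognised device: password alone is not enough, ask for the extra factor.
        return "ok" if ctx.recognised else "step_up_required"


def requires_step_up(ctx: LoginContext) -> bool:
    """Decide whether an out-of-band one-time code is needed for a transaction."""
    if not ctx.recognised:
        return True
    if ctx.amount_cents <= LOW_RISK_LIMIT_CENTS and ctx.via_trusted_partner:
        return False  # small purchase through an authenticated partner: low risk
    return True


def scenario() -> dict:
    """Replay the post's situations with constructed devices and amounts."""
    user = UserSecurityState(password="constructed-password")
    home = LoginContext(device_id="home-laptop", recognised=True)
    cafe = LoginContext(device_id="unknown-device-1", recognised=False)
    out = {}
    last = ""
    for _ in range(4):                      # four typos from the bank's well-known computer
        last = user.attempt_login(home, "typo")
    out["home_after_4_typos"] = last
    out["home_locked"] = user.locked
    out["home_correct"] = user.attempt_login(home, "constructed-password")
    out["cafe_correct"] = user.attempt_login(cafe, "constructed-password")
    for _ in range(3):                      # three failures from an unknown device
        last = user.attempt_login(cafe, "typo")
    out["cafe_after_3_typos"] = last
    small_ebay = LoginContext("home-laptop", True, amount_cents=3_000, via_trusted_partner=True)
    big_wire = LoginContext("home-laptop", True, amount_cents=250_000)
    out["step_up_small_trusted"] = requires_step_up(small_ebay)
    out["step_up_big"] = requires_step_up(big_wire)
    out["step_up_unknown_device"] = requires_step_up(LoginContext("unknown-device-2", False, 3_000, True))
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Counting failures per device rather than per account is what lets the known computer keep its larger budget; the trade-off to watch is that a lockout triggered from an unknown device still locks the legitimate user out, so the "unknown device" limit should be paired with rate limiting on that device rather than set lower and lower.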

————————-

Notes:
1. When we go shopping for a new business-banking relationship, out-of-band authorization capabilities will be a non-negotiable requirement.
2. Yesterday, Chase locked me out, without warning, after just 4 attempts (or was it 3?) from my main computer, which the bank knows very well. That’s ridiculous; from a recognized computer I should be able to try at least 7 or 8 times. I have multiple Chase accounts with different usernames and passwords, and with a typo or two it’s easy to surpass 3 or 4 attempts.
3. Yes, I’ve whined about this before, but it’s been 3 years, so I was due.