U.S. Travelers Need Chip & Pin Prepaid Travel Cards

Last summer, I had the opportunity to spend a week in an apartment in Paris’s 6th. The wonderful 1920s building overlooked a transportation solution even older: bicycles.

But Paris’s popular Velib bike-sharing program has a modern twist, an automated rental system run entirely by unmanned kiosks that accept only debit and credit cards.

Subscribers (29 Euros annually, 5 Euros weekly) can ride the bikes free for the first half hour, then the price rises steeply to 3 Euros per hour and higher. But with stations every 300 meters, you can tool around the city very cost effectively. That is, if you are not American. 

Why? Our old-school mag-stripe cards are no longer in step with the international gold standard of security, the embedded computer chip unlocked by PIN entry, i.e., chip & pin or EMV.

At most European merchants, it’s not a problem. They are plenty willing to take the old-school mag stripe card in order to make the sale. Last year, we never had any trouble using plastic from our friends at Wells Fargo and Bank of America. But in certain situations, such as unattended ticket machines, U.S. cardholders can be out of luck.  

The Paris bikes are one very visible place where mag-stripe cards are not honored (see note 1). That explains the perplexed tourists I watched last summer struggling at the Velib kiosks trying repeatedly to get the machine to release a bike.

Financial institution opportunity: Here’s a great way to pick up market share among well-heeled international travelers. Offer a chip & pin prepaid card. It’s a modern-day travelers check, something every traveler will tuck in their wallets and purses, then forget about when they get home (note 2). And it’s perfect for Internet distribution, especially if you issue cards nationwide.

Besides card fees, interchange, and travelers-check-like float, first movers could gain real market share with a great demographic.

According to Payments News, Gemalto is offering a chip-and-pin solution for U.S. card issuers. A few weeks ago, United Nations Federal Credit Union became the first U.S. financial institution to announce deployment of the Gemalto card (press release). The CU says it will be available in the second half of 2010. But, you’ll have to be on staff at the UN to get it.

Notes:
1. Apparently, there is an exception. American Express cards, with or without a chip, can be used at Velib machines. I wish I’d known that when I was in Paris.  
2. Closer to home, Canada is also in the process of converting to the new standard.
3. Photo credit: Clive Andrews. This was the typical tourist look at the Velib kiosk queue, utter confusion.

USAA Makes Mobile Banking Better than Online Banking

Here’s a test that tells you when you’ve built a successful mobile app:

  1. Place your laptop next to your iPhone/Android
  2. Choose a task
  3. Reach for the device that’s easiest to use for that task 

If you don’t reach for the mobile phone first, you still have work to do on the user experience. 

I’ve always chosen the laptop for banking, even though I’ve ported more than a dozen other routine tasks to the iPhone (note 1). The hassle of logging in with those tiny iPhone keys pushes me to the laptop. But as of Tuesday, USAA’s latest iPhone app, version 2.2, has changed the equation, and there’s no looking back. 

Mobile vs. online banking
The key to making mobile a profitable channel is to make the user experience BETTER than online. And USAA is the only U.S. financial institution doing that today.

USAA’s biggest mobile “wow” is mobile check deposits (see Deposit@Mobile screenshot below) introduced six months ago for the iPhone. While it may not seem novel to those in the industry familiar with scanner-based remote deposits, the average consumer considers an iPhone check deposit to be almost magical. Other than a few small credit unions, no other major banking competitor offers it, so USAA continues to own mobile magic.  

But with Bank of America rumored to be readying a launch of mobile deposits, which will no doubt be featured in Apple TV ads (see latest one here), USAA needs to keep innovating.

And this week, USAA delivered with a single-PIN login with authentication powered by VeriSign VIP service. The optional 4-digit sign-on process is available now on the iPhone and will be available in April for Android and “shortly thereafter” for Blackberry (note 2).

In a time when it’s more tedious and less secure to log in online, USAA takes us back in time to a simpler day, when you could log in with just a few digits.

And by using techniques that authenticate the mobile phone during login, the bank says that mobile access is more secure than online.

Think about that for a moment. Mobile is MORE SECURE than online. With tens of millions of customers deathly afraid of logging in via their virus-laden PCs, imagine what that could do for mobile adoption.

It will take time to educate the market. Currently, most consumers believe the mobile channel is far less secure. But if they can be convinced the opposite is true, many will kiss online banking goodbye forever.

Notes:
1. According to yesterday’s release, USAA has 1.3 million mobile users, 17% of its 7.4 million customer base.
2. Previously, USAA users were required to sign on with username, password and PIN. The simple sign-on process is optional for those not trusting the simpler process.
3. For more info on financial services opportunities on the iPhone, see our March 2009 Online Banking Report.

Bank of America Finally Forces Username Change, No More Social Security Numbers

When I first started banking online with Bank of America, ten or more years ago, no choice in username existed: it was set to your Social Security Number (SSN). But that was back in the days before hackers had become proficient in stealing usernames.

While I’ve been advised to change the username a few times over the years, the bank finally laid down the law in January. I had two more logins available with my SSN, and then I was required to change. The message was delivered via splash screen after login (see #1 below).

The process was simple and took just a few seconds (screenshot #2). The bank’s interactive script helps users make good username/password choices (screenshots #3-4).

While this change isn’t likely to do anything to help the bank’s bottom line (it probably just drives up tech support calls as users adjust to their new usernames), it’s the right thing to do. Helping customers protect their own privacy should be part of every financial institution’s mission.

#1: Bank of America splash screen at login (13 Feb. 2010)


#2 Landing page after choosing “update” button above


#3 Interactive help for creating an allowed username


#4 Confirmation when all is well


Out of the Inbox: Citibank Offers to Help Users Restart their Online Banking

My Citibank checking account dates back to when iPods were novel and 1GB was enough to satisfy your iTunes cravings (see Jan. 2005 post). For several years, Citibank gave iPods away to anyone who’d open up a checking account online and do a few bill payments.

I haven’t accessed my Citi checking account in at least a year, because last time I tried, I locked myself out with too many password attempts (note 1). And I’ve been too lazy to go through the often tedious reset process (see below).

So I was pleased to receive an email this morning offering to help me get restarted (see screenshot below). I figured the bank had noted my previously futile attempts to log in and was sending along a bit of digital assistance. Sure, it was a year or two after the fact, but I believe in better late than never.

But the main call to action in the activation email is:

Enter the User ID and Password you created when you opened your account online.

So evidently, the bank thinks I’m smarter than I really am and actually can remember the username/password from my two-years dormant account.

Had I not been blogging about the email, I would have deleted it. But as I re-read it more closely, I did see the small light-gray link in the corner for resetting my password. Unfortunately, Citi requires your ATM card and PIN to reset passwords (see second screenshot). This is precisely why I wasn’t able to reset the thing when I was locked out two years ago.

My take:
1. An activation to stalled online banking customers is a great idea. But in this case, Citibank did not deliver on its promise to “help” me restart online banking (note 2). As a matter of fact, I am now even more frustrated. If you are going to send a message offering help, make sure there is actual help available for the various ways customers will respond.
2. For infrequent users, consider simpler password-reset procedures based on email address or mobile phone number on file plus Social Security Number and/or shared secrets. 
3. Finally, don’t offer a dead-end password reset page. In Citibank’s case, if the user doesn’t have both their ATM card number and PIN, there is no place to turn. There’s not even a phone number listed on the page to seek live help (you have to use Contact Us in the upper right).

Citibank email (sent 3 Feb. 2010, 9:30 AM Pacific)


Citibank password-reset page


Notes:
1. I have two Citi accounts with different usernames and passwords, so it always makes for an interesting memory test at login.
2. I should add that I have enough money in the non-interest account to provide Citi with a bit of profit every year. 

Trusteer Quantifies the Biggest Online Banking Security Weakness: The End User

I’ve often wondered how many people use the same username/passwords at their bank as they do at other random websites. I figured it was a substantial number, but never expected it to be as high as the 73% Trusteer cited in a recent white paper (note 1). That’s why most financial institutions have used “multi-factor authentication” for years.

One of the most common multi-factor techniques is to ask additional questions if the bank detects a login from an unknown computer. However, it’s possible that these same people are also using the same “secret question” answers at non-secure websites, defeating this multi-factor approach.   

Luckily, it’s still relatively difficult to remove money from most U.S. consumer accounts because online interbank transfers are more tightly controlled, or simply not offered. However, if crooks are able to log in to online/mobile banking and determine the user’s account numbers (debit, credit, or checking), a number of more lucrative frauds can be engineered.

What’s a bank to do:

  • Use secret questions that are not commonly used across the Web. Or allow users to create their own, but caution them not to use ones they see at other non-banking websites.
  • Create an additional out-of-band authentication process (e.g., text message an approval code) for moving funds out of an account.
  • Do not allow online banking users to see their own account numbers online (note 3)
  • Educate/encourage customers to use different username/password for online banking than for other non-financial sites
  • Financial institutions using Trusteer’s Rapport service can identify which customers are sharing username/passwords at less-secure sites and ratchet up internal fraud control settings for these customers

And the most effective method, which we don’t recommend because it’s just too painful for the user experience:

  • Force users to make more challenging usernames and/or passwords such as those with a capital letter, number and/or special character

Silicon Valley Bank (SVB) offers Trusteer’s Rapport (link, 2 Feb. 2010)


Notes:
1. While 73% shared banking passwords with other sites, less than half the total, 47%, shared BOTH username and password. Two other data points:
– 65% of user-selected banking usernames were used elsewhere
– 42% of bank-selected banking usernames were used elsewhere
2. Trusteer’s data was compiled over 12 months using its plugin software running on more than 4 million computers (see previous post).
3. There’s still the issue of the easy-to-read account number on check images; it would be nice to mask it, but that’s probably not worth the expense.
4. For more info on Trusteer and other security topics, see our previous reports such as, Online Banking Report: New Security Techniques (Sep. 2008)

Bank of America Offering 1 Year Free McAfee Internet Security at Online Banking Logout

This is one of the most valuable freebies I’ve ever been offered simply for being a customer. Bank of America online banking customers, new or existing, are being given a one-year free subscription to McAfee, worth $70 at retail.

The fine print is relatively clear (reprinted below, after the screenshot). The main “catches:”

  • Must not have a current McAfee subscription (see Results below)
  • The subscription auto-renews at $34.98/yr, a 50% discount
  • While in progress, the BofA offer never mentions number of users covered (the normal $69.99 subscription from McAfee covers three users, see note 1); however, during checkout, after accepting BofA’s offer, the product description confirms three users are covered with the subscription

Bank of America is also publicizing the offer on its main website (here). To accept, users must log in to online banking first.

Results: I signed up for the account this morning and was surprised to find that you are not required to use Bank of America for payment. In fact, BofA is never mentioned again after leaving the original landing page (see second screenshot). The McAfee cart offered the usual choice of Visa, MasterCard, American Express, PayPal and others. 

Opportunity for financial institutions: Assuming you can swing a deal with McAfee that requires no out-of-pocket expense, offering your customers a year’s worth of anti-virus protection is a win-win. The primary downsides are a few extra calls to customer service and a few irritated existing McAfee customers who do not qualify for the freebie.

Bank of America logout screen (21 Oct 2009; 7 AM Pacific)


Fine print on bottom of page above:
This exclusive offer is available only to Bank of America Online Banking customers. Online Banking customers receive McAfee Internet Security for PC free for 12 months, a $69.99 value. At the end of the 12-month period, Online Banking customers are eligible to renew for another 12-month period at 50% off MSRP or $34.98. Customers with a current McAfee subscription are not eligible for this offer. Bank of America reserves the right to modify this offer and eligibility requirements at its discretion.

Landing page (link)


Same offer on BofA website (link)


Notes:
1. The service is currently offered at a discount at Intel’s software store for $32.95 for one year for three users. Intel’s offer was positioned via paid ad at the number-one position on a Google search for “McAfee Internet security.”
2. For more information on online banking security, see Online Banking Report: New Security Techniques (Sep 2008)

Fifth Third Bank Bundles Free Credit Report Monitoring & Identity Theft Protection into Checking Accounts

Checking account profits are being attacked on several fronts. Near-zero short-term interest rates have destroyed the profitability of the balances. Regulators and activists are putting pressure on penalty fees. And consumers are loath to pay monthly charges for what’s been positioned as a free service for so long.

So how is it that Fifth Third Bank is able to bundle a service into its checking account that typically costs consumers $12 or more per month? They are bringing back the monthly fee (see note 1), charging either $7.50 or $15 per month for a so-called package account (see options below). It’s a strategy right out of Marketing 101: figure out what customers want, then build the product, package it right, promote it well, and price it for the value delivered.

I believe Fifth Third has taken the right tack with its checking accounts, though it should go even further (see analysis). The bank offers two non-interest checking account bundles (PDF comparison here), neither of which is free of charge no matter how high the balance (note 2). Instead of offering fee waivers, the bank has bundled full-service three-bureau credit report monitoring and identity theft services powered by Affinion (link to Fifth Third Identity Alerts). And the monitoring is available for BOTH names on a joint checking account (note 3).

  • Secure Checking at $7.50/month, comes with free credit report monitoring and identity theft protection (valued at $9.95/month per person)
  • Gold Checking at $15/month, comes with the same free ID protection & monitoring plus free nationwide ATM access

Analysis of Secure Checking
Now more than ever, customers are craving security and safety in all things financial (see yesterday’s post). Bundling identity theft/credit report monitoring in checking accounts is an excellent way to address customer concerns AND differentiate your account in the marketplace. And naming it Secure Checking helps drive home the key benefit.

I like what the bank has done. It would be even better if it highlighted more of its current security features available in mobile and Internet banking (note 4):

  • Email alerts
  • Mobile text alerts
  • Secure storage of estatements
  • Transaction monitoring for fraud and error
  • Other security protections as outlined on its security page

And down the road, they could enhance the account with additional features such as (note 5): 

  • Out-of-band authentication via text message
  • Disposable credit/debit account numbers
  • Long-term (7+ years) secure transaction archives
  • Enhanced fraud protection guarantees
  • Dedicated security reps on call 24/7 to help out in the case of a suspected problem
  • Software and tools to safeguard online banking (e.g., Trusteer, Authentium, Check Point)

Fifth Third Bank non-interest checking accounts (link, 2 Sep 2009)


Secure Checking landing page


Notes:
1. Ref: Is This the End of Free Checking?, SmartMoney Magazine, 31 Aug, by Kelli B. Grant
2. The bank does offer an interest-bearing checking account with its $15 monthly fee waived with a $2,000 average balance in checking or $20,000 across all deposit and investment products. The bank also has a free non-interest checking account option.
3. I’m not sure the bank gets enough mileage out of covering BOTH account holders to justify the additional costs. To improve profits, the bank should consider a modest additional fee (approximately $5/mo) to cover joint account holders. 
4. These benefits are hidden behind a tab that most consumers, including myself on my first two passes, will likely miss (see second screenshot above).
5. For more info on how to package security benefits into your services, refer to the following Online Banking Reports: Marketing Security (June 2005) and New Techniques for Securing Online Banking (Sep 2008).

Addison Avenue Credit Union Provides Secure VIP Access Powered by VeriSign

A few weeks ago, I was lucky enough to tour the British Museum’s exhibit on the history of money. And one thing remains the same throughout the millennia: a concern about the security and authenticity of the various objects used to convey wealth.

It’s no surprise that security is the number-one online banking concern of today’s consumer. Had there been market research three thousand years ago, I’m sure security would have been at the top of the list of fears of the Chinese rich enough to hold a cache of cowrie shells (inset).  

So, until we figure out a way to eradicate crime, financial institutions need to address security concerns head-on and provide tools for consumers to take more control (note 1).

That’s what I love about Addison Avenue FCU’s launch of VeriSign’s Identity Protection (VIP) security tokens. Addison Avenue members now have the tools to make their online banking extremely secure, should they desire to. And with set-up charges of $30 to $48 (waived for mobile) and an annual fee of $10 (waived the first year), the program is relatively self-funding (screenshots below).

As an added bonus, the “VIP Access” theme, even though it’s powered by a security vendor, provides a nice boost to member relations. It also gives the CU an iPhone (link to app) and Blackberry presence it wouldn’t otherwise have. 

Addison Avenue e2: The VeriSign program is one leg of a three-part effort dubbed E2, that the credit union launched today (press release; see third and fourth screenshots below).

The three core features:

  • VIP security: as outlined above (link)
  • E-deposit: remote check deposit via basic in-home scanner (link)
  • Mobile banking: mobile web-based (link)

Addison Avenue security key landing page (link, 21 July 2009)
A short informational video brings the service to life.


VIP token options shown on VeriSign’s website


Addison’s three-part “e2” effort is highlighted on its homepage


E2 landing page (from homepage)


Notes:
1. Granted, most customers are not willing to spend the extra effort to bulletproof their accounts. So extreme security measures such as this should be optional and carry a nominal extra fee.
2. For more info on addressing security concerns, see our Online Banking Report on Security Marketing (published in 2005) and our more recent Online Banking Report on New Security Techniques published nine months ago.

Why Mobile Banking/Payments will be Highly Profitable

My credit card number was stolen again. It’s the third or fourth time since the Internet came along. It’s annoying, and a little disconcerting, but not a major problem, thanks to efficient card issuers who take the info, credit my account, and send me a new card. On a ten-point “hassle scale,” where 10 is having your hard drive crash, it’s only a 2 or 3.

And my previous stolen cards resulted in little financial loss to the issuer, other than the cost to process the chargeback and reissue the plastic. In those cases, either the issuer caught the fraud before anything was shipped, or the items purchased were digital (online subscriptions) and didn’t result in any lost inventory.

But this time was different. Someone used my card number to buy a PS3 gaming console and three games at a Best Buy in the Bronx. Assuming Best Buy follows proper procedures, Wells Fargo will be out more than $600 just for the merchandise. All told, with the cost of the investigation and processing, it’s probably an $800 to $900 loss to the bank and merchant.

Wells Fargo is generally very good about suspicious charges and usually calls us. I’ve had the card for almost two decades, and it’s been the primary card for both my wife and me for much of that time. WF knows our purchasing habits better than we do.

Yes, we get to NYC at least once a year, but our charges are usually travel- and tourist-related ones in Manhattan. And we probably visit Best Buy in Seattle a couple times a year (we have teenage boys), so the gaming system charge is understandable. But it’s highly unlikely we’d buy a system while visiting NYC, and we’ve never visited the Bronx, so the authorization request likely triggered flags.

But unless there was inside theft, the bank’s authorization system evidently decided the $10 in interchange was worth the risk. Bad call this time, but probably right 99%+ of the time; otherwise, they’d be out of the card business.

What’s mobile have to do with it?
But if Wells Fargo had a real-time connection to me via mobile phone, they could have texted me for an OK (similar to the screenshot above, which is a text-based activity request to Wells Fargo). If it really had been I who stood at Best Buy’s register, it would have taken a second to reply “yes,” and the transaction would have gone through.

Of course, in this case, I would have said ‘no, I’m in San Francisco right now.’ Or even better, in the not-so-distant-future, if I’d allowed the bank to track me via GPS, they would have known, without even contacting me, that I was 3,000 miles away from that store. Either way, the bank saves nearly a grand from that single text message. Multiply that by the millions of fraud purchases every year and you have serious money, billions by most estimates.

So yes, mobile banking (really mobile payments) does have a robust and tangible business case from fraud reduction and customer service savings. The technology is in the hands of the users now, and most know how to use it. So, let’s get moving.

Note: For more information see our Online Banking Report on iPhone Mobile Banking

Out of the inbox: Great call-to-action from E*Trade, “Re-Plan your Retirement”

Over the years, E*Trade has been consistently innovative in both product development and marketing, two areas that provide natural synergies. The company didn’t disappoint with its latest missive to existing customers.

An email arrived yesterday afternoon (Thurs., 11 June 2009) and immediately grabbed my attention with its clever and timely subject line:

Re-plan Your Retirement with E*TRADE and Get Up to $500

Analysis
One thing I’ve heard consistently from my friends, no matter how secure their jobs, is that they will “be working forever” now that the Great Recession has slammed their net worth with the double whammy of a bear market and home-price declines.

So this is a great time to get in front of customers with new efforts to help them re-plan retirement with new investment ideas, asset rebalancing and just a general reboot of their portfolio. And it’s also an excellent time to discuss 401(k) rollovers, as E*Trade did in this message, with an “up to $500” (see note 1) incentive to roll over a retirement account to the company (see landing page, third screenshot below). As Americans change jobs by necessity, there will be millions of retirement accounts in play. 

Security features in email
E*Trade also demonstrates another best practice to improve trust in customer emails: personalization. The company includes customer name and last four digits of their account number to help distinguish the message from fraudulent phishing attempts. E*Trade draws attention to the feature with a Security Enhanced icon on the top-right (see first screenshot below).

Clicking on the Learn More link drops readers to the bottom of the email message where product URLs provide direct-navigation alternatives to paranoid readers (see second screenshot below). I hadn’t seen that before, a nice touch.

E*Trade email promoting 401(k) rollovers (received 11 June, 3 PM Pacific)


Security “fine print” at bottom of above message


Landing page for email offer (link)

Note:
1. Detail on the rebate:

  • $500 for rollovers of $250,000 or more
  • $250 for $100,000 to $250,000
  • $100 for $50,000 to $100,000
  • $50 for $25,000 to $50,000