Zions Bank also offers Trusteer Rapport

In yesterday’s post, I missed an important client of Trusteer’s anti-malware software. Zions Bank, a leader in showcasing its online security efforts (see 2006 post on multi-factor authentication), is the only Trusteer client to feature the program on its homepage (see below).

Zions Bank home page (10 June 2009)

Zions Bank security page (link)

 Zions Bank Rapport page (link)

Fake credit union advertisement on Google

It’s not often I see an unfamiliar name amongst the top bidders for “online banking” at Google. But today, the sixth advertiser on the right-hand column (number nine overall) was an ad supposedly from CenturyCU.org (see ad right and search results page below).

The ad had a seemingly clear call to action, “Visit Our Credit Union Today For Online Banking!” However, when I clicked on the link, it led to a .info page full of ads unrelated to the legitimate Century Credit Union (see second screenshot below).

While this doesn’t appear to be a phishing attempt since it’s not displayed on searches for “Century Credit Union” or “Centurycu.org,” it is a bit disconcerting. It’s clearly a violation of Google’s terms of service and shouldn’t have made it past Google’s filters, but they are not perfect.

But my bigger question is: How does a spammy .info site make it to the top-10 advertisers on this popular banking term? Are there really so few serious bank or credit union bidders in the area? Or is it that the Google AdWords ROI just isn’t there right now? 

Other than a regional Chase ad on the top <chase.com/washington>, it wasn’t until the fifth page of results that another Northwest financial institution made an appearance, Coastal Community Bank advertising its BancVue/FirstROI-powered high-yield checking account (landing page here).  

Search results page for online banking (1 June 2009, 3:20 PM from Seattle/Comcast IP address)

Landing page for the fake CenturyCU.org Google ad (1 June 2009)

American Express Adds a Helpful Hint When Typing a Structurally-Wrong Password

Thank you, American Express, for removing one of the little annoyances of online commerce. During login, the company warns users when they’ve typed more than the maximum eight characters allowed in the password field. The login page suddenly becomes grayed out and the error message appears on the right (see screenshot below).

It would be interesting to see what this small change saved in reduced password resets and customer service calls.

Bottom line: If you have unique password requirements, such as special characters, consider telling customers during login if their password is invalid for that reason. Sure, it makes it slightly easier for crooks to guess, but mostly you’ll just have a bunch of slightly-less-annoyed customers.

American Express log-in message when attempting to use a password that doesn’t fit the company’s requirements (15 April 2009)

Trusteer’s Rapport Security Solution Now Available at UK’s RBS and NatWest

Last May, Trusteer launched an optional added security measure for customers of ING Direct in the United States (note 1, see previous post). Although it’s not perfect, users of the Rapport service are less vulnerable to viruses and malware running on their PCs. We gave the new service an OBR Best of the Web award last fall in our Online Banking Report on Security Innovations.

Although ING Direct is a great reference account, being endorsed by Royal Bank of Scotland really puts Trusteer on the map. The security solution is offered for download at both Royal Bank’s RBS and NatWest sites (see screenshots below). Anyone visiting the banking sites can download the software; you don’t have to be an RBS/NatWest customer.

Trusteer also lists Huntington Bank as a customer but there is no mention of Rapport on the bank site yet. Other providers include Authentium’s SafeCentral (note 2) and Check Point’s ZoneAlarm (note 3). 

Bottom line: Security is an issue for many bank customers, now more so than ever. Extra security options deserve consideration to improve customer satisfaction/trust and help reduce fraud losses. 

Rapport download page at NatWest (link, 23 March 2009)

Rapport download page at RBS (link, 23 March 2009)

Notes:
1. Later ING Direct Canada and ING Direct’s Sharebuilder added Rapport support.
2. Authentium demo’d SafeCentral at FinovateStartup 2008 (video here). A new version of SafeCentral is in the works. 
3. Check Point demo’d ZoneAlarm at Finovate 2008 (video here).

Will the Online Personal Finance Specialists Survive?

I love personal financial management websites. Not so much for the reality, actually I hate tracking expenses, but for the promise. The illusion of having everything under control, never overdrafting, never missing a payment, and with perfectly-shaded multi-color pie charts just a click away (inset from Mint).

But I’ve always thought that once banks and credit unions added basic PFM functions to their online banking services (see note 1), it’s game-over for most independent PFM sites. They would have to either license their platform to financial institutions, sell out, or close their doors.

Now I’m not so sure.

Mint did something recently that made me reconsider. It was really pretty simple when you think about it. Yet as far as I know, no bank, card issuer, or even credit union has ever taken this on. 

The Mountain View, CA-based startup scanned their members’ credit card statements to identify bogus charges from a known scam. And the company plans to make the resulting fraud alert service a standard part of its offering.  

From American Banker (23 Jan 2009):

Mint Software Inc. is planning to roll out a tool that will automatically scan its 800,000 users’ accounts for potentially bogus charges…. Aaron Patzer, Mint’s founder and chief executive, said the idea for the new product came after his company heard of a scam involving Adele Services of Melville, N.Y., a bogus merchant that was making 25-cent charges to millions of consumer accounts. The news was widely reported, and Mint decided to check its users’ accounts to see if any had been affected; it found 800 that were.

Score 1 for the upstarts.

Bottom line: If the online PFM purveyors harness technology to take better care of banking customers than the banks themselves, especially with practical, money-saving ways such as Wesabe’s Cutback Tool (below), the newcomers have a bright future indeed.
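The kind of scan described in the American Banker quote can be sketched as follows. This is an added example, not Mint's code: the transaction layout, the sample data, and the $1.00 amount ceiling are assumptions made for illustration.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Watch list seeded with the merchant named in the American Banker quote.
# The amount ceiling is an assumption of this example: the reported scam
# used 25-cent charges, so large charges under the same name are left alone.
WATCHLIST = [{"merchant": "ADELE SERVICES", "max_amount": Decimal("1.00")}]

# Constructed sample data: (account id, statement descriptor, amount).
SAMPLE_TRANSACTIONS = [
    ("A1", "ADELE SERVICES MELVILLE NY", "0.25"),
    ("A1", "GROCERY MART #112", "54.10"),
    ("A2", "adele*services 0001", "0.25"),
    ("A2", "ADELE SERVICES MELVILLE NY", "0.25"),
    ("A3", "ADELE'S BAKERY", "0.25"),    # similar name, different merchant
    ("A4", "ADELE SERVICES", "49.00"),   # same name, not the micro-charge pattern
]


def normalize(descriptor):
    """Reduce a raw card descriptor to upper-case words separated by one space."""
    words_only = re.sub(r"[^A-Z ]+", " ", descriptor.upper())
    return re.sub(r"\s+", " ", words_only).strip()


def matches(entry, descriptor, amount):
    """True when the descriptor contains the watched name as whole words
    and the amount is within the entry's ceiling."""
    padded = f" {normalize(descriptor)} "
    return f" {entry['merchant']} " in padded and amount <= entry["max_amount"]


def scan(transactions, watchlist=WATCHLIST):
    """Return {account_id: [(descriptor, amount), ...]} for suspicious charges."""
    affected = defaultdict(list)
    for account_id, descriptor, raw_amount in transactions:
        amount = Decimal(raw_amount)
        if any(matches(entry, descriptor, amount) for entry in watchlist):
            affected[account_id].append((descriptor, amount))
    return dict(affected)


if __name__ == "__main__":
    for account, hits in sorted(scan(SAMPLE_TRANSACTIONS).items()):
        print(account, [(d, str(a)) for d, a in hits])
```

Matching on normalized whole words, combined with the amount pattern, keeps look-alike merchants and ordinary purchases out of the alert list.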

Note: For more info, see our Online Banking Report on Personal Finance Features for Online Banking.

Finovate 2008 CheckPoint

The fourth presenter this morning is Jordy Berson, group product manager at Check Point Software Technologies.

Check Point is a new Finovate presenter and will demo its security solution for safer online banking.

Check Point is showing their ZoneAlarm ForceField, which, when installed on users’ machines, warns them if they go to a phishing site; even more important, it keeps malicious programs from being accidentally downloaded during Web surfing. It uses a virtual sandbox to protect Web sessions even if users’ machines already contain malicious software.

Online Banking Report Looks at New Security Technologies that Promise More Peace of Mind

With bad news pouring down from all corners of the financial services world, it’s a difficult time to be a bank marketer no matter what condition your financial institution is in (see note 1).

But besides sending reassuring emails to your customers, highlighting your strong balance sheet on your website (see inset), and for the few with blogs, dropping the occasional rosy post into the RSS or Twitter feed (note 2), what’s a banker to do?

When fear is rampant, little things can make a difference. Your customers have long been nervous about banking online. Most aren’t afraid enough not to use it, but lingering doubt remains.

Now might be a great time to follow the lead of ING Direct, Firstrade, and Muriel Siebert and introduce a software solution that provides extra security for online banking. While it won’t make a Fannie Mae shareholder any happier, it’s reassuring in these times that at least there are no crooks stealing your username and password.

Online Banking Report publishes Security 4.0 (note 3)
In the latest Online Banking Report, we look at several promising software solutions that allow even malware-infested users to connect safely to their bank. Both solutions earned OBR Best of the Web designations (note 4): 

  • Rapport from Trusteer, now being distributed by ING Direct in the United States and Canada (previous post here)
  • SafeCentral from Authentium, being distributed by Firstrade and in testing at several major banks (Finovate Startup demo video here)

We also take a closer look at Bank of America’s SafePass (previous post here), which is an easy way for customers to add an extra security layer to their login, although it won’t prevent certain malware from hijacking the session. See the inset for the complete Table of Contents.

Online Banking Report subscribers may download it now here. Others may download abstract here, or purchase here. Cost is US$495. 

Notes:
1. But be thankful if your financial institution is not in the headlines right now. I’m in the hometown of WaMu and the headlines this morning were not pretty.
2. Blog post from Verity CU on 16 Sept.; Twitter update from First Federal today   
3. Our fourth full Online Banking Report on security/privacy; previous reports were #119, #93/94, and #48
4. OBR Best of the Web awards are given periodically to pioneering online banking features. It is not an endorsement of the company or product, just recognition for what we believe is an important development. Trusteer and Authentium were the 71st and 72nd recipients of the designation since we began awarding them in 1997.

Snack-Sized Innovation: Safe Deposit Box Content Archives

I heard from a new company last week that has created a service to help life insurance and bank-account holders to notify beneficiaries periodically that they are named on the account. According to FindYourPolicy.com (see screenshot below), $1 billion in insurance policies go unclaimed each year due to unknown or lost beneficiaries. Although it sounds simple, tracking down beneficiaries can be a time-consuming and expensive process. Outsourcing some or all of that is an appealing idea.

However, as a consumer-direct service, I don’t think FindYourPolicy.com will get a lot of traction. The list price of $29.95 plus $3.95 per month is a lot for twice-yearly postcards (see note 1) to your beneficiaries. But the company is likely more interested in setting a high retail “value” on the service so they can wholesale it to financial institutions for pennies on the dollar.

Using the same concept for safe deposit boxes
While the beneficiary notification is an idea deserving of a second look, I was more intrigued with another of its features, safe deposit documentation and notification service. I just spent 30 minutes last Friday making a trip to the bank to look in my safe deposit to see if my son’s social security card was there (note 2). Of course, it wasn’t. I could have saved the trip if I’d had good records on its contents. I’m sure I wrote it down somewhere, but it would likely take much longer than 30 minutes to find it.

Ideas to help memory-challenged customers like myself:

  • Simplest: It would be great if my bank had a simple email-like software app available near the safe-deposit area where I could list the contents of the box and then email the info to myself AND store a record of that communication within online banking so I could access it years from now when the email is long lost.
  • Harder: In addition to manually entering info, have a scanner available so that I can scan copies of the documents in the safe deposit box for a digital record.
  • Hardest: Extend the service to the home/office and allow me either to store items virtually, using my home/office scanner, or by uploading/emailing documents into the virtual safe-deposit box. This is the core idea behind vSafe from Wells Fargo.

However, as Tripp Johnson at Gonzobanker so eloquently laid out in this article, there are serious questions regarding overall demand for virtual safe-deposit services, not to mention pesky compliance issues that cannot be ignored.

FindYourPolicy.com homepage (29 May 2008; see note 3)

Note:

1. Why TWICE yearly? Once per year seems like plenty. Or how about one postcard and one email message each year? (Update 1 June: The reason for mailing 2x per year is that the U.S. Postal Service forwards mail only for six months, so with this frequency the company ensures it gets the forwarding address. See comment #2 from Michael Hartmann of FindYourPolicy.com.)

2. My bank is requiring a faxed copy of my 18-year-old son’s social security card in order to add him to my account. I’m all for good authentication (who isn’t?), but that seems extreme. More on that in a future post. 

3. Sometime during the past 10 days, FindYourPolicy.com added the “member of American Bankers Association” seal. It’s a reasonable touch, but it only means they’ve paid at least $1,250 for a service membership to the ABA.

ING Direct to Offer Desktop Security Plug-in from Trusteer

While everyone wants better online banking security, the business case for most solutions is elusive. Even the simple step of adding a password in front of sensitive transactions can cost millions in customer service, enrollment procedures, employee training, and other soft costs.

So financial institutions, especially in the U.S., have taken a pragmatic approach to security, adding behind-the-scenes monitoring and making it difficult to transfer large amounts of cash out of the bank, rather than incur the expense of more robust login security. Banks have been especially reluctant to get involved in the security of the customer’s desktop due to the potential tech support costs and liability issues.

That’s what makes ING Direct’s new solution especially novel. The large U.S. direct bank, which has pioneered several security procedures, including multi-factor login and PINpad data entry, will offer a downloadable 400k plugin that creates a “secure tunnel” from the user’s computer to the bank (more analysis from Gartner’s Avivah Litan here). 

According to the software provider, Israel-based Trusteer, even if the user’s computer is infected with malware, the company’s Rapport software defeats all attempts to view, capture, or take over the transaction. It also encrypts keyboard entry without impacting the speed of the interaction with the bank. If it works as billed, it could be a boon for online banking security. 

The optional plug-in is expected to be made available to the direct bank’s 14 million customers worldwide, including 6.5 million in the U.S. The software is already in use by U.S. brokerage Muriel Siebert & Co. which mentions it in the What’s New section of its homepage (see screenshot below; read more here).

Cost
The software is now available here. It is free-of-charge to communicate with ING Direct and three other websites. Users will likely have the option to purchase a premium version that communicates with a larger number of websites. 

This so-called freemium business model should help minimize the cost of the software to the financial institution. But the bigger cost issue for the bank is the customer service expense. ING Direct, which has famously kept customer-service costs down by focusing on serving only profitable customers, likely will offload as much of the tech-support burden as possible to Trusteer. But there’s no such thing as zero impact. So it will be interesting to see if they can make the ROI work across 6.5 million customers, many of whom haven’t a clue about safe computing basics.

A competing system, Safe Central from Authentium, was showcased at our Finovate Startup conference in April. The full-length demo of the program will be available here within a few days.

Wall Street Journal’s Walt Mossberg Loves Mint, Hates Financial Email

It was online banking week in Walt Mossberg’s popular Wall Street Journal technology columns. Yesterday in The Mossberg Solution, authored by 20-something Katherine Boehret and edited by Mossberg, Mint’s personal finance service received a half-page article so complimentary I had to look twice to make sure it wasn’t an advertisement. Boehret couldn’t find a single thing wrong with the service, although she did wish for bill payment capability so she could do all her banking with Mint. I’m sure she’ll have her wish granted relatively soon.

In today’s Personal Technology column entitled, How to Avoid Cons that Can Lead to Identity Theft, Mossberg himself dropped a bomb which will impact bank-marketing efforts for years to come. His first of seven tips for safe computing:

Never, ever click on a link embedded in an email (from your) financial institution….

That’s harsh, but it’s also understandable why he’d take that stand. Mossberg strives to make technology issues understandable to non-techie readers. However, it would have been better to add, “unless your bank adds account-specific personalization to the messages so you know for sure where they originated.” 

Action items
Many financial institutions, including Citibank and Bank of America, have long used personalization to distinguish legitimate messages from phishing attempts. Financial institutions with good personalized messaging should consider a public outreach program to counter the negative perception from the Mossberg column. It also might be a good time to remind front-line employees how to respond to customer concerns about phishing emails.

For more information, see our Online Banking Report on Marketing Security.

U.S. Bank Uses Login Splashscreen for Security Warning

The best way to get the attention of your online banking customers is by dropping a landing page in front of them right after they log in. It’s a bit annoying, but if used judiciously it can be extremely effective. PayPal has been using this technique for most of the eight years I’ve had an account there.

U.S. Bank is fairly new to this technique, using it just a few times a year for service-related messages. The latest, a 100-word message that reads like it was crafted by the legal department, was posted on Nov. 29 and warned customers about fake emails (screenshot below). 

It’s a good idea to remind customers about your email policies to help them avoid scams. However, U.S. Bank only warns against low-tech fakes asking for account info or PINs. Few consumers would fall for that any more. The bank fails to address the more common, and far more effective, approach of sending users to a fake website via a disguised link. The bank should explain what a genuine U.S. Bank email looks like and how to tell it apart from the fakes. 

A few other ways to make this message more effective:

  • Link to an area on website for more info on security
  • Provide an email address and/or phone number to call if there is a question about the validity of a bank message
  • Use a professional copywriter to craft a clearer and more concise message
  • Use a larger font
  • Use a heading or subheading that introduces the specific subject 
  • Add a graphic to make the topic stand out, for example the security image from U.S. Bank’s homepage (inset above)

Taking the High Road in Credit Monitoring and Identity Fraud Protection

I was looking at Geezeo's new Facebook app this morning (more on that later), and I noticed one of the best credit report monitoring ads I'd ever seen. 

Instead of focusing on the negative aspects of your credit history, the banner ad features "testimonials" of the significant savings available with good credit (the banner above claims a $310 savings in her house payment). The stories are provided under the header, "Credit Diagnosis." And, I was initially impressed after clicking through the ad to find a good landing page with more of the same.

However, the mostly-anonymous company behind the banner, FreeCreditReportsInstantly.com, uses a $1, 7-day trial come-on for its $29.95/mo credit report monitoring service. I have no problem with the company charging what the market will bear. And to its credit, FreeCreditReportsInstantly (FCRI) does disclose the go-to fee on the first page of the application. But I think the typical young Facebook user is not going to be happy seeing $29.95 monthly fees on the credit or debit card.

Why would anyone pay $360/yr for credit monitoring?
The Internet was supposed to make it hard for companies to charge 2x to 3x the going rate when dozens of competitors were just a few clicks away. But here we have a company doing just that and evidently bringing in enough revenue to afford a Facebook ad buy, not to mention holding down the number 3 ad slot on Google searches for "free credit reports" (note 1).

The answer is complex. It has to do with consumer confusion over the whole business of credit scores, ID theft, and the government-mandated free reports, which are what most Googlers are looking for when they type "free credit report." And consumers must share part of the blame too. In a rush to get "something for nothing" they blindly fill out "free trial" forms without reading the fine print or taking time to investigate alternatives.

Taking the high road
But the dizzying array of credit monitoring options provides an opportunity for banks and credit unions to do the public a great service, and turn a nice profit, by educating their customers and offering value-priced alternatives: 

  1. Credit scores/monitoring: Instead of pushing credit monitoring services that are too confusing and too expensive for the mass market, provide customers with their credit score each month, and if it takes a dive, alert the customer and provide the tools to access their credit report to investigate any potential problems (see our post yesterday and note 2).
  2. Identity fraud support: Citibank's Identity Theft Solutions advertising blitz was a nice humorous break from most bank advertising. However, I think it did a disservice by making full-blown identity fraud seem more commonplace than it really is. Consumers needn't be frightened, they need to be careful, they need to understand what to look for, and they need to know where to turn in the event of suspected fraud.

And since most banks and credit unions don't have the resources to provide full-service fraud assistance, turnkey solutions providers have stepped up to fill the need. We are lucky to feature one such company at our Finovate conference next Tuesday in NYC.

Full-service education and victim response from Identity Theft 911
Five years ago, I met the entire Identity Theft 911 team when they were in Seattle making sales calls. It was refreshing to see someone in the identity fraud space taking a genuine interest in helping the end-user out of a jam, rather than simply trying to get them on the hook for a $150+/yr monitoring service. And over the years, I've kept in touch with the company chairman, Adam Levin, as he's worked the trade shows to garner support for Identity Theft 911 and his other company, Credit.com. Adam will take the stage Tuesday morning in NYC to demonstrate the full range of his company's resources to help banks and credit unions make their customers feel MORE secure, rather than more afraid (see screenshot below of AFL-CIO Employees Federal Credit Union's Identity Theft 911-powered services, link here).  

Note:
1. Search performed from Seattle IP address mid-morning on 26 Sep 2007.   

2. For more information on credit monitoring, see the latest Online Banking Report here.