ING Direct Adds Virtual PIN Login Pad

ING Direct’s <ingdirect.com> three million U.S. customers now must enter their login PIN into the site with an on-screen PIN pad. Users have the choice of clicking the digits of their numerical PIN or typing the corresponding letters into an on-screen box (see screenshot below). The letter-to-digit mapping is scrambled on every login, so a keylogger that records the typed letters cannot simply replay them later.

Although the virtual PIN pad has been widely deployed elsewhere in the world, it’s new in the United States.

Analysis
Until recent deployments at Bank of America (NetBanker May 26), Citibank (NetBanker May 30), E*Trade (NetBanker March 2), and a handful of others, ING Direct had been the only U.S. bank making even a minimal attempt to make login more secure. For the past four years it has required a third piece of information at login (partial Social Security number or year of birth). That isn’t really multi-factor authentication: the third item is just another "something you know," and one that isn’t hard for a fraudster to obtain, but it at least provided the perception of better security (click on screenshot below to see a closeup of the login page).

The virtual PIN pad, first used by ABSA Bank in 2003 (see Online Banking Report 96/97), isn’t foolproof. A conventional keylogger captures only the letters typed, and those map to different digits the next time the pad is scrambled, so it can’t replay them; but malware that captures the screen or the page itself, or a phishing site that serves its own pad, still gets the PIN. Even so, it makes it tougher for key-loggers and phishers to recreate the bank’s login process, and it’s a relatively inexpensive improvement with very little customer impact. In fact, I’d expect the customer response to be overwhelmingly positive.

If the bank combines these cosmetic security features with robust behind-the-scenes authorization controls, it should have enough to keep the crooks at bay AND satisfy regulators.

JB

Washington Mutual’s ID Theft Play

Washington Mutual <wamu.com>, which has been pitching free checking in Seattle for as long as we’ve lived here (mid 1980s), recently added ID Theft Services to its list of free checking account enhancements.

A mid-October direct mail we received at our home touted the following benefits, along with a $75 American Express Gift Cheque, for signing up for a new checking account (italics are theirs):

  • No direct deposit required
  • Free Telephone Banking
  • Visa Check Card
  • No per-check charge
  • Free Personal Online Banking
  • Free Personal Bill Pay service
  • Free ID Theft Services

In addition to the above bullet points, the Free ID Theft Services had its own paragraph, one of just four in the short sales letter:

Exclusively for Washington Mutual customers: Free ID Theft Services. If you become a victim of identity theft, we provide insurance that helps you with your legal and other identity theft expenses up to $5,000 with no deductible. This valuable service also provides professional assistance, plus access to credit reports, management tools and more.

No other information was provided in the letter or the fine print. But looking at the bank’s website we find that the free services lead to a pitch for full three-bureau credit report monitoring from Intersections <intersections.com> (click on inset for a partial screenshot or download the entire screenshot; links will not work). It’s all explained on Washington Mutual’s proprietary identity theft site, ID Theft Inspect <idtheftinspect.com>.

Analysis
With all the concerns about online safety and fraud protection, it makes perfect sense to offer identity theft protection services to customers, especially when you will be helping defrauded customers whether you make it an account benefit or not.

We like how WAMU offers certain services to all account holders, then upsells them into full credit report monitoring. However, the bank’s pitch for fee-based protection could be far more effective if it:

  • Offered online signup — Currently customers must sign up in a branch or call a toll-free number.
  • Disclosed the price — There is no mention of a monthly fee, either in the main body of the copy, or in the detailed disclosures. This is a sure way to lose customers.
  • Provided a more detailed view — The promotional copy does a good job of explaining the benefits; however, beyond a few blurry screenshots, there is no way to preview the level of detail to be provided with the service. The bank needs an online demo, tutorial, or FLASH presentation.

Overall, we give it a B+; disclose the price and it’s an A-.

JB

Scottrade to Use PassMark Security

It's been four months since Bank of America surprised the industry with its endorsement of PassMark Security <passmarksecurity.com> for multi-factor consumer login (see NB 26 May 2005). Since then, we've talked to a number of industry participants who claim to have a better mousetrap, which they may.

We are not in a position to pass judgment about the technical merits of one system compared to the next; we'll let the market sort that out. And true enough there are weaknesses in the PassMark system as we noted in our Online Banking Report article (OBR 119).

But we still believe PassMark will be one of the survivors as it builds upon its BofA relationship and adds other customers down the road. The first new win is discount broker Scottrade <scottrade.com>, which announced yesterday that it will install PassMark to improve login security for its 1.4 million consumer accounts (see inset above). The broker also becomes the first client to say that they will also add the PassMark identifying image to outbound emails so recipients know the message is legitimate.

Added to the 13+ million BofA accounts, PassMark now boasts that it will be "protecting 15 million users in 2006," a powerful marketing message for the startup. Separately, the company announced v2.0 of its two-factor authentication system.

Off-Topic
Speaking of marketing, you should take a peek at PassMark's website if only to see how it markets to financial institutions (see inset left). The company provides a 4.5-minute audio briefing done in Macromedia Breeze along with three short demos showing how the system works for (a) new users, (b) users logging in from a known computer, and (c) users logging in from an unknown location.

The company's website is remarkably brief and to-the-point, especially for a B2B tech vendor. If you are looking for ideas on how to spruce up your online marketing to businesses, this is a good model.

JB


New Federal Fraud Education Website

If you are looking for a spam/spyware/phishing resource for your online customers, OnGuardOnline.gov is a good one, especially for novice users.

The site is sponsored by the Federal Trade Commission, Dept. of Homeland Security, U.S. Dept. of Commerce, and the United States Postal Inspection Service. They also had help from the private sector, with some content provided by Microsoft and the Internet Education Foundation www.neted.org. The site lists a number of other partners but does not disclose their contributions. None of the listed partners is closely associated with the financial services industry.

The main content areas cover:

  • ID theft
  • Spam scams
  • Phishing
  • Spyware
  • Shopping
  • P2P file sharing
  • VoIP

Analysis
The information is thorough and presented in an audio-visual format that is easy to digest (click on inset to see a closeup of the homepage). The videos from Microsoft are particularly well done. And surprisingly there is no plug for the software giant; they don’t even have a logo on the site.

The interactive Flash games are a little on the hokey side, but they get their points across. The Stop-Think-Click: 7 Practices for Safer Computing is very well written and hopefully will become widely circulated in the popular press.

Action items
Financial institutions should use the site either as a direct resource for customers or as a blueprint for the material which should be presented in a bank’s security and privacy area. The 7-point Stop-Think-Click material is especially useful to present to users.

The only slight hesitation we have about referring customers directly to OnGuardOnline.gov is that it may be somewhat frightening. We think it’s better to cover these issues yourself so you can provide reassurance along the way about how you are helping address these risks.

But for those who haven’t the resources or budget to create your own security center, this is a good reference point.

JB

Mandatory Online Banking Password Changes

Katie Kuehner-Hebert looks at the issue of mandating consumer password changes in today’s American Banker. She cited only a single bank doing it, West Georgia National Bank <www.wgnb.com>, which recently began requiring new passwords every 45 days. None of the financial institutions we are familiar with force password changes, although NextCard did when it first launched in 1997, but later it did away with the annoying requirement.

Analysis
This is one of the least effective ways to improve security. A password stolen by a phisher or keylogger is typically used within hours, long before the next forced change. Worse, mandatory rotation may have the opposite effect, for two reasons:

  1. Customers cannot memorize a new password every 45 days, so they will write it down somewhere near their PC where others can see it.
  2. Once users realize what a hassle logging in has become, they will forgo online access altogether or use it much less often. That reduces how frequently they monitor their accounts, and frequent monitoring is what limits the damage from identity theft and other fraud.

And even if the method did reduce fraud, it’s unlikely to be cost effective given the increased burden on customer service and decreased customer satisfaction.

Offer choice
Some customers do like the idea of periodic password changes, but forget about mandatory changes. We like the M&T Bank <www.mandtbank.com> approach. The Buffalo-based bank allows customers to choose whether to have mandatory password changes at 30, 60, 90, 180 or 365 days. They can also choose NOT to have a mandatory password change (click on inset for a closeup).

An even simpler way to give customers the choice is to allow customers to program an alert reminding themselves to change their password. The alert should NOT have a link back to the bank, otherwise it will look like a phishing message.

JB

Citibank’s Security Pop-Up

Under the "every little bit helps" theory, Citibank’s popup window when registering for online credit card access is a nice touch.

The popup (click on inset for closer view) reassures users that they are entering information into a secure site. The well-crafted verse goes like this:

Secure.
A little word that means a lot–especially online.
Rest assured, this registration process is just that.

The window closes itself in about 10 seconds, if the user hasn’t done so already.

JB

To learn more about how to promote online security and peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

Online Banking Confidence Still at 60%

The problem with most published information on consumer attitudes is that it doesn’t show the trend. It’s interesting to see that a certain portion of the population expresses concern about e-commerce security, but it’s not really actionable unless you see it in context. That way you know whether the concern is growing, stable, or lessening, and whether consumers are more concerned about branch lobby, telephone, or mail security.

Kudos to Informa Research for publishing a table showing consumer attitudes on online banking security dating back to 2000. As you might expect, consumers are significantly more confident than they were five years ago (59% vs. 49%), but there has also been a substantial drop-off since 2003 (59% vs. 70%).

Percent of consumers who "completely" or "strongly" agree with the statement:
"Internet-based transactions handled by financial institutions are safe and secure"

Year   Agree
2000   49%
2001   56%
2003   70%
2005   59%

Source: Informa Research, Aug. 2005, n = 1,690

Analysis
Taking a cup-is-half-full approach, we are pleased to see that the majority of consumers still consider online banking to be safe. Although the drop-off from 2003 is a concern, we’ve probably hit bottom, barring any dramatic breaches in the near future. As banks institute security upgrades such as multi-factor authentication, broader security alerts, and secure messaging, consumer confidence will grow.

JB

If you’d like to learn more about the future of online banking, check out the Online Banking & Bill Pay Forecast: Current, future and historical usage: 1994 to 2016 from our sister publication, The Online Banking Report.

Phishing Awareness Less Than 30%

We’ve warned against using too many scare tactics on your website (see OBR 119, Marketing Security). Here’s data to support that argument.

The latest Pew Internet Project survey (PDF) found that more than 70% of Internet users had either never heard of the term Internet phishing (15%) or were unsure of its meaning (55%), leaving just 29% who said they had, "a pretty good idea of what the term meant." In comparison, 88% of Internet users had a pretty good idea of what Spam meant, 78% knew Firewall and also Spyware, while 68% understood Internet cookies, and even 52% knew Adware.

JB

Update: Bank of America’s SiteKey Goes Live in Tennessee

Bank of America issued a press release saying that it went live today in Tennessee with its OBR Best-of-the-Web-winning multi-factor authentication system. However, a search of the bank's website, using Tennessee as our state, found no mention other than the "coming soon" paragraph that's been posted for the past several weeks (click on inset to read).

Read our previous article.

JB


RF Technology for Online Banking Login?

Now that Visa, MasterCard, American Express, and others are actively putting so-called contactless cards into the hands of consumers (Chase’s blink, for instance), it’s not such a far-fetched thought that these radio-frequency (RF) cards could be used as the extra factor for online banking login.

PCs equipped with RF card readers could read the user’s card, supplying a possession factor, so the user could log in with just a username/password, or conceivably just a password.

PC makers aren’t going to add card-reading hardware, no matter how cheap it is, just for online banking. But if merchants began insisting on RF readers to cut down on card fraud for online purchases, perhaps with the card associations agreeing that a purchase made through a PC-based RF reader qualified as a "card present" transaction, then the technology could take off.

Using contactless cards online could be more beneficial than using them for off-line purchases. In the physical world, the contactless card merely saves a few seconds compared to swiping it through a conventional terminal. But online the savings could be more dramatic, potentially allowing the customer to skip typing the card number and verification code into a web form.

JB

Stonebridge and American Bank Offer Secure Account Login

Today's American Banker reports that Stonebridge Bank (West Chester, PA; $365 million in assets) and American Bank (Allentown, PA; $500 million) are following E*Trade's move to offer hardware tokens to authenticate consumer logins.

As of May 30, Stonebridge is offering the token free-of-charge to any of its 4500 consumers who request one. The token will be mandatory for its 500 business customers. In its security FAQ, the bank says it will charge $25 annually, its out-of-pocket expense for the device, after the first year. They also charge $25 to disconnect the token during the first year and $25 to replace it within 5-7 business days, or $45 total for overnight delivery.

American Bank is sending the token to 1000 customers who said they would like one in a recent survey. There is no charge for the service. The bank expects to order another 1000 from RSA Security next month. It pays approximately $20 each, which does NOT include maintenance costs to operate the system.

Analysis
We applaud these three financial institutions for moving beyond the username/password. However, except for the most demanding customers, primarily businesses, hardware-based solutions are overkill.

The Bank of America/PassMark approach is much better. Not only is it more cost effective, it is also much easier to use and helps keep the user from entering a password at a fake site.

JB


Citibank Fights Fraud with Personalized Emails

It’s fitting that the financial company most targeted in phishing attacks, Citibank, would be the first to introduce a new email format that goes a long way toward helping users identify legitimate messages.

The personalized emails (click on inset to enlarge) include not only the name of the recipient but also the last 4 digits of the user’s ATM card. Simple personalization with the customer’s name alone would help many users identify legitimate emails, but it’s far from fool-proof.

First, there’s the relatively common practice of including first name and/or last names in email addresses. Also, some phishers are using direct marketing tactics and first running email addresses through various databases to append actual names and other info to the email record in order to develop a personalized pitch (see ZD-Net article).

Citibank’s new email format was announced to customers through a short message on the top of the online banking screen in early May. It is also now mentioned in the bank’s main FAQ page.

Analysis
This is a great first step in winning back the confidence of users. Eventually email standards will evolve so that the email client will be able to readily identify legitimate emails, but that could be years in the future.

If you are considering a similar approach, you might want to let users choose the name and identifying information that appears in the personalization box. In February, we reported on a UK security initiative that took that approach.

For more information:

JB

Editor’s Note: Citibank received an OBR Best of the Web award for this and other security features in Online Banking Report #119, "Marketing Security."