Security & Privacy Archives

Out of the Inbox: Citibank Offers to Help Users Restart their Online Banking

By Jim Bruene on February 3, 2010 4:15 PM | Comments (4)

My Citibank checking account dates back to when iPods were novel and 1GB was enough to satisfy your iTunes cravings (see Jan. 2005 post). For several years, Citibank gave iPods away to anyone who'd open up a checking account online and do a few bill payments.

I haven't accessed my Citi checking account in at least a year, because last time I tried, I locked myself out with too many password attempts (note 1). And I've been too lazy to go through the often tedious reset process (see below).

So I was pleased to receive an email this morning offering to help me get restarted (see screenshot below). I figured the bank had noted my previously futile attempts to log in and was sending along a bit of digital assistance. Sure, it was a year or two after the fact, but I believe in better late than never.

But the main call to action in the activation email is:

Enter the User ID and Password you created when you opened your account online.

So evidently, the bank thinks I'm smarter than I really am and actually can remember the username/password from my two-year-dormant account.

Had I not been blogging about the email, I would have deleted it. But as I re-read it more closely, I did see the small light-gray link in the corner for resetting my password. Unfortunately, Citi requires your ATM card and PIN to reset passwords (see second screenshot). This is precisely why I wasn't able to reset the thing when I was locked out two years ago.

My take:
1. An activation email to stalled online banking customers is a great idea. But in this case, Citibank did not deliver on its promise to "help" me restart online banking (note 2). As a matter of fact, I am now even more frustrated. If you are going to send a message offering help, make sure there is actual help available for the various ways customers will respond.
2. For infrequent users, consider simpler password-reset procedures based on email address or mobile phone number on file plus Social Security Number and/or shared secrets. 
3. Finally, don't offer a dead-end password reset page. In Citibank's case, if the user doesn't have both their ATM card number and PIN, there is no place to turn. There's not even a phone number listed on the page to seek live help (you have to use Contact Us in the upper right).

Citibank email (sent 3 Feb. 2010, 9:30 AM Pacific)

Citibank password-reset page

Note:
1. I have two Citi accounts with different usernames and passwords, so it always makes for an interesting memory test at login.
2. I should add that I have enough money in the non-interest account to provide Citi with a bit of profit every year. 

Trusteer Quantifies the Biggest Online Banking Security Weakness: The End User

By Jim Bruene on February 2, 2010 5:42 PM | Comments (0)

I've often wondered how many people use the same username/passwords at their bank as they do at other random websites. I figured it was a substantial number, but never expected it to be as high as the 73% Trusteer cited in a recent white paper (note 1). That's why most financial institutions have used "multi-factor authentication" for years.

One of the most common multi-factor techniques is to ask additional questions if the bank detects a login from an unknown computer. However, it's possible that these same people are also using the same "secret question" answers at non-secure websites, defeating this multi-factor approach.   

Luckily, it's still relatively difficult to remove money from most U.S. consumer accounts because online interbank transfers are more tightly controlled, or simply not offered. However, if crooks are able to log in to online/mobile banking and determine the user's account numbers (debit, credit, or checking), a number of more lucrative frauds can be engineered.

What's a bank to do:

  • Use secret questions that are not commonly used across the Web. Or allow users to create their own, but caution them not to use ones they see at other non-banking websites.
  • Create an additional out-of-band authentication process (e.g., text message an approval code) for moving funds out of an account.
  • Do not allow online banking users to see their own account numbers online (note 3).
  • Educate/encourage customers to use a different username/password for online banking than for other non-financial sites.
  • Financial institutions using Trusteer's Rapport service can identify which customers are sharing username/passwords at less-secure sites and ratchet up internal fraud control settings for these customers.

And the most effective method, which we don't recommend because it's just too painful for the user experience:

  • Force users to make more challenging usernames and/or password such as those with a capital letter, number and/or special character

Silicon Valley Bank (SVB) offers Trusteer's Rapport (link, 2 Feb. 2010)

Notes:
1. While 73% shared banking passwords with other sites, less than half the total, 47%, shared BOTH username and password. Two other data points:
- 65% of user-selected banking usernames were used elsewhere
- 42% of bank-selected banking usernames were used elsewhere
2. Trusteer's data was compiled over 12 months using its plugin software running on more than 4 million computers (see previous post).
3. There's still the issue of the easy-to-read account number on check images; it would be nice to mask it, but that's probably not worth the expense.
4. For more info on Trusteer and other security topics, see our previous reports, such as Online Banking Report: New Security Techniques (Sep. 2008).

Bank of America Offering 1 Year Free McAfee Internet Security at Online Banking Logout

By Jim Bruene on October 21, 2009 3:01 PM | Comments (0)

This is one of the most valuable freebies I've ever been offered simply for being a customer. Bank of America online banking customers, new or existing, are being given a one-year free subscription to McAfee, worth $70 at retail.

The fine print is relatively clear (reprinted below, after the screenshot). The main "catches":

  • Must not have a current McAfee subscription (see Results below)
  • The subscription auto-renews at $34.98/yr, a 50% discount
  • The BofA offer itself never mentions the number of users covered (the normal $69.99 subscription from McAfee covers three users, see note 1); however, during checkout, after accepting BofA's offer, the product description confirms that three users are covered by the subscription

Bank of America is also publicizing the offer on its main website (here). To accept, users must log in to online banking first.

Results: I signed up for the account this morning and was surprised to find that you are not required to use Bank of America for payment. In fact, BofA is never mentioned again after leaving the original landing page (see second screenshot). The McAfee cart offered the usual choice of Visa, MasterCard, American Express, PayPal and others. 

Opportunity for financial institutions: Assuming you can swing a deal with McAfee that requires no out-of-pocket expense, offering your customers a year's worth of anti-virus protection is a win-win. The primary downsides are a few extra calls to customer service and a few irritated existing McAfee customers who do not qualify for the freebie.

Bank of America logout screen (21 Oct 2009; 7 AM Pacific)

Fine print on bottom of page above:
This exclusive offer is available only to Bank of America Online Banking customers. Online Banking customers receive McAfee Internet Security for PC free for 12 months, a $69.99 value. At the end of the 12-month period, Online Banking customers are eligible to renew for another 12-month period at 50% off MSRP or $34.98. Customers with a current McAfee subscription are not eligible for this offer. Bank of America reserves the right to modify this offer and eligibility requirements at its discretion.

Landing page (link)

Same offer on BofA website (link)

Notes:
1. The service is currently offered at a discount at Intel's software store for $32.95 for one year for three users. Intel's offer was positioned via paid ad at the number-one position on a Google search for "McAfee Internet security."
2. For more information on online banking security, see Online Banking Report: New Security Techniques (Sep 2008)

Fifth Third Bank Bundles Free Credit Report Monitoring & Identity Theft Protection into Checking Accounts

By Jim Bruene on September 2, 2009 4:21 PM | Comments (1)

Checking account profits are being attacked on several fronts. Near-zero short-term interest rates have destroyed the profitability of the balances. Regulators and activists are putting pressure on penalty fees. And consumers are loath to pay monthly charges for what's been positioned as a free service for so long.

So how is it that Fifth Third Bank is able to bundle a service into its checking account that typically costs consumers $12 or more per month? They are bringing back the monthly fee (see note 1), charging either $7.50 or $15 per month for a so-called package account (see options below). It's a strategy right out of Marketing 101: figure out what customers want, then build the product, package it right, promote it well, and price it for the value delivered.

I believe Fifth Third has taken the right tack with its checking accounts, though it should go even further (see analysis). The bank offers two non-interest checking account bundles (PDF comparison here), neither of which is free of charge no matter how high the balance (note 2). Instead of offering fee waivers, the bank has bundled full-service three-bureau credit report monitoring and identity theft services powered by Affinion (link to Fifth Third Identity Alerts). And the monitoring is available for BOTH names on a joint checking account (note 3).

  • Secure Checking at $7.50/month, comes with free credit report monitoring and identity theft protection (valued at $9.95/month per person)
  • Gold Checking at $15/month, comes with the same free ID protection & monitoring plus free nationwide ATM access

Analysis of Secure Checking
Now more than ever, customers are craving security and safety in all things financial (see yesterday's post). Bundling identity theft/credit report monitoring in checking accounts is an excellent way to address customer concerns AND differentiate your account in the marketplace. And naming it Secure Checking helps drive home the key benefit.

I like what the bank has done. It would be even better if it highlighted more of its current security features available in mobile and Internet banking (note 4):

  • Email alerts
  • Mobile text alerts
  • Secure storage of estatements
  • Transaction monitoring for fraud and error
  • Other security protections as outlined on its security page

And down the road, they could enhance the account with additional features such as (note 5):
  • Out-of-band authentication via text message
  • Disposable credit/debit account numbers
  • Long-term (7+ years) secure transaction archives
  • Enhanced fraud protection guarantees
  • Dedicated security reps on call 24/7 to help out in the case of a suspected problem
  • Software and tools to safeguard online banking (e.g., Trusteer, Authentium, Check Point)

Fifth Third Bank non-interest checking accounts (link, 2 Sep 2009)

Secure Checking landing page

Notes:
1. Ref: Is This the End of Free Checking?, SmartMoney Magazine, 31 Aug, by Kelli B. Grant
2. The bank does offer an interest-bearing checking account with its $15 monthly fee waived with a $2,000 average balance in checking or $20,000 across all deposit and investment products. The bank also has a free non-interest checking account option.
3. I'm not sure the bank gets enough mileage out of covering BOTH account holders to justify the additional costs. To improve profits, the bank should consider a modest additional fee (approximately $5/mo) to cover joint account holders. 
4. These benefits are hidden behind a tab that most consumers, including myself on my first two passes, will likely miss (see second screenshot above).
5. For more info on how to package security benefits into your services, refer to the following Online Banking Reports: Marketing Security (June 2005) and New Techniques for Securing Online Banking (Sep 2008).

Addison Avenue Credit Union Provides Secure VIP Access Powered by VeriSign

By Jim Bruene on July 21, 2009 6:03 PM | Comments (0)

A few weeks ago, I was lucky enough to tour the British Museum's exhibit on the history of money. One thing has remained the same throughout the millennia: a concern about the security and authenticity of the various objects used to convey wealth.

It's no surprise that security is the number-one online banking concern of today's consumer. Had there been market research three thousand years ago, I'm sure security would have been at the top of the list of fears of the Chinese rich enough to hold a cache of cowrie shells (inset).  

So, until we figure out a way to eradicate crime, financial institutions need to address security concerns head-on and provide tools for consumers to take more control (note 1).

That's what I love about Addison Avenue FCU's launch of VeriSign's Identity Protection (VIP) security tokens. Addison Avenue members now have the tools to make their online banking extremely secure, should they desire to. And with set-up charges of $30 to $48 (waived for mobile) and an annual fee of $10 (waived the first year), the program is relatively self-funding (screenshots below).

As an added bonus, the "VIP Access" theme, even though it's powered by a security vendor, provides a nice boost to member relations. It also gives the CU an iPhone (link to app) and Blackberry presence it wouldn't otherwise have. 

Addison Avenue e2: The VeriSign program is one leg of a three-part effort dubbed E2, which the credit union launched today (press release; see third and fourth screenshots below).

The three core features:

  • VIP security: as outlined above (link)
  • E-deposit: remote check deposit via basic in-home scanner (link)
  • Mobile banking: mobile web-based (link)

Addison Avenue security key landing page (link, 21 July 2009)
A short informational video brings the service to life.

VIP token options shown on VeriSign's website

Addison's three-part "e2" effort is highlighted on its homepage

E2 landing page (from homepage)

Notes:
1. Granted, most customers are not willing to spend the extra effort to bulletproof their accounts. So extreme security measures such as this should be optional and carry a nominal extra fee.
2. For more info on addressing security concerns, see our Online Banking Report on Security Marketing (published in 2005) and our more recent Online Banking Report on New Security Techniques published nine months ago.

M&I Bank's Understandable Online Guarantee

By Jim Bruene on July 2, 2009 2:39 AM | Comments (0)

While reviewing M&I Bank's Metavante-powered online application for our latest report (note 1), I noticed the bank's Online Security Guarantee (first screenshot below).

It's important to post reassurances prominently on banking websites, especially on product application pages. It helps users overcome their security and trust fears and move forward with opening new accounts online. 

Often the explanations of guarantees are full of legalese and exceptions in the fine print, reducing their effectiveness. But M&I does a good job with concise and easy-to-comprehend copy (see second screenshot).

Here are the four parts to the guarantee, taken directly from the website:

  • Zero Liability Protection: You will not be responsible for any withdrawals which result from unauthorized online access to your personal M&I deposit accounts.
  • Bill Payment Promise: If we fail to process a payment in accordance with your instructions, we will reimburse any late charges assessed by the payee.
  • Security Commitment: We use data encryption to protect you when applying for accounts, conducting transactions or paying bills online.
  • Privacy Protection: As further detailed in our Privacy Policy, we are committed to protecting your personal information.

M&I also includes a short section outlining the customer's responsibility to monitor their account and safeguard passwords.

We congratulate both the bank's product group and its attorneys for keeping legal language to a minimum.

M&I Bank's Platinum Checking application (7 June 2009)

M&I Bank's Online Guarantee page (link, 7 June 2009)

Note:
1. For more info, see Online Banking Report: Opening Accounts Online, published June 21, 2009.

Why Mobile Banking/Payments will be Highly Profitable

By Jim Bruene on June 18, 2009 11:29 AM | Comments (6)

My credit card number was stolen again. It's the third or fourth time since the Internet came along. It's annoying, and a little disconcerting, but not a major problem, thanks to efficient card issuers who take the info, credit my account, and send me a new card. On a ten-point "hassle scale," where 10 is having your hard drive crash, it's only a 2 or 3.

And my previous stolen cards resulted in little financial loss to the issuer, other than the cost to process the chargeback and reissue the plastic. In those cases, either the issuer caught the fraud before anything was shipped, or the items purchased were digital (online subscriptions) and didn't result in any lost inventory.

But this time was different. Someone used my card number to buy a PS3 gaming console and three games at a Best Buy in the Bronx. Assuming Best Buy follows proper procedures, Wells Fargo will be out more than $600 just for the merchandise. All told, with the cost of the investigation and processing, it's probably an $800 to $900 loss to the bank and merchant.

Wells Fargo is generally very good about suspicious charges and usually calls us. I've had the card for almost two decades, and it's been the primary card for both my wife and me for much of that time. WF knows our purchasing habits better than we do.

Yes, we get to NYC at least once a year, but our charges are usually travel- and tourist-related ones in Manhattan. And we probably visit Best Buy in Seattle a couple times a year (we have teenage boys), so the gaming system charge is understandable. But it's highly unlikely we'd buy a system while visiting NYC, and we've never visited the Bronx, so the authorization request likely triggered flags.

But unless there was inside theft, the bank's authorization system evidently decided the $10 in interchange was worth the risk. Bad call this time, but probably right 99%+ of the time; otherwise, they'd be out of the card business.

What's mobile have to do with it?
But if Wells Fargo had a real-time connection to me via mobile phone, they could have texted me for an OK (similar to the screenshot above, which is a text-based activity request to Wells Fargo). If it really had been I who stood at Best Buy's register, it would have taken a second to reply "yes," and the transaction would have gone through.

Of course, in this case, I would have said 'no, I'm in San Francisco right now.' Or even better, in the not-so-distant-future, if I'd allowed the bank to track me via GPS, they would have known, without even contacting me, that I was 3,000 miles away from that store. Either way, the bank saves nearly a grand from that single text message. Multiply that by the millions of fraud purchases every year and you have serious money, billions by most estimates.

So yes, mobile banking (really mobile payments) does have a robust and tangible business case from fraud reduction and customer service savings. The technology is in the hands of the users now, and most know how to use it. So, let's get moving.
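The two checks the post describes, a location pre-check that can settle the authorization without contacting the cardholder, followed by a text-message yes/no when it cannot, as an added example that is not from the post or from Wells Fargo. The store and cardholder coordinates, the distance and amount thresholds, and the message wording are all constructed for illustration.

```python
"""Card-authorization risk check: location pre-check, then out-of-band approval.

Added example, not Wells Fargo's or the post's own code. Coordinates,
thresholds and SMS wording are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from math import asin, cos, radians, sin, sqrt
from typing import Callable, Optional

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius, statute miles


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float


@dataclass(frozen=True)
class AuthRequest:
    merchant: str
    merchant_location: Location
    amount_usd: float
    # Last known position of the cardholder's phone (opt-in GPS), or None if unknown.
    cardholder_location: Optional[Location]


class Decision(Enum):
    APPROVE = "approve"
    ASK_CARDHOLDER = "ask_cardholder"  # settle by text message
    DECLINE = "decline"


def miles_between(a: Location, b: Location) -> float:
    """Great-circle (haversine) distance between two points, in statute miles."""
    d_lat = radians(b.lat - a.lat)
    d_lon = radians(b.lon - a.lon)
    h = (sin(d_lat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(d_lon / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def pre_check(req: AuthRequest, max_miles: float = 100.0,
              review_above_usd: float = 250.0) -> Decision:
    """Settle the request from the phone's location when possible, contacting nobody.

    Thresholds are constructed: a phone far from the merchant declines outright
    (the post's "3,000 miles away" case); a nearby phone or a small amount
    approves; anything else falls back to asking the cardholder.
    """
    if req.cardholder_location is not None:
        if miles_between(req.cardholder_location, req.merchant_location) > max_miles:
            return Decision.DECLINE
        return Decision.APPROVE
    if req.amount_usd < review_above_usd:
        return Decision.APPROVE
    return Decision.ASK_CARDHOLDER


def approval_sms(req: AuthRequest) -> str:
    """Text sent to the cardholder when the pre-check cannot settle the request."""
    return (f"Card purchase of ${req.amount_usd:,.2f} at {req.merchant}. "
            f"Reply YES to approve or NO to decline.")


def parse_reply(text: str) -> Optional[bool]:
    """Map a reply to True (approve), False (decline) or None (unclear)."""
    words = text.strip().split()
    answer = words[0].strip(".,!").upper() if words else ""
    if answer in {"YES", "Y"}:
        return True
    if answer in {"NO", "N"}:
        return False
    return None


def authorize(req: AuthRequest,
              send_sms: Optional[Callable[[str], str]] = None) -> Decision:
    """Full flow: location pre-check, then out-of-band confirmation when needed.

    `send_sms` delivers the message and returns the cardholder's reply text.
    No channel, no reply, or an unclear reply declines (fail closed).
    """
    decision = pre_check(req)
    if decision is not Decision.ASK_CARDHOLDER:
        return decision
    if send_sms is None:
        return Decision.DECLINE
    return Decision.APPROVE if parse_reply(send_sms(approval_sms(req))) else Decision.DECLINE


# Constructed sample coordinates: a store in the Bronx and a cardholder in San Francisco.
BRONX_STORE = Location(40.8448, -73.8648)
SAN_FRANCISCO = Location(37.7749, -122.4194)

if __name__ == "__main__":
    far_away = AuthRequest("Electronics store, Bronx NY", BRONX_STORE, 612.37, SAN_FRANCISCO)
    print(f"{miles_between(SAN_FRANCISCO, BRONX_STORE):.0f} miles apart ->",
          authorize(far_away).value)
    no_gps = AuthRequest("Electronics store, Bronx NY", BRONX_STORE, 612.37, None)
    print("no location, cardholder replies 'no' ->",
          authorize(no_gps, lambda sms: "no, I'm in San Francisco right now").value)
```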

Note: For more information see our Online Banking Report on iPhone Mobile Banking

Out of the inbox: Great call-to-action from E*Trade, "Re-Plan your Retirement"

By Jim Bruene on June 12, 2009 9:16 AM | Comments (3)

Over the years, E*Trade has been consistently innovative in both product development and marketing, two areas that provide natural synergies. The company didn't disappoint with its latest missive to existing customers.

An email arrived yesterday afternoon (Thurs., 11 June 2009) and immediately grabbed my attention with its clever and timely subject line:

Re-plan Your Retirement with E*TRADE and Get Up to $500

Analysis
One thing I've heard consistently from my friends, no matter how secure their jobs, is that they will "be working forever" now that the Great Recession has slammed their net worth with the double whammy of a bear market and home-price declines.

So this is a great time to get in front of customers with new efforts to help them re-plan retirement with new investment ideas, asset rebalancing and just a general reboot of their portfolio. And it's also an excellent time to discuss 401(k) rollovers, as E*Trade did in this message, with an "up to $500" (see note 1) incentive to roll over a retirement account to the company (see landing page, third screenshot below). As Americans change jobs by necessity, there will be millions of retirement accounts in play. 

Security features in email
E*Trade also demonstrates another best practice to improve trust in customer emails: personalization. The company includes customer name and last four digits of their account number to help distinguish the message from fraudulent phishing attempts. E*Trade draws attention to the feature with a Security Enhanced icon on the top-right (see first screenshot below).

Clicking on the Learn More link drops readers to the bottom of the email message where product URLs provide direct-navigation alternatives to paranoid readers (see second screenshot below). I hadn't seen that before, a nice touch.

E*Trade email promoting 401(k) rollovers (received 11 June, 3 PM Pacific)

Security "fine print" at bottom of above message

Landing page for email offer (link)


Note:
1. Detail on the rebate:

  • $500 for rollovers of $250,000 or more
  • $250 for $100,000 to $250,000
  • $100 for $50,000 to $100,000
  • $50 for $25,000 to $50,000

Zions Bank also offers Trusteer Rapport

By Jim Bruene on June 10, 2009 5:01 PM | Comments (0)

In yesterday's post, I missed an important client of Trusteer's anti-malware software. Zions Bank, a leader in showcasing its online security efforts (see 2006 post on multi-factor authentication), is the only Trusteer client to feature the program on its homepage (see below).

Zions Bank home page (10 June 2009)

Zions Bank security page (link)

Zions Bank Rapport page (link)

Fake credit union advertisement on Google

By Jim Bruene on June 1, 2009 4:24 PM | Comments (2)

It's not often I see an unfamiliar name amongst the top bidders for "online banking" at Google. But today, the sixth advertiser on the right-hand column (number nine overall) was an ad supposedly from CenturyCU.org (see ad right and search results page below).

The ad had a seemingly clear call to action, Visit Our Credit Union Today For Online Banking! However, when I clicked on the link, it led to a .info page full of ads unrelated to the legitimate Century Credit Union (see second screenshot below).

While this doesn't appear to be a phishing attempt since it's not displayed on searches for "Century Credit Union" or "Centurycu.org," it is a bit disconcerting. It's clearly a violation of Google's terms of service and shouldn't have made it past Google's filters, but they are not perfect.

But my bigger question is: How does a spammy .info site make it to the top-10 advertisers on this popular banking term? Are there really so few serious bank or credit union bidders in the area? Or is it that the Google AdWords ROI just isn't there right now? 

Other than a regional Chase ad on the top <chase.com/washington>, it wasn't until the fifth page of results that another Northwest financial institution made an appearance, Coastal Community Bank advertising its BancVue/FirstROI-powered high-yield checking account (landing page here).  

Search results page for online banking (1 June 2009, 3:20 PM from Seattle/Comcast IP address)

Landing page for the fake CenturyCU.org Google ad (1 June 2009)

American Express Adds a Helpful Hint When Typing a Structurally-Wrong Password

By Jim Bruene on April 15, 2009 6:38 PM | Comments (1)

Thank you, American Express, for removing one of the little annoyances of online commerce. During login, the company warns users when they've typed more than the maximum eight characters allowed in the password field. The login page suddenly becomes grayed out and the error message appears on the right (see screenshot below).

It would be interesting to see what this small change saved in reduced password resets and customer service calls.

Bottom line: If you have unique password requirements, such as special characters, consider telling customers during login if their password is invalid for that reason. Sure, it makes it slightly easier for crooks to guess, but mostly you'll just have a bunch of slightly-less-annoyed customers.

American Express log-in message when attempting to use a password that doesn't fit the company's requirements (15 April 2009)

Trusteer's Rapport Security Solution Now Available at UK's RBS and NatWest

By Jim Bruene on March 23, 2009 9:31 PM | Comments (0)

Last May, Trusteer launched an optional added security measure for customers of ING Direct in the United States (note 1, see previous post). Although it's not perfect, users of the Rapport service are less vulnerable to viruses and malware running on their PCs. We gave the new service an OBR Best of the Web award last fall in our Online Banking Report on Security Innovations.

Although ING Direct is a great reference account, being endorsed by Royal Bank of Scotland really puts Trusteer on the map. The security solution is offered for download at both Royal Bank's RBS and NatWest sites (see screenshots below). Anyone visiting the banking sites can download the software; you don't have to be an RBS/NatWest customer.

Trusteer also lists Huntington Bank as a customer but there is no mention of Rapport on the bank site yet. Other providers include Authentium's SafeCentral (note 2) and Check Point's ZoneAlarm (note 3). 

Bottom line: Security is an issue for many bank customers, now more so than ever. Extra security options deserve consideration to improve customer satisfaction/trust and help reduce fraud losses. 

Rapport download page at NatWest (link, 23 March 2009)

Rapport download page at RBS (link, 23 March 2009)

Notes:
1. Later ING Direct Canada and ING Direct's Sharebuilder added Rapport support.
2. Authentium demo'd SafeCentral at FinovateStartup 2008 (video here). A new version of SafeCentral is in the works. 
3. Check Point demo'd ZoneAlarm at Finovate 2008 (video here).

Will the Online Personal Finance Specialists Survive?

By Jim Bruene on March 5, 2009 7:19 PM | Comments (2)

I love personal financial management websites. Not so much for the reality, actually I hate tracking expenses, but for the promise. The illusion of having everything under control, never overdrafting, never missing a payment, and with perfectly-shaded multi-color pie charts just a click away (inset from Mint).

But I've always thought that once banks and credit unions added basic PFM functions to their online banking services (see note 1), it's game-over for most independent PFM sites. They would have to either license their platform to financial institutions, sell out, or close their doors.

Now I'm not so sure.

Mint did something recently that made me reconsider. It was really pretty simple when you think about it. Yet as far as I know, no bank, card issuer, or even credit union has ever taken this on. 

The Mountain View, CA-based startup scanned their members' credit card statements to identify bogus charges from a known scam. And the company plans to make the resulting fraud alert service a standard part of its offering.  

From American Banker (23 Jan 2009):

Mint Software Inc. is planning to roll out a tool that will automatically scan its 800,000 users' accounts for potentially bogus charges....Aaron Patzer, Mint's founder and chief executive, said the idea for the new product came after his company heard of a scam involving Adele Services of Melville, N.Y., a bogus merchant that was making 25-cent charges to millions of consumer accounts. The news was widely reported, and Mint decided to check its users' accounts to see if any had been affected; it found 800 that were.

Score 1 for the upstarts.

Bottom line: If the online PFM purveyors harness technology to take better care of banking customers than the banks themselves, especially with practical, money-saving ways such as Wesabe's Cutback Tool (below), the newcomers have a bright future indeed.

Note: For more info, see our Online Banking Report on Personal Finance Features for Online Banking.

Finovate 2008 CheckPoint

By Jim Bruene on October 14, 2008 6:43 AM | Comments (0)

The fourth presenter this morning is Jordy Berson, group product manager at Check Point Software Technologies.

Check Point is a new Finovate presenter and will demo its security solution for safer online banking.

Check Point is showing its ZoneAlarm ForceField, which, when installed on users' machines, warns them if they go to a phishing site; even more important, it keeps malicious programs from being accidentally downloaded during Web surfing. It uses a virtual sandbox to protect Web sessions even if users' machines already contain malicious software.

Online Banking Report Looks at New Security Technologies that Promise More Peace of Mind

By Jim Bruene on September 18, 2008 5:25 PM | Comments (0)

With bad news pouring down from all corners of the financial services world, it's a difficult time to be a bank marketer no matter what condition your financial institution is in (see note 1).

But besides sending reassuring emails to your customers, highlighting your strong balance sheet on your website (see inset), and for the few with blogs, dropping the occasional rosy post into the RSS or Twitter feed (note 2), what's a banker to do?

When fear is rampant, little things can make a difference. Your customers have long been nervous about banking online. Most aren't afraid enough not to use it, but lingering doubt remains.

Now might be a great time to follow the lead of ING Direct, Firstrade, and Muriel Siebert and introduce a software solution that provides extra security for online banking. While it won't make a Fannie Mae shareholder any happier, it's reassuring in these times that at least there are no crooks stealing your username and password.

Online Banking Report publishes Security 4.0 (note 3)
In the latest Online Banking Report, we look at two promising software solutions that allow even malware-infested users to connect safely to their bank. Both solutions earned OBR Best of the Web designations (note 4):

  • Rapport from Trusteer, now being distributed by ING Direct in the United States and Canada (previous post here)
  • SafeCentral from Authentium, being distributed by Firstrade and in testing at several major banks (Finovate Startup demo video here)

Online Banking Report: Security 4.0 Table of Contents (Sep 2008)

We also take a closer look at Bank of America's SafePass (previous post here), which is an easy way for customers to add an extra security layer to their login, although it won't prevent certain malware from hijacking the session. See the inset for the complete Table of Contents.

Online Banking Report subscribers may download it now here. Others may download the abstract here, or purchase it here. Cost is US$495.

Notes:
1. But be thankful if your financial institution is not in the headlines right now. I'm in the hometown of WaMu and the headlines this morning were not pretty.
2. Blog post from Verity CU on 16 Sept.; Twitter update from First Federal today
3. Our fourth full Online Banking Report on security/privacy; previous reports were #119, #93/94, and #48
4. OBR Best of the Web awards are given periodically to pioneering online banking features. It is not an endorsement of the company or product, just recognition for what we believe is an important development. Trusteer and Authentium were the 71st and 72nd recipients of the designation since we began awarding them in 1997.

Comments (0)

Snack-Sized Innovation: Safe Deposit Box Content Archives

By Jim Bruene on May 29, 2008 3:02 PM | Comments (5)

I heard from a new company last week that has created a service to help life insurance and bank-account holders notify beneficiaries periodically that they are named on the account. According to FindYourPolicy.com (see screenshot below), $1 billion in insurance policies go unclaimed each year due to unknown or lost beneficiaries. Although it sounds simple, tracking down beneficiaries can be a time-consuming and expensive process. Outsourcing some or all of that is an appealing idea.

However, as a consumer-direct service, I don't think FindYourPolicy.com will get a lot of traction. The list price of $29.95 plus $3.95 per month is a lot for twice-yearly postcards (see note 1) to your beneficiaries. But the company is likely more interested in setting a high retail "value" on the service so they can wholesale it to financial institutions for pennies on the dollar.

Using the same concept for safe deposit boxes
While the beneficiary notification is an idea deserving of a second look, I was more intrigued with another of its features, a safe deposit documentation and notification service. I just spent 30 minutes last Friday making a trip to the bank to look in my safe deposit box to see if my son's social security card was there (note 2). Of course, it wasn't. I could have saved the trip if I'd had good records on its contents. I'm sure I wrote it down somewhere, but it would likely take much longer than 30 minutes to find it.

Ideas to help memory-challenged customers like myself:

  • Simplest: It would be great if my bank had a simple email-like software app available near the safe-deposit area where I could list the contents of the box and then email the info to myself AND store a record of that communication within online banking so I could access it years from now when the email is long lost.
  • Harder: In addition to manually entering info, have a scanner available so that I can scan copies of the documents in the safe deposit box for a digital record.
  • Hardest: Extend the service to the home/office and allow me either to store items virtually, using my home/office scanner, or by uploading/emailing documents into the virtual safe-deposit box. This is the core idea behind vSafe from Wells Fargo.

However, as Tripp Johnson at Gonzobanker so eloquently laid out in this article, there are serious questions regarding overall demand for virtual safe-deposit services, not to mention pesky compliance issues that cannot be ignored.

FindYourPolicy.com homepage (29 May 2008; see note 3)


Note:

1. Why TWICE yearly? Once per year seems like plenty. Or how about one postcard and one email message each year? (Update 1 June: The reason for mailing 2x per year is that the U.S. Postal Service forwards mail only for six months, so with this frequency the company ensures it gets the forwarding address. See comment #2 from Michael Hartmann of FindYourPolicy.com.)

2. My bank is requiring a faxed copy of my 18-year-old son's social security card in order to add him to my account. I'm all for good authentication (who isn't?), but that seems extreme. More on that in a future post. 

3. Sometime during the past 10 days, FindYourPolicy.com added the "member of American Bankers Association" seal. It's a reasonable touch, but it only means they've paid at least $1,250 for a service membership to the ABA.

Comments (5)

ING Direct to Offer Desktop Security Plug-in from Trusteer

By Jim Bruene on May 27, 2008 5:02 PM | Comments (0)

While everyone wants better online banking security, the business case for most solutions is elusive. Even the simple step of adding a password in front of sensitive transactions can cost millions in customer service, enrollment procedures, employee training, and other soft costs.

So financial institutions, especially in the U.S., have taken a pragmatic approach to security, adding behind-the-scenes monitoring and making it difficult to transfer large amounts of cash out of the bank, rather than incur the expense of more robust login security. Banks have been especially reluctant to get involved in the security of the customer's desktop due to the potential tech support costs and liability issues.

That's what makes ING Direct's new solution especially novel. The large U.S. direct bank, which has pioneered several security procedures, including multi-factor login and PINpad data entry, will offer a downloadable 400k plugin that creates a "secure tunnel" from the user's computer to the bank (more analysis from Gartner's Avivah Litan here). 

According to the software provider, Israel-based Trusteer, even if the user's computer is infected with malware, the company's Rapport software defeats all attempts to view, capture, or take over the transaction. It also encrypts keyboard entry without impacting the speed of the interaction with the bank. If it works as billed, it could be a boon for online banking security. 

The optional plug-in is expected to be made available to the direct bank's 14 million customers worldwide, including 6.5 million in the U.S. The software is already in use by U.S. brokerage Muriel Siebert & Co., which mentions it in the What's New section of its homepage (see screenshot below; read more here).


Cost
The software is now available here. It is free of charge to communicate with ING Direct and three other websites. Users will likely have the option to purchase a premium version that communicates with a larger number of websites.

This so-called freemium business model should help minimize the cost of the software to the financial institution. But the bigger cost issue for the bank is the customer service expense. ING Direct, which has famously kept customer-service costs down by focusing on serving only profitable customers, likely will offload as much of the tech-support burden as possible to Trusteer. But there's no such thing as zero impact. So it will be interesting to see if they can make the ROI work across 6.5 million customers, many of whom haven't a clue about safe computing basics.

A competing system, Safe Central from Authentium, was showcased at our Finovate Startup conference in April. The full-length demo of the program will be available here within a few days.

Comments (0)

Wall Street Journal's Walt Mossberg Loves Mint, Hates Financial Email

By Jim Bruene on May 1, 2008 2:49 PM | Comments (1)

It was online banking week in Walt Mossberg's popular Wall Street Journal technology columns. Yesterday in The Mossberg Solution, authored by 20-something Katherine Boehret and edited by Mossberg, Mint's personal finance service received a half-page article so complimentary I had to look twice to make sure it wasn't an advertisement. Boehret couldn't find a single thing wrong with the service, although she did wish for bill payment capability so she could do all her banking with Mint. I'm sure she'll have her wish granted relatively soon.

In today's Personal Technology column entitled, How to Avoid Cons that Can Lead to Identity Theft, Mossberg himself dropped a bomb which will impact bank-marketing efforts for years to come. His first of seven tips for safe computing:

Never, ever click on a link embedded in an email (from your) financial institution....

That's harsh, but it's also understandable why he'd take that stand. Mossberg strives to make technology issues understandable to non-techie readers. However, it would have been better to add, "unless your bank adds account-specific personalization to the messages so you know for sure where they originated."

Action items
Many financial institutions, including Citibank and Bank of America, have long used personalization to distinguish legitimate messages from phishing attempts. Financial institutions with good personalized messaging should consider a public outreach program to counter the negative perception from the Mossberg column. It also might be a good time to remind front-line employees how to respond to customer concerns about phishing emails.

For more information, see our Online Banking Report on Marketing Security

Comments (1)

U.S. Bank Uses Login Splashscreen for Security Warning

By Jim Bruene on December 4, 2007 11:04 AM | Comments (2)

The best way to get the attention of your online banking customers is by dropping a landing page in front of them right after they login. It's a bit annoying, but if used judiciously it can be extremely effective. PayPal has been using this technique for most of the eight years I've had an account there.

U.S. Bank is fairly new to this technique, using it just a few times a year for service-related messages. The latest, a 100-word message that reads like it was crafted by the legal department, was posted on Nov. 29 and warned customers about fake emails (screenshot below). 

It's a good idea to remind customers about your email policies to help them avoid scams. However, U.S. Bank only warns against low-tech fakes asking for account info or PINs. Few consumers would fall for that any more. The bank fails to address the more common, and far more effective, approach of sending users to a fake website via a disguised link. The bank should explain what a genuine U.S. Bank email looks like and how to tell it apart from the fakes.

A few other ways to make this message more effective:

  • Link to an area on the website for more info on security
  • Provide an email address and/or phone number to call if there is a question about the validity of a bank message
  • Use a professional copywriter to craft a clearer and more concise message
  • Use a larger font
  • Use a heading or subheading that introduces the specific subject
  • Add a graphic to make the topic stand out, for example the security image from U.S. Bank's homepage (inset above)

Comments (2)

Taking the High Road in Credit Monitoring and Identity Fraud Protection

By Jim Bruene on September 26, 2007 6:16 PM | Comments (1)

I was looking at Geezeo's new Facebook app this morning (more on that later), and I noticed one of the best credit report monitoring ads I'd ever seen. 

Instead of focusing on the negative aspects of your credit history, the banner ad features "testimonials" of the significant savings available with good credit (the banner above claims a $310 savings in her house payment). The stories are provided under the header, "Credit Diagnosis." And I was initially impressed after clicking through the ad to find a good landing page with more of the same.

However, the mostly anonymous company behind the banner, FreeCreditReportsInstantly.com, uses a $1, 7-day trial come-on for its $29.95/mo credit report monitoring service. I have no problem with the company charging what the market will bear. And to its credit, FreeCreditReportsInstantly (FCRI) does disclose the go-to fee on the first page of the application. But I think the typical young Facebook user is not going to be happy seeing $29.95 monthly fees on the credit or debit card.

Why would anyone pay $360/yr for credit monitoring?
The Internet was supposed to make it hard for companies to charge 2x to 3x the going rate when dozens of competitors were just a few clicks away. But here we have a company doing just that and evidently bringing in enough revenue to afford a Facebook ad buy, not to mention holding down the number 3 ad slot on Google searches for "free credit reports" (note 1).

The answer is complex. It has to do with consumer confusion over the whole business of credit scores, ID theft, and the government-mandated free reports, which is what most Googlers are looking for when they type "free credit report." And consumers must share part of the blame too. In a rush to get "something for nothing" they blindly fill out "free trial" forms without reading the fine print or taking time to investigate alternatives.

Taking the high road
But the dizzying array of credit monitoring options provides an opportunity for banks and credit unions to do the public a great service, and turn a nice profit, by educating their customers and offering value-priced alternatives: 

  1. Credit scores/monitoring: Instead of pushing credit monitoring services that are too confusing and too expensive for the mass market, provide customers with their credit score each month, and if it takes a dive, alert the customer and provide the tools to access their credit report to investigate any potential problems (see our post yesterday and note 2).
  2. Identity fraud support: Citibank's Identity Theft Solutions advertising blitz was a nice humorous break from most bank advertising. However, I think it did a disservice by making full-blown identity fraud seem more commonplace than it really is. Consumers needn't be frightened, they need to be careful, they need to understand what to look for, and they need to know where to turn in the event of suspected fraud.

And since most banks and credit unions don't have the resources to provide full-service fraud assistance, turnkey solutions providers have stepped up to fill the need. We are lucky to feature one such company at our Finovate conference next Tuesday in NYC.

Full-service education and victim response from Identity Theft 911
Five years ago, I met the entire Identity Theft 911 team when they were in Seattle making sales calls. It was refreshing to see someone in the identity fraud space taking a genuine interest in helping the end-user out of a jam, rather than simply trying to get them on the hook for a $150+/yr monitoring service. And over the years, I've kept in touch with the company chairman, Adam Levin, as he's worked the trade shows to garner support for Identity Theft 911 and his other company, Credit.com. Adam will take the stage Tuesday morning in NYC to demonstrate the full range of his company's resources to help banks and credit unions make their customers feel MORE secure, rather than more afraid (see screenshot below of AFL-CIO Employees Federal Credit Union's Identity Theft 911-powered services, link here).

Note:
1. Search performed from Seattle IP address mid-morning on 26 Sep 2007.

2. For more information on credit monitoring, see the latest Online Banking Report here.

Comments (1)

Anatomy of a Webpage: Citibank Business Credit Card

By Jim Bruene on September 24, 2007 4:59 PM | Comments (0)

In terms of website design, I find most Citibank pages to be somewhat busy. But overall, the pages usually work well due to the eye-catching graphics, appropriate use of colors, and good copywriting.

I've had a Citibank Business AAdvantage credit card for at least a decade. Even though I don't visit the site often, maybe once every few months, I find that it's generally easy to find what I'm looking for. 

As you can see in the business card example below, the bank uses purple and green "buttons" to catch your eye, then inserts important key words within them to drive action:

  1. The purple, "Fraud is not your fault" reinforces that customers are not liable for unauthorized transactions, something most people are still concerned about, even though their liability is minimal. The button leads to a page that discusses advanced fraud fighting tools such as virtual account numbers and a picture card.
  2. The navy, "How much have I spent lately?" allows users to quickly drill down into a key area of concern for most card users. Although not as powerful as Wells Fargo's My Spending Report (previous coverage here), it's still a good starting point for many users.
  3. Finally, the bright green, "Help prevent an identity crisis" pitches the bank's credit monitoring solutions (note 1).

Citibank Business Credit Card main account overview page (22 Sep 2007)

Note:

1. For more information on bank and credit union opportunities selling credit report monitoring see our most recent Online Banking Report.

Comments (0)

Bank of America Launches SafePass, but You'd Never Know From its Website

By Jim Bruene on September 12, 2007 10:30 AM | Comments (6)

If you were in the office yesterday, you probably heard about Bank of America's announcement of SafePass, an optional out-of-band authorization technique for high-risk online banking transactions. It was all over the news, including the trades, blogs, and a few mainstream press articles. Here's the press release.

The system, common in many countries but available only at Citibank in the United States (previous coverage here), sends users a 6-digit code via text message. The code is then entered at BofA's website to authorize larger transfers, new bill-pay merchants, new accounts for funds transfer, or a login from a new computer not previously "registered" for online banking. VeriSign developed the technology.

The service will roll out across the BofA empire this year, with many customers having it as soon as next week. Next year, a wallet-card token "SafePass card" will be offered for customers who don't have text-messaging capabilities on their phones.

Analysis
SafePass is a solid enhancement to security, at least perceived security, since it probably won't do much to cut down on actual fraud losses. It's already pretty difficult to get through BofA's security gates and pull money out of someone's online account. The bank did the right thing in making it optional. Only the paranoiacs, road warriors, or those with unusually high transaction amounts will want to undergo the extra steps.

So while it may be ho-hum in terms of fraud reductions, SafePass is brilliant marketing (note 1). It's a tangible and easily understood copy-point as to why one should choose BofA over the other 15,000 U.S. financial institutions. Think of the bragging rights they now have (all firsts are U.S. only):

  • First to integrate mobile messaging into the authentication process
  • First to offer optional extra security
  • First to safeguard the process of adding a new bill payment payee
  • Potentially first to offer choice of token or mobile text message for out-of-channel authorization
  • Only bank able to put "SafePass" on their website, a very good name
  • Able to say, "no one has more security options than us"
  • Able to say they are a "pioneer in security enhancements"
  • Able to say they "put the customer in charge of their own extra security"
  • And so on ...

Congratulations to Bank of America for once again raising the bar in online security.

Rant
While I like what the bank has done, once again I find it astonishing that even 48 hours after releasing the news in a press release here, THERE IS NOTHING ON THE BofA WEBSITE ABOUT IT. A site search for "SafePass," whether pretending to be from North Carolina, New York, or California, yields just a single obscure business insurance product. Bank of America's search doesn't even return the press release announcing the service!

SafePass is also not mentioned in the bank's security, online banking, or mobile banking sections. I've worked in a Fortune 50 company, so I understand all too well how hard it is to sync advertising, PR, sales, and so on at a huge company. But with 22 million active online banking users, you'd think BofA would be a leader in syncing its website to its marketing plan.

Am I being overly critical? It's certainly worth writing about.

Note:

1. For more information on the synergy between security and marketing efforts, see our full report on the subject at Online Banking Report.

Comments (6)

LifeLock's Engaging 2-Minute Television Spot

By Jim Bruene on August 28, 2007 2:50 PM | Comments (6)

Today, I was home for lunch and my son was watching a recorded episode of Myth Busters, a great show as anyone with a pre-teen child knows. As he was fast-forwarding through the commercials, I happened to see a glimpse of a LifeLock spot (see inset).

My son knows I like the commercials better than the shows, so he graciously replayed the entire thing for me. It seemed to go on forever, he said, "like a sponsored program of its own." Which from him is actually a compliment, I think. I checked out the replay online and saw that it was a 2-minute spot (note 1).

It features street scenes of New York (I think). It plays like news coverage as the big "billboard trucks" drive through town plastered with CEO Todd Davis's social security number in red, 3-foot high numbers. Interspersed are man-on-the-street soundbites from astonished pedestrians and a great testimonial from a LifeLock customer who credits the company with saving him from having someone buy an $83,000 RV in his name. It also has Mr. Davis pitching the product through a bullhorn on a crowded Manhattan street.

It's a real in-your-face commercial, but I really liked it. It does a great job of grabbing attention, reinforcing the benefits, and providing a can't-miss call-to-action. It's a good complement to the over-the-top print ads featuring the CEO's social-security-number (see previous coverage here and note 2).

LifeLock uses two different URLs in the commercial, the normal <lifelock.com> and <lifelocktv.com>. Both point to the same page now, but the company must be considering a distinct landing page for the TV URL.

The video is available in the lower-left corner of the company's homepage (below). For more information on the market for credit report and identity theft services, see our most recent Online Banking Report here.

LifeLock 2-min television spot

Note:

1. The commercial doesn't appear to be on YouTube yet, so I was unable to post the actual spot here.

2. A half-page version of LifeLock's social-security-number ad was in a recent WSJ.

Comments (6)

Password Reset Alert from American Express

By Jim Bruene on August 25, 2007 9:17 AM | Comments (0)

I received an email from American Express late last night after resetting my password earlier in the day (see screenshot below). I can never remember my AmEx password, because I can't use my usual one due to the company's surprisingly short field of just 8 characters that also doesn't support special characters. I have it written down somewhere, but I can never find that either.

I went online late Friday afternoon to pay my overdue bill at AmericanExpress.com. I was pretty sure it was one of three possibilities, but after two unsuccessful attempts, and with the website warning me the third attempt would cause a lockout (note 1), I decided to go through the online reset process instead.

That was easy. I just needed the card number, the code on the front of the card, and the answer to a security question. At that point, AmEx displayed my username and let me reset the password. It's one of the easier reset processes I've tested. That's a benefit to customers and helps cut customer service costs for AmEx.

But the thing I liked most was the email message sent later that night informing me of the password reset (screenshot below). But I don't understand why it was sent more than six hours later. Why not send it right away? That would be way more impressive to customers, and would help reduce any potential fraud or privacy violations. Better yet, send a text message right to the customer's mobile, so they have real-time knowledge of the account changes.

Email Critique
Personalization: The company uses two pieces of personalization, cardmember name and the last five digits of the account number, to differentiate this message from the average phish. Excellent.

Subject line: Your American Express Forgotten User ID is good and right to the point

From: "American Express" using an American Express email address. Good.

Headline: Verify Your Account Transaction is a little confusing. All I did was reset my password. I'm not sure the average person views that as a "transaction."

Copy: The copy is short and to the point, but it could use a little editing for clarity. The third sentence, "If you did contact us...." seems unnecessary. And "If you did not complete the retrieval...." is not very user friendly language.

Design & Layout: Excellent.

Overall Grade: A- for the message, B- for timeliness

Note:

1. We recommend allowing more than three attempts before lockout. It's pretty easy to forget a digit or make a typing mistake. See our Online Banking Report on Security (#119) for more information.

Comments (0)

LifeLock Buys Full Page in Wall Street Journal

By Jim Bruene on July 26, 2007 8:12 AM | Comments (1)

Want a shock? Open today's Wall Street Journal to p. D3 (West Coast edition).

You'll see a full-page, black-and-white ad featuring LifeLock CEO Todd Davis's social security number in a massive reverse-type, page-dominating format. There is also a 1/4 scale photo of a smiling Davis holding his social security card out to the camera. The ad offers a 30-day free trial using the WALL10 promo code, before reverting to the normal $10/mo price.

The WSJ spread will be less of a surprise if you've seen LifeLock's television spots or website recently, where the same technique has been used for some time (see screenshot below).

Although the ad may partly be for PR in the investment community, the relatively large spend demonstrates just how lucrative, and appealing, financial security services can be. We'll look at LifeLock and the whole identity theft/credit monitoring space in our upcoming Online Banking Report, due out in about 10 days.

Comments (1)

Are New Online Personal Finance Sites Safe?

By Jim Bruene on July 20, 2007 3:18 PM | Comments (3)

A commenter yesterday asked if anyone had heard of BudgetPulse, an online personal finance site that opened its public beta site two weeks ago.

Well, we hadn't heard of it, but in this increasingly crowded space, that's no surprise. We are now tracking more than 20 online personal finance sites (previous coverage here). With low-cost server space, easier programming tools, APIs, and cheap viral marketing through blogs and social networks, the barriers to entry are a fraction of what they were just a few years ago. A good programmer could put together a simple financial tracker in their spare time.

While this will spur creativity and innovation, ultimately benefiting end-users, there is a downside. Security and privacy.

As we looked at BudgetPulse, which at first glance looks like several other Web 2.0-inspired finance sites, we couldn't help but wonder who was behind the site. There are no names, personal or company. Even the whois info for the domain is masked (domain registered in April). The only email address is disguised in spam-defeating format: "info (at) budgetpulse.com". Right now, the public portion is a two-page website with a few popup forms. The FAQs are empty. The forum is coming soon. There is a blog, but it only has three short posts. And there are misspellings in the website and blog copy. The website's entire security discussion is a single sentence:

We protect your account and data with advanced security methods.

More than likely this is simply the work of one individual who concentrated on coding the functionality first, and whose day job prevents him/her from spellchecking their HTML. But what if it's a scam? Convince a few people to use it to track their finances, then hit them with requests for their credit card numbers "to enhance the experience" or for their checking account number for payments, e.g., "Join our beta test and earn $500/mo as you test it."

I admit that could be far-fetched, and I have absolutely zero knowledge of that happening at BudgetPulse or any other site. But it does bring up the bigger issue of consumer trust at independent, non-regulated personal finance sites (i.e., non-financial institutions). Even the well-funded personal finance sites such as Wesabe and Mint must deal with the mistrust and skepticism consumers have for new companies wanting to get involved in their lives, especially their finances.

The solution: Financial institutions, with their trusted brands, partnering with or acquiring online personal finance sites to bring new functions and features to their customers.

Comments (3)

Intersections Identity Guard Offering Six Months of Free Credit Report Monitoring

By Jim Bruene on July 11, 2007 1:37 PM | Comments (0)

Intersections, with 4.7 million subscribers (as of March 30, 2007), is a leader in the U.S. credit monitoring business. Its private-label programs are offered by Bank of America, Capital One, Discover, Citibank and many more leading financial institutions. I have personally used the Intersections service for nearly a decade through its distribution agreement with American Express, a partnership which ended last year.

Last year, Intersections redesigned its core consumer-direct website, Identity Guard, to feature four levels of protection (see screenshot below):

  1. Good Start (single-bureau monitoring only): Free for six months, then $4.99/mo
  2. Watchful Eye (above plus Internet fraud database scanning and quarterly credit report and score): $7.99/mo or $69/yr
  3. Extra Caution (same as above, but expanded to all three credit bureaus plus $20,000 ID theft insurance): $12.99/mo or $119/yr
  4. Total Protection (above plus constant scanning of public record databases): $17.99/mo or $159/yr

Analysis
The free six months of service is a great way to get customers accustomed to using a daily monitoring service. However, the company does itself a disservice by completely ignoring the obvious customer question: What happens after six months? As far as I could tell there is no way to get an answer to that question without calling or emailing prior to starting the application (see note 1). That's unacceptable for any eCommerce application, but especially in credit monitoring, which has had its share of questionable marketing practices.

We'll look at the Identity Guard application process and products in detail in our upcoming new report, Online Banking Report: The Market for Fraud Protection, Identity Theft, and Credit Monitoring Services (available at the end of July here).

Identity Guard homepage showing four product choices

Note:

1. My first email about the potential fee has not been answered or confirmed 48 hours later. But my call to customer service this morning was answered promptly; I was speaking with someone about 50 seconds from dialing. He was a little unsure of the fee, saying "I believe it's $5.95/mo" and he "thought" that yes, you would be charged automatically to a card entered at signup. But overall, he did a decent job answering my question and surprisingly did not try to get me to sign up even though I was obviously hesitant.

Comments (0)

Hancock Bank Approaches Hurricane Season with Proactive Approach

By Jim Bruene on June 4, 2007 4:58 PM | Comments (0)

If you live in the U.S. hurricane zone, the memories of the summer of 2005 are still all too fresh. That's why it's great to see Gulfport, Mississippi-based Hancock Bank take a proactive approach to storm season with its "storm readiness" plan released in a June 1 press release (here).* 

While normally your disaster planning efforts rate no more than a deep link on your website, Gulf Coast residents need more prominent reassurances. Hancock does a great job reassuring customers in its press release covering these four areas of storm preparation:

  • Designated certain branches "lighthouse branches -- beacons to safety." These branches stay open as long as possible and re-open as soon as possible. Emergency procedures for employee communications, food, shelter, back-up power, and fuel are detailed.
  • Offsite backup for its website and online banking so there will be "virtually no downtime." 
  • Data center precautions, including safeguards at its main center, dubbed "the fortress," plus plans for emergency off-site backup.
  • ATM system procedures and priorities in the event of a prolonged emergency.

Analysis
Overall, this is a good press release and sound plan, especially the concept of "lighthouse branches" which play off the company's logo and branding. It should receive good play in the local media.

However, I couldn't find this info anywhere on the bank's website, other than the press release buried in Investor Relations. This time of year there should be a prominent link to the bank's plan on the homepage or at least in the personal banking section. If you were looking for a new bank in the Gulf area, this would help your decision.

And financial institutions should do even more by making online banking and electronic communications prominent in the disaster plan. Here are eight additional ideas. While some would require product development, they are relatively minor projects. Financial institution benefits are in italics.

  1. Create a "customer communication plan" that sends emails or text messages to customers to keep them informed of developments with branch, ATM, and online banking outages.
         Helps bump up online banking and email registrations.
  2. Remind customers how important it is to have up-to-date email addresses and cell phone numbers on file.
         Helps improve your delivery rate on marketing and service messages.
  3. Since customers may not have power, they may need to rely on mobile phones for information. And since waiting on hold uses up precious phone charge time, create a call-back plan for emergencies. Customers would call or text the bank requesting a call back on their mobile.
         Helps differentiate you from the competition.
  4. Create an "open branch & ATM" query. Customers could send a text message requesting a list (with address and phone number) of all open branches and ATMs.
         Again, differentiates you from the competition. And if ever needed, will help create lifetime customers.
  5. Let customers use designated branches to charge phones or laptops in the event of a widespread power outage.
         More differentiation and customer advocacy.
  6. Develop a blog that can be used to keep customers apprised of any changes to banking services. Several employees should be prepared to update the blog through mobile phones if power is out. And at least one person should have access to a satellite phone so they can remotely post updates to the blog (perhaps working with someone outside the disaster zone who can do the actual typing/posting).
         Another great relationship builder.
  7. The Web-based branch finder should include a search for "lighthouse branches."
         Expose your impressive disaster preparations to prospective new customers.
  8. Refer customers to disaster preparation website resources so they can put together household stockpiles and family communication plans.
         More customer advocacy, not to mention the "right" thing to do.


*Full disclosure: We have done some website evaluation work in the past for Hancock Bank.   

Comments (0)

Freakonomics Meets Identity Theft

By Jim Bruene on March 17, 2007 3:36 PM | Comments (1)

When I saw the blog postings this week that Freakonomics authors, Steven D. Levitt and Stephen J. Dubner, had penned an article on identity theft, I anxiously clicked into the Sunday NY Times Magazine to read the article (11 March 2007, link here). I had hoped that the popular statistical wizards had taken on the subject of why ID theft loss estimates vary by as much as 20-fold, from a couple billion to more than $50 billion (note 1).

Unfortunately, the article, Identity Crisis, shed no light on any of the statistical anomalies nor did it offer any help with definitions, even after using this lead sentence:

There are as many varieties of identity theft today as there are varieties of, say, mushrooms.

The lightly researched article relied on the usual Javelin and FTC numbers and reached the unsurprising conclusion that merchants are the ones that most care about credit card fraud. But the authors glossed over the fact that it's the online merchants who are burned most by card fraud, due to card-not-present chargeback rules (note 2). Real-world card swiping merchants are often made whole for fraud situations provided they followed the card association rules for checking the signature scrawled on the receipt against the 1/8 inch script scribbled on the back of the card (as if that stops much fraud).

The authors also failed to realize, or at least note, that the oft-cited Javelin finding that more than half of ID theft is from people you know, includes only the situations where the victim has knowledge of who perpetrated the fraud. In round numbers, here's what the pie looks like:

  • 50% of ID theft victims don't know who stole from them
  • 25% know who stole from them, but have no relationship with the crook
  • 25% know who stole from them, and the crook was family, friend or co-worker

I believe that it's a bit of a stretch to say that half of all identity theft is from related parties when it could be as little as 25% or as much as 75%.

Blog Comments on ID Theft
Unlike the old days when the only way to interact with an article was a letter to the editor, Levitt and Dubner maintain a blog (here) where readers can sound off on the issues. The blog entry, Who Cares About Identity Theft?, went up on March 9, two days before the full article appeared in the Sunday Times. I was surprised today (March 17) to find only 29 comments on the identity theft piece, especially since the blog has more than 55,000 readers and both the print and online NY Times' columns directed readers to the Freakonomics blog.

And no one seemed to care that the authors did little to further the debate on identity theft, chargebacks, or law enforcement priorities (note 3). In fact, it appeared that only a half-dozen of the commenters had even read the full article. So we have at least a partial answer to the "who cares" question, not the blog readers (note 4).


Notes:

1. During the past month, I've had conversations with extremely frustrated reporters from the Wall Street Journal and Wired Magazine, who were trying to figure out what the true costs of financial fraud in the U.S. really are. 

2. I have to admit being biased here. As an online-only merchant, I pay large credit card fees, around 3% that cover the supposed "high-risk" nature of online commerce, even though I have zero recourse if the charge is later disputed as fraudulent.

3. The article had conflicting anecdotal evidence on law enforcement efforts to stem financial fraud, saying the FBI usually needed at least $100,000 in losses to get involved. The article implied, but did not explicitly say, that lesser amounts are not pursued aggressively by local police departments. Although it cited an officer from the Los Angeles County Sheriff Department's ID Theft Task Force, which at least sounds like significant enforcement action.

4. It's not so much that consumers don't "care," but that they are no longer so interested in discussing it and/or they are less concerned now that many understand that they are well protected against financial loss.

Comments (1)

Beating Debit Card Fraud with Mobile Banking

By Jim Bruene on March 15, 2007 5:03 PM | Comments (0)

ClairMail schematic of actionable text message alert 

There is no doubt consumers love debit cards. Despite cloudier fraud protections, no free float, and the confusion of "signature vs. PIN," growth continues at a 20% annual clip, with total U.S. transactions surpassing credit 15 to 18 months ago (see numbers here).

But continued negative press coverage could slow the growth. For instance, today's lead article in the Wall Street Journal's Personal Journal section, How to Protect Your Plastic, focused on recent debit card skimming incidents. 

What can a financial institution do to counteract the negative press?

1. Educate customers on their limited liability

2. Provide clear and understandable zero-liability fraud protection guarantees

3. Provide tools for monitoring checking accounts, such as transaction and security alerts

But once you have those "best practices" in place, you can still boost usage, and differentiate your debit card and checking accounts by integrating actionable text-message alerts (see ClairMail example above). 

While the industry-standard email alerts are helpful, the phishing epidemic, spam filling up the in-box, and the time lag for reading and responding to bank emails make them less and less effective for time-sensitive communications such as fraud alerts.

Enter the mobile phone. Most banking customers now keep a mobile device within "three rings" of their person much of the day, and almost always when out of the house. Therefore, a real-time text message each and every time a debit card is used will go a long way towards making users comfortable that their card has not been compromised. And in the event there is a fraudulent transaction, a quick text message back to the issuer can lock the debit card down, avoiding any additional unauthorized transactions.
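The alert-and-reply flow described above, as an added example that is not ClairMail's or any issuer's code: each approved debit purchase produces a text carrying the amount, merchant and last four digits plus a single-use reply code, and a LOCK reply quoting that code from the enrolled phone number blocks every later authorization. The SMS gateway is replaced by an outbox list; the code format, its 30-minute validity and the card and phone values are constructed assumptions.

```python
"""Actionable debit-card text alert with a reply-to-lock command.

Added example for the text-message alert flow discussed above; not code from
ClairMail or any issuer. Gateway, reply-code format and validity window are
assumptions; card and phone numbers are constructed sample data.
"""
from dataclasses import dataclass
import secrets
import time


@dataclass
class Card:
    last4: str
    phone: str              # enrolled mobile number (constructed sample)
    status: str = "active"  # "active" or "locked"


@dataclass
class Alert:
    last4: str
    expires: float          # epoch seconds after which the reply code is dead


class Issuer:
    TOKEN_TTL = 30 * 60     # assumed: a reply code is honoured for 30 minutes

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be simulated
        self.cards = {}     # last4 -> Card
        self.pending = {}   # reply code -> Alert (single use)
        self.outbox = []    # (phone, text) handed to the SMS gateway

    def enroll(self, last4, phone):
        self.cards[last4] = Card(last4, phone)

    def authorize(self, last4, merchant, cents):
        """Approve a purchase and queue the alert. Returns the reply code,
        or None when the card is locked and the purchase is declined."""
        card = self.cards[last4]
        if card.status == "locked":
            return None
        code = secrets.token_hex(3).upper()          # short, unguessable, single use
        self.pending[code] = Alert(last4, self.clock() + self.TOKEN_TTL)
        # Only the last four digits go over SMS; a text is not a secure channel.
        amount = f"${cents // 100}.{cents % 100:02d}"
        self.outbox.append((card.phone,
            f"Debit ...{last4}: {amount} at {merchant[:24]}. "
            f"Not you? Reply LOCK {code}"))
        return code

    def inbound_sms(self, from_phone, text):
        """Handle a customer reply. Locking requires a live code sent to the
        enrolled number, so a text from any other number, or a replayed or
        stale code, changes nothing. Unlocking is deliberately not offered
        over SMS: a phone can be lost along with the card."""
        parts = text.strip().upper().split()
        if len(parts) != 2 or parts[0] != "LOCK":
            return "Unrecognized reply. Call the number on the back of your card."
        alert = self.pending.get(parts[1])
        if alert is None or self.clock() > alert.expires:
            return "That code is not valid or has expired. Call the number on your card."
        card = self.cards[alert.last4]
        if from_phone != card.phone:
            return "That code is not valid or has expired. Call the number on your card."
        del self.pending[parts[1]]
        card.status = "locked"
        return f"Card ending {card.last4} is locked. No further purchases will be approved."


def demo():
    """Walk the flow on constructed data: purchase, alert, spoofed reply,
    genuine LOCK reply, then a declined purchase."""
    now = [1_700_000_000.0]
    issuer = Issuer(clock=lambda: now[0])
    issuer.enroll("4321", "+15555550123")
    code = issuer.authorize("4321", "Yankee Stadium Concessions", 1250)
    alert_text = issuer.outbox[-1][1]
    spoof = issuer.inbound_sms("+15555559999", f"LOCK {code}")   # not the enrolled phone
    reply = issuer.inbound_sms("+15555550123", f"LOCK {code}")
    declined = issuer.authorize("4321", "Online Electronics", 49999)
    return alert_text, spoof, reply, declined
```

The reply code is what makes the message "actionable" rather than merely informational: a bare "LOCK" keyword from a number could be forged, but a fresh code that only the alerted handset has seen, bound to one card and one half-hour window, is enough for a lock (a fail-safe action) while still being far too weak for an unlock.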

This is about as win-win as you can get in banking. The user is happier with his debit card leading to increased loyalty and more debit transactions, boosting both short- and long-term revenues for the bank, credit union, or card issuer.

For more information see our latest Online Banking Report, Mobile Banking & Payments 2.0 (OBR 138/139).

Comments (0)

Chase Advertises Security Alerts in the NY Times

By Jim Bruene on March 14, 2007 6:30 PM | Comments (0)

Chase ad in New York Times featuring mobile security alerts

Once again (previous post here), Chase used a three-quarter page color ad in the front section of the New York Times (p. 17, National Edition) to showcase its alert services (see partial screenshot right). The ad shows a man relaxing in the stands at some type of sporting event, Yankee Stadium perhaps.

The camera looks over his shoulder, focusing in on the image displayed on his Treo smartphone, which says "SECURITY ALERT" in large white letters on a light-blue background.

You had to feel for this poor guy, jarred from his leisure time with an urgent missive from the bank. Within a few seconds, three things likely crossed his mind: 

1. What the (expletive deleted)? Pretty poor timing to be interrupted at a baseball game with a security alert from the bank (which, these days is 99.9% likely to be a false positive, or a phishing attempt, see number 2).

2. Is this even from Chase? How do I know it's not a new kind of mobile phishing attack (mishing?). Should I ignore it? Does my liability go up if I don't respond immediately?

3. Now what? Can I click the message and find out if this was just a notification that I'd used my debit card to buy beer at a Yankees game, something I'd never done before, or has someone just transferred my 401k to a numbered account in the Jersey Islands? Or will I have to excuse myself and make a voice call, spending the 6th and even part of the 7th inning, talking to a Chase CSR, who may not even have enough info to explain why I got the alert? 

Analysis 
The ad demonstrates the pitfalls of using a very negative attribute, security breaches, in marketing your brand. But despite the uncomfortable thoughts that come to mind, we think it's an effective ad because it grabs attention and positions Chase as caring for the financial security of its customers. However, given that Chase's actual alerts look nothing like this, it's a bit of a stretch. I suppose they're allowed a bit of creative license; it's advertising after all. 

We'll give it an A-

Comments (0)

US Bank's Over-Zealous Login Lockout

By Jim Bruene on March 8, 2007 11:52 AM | Comments (2)

Looking for the ultimate in frustration? Try this sometime. Go to all of your bank, brokerage and credit card accounts and enter the correct username, then make up passwords and hit enter until you are locked out of your account. 

For research on a previous report in our Online Banking Report (here), I locked myself out of more than a dozen accounts. That was almost four years ago, and I have no plans to do that again, ever. However, yesterday, through a bit of miscommunication with my wife (note 1), we found ourselves locked out of our account at US Bank.

Due to this inadvertent bit of research, I found out that US Bank has added a "lock-out alert" (one step forward) to its messaging services, but fails to tell users what is going on and how to resolve it (two steps backwards). Here's what the alert looks like (see notes 2 & 3):

US Bank lock-out email message

Recommendations:

  • The alert (above) needs to tell users EXACTLY what to do next. US Bank correctly tells the 1% of users what to do if the failed login was not initiated by them (call the bank), but the bank fails to explain to the other 99%, who simply forgot their password, what they should do.
  • The screen displayed after lockout (see below) also must tell users EXACTLY what to do. US Bank's message to frustrated users: "Internet Banking is unable to verify the information you've entered. Please confirm your Personal ID and password." At the very least the bank should empathize with the user and explain the possible causes of the problem and link them to the password reset screen.  
  • Don't lock out users after only three or four attempts: US Bank locked my wife out after 3 or 4 tries, more stringent than the six allowed in our test four years ago. That is just too few. Most users who make a mistake (attempt 1) will retype the exact same info (attempt 2), then try once more paying very close attention to their typing (attempt 3), before trying a different password (attempt 4). So at minimum you must allow four tries. Even better is 5 or 6 or up to ten. The cost in customer service for locking out at 3 or 4 attempts is far more than any fraud that will be prevented with such strict measures.
  • Help users remember they created a new password: In our case, if the on-screen error message had said, "You recently changed your password, are you using the new one?", the whole episode could have been avoided. Instead, US Bank gives no information to its customers (see screenshot below). It doesn't even explicitly tell them they entered the wrong username/password. It just drops them onto this blank page that has a vague message about logging in.
  • Warn users before lockout: Tell users they are about to be locked out, with a warning, "One more incorrect attempt will lock you out of your account. If you've forgotten your username or password, click here." 
  • Let users back in after lockout: The last time we tested, US Bank allowed users to log back in 24 hours after lockout if they remembered their username and password (note 4). That's a good policy, but why 24 hours? Why not 12 hours, or 3 hours, or 1? If you have the correct username and password, why should you not be allowed back into your account after a relatively short period of time?

Enough with the rant. I know these policies are in place to discourage unauthorized entry. But you also shouldn't run up your customer service costs, not to mention irritating customers, with arbitrary lockout parameters.
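As an added illustration of the recommendations above (not US Bank's code or any vendor's), here is a login-attempt counter that gives honest users several retries, warns on the final attempt before lockout, reminds them of a recent password change, and lets them back in after a short window instead of 24 hours. The threshold, window and password-change hint period are assumed values, and the password comparison is a plaintext stand-in for the salted-hash check a real system would do.

```python
"""Login lockout with a pre-lockout warning and a short auto-unlock window.

Added example for the lockout recommendations above; not US Bank's code or
any vendor's. Thresholds are assumed values; the password check is a
plaintext stand-in (production compares salted hashes).
"""
from dataclasses import dataclass
import hmac
import time


@dataclass
class LockoutPolicy:
    max_attempts: int = 6                    # room to retype, retry, then try another password
    lockout_seconds: int = 3600              # let the user back in after an hour, not 24
    warn_before: int = 1                     # warn when this many attempts remain
    recent_change_seconds: int = 14 * 86400  # hint if the password changed in the last two weeks


@dataclass
class AccountState:
    password: str                  # constructed sample value
    password_changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0      # 0 means not locked


@dataclass
class LoginResult:
    ok: bool
    locked: bool
    remaining: int
    message: str


class LoginService:
    def __init__(self, policy, accounts, clock=time.time):
        self.policy = policy
        self.accounts = accounts   # username -> AccountState
        self.clock = clock         # injectable so the lockout window can be simulated

    def attempt(self, username, password):
        p, now = self.policy, self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Same wording as a wrong password; a real system would also count
            # these (per username or source) so the reply reveals nothing.
            return LoginResult(False, False, 0, "Incorrect username or password.")
        if acct.locked_until:
            if now < acct.locked_until:
                mins = int((acct.locked_until - now + 59) // 60)
                return LoginResult(False, True, 0,
                    f"Your account is locked. Try again in {mins} minutes, "
                    "or reset your password now.")
            acct.locked_until, acct.failures = 0.0, 0   # window elapsed: fresh start
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0
            return LoginResult(True, False, p.max_attempts, "Welcome back.")
        acct.failures += 1
        remaining = p.max_attempts - acct.failures
        hint = ""
        if now - acct.password_changed_at < p.recent_change_seconds:
            hint = " You recently changed your password; are you using the new one?"
        if remaining <= 0:
            acct.locked_until = now + p.lockout_seconds
            return LoginResult(False, True, 0,
                "Too many incorrect attempts; your account is locked for "
                f"{p.lockout_seconds // 60} minutes. Forgot your password? Reset it here.")
        if remaining <= p.warn_before:
            return LoginResult(False, False, remaining,
                "Incorrect username or password. One more incorrect attempt will "
                "lock you out. If you've forgotten your password, reset it here." + hint)
        return LoginResult(False, False, remaining,
            f"Incorrect username or password. {remaining} attempts remaining." + hint)


class FakeClock:
    """Simulated time so the example runs without waiting an hour."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def simulate_forgotten_new_password():
    """The page's scenario: the password changed a week ago and the old one
    keeps being typed. Returns (failure results, locked result, unlock result)."""
    clock, policy = FakeClock(), LockoutPolicy()
    accounts = {"jim": AccountState("new-pass", password_changed_at=clock.now - 7 * 86400)}
    svc = LoginService(policy, accounts, clock)
    failures = [svc.attempt("jim", "old-pass") for _ in range(policy.max_attempts)]
    still_locked = svc.attempt("jim", "new-pass")   # right password, inside the window
    clock.now += policy.lockout_seconds
    back_in = svc.attempt("jim", "new-pass")        # window elapsed, no call needed
    return failures, still_locked, back_in
```

Two design points worth noting: the failure message says "username or password" and the unknown-user path returns the same text, so the extra guidance does not turn the login form into a username oracle; and the auto-unlock simply clears the counter once the window passes, so a customer who finally remembers the right password gets in without a call to customer service.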

US Bank's screen after an unsuccessful login attempt gives almost zero info


Notes:

1. Anyone with a joint checking account can probably recognize that "a bit of a miscommunication," is a euphemism for, "I forgot to tell her I changed the password."

2. An alert is generated for each failed attempt. We received three identical messages. The email address has been erased from the screenshot.

3. Note the email is generated from the URL, cs.usbank-email.com, which cannot be verified through direct navigation (it results in an error message). That's phishy looking. Emails should carry the normal, user-recognizable URL, in this case, usbank.com. If that's not practical, at least post a page at the email URL verifying that the URL is genuine.

4. It's been about 16 hours since lockout, and we still cannot get back into the account.

Comments (2)

Is There Anything Left to Phish? Fake Wells Fargo Credit Card Authorization Notification

By Jim Bruene on March 6, 2007 3:34 PM | Comments (0)

I hate phishing. Not only has it cost the world's financial institutions tens of millions in fraud losses, it's just about killed the email channel in terms of getting your customer's attention in a timely fashion, and it's diverted management's attention from much-needed online marketing improvements. That's much worse than the actual fraud losses. 

Like most people with widely published email addresses, I get a half-dozen phishing messages every day (note 1). I rarely give them a second look unless they purport to be from my bank. Almost all of them are placed in the junk folder by Outlook, one of the nicer services of Microsoft Office.

Phishers have to be much more creative these days. The time has passed when a few paragraphs of broken English and the bank's logo could net the fraudsters a few extra coins. Now I get fake emails asking me to verify my security settings, authorize account changes, or claim a sweepstakes prize.

Wells Fargo credit card authorization phish

For example, today I received a fake credit card authorization request from Wells Fargo (see inset). I'm not sure why it prompted a blog entry. Maybe because I use a Wells card or maybe because I've been talking to mobile banking execs about this very subject. But the fake was good enough to force me to take a closer look. The biggest clue is the wrong format for the USD charge, using a "comma" instead of a decimal point between the dollars and cents. But otherwise it's pretty good, and may even net a few card numbers before it's taken down.

Analysis
I am optimistic that email can still be effective if financial institutions clearly personalize their messages (see samples here and here). However, gaining customer trust back, especially for security-related messages, is a long-term project. That's why we are telling financial institutions to invest in RSS/XML feeds (Online Banking Report #135/136) and/or mobile banking (Online Banking Report #138/139) in order to reach their customers in a way that is less prone to fraud, at least for now.

Notes:

1. A great online repository of phishing examples is housed at MillerSmiles.co.uk

2. There's a whole book on phishing, click on cover above to go to Amazon's description of the title.

Comments (0)

Wachovia is Developing User-Managed Security Controls

By Jim Bruene on January 10, 2007 4:00 PM | Comments (0)

In an American Banker article today (here), Wachovia says it is developing security controls that will put users in charge of some of their own security settings such as the size of a funds transfer allowed. According to John Watkins, Wachovia's Director of Online Services, the new capabilities will be available "sometime this year."

This is not a new concept. The first full-service online-only bank in the world, Security First Network Bank, offered user-set bill payment limits more than ten years ago. Other international banks, such as ABSA Bank in South Africa, have long allowed users some control over security matters.

However, in the United States user-controlled security has been slow to catch on, other than via triggered email alerts, which remain the first line of defense. For several months, Bank of America has been reminding online banking users that alerts can help them prevent fraud in their accounts. 

While it's too early to speculate on what Wachovia will or won't do, the concept is a good one, and will eventually be used to some extent by all financial institutions. It's a win-win, providing users a better sense of control while reducing actual fraud losses within the bank.  

For more information:

See Online Banking Report #119, "Marketing Security" for more ideas on how to turn security concerns into a marketing advantage.

Comments (0)

Texans Credit Union Offers Free Identity Theft Insurance

By Jim Bruene on November 21, 2006 1:29 PM | Comments (1)

Texans Credit Union <texanscu.org> has added complimentary ID theft insurance and help services to their checking accounts. The new service is promoted through a somewhat confusing "Upgrade Now" call-to-action near the bottom and a large graphic (which rotates with two other spots) in the middle section of its gorgeous homepage (see screenshot below; notice how they use drop shadows to highlight the page).

Texans CU home page

Analysis
It's an OK perk, but doesn't do anything to help members prevent ID theft. To do that, members need credit report monitoring, which is available for $70 to $140 per year from the credit union's co-branded program with Identity Fraud Inc. (see screenshot below; read the full terms and conditions here).

However, it's not clear on subsequent pages whether members must take action to get the free service and which options they should choose to upgrade to credit report monitoring. We'd like it better if the credit union were more upfront about what is and is not included, and what the member must do.   

Comments (1)

Verity Credit Union Website Hacked

By Jim Bruene on November 11, 2006 3:15 PM | Comments (0)

Update (Nov. 12, 10 AM PST): Twenty-two hours later, the Verity website has been taken offline, but the blog is still running. However, there are no new posts since the original, although Verity's Shari Storm has responded to several member comments. From information in the comments, it sounds like Verity's log-in page was redirected for up to four hours on Saturday morning beginning about 6:00 AM. At least one member said they answered "screening questions" including mother's maiden name.

Seattle-based Verity Credit Union is in the midst of a major website spoof that began earlier today. The credit union is reporting that the log-in function to online banking, located on its homepage (upper-right below), has been redirected by a hacker.

Apparently, only the log-in function was hijacked. The credit union has control of its homepage and plastered a large warning over the front. The link after the warning, "more information," linked to the Verity blog for updates (see below).

Verity CU home page with warning

It appears the log-in process is back under the credit union's control, although the warning is still there. When attempting to log in at 3:15 PM with a test name (I do not have a Verity account), I was redirected to an error message at <https://secure-veritycu.com/Common/SignOn/SignOnError.asp>, which appears to be a legitimate Verity secure page. There was no follow-up question asking for my credit card number as mentioned in the blog post (see below).

The incident was first posted to their blog at 12:02 PM today (see post below).

Blog post on the hack

The silver lining
As bad as this is, Verity should be applauded for the rapid response, using both its website and blog to get the word out. Presumably, they also emailed customers, but those messages may or may not be believed in this day of rampant phishing.

You can follow the ongoing drama at the Verity blog, where customers have been redirected for the latest news. We'll keep you posted.

Comments (0)

PayPal Email: Simple Steps to Protect Against Fraud and ID Theft

By Jim Bruene on November 1, 2006 3:30 PM | Comments (1)

Despite calls for banks to stop marketing via email (see here) to help reduce fraud, PayPal, probably the most phished brand in the world, shows that the technique can still be effective. 

It requires a professional layout, good personalization, and behind-the-scenes fraud monitoring to nip phishing attempts in the bud.

Here's the latest from PayPal. Note the 30-second credit card button (bottom left) and personalized greeting at the top of the message.

PayPal email

Classification

Type: Marketing email with educational focus

Product: Payments with credit card cross-sell

Customer Type: Active customer

Personalization: Hello <yourname> at top of message

Header

Date received: Wed 11/1/2006 9:38 AM
From: PayPal [paypal@email.paypal.com]
To: Jim Bruene
Subject: Simple Steps to Protect Against Fraud and ID Theft

Comments (1)

FFIEC Multi-Factor Scorecard: 30 Banks and Credit Unions Disclose Security Solutions

By Jim Bruene on October 26, 2006 10:28 AM | Comments (0)

There seems to be a new announcement every day about a bank or credit union intent on installing this or that security solution to comply with the FFIEC's year-end guidelines (see previous coverage here).

However, if you drill down through the press releases, usually initiated by vendors, details are sketchy. In fact, according to the Glenbrook Partners in-house security wizard, Linda Elliot, only 26 U.S. financial institutions have disclosed specific security solutions from a total of 13 vendors. Her most recent scorecard, as published in the consulting company's Payments News, is here.

We added another three credit unions to bring the total to 29:

Banks (22)

  • American Bank (RSA)
  • AMSouth Bank (vendor not disclosed)
  • Associated Bancorp (Corillian)
  • Bank of America (RSA/Passmark) our post
  • Barclay’s (RSA)
  • Citibank (Consumer: Entrust; Business: VASCO DigiPass)
  • E*Trade (RSA SecurID)
  • Farmer's and Merchant's Bank of Long Beach (RSA/Passmark)
  • Frost Bank (RSA/Passmark)
  • ING Direct (RSA)
  • M&T Bank (Corillian, Cydelity)
  • Nevada State Bank (RSA/Passmark)
  • North Fork Bank / All Points Capital (Arcot)
  • Northern Trust (Verisign)
  • Silicon Valley Bank (Bharosa)
  • Stonebridge Bank (RSA)
  • The Bankers Bank (Digital Persona)
  • United Bankers' Bank (Digital Persona)
  • U.S. Bank (Entrust)
  • Washington Mutual (RSA)
  • Wells Fargo (Bharosa, Quova, Actimize, RSA SecureID, Symantec)
  • Zions Bank (RSA/Passmark) our post

Credit Unions (7)

  • Automotive Federal Credit Union (BioPassword)
  • North Island Credit Union (RSA/Passmark) our post
  • Schools Financial Credit Union (RSA/Passmark) our post
  • Desert Schools FCU (Bharosa)
  • FORUM Credit Union (BioPassword)
  • Parda Federal Credit Union (BioPassword)
  • Stanford Federal Credit Union (RSA/Passmark) our post
Comments (0)
Categories: Security & Privacy

FFIEC Releases FAQ on Enhanced Security Requirements

By Jim Bruene on August 15, 2006 11:42 AM | Comments (0)

Today, the Federal Financial Institutions Examination Council (FFIEC) issued a 7-page list of questions and answers about its October 12, 2005, bestseller, Authentication in an Internet Banking Environment.

The main thing you need to know about the new document is what it does NOT say, that the year-end deadline has been extended (see Timing, Q1, p. 4, reprinted below). However, the answer does appear to provide a bit of wiggle room, saying that banks must "implement risk mitigation activities by year-end 2006." I'm sure many creative interpretations of the precise meaning of that phrase will surface.

Q-1- What do the Agencies expect institutions to have accomplished by year-end 2006?
A-1- The Agencies expect that institutions will complete the risk assessment and will implement risk-mitigation activities by year-end 2006. The Agencies are not considering any general extension of the timing associated with this guidance.

Good luck to all.

--JB

Comments (0)
Categories: Security & Privacy

TreasuryDirect adds Virtual Keyboard

By Jim Bruene on August 11, 2006 12:45 PM | Comments (0)

A number of banks, including ING Direct <ingdirect.com> and ABSA <absa.co.za> have added virtual keypads to defeat keyloggers, but the U.S. Treasury Department's Treasury Direct <treasurydirect.org> website is the first time we've seen an entire virtual keyboard. The layout is scrambled after each login, an extremely non-user-friendly feature.

The Treasury may have added a bit more security than is necessary, especially in light of Aite Group's <aitegroup.com> latest research that online banking fraud in the United States was a scant $4 million last year (correct, that is no typo, it's MILLION as in 4 cents per U.S. household). The virtual keyboard itself would defeat most hacks; there's no need to scramble it every time.

TreasuryDirect virtual keyboard screenshot

Thanks to MyMoneyBlog for the tip. Interestingly, most of the 16 comments on the new security feature were negative because of the extra hassle.

Comments (0)

The Wall Street Journal Profiles Identity Theft Protection Services

By Jim Bruene on August 1, 2006 9:23 AM | Comments (0)

Today's Wall Street Journal ran a run-down of identity theft startups. Companies mentioned:

  • LifeLock: Founded by Todd Davis, the Chandler, AZ-based firm has been offering its $10/mo service since April 2005. The company also protects children living in the same household for an additional $10 per year. Its plain-language guarantee featured prominently in the upper-right corner of its home page should serve as an example for financial institutions (see inset).
  • TrustedID: A Redwood City, CA-based company co-founded in January by former Fair Isaac executive Scott Mitic offers protection services for $7.95/mo.
  • CardCops: The Malibu, CA-based firm scans the Internet for stolen information and for $24.95/mo alerts its customers if their data has been compromised.
  • Cyveillance: The Arlington, VA firm also sifts through the online world looking for stolen data. The company resells its service as Identity Guard through Intersections Inc.

Financial institutions should be partnering with credit bureaus and/or identity theft providers to provide education and protection services to banking customers. Refer to previous articles here.

-- JB

Comments (0)

Zions launches SecurEntry powered by PassMark

By Jim Bruene on July 27, 2006 9:23 AM | Comments (0)

Zions Bank <zionsbank.com> is one of the early entrants in the parade of banks and credit unions rolling out multi-factor authentication this year. The Utah-based bank is using the PassMark/RSA <passmarksecurity.com> system pioneered by Bank of America last year (NB May 26, 2005).

Although there are compliance and security reasons for enhancing security, the biggest benefit is marketing and PR. Just today, highly influential Wall Street Journal columnist Walt Mossberg urged readers to ignore financial institution emails saying, "...never, ever consider any email from a financial institution as legitimate." Ouch.

Zions homepage screenshot

SecurEntry positioning
While we like the SecurEntry name, its page-dominating position on the Zions homepage (see above) is a bit over the top. Granted, they are in education mode as they race to enroll every customer within the next two months. But there's a reason why bank branches in high-crime areas use Plexiglas enclosures instead of steel bars; you don't want to make your customers afraid. The best security measures are subtle and discourage criminals without overly impacting the 99.9% of your customers who would never try to make off with the contents of the cash drawer.

It would work better to place the SecurEntry logo near the log-in area in the upper-right. That way, customers concerned about security could click-through to learn more, and customers that weren't already paranoid could go about their banking business without feeling new insecurities.

How it works
SecurEntry is a multi-factor authentication scheme identical to that used by 20 million customers of Bank of America, Stanford Credit Union, and others (see NB April 12). The new system, launched July 11, is optional for the first two months and becomes mandatory on Sept. 8. The bank estimates it will take five minutes to enable. Zions posted a Flash and HTML demo explaining the system, a one-page Quick Reference Guide (PDF), a seven-page illustrated tutorial (PDF), and an 11-question FAQ.

Off-topic: brief homepage critique
Zions' new homepage design is hard to judge. Taken individually, the modern graphics and succinct copy are excellent. However, the overall effect is way too busy, with too many elements screaming for the user's attention. The bank needs to better prioritize what they want to communicate on the homepage. The main points can be emphasized with strong graphical treatment while less-important areas are reachable through more subtle navigation, such as sub-menus.

--JB

To learn more about how to promote online security and peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

Comments (0)

Disposable Debit Cards

By Jim Bruene on July 10, 2006 1:59 PM | Comments (0)

Although they've been around for years, with relatively little success, the time may be right for disposable card numbers. However, this time, the emphasis should be on debit, the payment of choice for many younger consumers.

A compelling case can be made for disposable debit which:

  • is the favored payment vehicle for the under-30 crowd, and often the ONLY payment option for high school and college students
  • differentiates your checking account from 16,000 other U.S. providers
  • encourages more debit card usage
  • cements account relationships
  • adds value to online banking archives
  • provides excellent PR (customer advocacy) and branding benefits

But while great strides have been made in educating consumers about credit card fraud protection, the issue is murkier on the debit side.

Consumer appeal
We were reminded of the appeal of disposable card numbers when reviewing Cambrian House <cambrianhouse.com>, a Web-based venture attempting to "open-source" the business-startup process. While we don't see that taking off, the company does maintain an interesting database of user-submitted business ideas. Of the 433 ideas listed, the most popular according to site visitors is:

Self-destructing credit cards submitted by Rohan Pinto

Essentially what Mr. Pinto is proposing is the one-time-use credit card number offered since the late 1990s by Citibank, American Express, and, more recently, Discover Card (see inset). The main difference is the name, which actually is pretty good, if it hasn't been trademarked yet (we couldn't find any business using the term in a quick Google search).

--JB

Comments (0)

Banking on SMS

By Jim Bruene on June 20, 2006 11:30 AM | Comments (0)

by Pieter de Villiers, CEO of Clickatell

In the fight against financial fraud, it's a simple technology that is proving one of the most effective deterrents, as well as being a cost-cutting tool that builds customer loyalty. Thanks to the incredible reach of SMS, its simplicity, and the fact that it is the most accessible messaging technology in the world, banks are introducing text messaging as an added layer of security for their customers to tackle the problem of identity theft.

Case studies
In South Africa, for example, First National Bank (FNB) <fnb.co.za> claims that its SMS service, called inContact, has not only reduced fraud by 43%, but also has brought about increases in Internet-banking security. Client retention has increased by 15%, and call center costs have been reduced. With 22 million messages sent every month to more than 1.1 million subscribers, FNB is the largest single sender of text messages in the country, responsible for 26% of all messages.

With the widespread adoption of mobile communications, it’s a fair assumption that most people with a bank account, credit and debit cards will have a mobile phone. “Contactability” is rarely an issue. With very few exceptions, a text message will reach its intended destination, and it will be read. It is a peculiarity of mobile communications that while many people will ignore a call, they will always look at a text message. It is also a private communication.

Like FNB, a growing number of banks are realizing the power of the text message, and SMS is being introduced as an added layer of security for their customers. By simply receiving a text every time a transaction takes place, money is transferred, or an account is accessed, customers have immediate visibility of their account and can alert their bank about any suspicious activity.

The “soft” benefits are enormous as well. Banks can’t operate without a high level of credibility. Customers have to trust banks to trust them with their cash, their money management and their credit. FNB’s efforts have gone a long way to building and maintaining this level of credibility and trust. In addition, SMS brings the bank closer to its customer: It shows that the bank is innovative and at the forefront of best banking practices, and it raises brand awareness. SMS is not just a technology for FNB; it’s another channel to the customer just like its branches, ATMs, the Internet and telephone banking.

This is not just a South African trend. Spanish bank Bankinter <bankinter.com> has launched an SMS-based service to inform people each time their bankcard is used. A system warns the user via SMS of each banking operation made with the card. If the customer has not initiated the transactions, the card can be canceled immediately.

An article in Australia’s Herald Sun Business Daily cites an internal report from the National Australia Bank (NAB) <national.com.au>. The bank is concerned that it is losing AUS$1 million (US$760,000) due to Internet banking fraud. As one of its initiatives to reverse this, the bank has launched an SMS system to provide PIN-protected access to Internet banking services. According to the report, executives at the bank predict that online fraud will be reduced by 90% once 90% of customers have signed up for the scheme.

SMS and consumer behavior
It is the very nature of SMS and mobile phone use that contributes to these success rates. People have their mobile phones with them, wherever they are, and typically welcome the SMS security initiative as it means that both the customer and the banks are responsible for account security. The proactive alert makes life far more difficult for the criminal. If the losses through fraud of the financial industry can be reduced, then ultimately the customer could benefit from lower charges.

Never intended to be a commercial product, SMS has taken the world by storm. Mass implementation by mobile operators happened in the early 1990s, and the spread of inter-network roaming agreements provided the momentum to drive SMS take-up and make it a true mass market messaging service. According to Portio Research, 761 billion SMSs were sent in 2004 – that’s more than 100 messages for every man, woman and child on the planet.  Portio estimates that worldwide SMS traffic volumes will grow to 2,379 billion in 2010.

With the benefit of hindsight, the success of SMS is not surprising. It is simply an ideal form of peer-to-peer communication: cost-effective, with exceptionally high reach. As a marketing tool it demonstrates a very high response rate of up to 82% for branded campaigns and an average of 16% for other campaigns. It is immediate, reliable and personal. Messages can be customized to appeal to individual groups. Communicators can automate message sending and receive detailed reporting on activities. It is the accidental cash cow of the cellular industry, and the strength of its very simplicity is being leveraged by increasing numbers of businesses worldwide.

***

Pieter de Villiers is the CEO of Clickatell <clickatell.com>, a mobile messaging provider that allows businesses to connect people anywhere, with any message, across any device. Clickatell is headquartered in Redwood Shores, Calif., with offices in South Africa and the United Kingdom.

Comments (0)

Another 26 Million Social Security Numbers Enter "The Public Domain"

By Jim Bruene on May 26, 2006 4:41 PM | Comments (0)

The recent revelation that the Veterans Administration lost the data files of more than 26 million veterans when an employee’s laptop was stolen in a burglary is just another reason for payments providers to tighten internal security standards. It’s also another reason to stop complaining that disclosure, not the loss of the files, is the real problem.

In the VA case, it took three weeks for the loss to come to the attention of the agency head. Even then, he stumbled across it. Apparently, nobody had thought the event important enough to tell him. Naturally, he was vilified before Congress. But the real problem was in cyberspace, where the number of Social Security numbers available for sale more than doubled in the weeks following the burglary.

The liabilities created by this theft—and the hundreds of others we’ve read about in the past 18 months—are not merely theoretical. The victims will be dealing with the effects for years, and financial institutions have a duty to make them whole.

--AR

Comments (0)
Categories: Security & Privacy

PassMark Security Passes 20 Million Mark

By Jim Bruene on April 12, 2006 4:56 PM | Comments (0)

As we predicted almost a year ago (OBR 119), PassMark Security's two-factor authentication system is proving popular. We've heard the usability arguments, we've read the security blogs pointing out the weaknesses, and we even had doubts ourselves after using the system on our Bank of America account.

But the overriding fact of the matter is, if it's good enough for Bank of America and its 15 million users, it's good enough for anyone. While no other major U.S. bank has signed on, the announcement today that Fiserv would make the system available to its 5,000 clients, coming on the heels of the Feb. 28 endorsement from S1 Corporation with 1,000 clients, means the system may win the small and midsize markets.

As further evidence, the company recently announced several new clients including North Island Credit Union <myisland.com> (125,000 members) and Schools Financial Credit Union <schools.org> (100,000 members), who touted their pioneer status with this PR-quote-of-the-year candidate:

"...Schools Financial Credit Union will be one of the first financial institutions in the country to act on Federal Financial Institutions Examination Council guidance that strongly recommends banks and credit unions implement multi-factor authentication by the end of 2006."

Finally, the company made a splash on the other side of the Atlantic by aligning with Alliance & Leicester <alliance-leicester.co.uk>, a major financial institution in the United Kingdom with five million customers. It's a company we've previously singled out for its flashy website and marketing prowess (NetBanker Feb. 23, 2005).

With the launch of the Alliance program last month (see screenshot right), Passmark is now in front of 20 million users worldwide, demonstrating a spectacular first year for the Silicon Valley startup.

--JB

Previous articles:
Online Banking Report: June 30, 2005, Marketing Security
NetBanker Oct. 12, 2005: Scottrade to use Passmark
NetBanker May 26, 2005: Bank of America unveils multi-factor security for consumer accounts

Comments (0)

Keylogging Fraud Hits the Front Page

By Jim Bruene on February 27, 2006 3:39 PM | Comments (0)

Despite the old saying that there's no such thing as bad publicity, online banking credibility took a hit today courtesy of The New York Times, page one. In the second-most-emailed article of the day, the story chronicles the threat from keyloggers around the globe. In the fourth paragraph, the article tells of a Brazilian scheme, dismantled two weeks ago, that netted $4.7 million from 200 accounts at six banks. A separate keylogging incident in France is also said to have netted $1.1 million.

Action items
While there isn't a whole lot you can do about keylogging, you should take these steps to help keep the problem in perspective:

  1. Remind customer service staff that customer accounts are protected by numerous technology safeguards, policies limiting consumer liability, and internal controls that make withdrawing money online quite difficult.
  2. Encourage customers to use triggered alerts so they know within minutes when a large withdrawal occurs.
  3. Educate customers on the benefits of safe computing, including links to resources, downloads, and so forth.
  4. Mitigate customer concern with plain-language guarantees that eliminate any customer liability for fraud perpetrated against their accounts. For a great example, see E*Trade's Complete Protection Guarantee (NB Jan 18).

For more information, read recent security articles from NetBanker or Online Banking Report (# 96/97).

--JB

Comments (0)
Categories: Security & Privacy

News from the Online Fraud Cyberwar

By Jim Bruene on February 26, 2006 4:18 PM | Comments (0)

The same week that Pay By Touch settled outstanding government claims against CardSystems, news of a new computer breach that could be at least as damaging emerged from California, while keylogging made the front page of the New York Times.


Comments (0)

E-billing at the Point of Sale for eCommerce

By Jim Bruene on February 24, 2006 6:47 PM | Comments (0)

ModaSolutions <modasolutions.com> and several merchant clients including Big Al's <bigalsonline.com> online aquarium supply store and CompSource <c-source.com>, an electronics retailer, are making waves in online bill payment circles. In one of the more counterintuitive developments we've ever seen, Big Al's is seeing 6 percent of its customers opt for a convoluted two-step bill payment process at checkout. To increase buyer comfort levels, the connection to online banking is reinforced through banners and copy (see the logo from Big Al's above and the banner at CompSource below).

[Banner: CompSource SECURE-ebill]

How it works
Rather than simply entering a credit card number or inputting checking account info to authorize a funds transfer, the SECURE-ebill system allows a customer to complete the checkout process without entering any personal payment info. The system then sends an email to the customer summarizing the amount owed and the merchant's contact info. Customers are then instructed to log in to their bank's bill pay system, set up Big Al's as a payee, and then pay the amount owed. Payments are routed through MasterCard's RPPS for electronic settlement within 48 hours.

To summarize:

  1. Customer shops at merchant online
  2. Customer selects SECURE-ebill option during checkout (see screenshot #1 below)
  3. Email is sent to customer restating the amount due and deadline to pay (see screenshot #2 below)
  4. Customer logs in to online banking at their bank
  5. Customer sets up the merchant as a payee
  6. Customer pays the bill using online bill pay
  7. Payment is settled electronically through MasterCard RPPS
  8. Merchant ships the goods

Results
Approximately 6 percent of all Big Al's orders now use the SECURE-ebill option. Of those, nearly 40 percent are new customers. In addition, the cost to process the payments is 60 percent less than the discount rate the company would have paid had the customer paid with a credit or debit card.

At CompSource, customers are rewarded with a 5 percent savings ($25 maximum discount) at checkout when selecting the ebilling option. The company has not released results, but it must really like the system. Its website has numerous references to the 5 percent savings, including a link by each price reminding users that they could save "up to 5%."

Analysis
If you consider the time it takes to log in to your bank account, set up a new merchant, then pay the bill, it will take three to five times as long as using a credit card at checkout. However, it is slightly faster to check out using the ebill option because you avoid entering a credit card number, expiration date, and security code.

As irrational as it seems to regular online shoppers, this system evidently has considerable appeal. How else can you explain 6 percent penetration at Big Al's with no merchandise discount? Evidently, it appeals to customers who are either concerned about entering payment info on a merchant's website, or who somehow like the extra control they get by entering the payment into their bill pay system where they can keep closer tabs on the payment. It's a good lesson in payment system design: Not all customers trust the most efficient system.

Merchants like it because it increases sales. And transactions cost less than credit card interchange, although the interchange savings are likely eaten up by extra customer service and reconciliation costs at the merchant.

--JB


Comments (0)

The Truth about ID Theft from Javelin Strategy

By Jim Bruene on February 13, 2006 1:15 PM | Comments (0)

Judging by media reports, almost everyone in the civilized world has lost their identity to cyber-criminals. But while there has been an unending torrent of news about data breaches and related identity thefts, the damage has been much less drastic than that, says a study from Javelin Strategy & Research.

“The impression in the general public is that identity fraud is spiraling out of control, but what we came away with is the contrary; the growth [in the phenomenon] has been contained,” says Rubina Johannes, the Javelin research analyst who wrote the report.


Comments (0)

Data Security Standards Set by Major Financial Institutions

By Jim Bruene on February 1, 2006 7:28 PM | Comments (0)

A consortium of six major banks and the country’s largest accounting firms said Wednesday that they were setting uniform computer-security standards, designed to ensure that the third-party computer providers they do business with are adequately protecting both their computer systems and the information those financial firms send them.

“This is good news,” says Avivah Litan, vice president and research director of Gartner Inc. “I don’t think it goes far enough, but it’s smart for them [the institutions] to do it in steps, if that’s what they’re doing. But they need to do it beyond the service providers. They need to do it themselves”


Comments (0)

ING Direct Personalizes Emails for Security

By Jim Bruene on January 27, 2006 6:10 PM | Comments (0)

ING Direct <ingdirect.com> is the latest bank to move to greater personalization in order to distinguish its messages from phony phishing attempts. The bank has added the customer's first name and masked all but the last three digits of the customer's number (click on inset for a closer look).

The message at left was sent to customers to market ING's latest deposit promotion: 4.75 percent APR for new money.

The same technique is also used for routine account alerts (see inset right).

Note the high-impact sales pitch for its 4.75 percent deposit promotion.

Analysis
While it doesn't prevent phishers from attempting to recreate the same look (see footnote), it's an effective first line of defense. Besides, the personalized greeting is a friendlier way to communicate with customers. Citibank has been using a similar approach for more than a year (NetBanker, May 30, 2005).

Footnote: Yesterday, we received a fake email that recreated the Citibank personalized area in the upper-right corner. The crooks just left blank the Email Security Zone in the upper-right corner, figuring many users won't look that closely at the box (click on inset for a closer look).

--JB

Comments (0)

E*Trade Bags Millions in Free Publicity

By Jim Bruene on January 18, 2006 10:27 AM | Comments (0)

Wow. It's not often a press release rates an article in BOTH The Wall Street Journal and The New York Times. But that's exactly what happened today when E*Trade made the relatively innocuous announcement that it wouldn't hold its brokerage customers responsible when their accounts were defrauded.

Consistent with previous innovations, the online brokerage and banking powerhouse wrapped its new message with impressive graphics and copy (see inset above-left for the graphic displayed on its homepage today). Clicking on Learn More leads to an impressive security area where E*Trade touts four main protective measures (click on inset above-right for a closeup)*:

  1. Security tokens
  2. Electronic statements with paper turnoff
  3. Email alerts
  4. Antiviral and firewall software, which can be purchased through a link to Norton (60-day free trial offer); users can also run a real-time scan to check for vulnerabilities

Analysis
It just goes to show you how skittish the public has become about online security. I'd wager that most brokerage customers are sophisticated enough to realize they will eventually get their money back if it's stolen from their account. So this is a non-event from a financial standpoint. E*Trade even admits that online fraud cost it only $2 million last year, less than the cost of one of their famous Super Bowl ads. The brokerage also said there were "fewer than 50 incidents," implying a fraud loss of approximately $40,000 per incident.

Evidently E*Trade's marketing department prevailed over its legal counsel and actually put the company's fraud-protection policies in writing. It's amazing that this makes headlines in 2006; it may say more about the growing need to cover your behind to fend off the class-action bar, even if it means scaring off customers.

We hope this prompts other financial institutions to take similar action. One of the main functions of financial institutions is safeguarding assets. Customers, online or otherwise, shouldn't have to guess whether certain types of fraud are covered. As any good lawyer would say, "Put it in writing."

--JB

*The screenshot displayed here is only the top portion of the security area; to download a screenshot of the entire page, click here.

Comments (0)

Know Your Banking Customers, Especially Reporters

By Jim Bruene on January 2, 2006 11:54 AM | Comments (0)

Remember the old saying (usually attributed to Mark Twain), "Never pick a fight with someone who buys his ink by the barrel." An unnamed "national bank" has created an enemy of LA Times reporter Steve Lopez, who so far has not publicly identified the bank that refused to reimburse him for the $2000 drained out of his account after an ATM-card-skimming incident. But given his location, and the hints in the article, it's probably Wells Fargo, BofA, or WAMU. Given our personal experience with the relatively strict Wells Fargo credit card authorization guidelines, combined with the relatively small WAMU checking account base, our money is on BofA as the culprit.

In this particular case, the bank did the right thing initially, crediting the reporter's account for the $2000. However, it reversed the amount four weeks later, sending a form letter with no explanation. In a followup call, the bank service rep told Mr. Lopez that he had not returned phone messages from bank investigators, so they concluded the disputed ATM withdrawals were "authorized and posted correctly."

Action Items
This type of bad publicity is entirely avoidable:

  1. Prevention: Your ATM system should not allow four $500 withdrawals in three days, unless the customer has a history of large cash withdrawals.
  2. Notification: All large ATM withdrawals should trigger alerts, first by email, then by phone if the withdrawals continue.
  3. Communications: Make sure you communicate the results of your ongoing investigation clearly to the customer. Customers should receive a stream of emails, letters, and phone calls keeping them apprised. If possible, all emails should be posted to the customer's online banking account to create a paper trail.

    Most of the above steps are relatively expensive to implement if not supported by your current systems. So you might want to consider a fourth item:

  4. Flag reporter accounts: Treat reporters like VIPs, making sure their accounts are flagged, and that you bend over backwards to give them the benefit of the doubt when disputes arise.
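Items 1 and 2 above expressed as a rule, as an added example that is neither the bank's nor the article's code: a velocity check that refuses the fourth $500 withdrawal inside a three-day window unless the customer has a history of large cash withdrawals, with alerts that escalate from email to phone. The 90-day lookback, the three-withdrawal history threshold, and the sample withdrawals are assumptions constructed for the example.

```python
"""Velocity rule for large ATM withdrawals with escalating alerts (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

LARGE_AMOUNT = 500                     # the article's $500 withdrawals count as "large"
WINDOW = timedelta(days=3)             # "four $500 withdrawals in three days"
MAX_LARGE_IN_WINDOW = 3                # the fourth large withdrawal inside the window is refused
HISTORY_LOOKBACK = timedelta(days=90)  # assumed: how far back to look for an established habit
HISTORY_THRESHOLD = 3                  # assumed: this many earlier large withdrawals = "history"


@dataclass
class Withdrawal:
    when: datetime
    amount: float


@dataclass
class Decision:
    allowed: bool
    alert: Optional[str]   # None, "email" or "phone"
    reason: str


def withdrawal(when_iso: str, amount: float) -> Withdrawal:
    """Convenience constructor from an ISO timestamp such as '2005-12-01T09:00'."""
    return Withdrawal(datetime.fromisoformat(when_iso), amount)


def evaluate(history: List[Withdrawal], new: Withdrawal) -> Decision:
    """Decide one withdrawal against the customer's earlier, approved withdrawals."""
    if new.amount < LARGE_AMOUNT:
        return Decision(True, None, "below large-withdrawal threshold")
    window_start = new.when - WINDOW
    in_window = [w for w in history
                 if w.amount >= LARGE_AMOUNT and window_start <= w.when <= new.when]
    earlier = [w for w in history
               if w.amount >= LARGE_AMOUNT
               and new.when - HISTORY_LOOKBACK <= w.when < window_start]
    has_history = len(earlier) >= HISTORY_THRESHOLD
    if len(in_window) >= MAX_LARGE_IN_WINDOW and not has_history:
        # Prevention: refuse the fourth one and get a person on the phone.
        return Decision(False, "phone",
                        "too many large withdrawals in window, no large-cash history")
    # Notification: the first large withdrawal in the window goes out by email;
    # if they keep coming, escalate to a phone call.
    alert = "email" if not in_window else "phone"
    reason = "large withdrawal matches customer history" if has_history else "large withdrawal"
    return Decision(True, alert, reason)


def process(withdrawals: List[Withdrawal]) -> List[Decision]:
    """Run the rule over a chronological sequence; refused withdrawals never enter history."""
    history: List[Withdrawal] = []
    decisions: List[Decision] = []
    for w in withdrawals:
        d = evaluate(history, w)
        decisions.append(d)
        if d.allowed:
            history.append(w)
    return decisions


if __name__ == "__main__":
    # Constructed sample: the article's pattern, four $500 withdrawals in three days.
    burst = [withdrawal("2005-12-01T09:00", 500), withdrawal("2005-12-02T09:00", 500),
             withdrawal("2005-12-03T09:00", 500), withdrawal("2005-12-03T10:00", 500)]
    for w, d in zip(burst, process(burst)):
        print(w.when, w.amount, "ALLOW" if d.allowed else "REFUSE", d.alert, d.reason)
```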

--JB

Comments (0)

Everbank Goes on the Offensive Against Latest Phishing Scheme

By Jim Bruene on December 20, 2005 4:52 PM | Comments (0)

If you are a smaller bank or credit union and are phished for the first time, you might consider the approach Everbank took in response to a phishing incident today.

The bank took the unusual step of sending an email to its customers warning them about the fraudulent email (click on the screenshot below for a closeup). They even included a copy of the phishing message at the bottom of the warning. The bank also posted a small red-outlined box on its homepage (see inset) with a link to the same email message.

Analysis
Although it may seem futile to send an email warning about a fake email, we think it's a good idea if the phishing episodes are infrequent. The big targets such as Citibank or PayPal can't do this, not with dozens of attacks every month; however, smaller companies should consider proactive email communications, but no more than a few times per year, otherwise customers won't pay any attention.

Most users will realize the Everbank response is genuine, because it doesn't ask for any customer information, especially when they compare it to the fake message at the bottom of the screen.

Yes, some customers will be even more confused. But hopefully their calls to customer service will provide you with a chance to put them at ease. There are costs associated with these anti-fraud efforts, but that's part of the trust involved in being in the banking business.

--JB

Comments (0)

Bank of America's New Security Toolbar

By Jim Bruene on December 12, 2005 6:20 PM | Comments (0)

Bank of America launched a co-branded version of Earthlink's toolbar designed to prevent users from surfing to fraudulent websites. Of note is its official name, Bank of America Toolbar Powered by Earthlink. It's highly unusual for a bank, especially the largest consumer bank in the country, to give a partner such high billing. Our guess, although unconfirmed, is that Earthlink is paying the bank for the product placement.

In a similar manner to eBay's toolbar released in 2002, the BofA/Earthlink version uses red, green, and yellow lights to indicate whether a website is known to be safe (green), known to be fraudulent (red), or unknown (yellow). A popup blocker is also included. The toolbar is free and can be downloaded by any Internet Explorer for Windows user; you do not have to be a customer of the bank or Earthlink. According to Earthlink, a Mac version will be available soon. The toolbar does not work in other browsers.

The toolbar was announced in a press release today, and is accessible from a small link on the right of the homepage (click on inset for a closeup).

Analysis
Bank of America's toolbar is the first of what we expect to be a major source of differentiation during the next five years: the branded desktop presence (see OBR 85, for more information). The Scamblocker toolbar is a relatively low-tech entry into the space. More sophisticated offerings, such as Southwest Airlines Ding (NetBanker, 5 Dec), are on the way later this year, if not at BofA, then at its U.S. competitors.

--JB

Comments (0)

ING Direct Adds Virtual PIN Login Pad

By Jim Bruene on November 16, 2005 4:00 PM | Comments (0)

ING Direct's <ingdirect.com> three million U.S. customers now must enter passwords into the site with an on-screen PIN pad. Users have the choice of clicking on their numerical PIN or typing the corresponding letter into an on-screen box (see screenshot below). The letters are scrambled each time to defeat many keylogging programs.

Although the virtual PIN pad technology has been widely deployed elsewhere in the world, it's new in the United States.
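How a server could run the scrambled pad described above, as an added example rather than ING Direct's actual implementation: a fresh digit-to-letter mapping for every login attempt, translation of the typed letters back into digits, and a check that letters captured on one attempt do not verify against the next pad. The function names and the demo PIN are constructed for the example.

```python
"""Server-side model of a scrambled virtual PIN pad (added example, not ING Direct's code)."""
import hmac
import secrets
import string

DIGITS = "0123456789"


def new_pad_mapping(rng=None):
    """Build the digit->letter mapping shown on the pad for ONE login attempt.

    Ten distinct letters are drawn at random, so each digit on the pad carries
    its own letter.  A fresh mapping per attempt is what makes a keylogged
    transcript useless on the next attempt.  `rng` exists only so tests can
    inject a seeded random.Random; by default the OS CSPRNG is used.
    """
    rng = rng or secrets.SystemRandom()
    letters = rng.sample(string.ascii_uppercase, len(DIGITS))
    return dict(zip(DIGITS, letters))


def letters_for_pin(mapping, pin):
    """The keystrokes a customer types for `pin` on this pad (all a keylogger sees)."""
    return "".join(mapping[d] for d in pin)


def pin_from_letters(mapping, typed):
    """Translate typed letters back into digits; None if any key is not on this pad."""
    reverse = {letter: digit for digit, letter in mapping.items()}
    try:
        return "".join(reverse[ch] for ch in typed.strip().upper())
    except KeyError:
        return None


def verify_attempt(stored_pin, mapping, typed):
    """Check one attempt against the PIN on file, comparing in constant time."""
    candidate = pin_from_letters(mapping, typed)
    if candidate is None or len(candidate) != len(stored_pin):
        return False
    return hmac.compare_digest(candidate.encode(), stored_pin.encode())


def demo(pin="2718"):
    """Two logins with the same (constructed) PIN: the typed letters differ, and
    replaying the first transcript against the second pad fails (barring the
    negligible chance that both random pads coincide)."""
    pad1, pad2 = new_pad_mapping(), new_pad_mapping()
    typed1 = letters_for_pin(pad1, pin)
    return {
        "pad1": pad1,
        "pad2": pad2,
        "typed_on_pad1": typed1,
        "typed_on_pad2": letters_for_pin(pad2, pin),
        "login_ok": verify_attempt(pin, pad1, typed1),
        "replay_on_pad2_ok": verify_attempt(pin, pad2, typed1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```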

Analysis
Until recent deployments at Bank of America (NetBanker May 26), Citibank (NetBanker May 30), E*Trade (NetBanker March 2), and a handful of others, ING Direct has been the sole U.S. bank making at least a minimal attempt to make login more secure. For the past four years, it's required a third piece of information at login (partial social security number or year of birth). It's not really multi-factor authentication, because the third piece isn't too difficult to figure out, but it at least provided the perception of better security (click on screenshot below to see closeup of login page).

The virtual PIN pad, first used by ABSA Bank in 2003 (see Online Banking Report 96/97), isn't foolproof, but it does make it tougher for key-loggers and phishers to successfully recreate the login process at the bank. It's also a relatively inexpensive improvement with very little customer impact. In fact, I'd expect that the customer response is overwhelmingly positive.

If the bank combines these cosmetic security features with robust behind-the-scenes authorization controls, it should have enough to keep the crooks at bay AND satisfy regulators.

--JB

Comments (0)

Washington Mutual's ID Theft Play

By Jim Bruene on November 7, 2005 4:37 PM | Comments (0)

Washington Mutual <wamu.com>, which has been pitching free checking in Seattle for as long as we've lived here (mid 1980s), recently added ID Theft Services to its list of free checking account enhancements.

A mid-October direct mail we received at our home touted the following benefits, along with a $75 American Express Gift Cheque, for signing up for a new checking account (italics are theirs):

  • No direct deposit required
  • Free Telephone Banking
  • Visa Check Card
  • No per-check charge
  • Free Personal Online Banking
  • Free Personal Bill Pay service
  • Free ID Theft Services

In addition to the above bullet points, the Free ID Theft Services had its own paragraph, one of just four total in the short sales letter:

Exclusively for Washington Mutual customers: Free ID Theft Services. If you become a victim of identity theft, we provide insurance that helps you with your legal and other identity theft expenses up to $5,000 with no deductible. This valuable service also provides professional assistance, plus access to credit reports, management tools and more.

No other information was provided in the letter or the fine print. But looking at the bank's website we find that the free services lead to a pitch for full three-bureau credit report monitoring from Intersections <intersections.com> (click on inset for partial screenshot or download the entire screenshot, links will not work). It's all explained on Washington Mutual's proprietary identity theft site, ID Theft Inspect <idtheftinspect.com>.

Analysis
With all the concerns about online safety and fraud protection, it makes perfect sense to offer identity theft protection services to customers, especially when you will be helping defrauded customers whether you make it an account benefit or not.

We like how WAMU offers certain services to all account holders, then upsells them into full credit report monitoring. However, the bank's pitch for fee-based protection could be far more effective if it:

  • Offered online signup -- Currently customers must sign up in a branch or call a toll-free number.
  • Disclosed the price -- There is no mention of a monthly fee, either in the main body of the copy, or in the detailed disclosures. This is a sure way to lose customers.
  • Provided a more detailed view -- The promotional copy does a good job of explaining the benefits; however, beyond a few blurry screenshots, there is no way to preview the level of detail to be provided with the service. The bank needs an online demo, tutorial, or FLASH presentation.

Overall, we give it a B+; disclose the price and it's an A-.

--JB

Comments (0)

Scottrade to Use PassMark Security

By Jim Bruene on October 12, 2005 5:25 PM | Comments (0)

It's been four months since Bank of America surprised the industry with its endorsement of PassMark Security <passmarksecurity.com> for multi-factor consumer login (see NB 26 May 2005). Since then, we've talked to a number of industry participants that claim to have a better mousetrap, which they may.

We are not in a position to pass judgment about the technical merits of one system compared to the next; we'll let the market sort that out. And true enough there are weaknesses in the PassMark system as we noted in our Online Banking Report article (OBR 119).

But we still believe PassMark will be one of the survivors as it builds upon its BofA relationship and adds other customers down the road. The first new win is discount broker Scottrade <scottrade.com>, which announced yesterday that it will install PassMark to improve login security for its 1.4 million consumer accounts (see inset above). The broker also becomes the first client to say that they will also add the PassMark identifying image to outbound emails so recipients know the message is legitimate.

Added to the 13+ million BofA accounts, PassMark now boasts that it will be "protecting 15 million users in 2006," a powerful marketing message for the startup. Separately, the company announced v2.0 of its two-factor authentication system.

Off-Topic
Speaking of marketing, you should take a peek at PassMark's website if only to see how it markets to financial institutions (see inset left). The company provides a 4.5-minute comprehensive audio briefing done in Macromedia Breeze along with a series of three short demos showing how the system works for: a) new users; b) users logging in from a known computer; or c) users logging in from an unknown location.

The company's website is remarkably brief and to-the-point, especially for a B2B tech vendor. If you are looking for ideas on how to spruce up your online marketing to businesses, this is a good model.

--JB

Comments (0)

New Federal Fraud Education Website

By Jim Bruene on September 26, 2005 10:58 PM | Comments (0)

If you are looking for a spam/spyware/phishing resource for your online customers, OnGuardOnline.gov is a good resource, especially for novice users.

The site is sponsored by the Federal Trade Commission, Dept. of Homeland Security, U.S. Dept. of Commerce, and the United States Postal Inspection Service. They also had some help from the private sector, with some content provided by Microsoft and The Internet Education Foundation www.neted.org. The site also lists a number of other partners, but does not disclose their contribution. None of the listed partners are closely associated with the financial services industry.

The main content areas cover:

  • ID theft
  • Spam scams
  • Phishing
  • Spyware
  • Shopping
  • P2P file sharing
  • VoIP

Analysis
The information is thorough and presented in an audio-visual format that is easy to digest (click on inset to see a closeup of the homepage). The videos from Microsoft are particularly well done. And surprisingly there is no plug for the software giant; they don't even have a logo on the site.

The interactive Flash games are a little on the hokey side, but they get their points across. The Stop-Think-Click: 7 Practices for Safer Computing is very well written and hopefully will become widely circulated in the popular press.

Action items
Financial institutions should use the site either as a direct resource for customers or as a blueprint for the material which should be presented in a bank's security and privacy area. The 7-point Stop-Think-Click material is especially useful to present to users.

The only slight hesitation we have about referring customers directly to OnGuardOnline.gov is that it may be somewhat overly frightening. We think it's better to cover these issues yourself so you can provide reassurances along the way as to how you are helping solve these vulnerabilities.

But for those who haven't the resources or budget to create your own security center, this is a good reference point.

-JB

Comments (0)
Categories: Security & Privacy

Mandatory Online Banking Password Changes

By Jim Bruene on September 9, 2005 3:19 PM | Comments (0)

Katie Kuehner-Hebert looks at the issue of mandating consumer password changes in today's American Banker. She cited only a single bank doing it, West Georgia National Bank <www.wgnb.com>, which recently began requiring new passwords every 45 days. None of the financial institutions we are familiar with force password changes, although NextCard did when it first launched in 1997, but later it did away with the annoying requirement.

Analysis
This is one of the least effective ways to improve security. In fact, it may have exactly the opposite effect for two reasons:

  1. Customers cannot memorize a new password every 45 days, so they will have to write it down somewhere near their PC where it can be seen by others.
  2. Once users begin to realize what a hassle it is logging in to your website, they will forgo online access altogether or use it much less frequently, therefore reducing the frequency of account monitoring which can reduce the impact of identity theft and other fraud.

And even if the method did reduce fraud, it's unlikely to be cost effective due to the increased burden on customer service and decreased customer satisfaction.

Offer choice
Some customers do like the idea of periodic password changes, but forget about mandatory changes. We like the approach of M&T Bank <www.mandtbank.com>. The Buffalo-based bank allows customers to choose whether to have mandatory password changes at either 30, 60, 90, 180 or 365 days. They can also choose NOT to have a mandatory password change (click on inset for a closeup).

An even simpler way to give customers the choice is to allow customers to program an alert reminding themselves to change their password. The alert should NOT have a link back to the bank, otherwise it will look like a phishing message.

--JB

Comments (0)
Categories: Security & Privacy

Citibank's Security Pop-Up

By Jim Bruene on August 23, 2005 3:54 PM | Comments (0)

Under the "every little bit helps" theory, Citibank's popup window when registering for online credit card access is a nice touch.

The popup (click on inset for closer view) reassures users that they are entering information into a secure site. The well-crafted verse goes like this:

Secure.
A little word that means a lot--especially online.
Rest assured, this registration process is just that.

The window closes itself in about 10 seconds, if the user hasn't done so already.

--JB

To learn more about how to promote online security and peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

Comments (0)

Online Banking Confidence Still at 60%

By Jim Bruene on August 9, 2005 1:36 PM | Comments (0)

The problem with most published information on consumer attitudes is that they don't show the trend. It's interesting to see that a certain portion of the population expresses concern about ecommerce security, but it's not really actionable unless you see it in context. That way you know if the concern is growing, stable, or lessening. Or if consumers are more concerned about branch lobby security, telephone, or mail security.

Kudos to Informa Research for publishing a table showing consumer attitudes on online banking security dating back to 2000. As you might expect, consumers are significantly more confident than they were five years ago (59% vs. 49%), but there has also been a substantial drop-off since 2003 (59% vs. 70%).

Percent of consumers that Completely or Strongly Agree with the following statement:
Internet-based transactions handled by financial institutions are safe and secure

2000  49%
2001  56%
2003  70%
2005  59%

Source: Informa Research, Aug. 2005, n = 1690

Analysis
Taking a cup-is-half-full approach, we are pleased to see that the majority of consumers still consider online banking to be safe. Although the drop-off from 2003 is a concern, we've probably hit bottom, barring any dramatic breaches in the near future. As banks institute security upgrades such as multi-factor authentication, broader security alerts, and secure messaging, consumer confidence will grow.

--JB

If you'd like to learn more about the future of online banking, check out the Online Banking & Bill Pay Forecast: Current, future and historical usage: 1994 to 2016 from our sister publication, The Online Banking Report.

Comments (0)

Phishing Awareness Less Than 30%

By Jim Bruene on July 22, 2005 3:55 PM | Comments (0)

We've warned against using too many scare tactics on your website (see OBR 119, Marketing Security). Here's data to support that argument.

The latest Pew Internet Project survey (PDF) found that more than 70% of Internet users had either never heard of the term Internet phishing (15%) or were unsure of its meaning (55%), leaving just 29% who said they had, "a pretty good idea of what the term meant." In comparison, 88% of Internet users had a pretty good idea of what Spam meant, 78% knew Firewall and also Spyware, while 68% understood Internet cookies, and even 52% knew Adware.

--JB

Comments (0)

Update: Bank of America's SiteKey Goes Live in Tennessee

By Jim Bruene on June 14, 2005 2:06 PM | Comments (0)

Bank of America issued a press release saying that it went live today in Tennessee with its OBR Best-of-the-Web-winning multi-factor authentication system. However, a search of the bank's website, using Tennessee as our state, found no mention other than the "coming soon" paragraph that's been posted for the past several weeks (click on inset to read).

Read our previous article.

--JB

Comments (0)

RF Technology for Online Banking Login?

By Jim Bruene on June 9, 2005 12:05 AM | Comments (0)

Now that Visa, MasterCard, American Express and others are actively putting so-called contactless cards into the hands of consumers (Chase's blink for instance), it's not such a far-fetched thought that these radio-frequency (RF) cards could be used as the extra factor for online banking login.

PCs equipped with RF card readers could read the user's plastic, allowing the user to log in securely with just a username/password, or conceivably just a password.

PC makers aren't going to add card reading technology, no matter how cheap it is, just for online banking. But if merchants began insisting on the RF readers to cut down on card fraud for online purchases, perhaps with the associations agreeing that a purchase made with a PC-based RF reader qualified as a "card present" transaction, then the technology could take off.

Using contactless cards online could be more beneficial than using them for off-line purchases. In the physical world, the contactless card merely saves a few seconds compared to swiping it through a conventional terminal. But online the savings could be more dramatic, potentially allowing the customer to skip typing their card and verification number into a web form.

--JB

Comments (0)

Stonebridge and American Bank Offer Secure Account Login

By Jim Bruene on June 6, 2005 2:17 PM | Comments (0)

Today's American Banker reports that Stonebridge Bank (West Chester, PA; $365 million in assets) and American Bank (Allentown, PA; $500 million) are following E*Trade's move to offer hardware tokens to authenticate consumer logins.

As of May 30, Stonebridge is offering the token free-of-charge to any of its 4500 consumers who request one. The token will be mandatory for its 500 business customers. In its security FAQ, the bank says it will charge $25 annually, its out-of-pocket expense for the device, after the first year. They also charge $25 to disconnect the token during the first year and $25 to replace it within 5-7 business days, or $45 total for overnight delivery.

American Bank is sending the token to 1000 customers who said they would like one in a recent survey. There is no charge for the service. The bank expects to order another 1000 from RSA Security next month. It pays approximately $20 each, which does NOT include maintenance costs to operate the system.

Analysis
We applaud these three financial institutions for moving beyond the username/password. However, except for the most demanding customers, primarily businesses, hardware-based solutions are overkill.

The Bank of America/Passmark approach is much better. Not only is it more cost effective, it is also much easier to use and also helps prevent the user from logging in at a fake site.

--JB

Comments (0)
Categories: Security & Privacy

Citibank Fights Fraud with Personalized Emails

By Jim Bruene on May 30, 2005 12:01 AM | Comments (0)

It's fitting that the financial company most targeted in phishing attacks, Citibank, would be the first to introduce a new email format that goes a long way towards helping users identify legitimate email messages.

The personalized emails (click on inset to enlarge) include not only the name of the recipient, but also the last 4 digits of the user's ATM card. While simple personalization with the customer name would help many users identify legitimate emails, it's far from fool-proof.

First, there's the relatively common practice of including first name and/or last names in email addresses. Also, some phishers are using direct marketing tactics and first running email addresses through various databases to append actual names and other info to the email record in order to develop a personalized pitch (see ZD-Net article).

Citibank's new email format was announced to customers through a short message on the top of the online banking screen in early May. It is also now mentioned in the bank's main FAQ page.

Analysis
This is a great first step in winning back the confidence of users. Eventually email standards will evolve so that the email client will be able to readily identify legitimate emails, but that could be years in the future.

If you are considering a similar approach, you might want to let users choose the name and identifying information that appears in the personalization box. In February, we reported on a UK security initiative that took that approach.

For more information:

-- JB

Editor's Note: Citibank received an OBR Best of the Web award for this and other security features in Online Banking Report #119, "Marketing Security."

Comments (0)

Bank of America Unveils Multi-Factor Security for Consumer Accounts

By Jim Bruene on May 26, 2005 1:46 PM | Comments (0)

Bank of America wins the race to be the first with a viable plan to secure consumer online banking accounts. In an announcement today, it becomes the first major U.S. bank to endorse multi-factor authentication for consumers at login.*

The system, already in use at Stanford Federal Credit Union, is called SiteKey. The clever approach from Bill Harris's PassMark Security provides several layers of security to defeat phishing and keylogging attacks. The company calls it two-way two-factor authentication because not only does the end-user authenticate themselves to the bank, the bank authenticates itself to the user to defeat phishing schemes.

Here's how it works (click on inset below for BofA page):

  1. User provides username
  2. BofA verifies that the login request is coming from the user's previously registered computer; if NOT, user must successfully answer a challenge question based on previously registered shared secrets
  3. After passing steps 1 and 2, the user is shown their previously selected image, so they know they are logging into the true BofA server
  4. User enters their password

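The four-step flow above, as an added simulation that is not Bank of America's or PassMark's code. Assumptions: device recognition is done with an opaque random token handed to the browser after a successful challenge (the real system's device fingerprinting is not described here), answers and passwords are stored as salted PBKDF2 hashes, and an unknown username receives a decoy question so the step-1 reply does not reveal which usernames exist.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2, so stored answers and passwords cannot be read back out of the record."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def _device_id(token: str) -> bytes:
    """Only a hash of the issued device token is kept server-side, never the token itself."""
    return hashlib.sha256(token.encode()).digest()


def _norm_answer(answer: str) -> str:
    """Challenge answers are case/whitespace-insensitive; passwords are NOT normalised."""
    return answer.strip().lower()


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    challenges: dict                                  # question -> hashed answer (step 2)
    image_id: str                                     # the user's pre-selected image (step 3)
    known_devices: set = field(default_factory=set)   # hashed device tokens (step 2)


# Assumed decoy pool for usernames that do not exist.
DECOY_QUESTIONS = ["What was the name of your first pet?", "In what city were you born?"]


class SiteKeyServer:
    def __init__(self):
        self.users = {}

    def register(self, username, password, challenges, image_id):
        salt = os.urandom(16)
        self.users[username] = UserRecord(
            salt, _hash(password, salt),
            {q: _hash(_norm_answer(a), salt) for q, a in challenges.items()}, image_id)

    def begin_login(self, username, device_token=None):
        """Step 1: username only. Returns (session, prompt): ('image', id) when the
        device is recognised, otherwise ('challenge', question)."""
        session = {"user": username, "device_ok": False, "question": None}
        user = self.users.get(username)
        if user and device_token and _device_id(device_token) in user.known_devices:
            session["device_ok"] = True
            return session, ("image", user.image_id)
        questions = list(user.challenges) if user else DECOY_QUESTIONS
        session["question"] = secrets.choice(questions)
        return session, ("challenge", session["question"])

    def answer_challenge(self, session, answer):
        """Step 2: check the shared-secret answer. On success, issue a device token
        for next time and reveal the image (step 3). Returns None on failure."""
        user = self.users.get(session["user"])
        if user is None or session["question"] not in user.challenges:
            return None
        expected = user.challenges[session["question"]]
        if not secrets.compare_digest(expected, _hash(_norm_answer(answer), user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        user.known_devices.add(_device_id(token))
        session["device_ok"] = True
        return {"device_token": token, "image": user.image_id}

    def finish_login(self, session, password):
        """Step 4: the password is accepted only after the device check passed,
        i.e. only after the user has been shown their image."""
        user = self.users.get(session["user"])
        if user is None or not session["device_ok"]:
            return False
        return secrets.compare_digest(user.password_hash, _hash(password, user.salt))
```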
The service launches in mid-June in Tennessee with full roll-out by the end of the year.

Analysis
Even though it's long overdue, we applaud Bank of America for moving the industry forward. While the program won't be available system-wide until year-end, we're giving it an Online Banking Report "Best of the Web" now because it's the biggest development in U.S. online banking for several years.

The BofA/Passmark system is ingenious for several reasons:

  • Unless a user logs in from a new computer, there is little extra work involved; just a two-step login with username, followed by the password
  • Requires no hardware or out-of-channel coordination by the end-user; shouldn't cause a major increase in customer service expense
  • Defeats phishing by displaying a personal image prior to asking for password
  • Defeats keylogging with the rotating challenge question

If you are at one of the other 15,000 financial institutions in the United States, the clock is now ticking. As your customers find out they are not among the 13+ million consumers (BofA's current online base) receiving extra protection, they will be demanding the same from you. And if you thought BofA was aggressive in its free bill pay promotion, wait until you see the marketing blitz on this one. Extra authentication simply MUST BE in your 2006 plans.

-- JB

*For several years, ING Direct has asked for a third bit of info at login, but the necessary info is relatively easy to obtain (for example, zip code). Also, earlier this year, E*Trade launched security tokens for its high-rollers. But BofA is the first with a broad, secure, and non-hardware-based approach.

Comments (0)

NBC Nightly News Takes the Banking Industry to Task Yet Again

By Jim Bruene on May 25, 2005 4:59 PM | Comments (0)

During the past year, NBC Nightly News, more than any other national show, has publicized fraud concerns in the online channel. They played a large role in publicizing the $90,000 apparent key-logging loss by a Bank of America small business customer in Florida. They also covered, rather sloppily, last summer's flawed Gartner study about multi-billion dollar losses in identity theft.

The most recent story, which appeared on television last night, covered demand draft fraud initiated at Qchex.com among other locations. The NBC Nightly News story appears to have been based primarily on a May 24 article by MSNBC's Bob Sullivan in his closely watched online column on ecommerce. Sullivan was also the primary source for the Gartner story.

Analysis
When NBC goes on the air pointing fingers at the banking industry's security practices, you better be ready with a response. Your branches and customer support personnel should be briefed on the subject and be prepared to answer customer concerns. You should also prepare a response in your online service HELP/FAQ area that addresses the issue.

In the future, you might want to pay attention to Bob Sullivan's columns. If he's writing about it, and if it's a new twist on an Internet scam, there's a good chance the Nightly News will pick it up. Had you been reading his column yesterday morning at 8:15 am, you'd have had a day to prepare damage control.

As far as solving the demand draft problem, that's something we'll leave to the regulators. But requiring Internet originators like Qchex.com to verify account ownership before processing a debit would be a good first step.

--JB

Comments (0)

Online Banking Account Authentication Tips & Tricks

By Jim Bruene on May 23, 2005 2:53 PM | Comments (0)

Although the cyberthieves have made inroads this year, there are a number of clever low-cost authentication methods being tested. The thing they have in common: simplicity, with no new hardware.

Here is a quick recap of the available techniques. Generally, these techniques would be used in addition to a username and password:

To thwart keylogging (but not phishing):

  • virtual keypad (or string of numbers from 1 to 10): user selects numbers from the keypad/list instead of typing (for added security the numbers should be positioned differently each time)

To thwart keylogging AND phishing:

  • picture/graphic selection: instead of a numerical ID, users identify the correct graphical image or picture from an ever-changing pool of choices
  • bingo card: user enters the requested coordinates (which change each login) from a preprinted "bingo" card (refer to previous NB article)
  • one-time PINs: user enters a number from a list of one-time-use PIN numbers previously mailed, emailed, text-messaged to a mobile phone, or voice messaged to any phone
  • shared secrets: the bank and the user establish a series of shared secrets, one of which must be answered correctly to complete login
  • random partial passwords: similar to the shared secret approach, the bank asks for a different portion of the PIN number at each login

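Server-side checks for two of the techniques listed above, the bingo card and the random partial password, as an added example that is not any bank's or vendor's code. The card layout and PIN values are constructed sample data; the point is that the requested coordinates or positions are drawn fresh for every login, so a reply captured by a keylogger does not answer the next challenge.

```python
import secrets
import string

_RNG = secrets.SystemRandom()   # CSPRNG-backed sample() for challenge draws


def make_bingo_card(rows=5, cols=5):
    """The card the bank prints and mails to the user; the server keeps a copy per user."""
    alphabet = string.ascii_uppercase + string.digits
    return [[secrets.choice(alphabet) for _ in range(cols)] for _ in range(rows)]


def bingo_challenge(card, k=2):
    """Pick k distinct (row, col) cells to ask for; a fresh draw on every login."""
    cells = [(r, c) for r in range(len(card)) for c in range(len(card[0]))]
    return _RNG.sample(cells, k)


def bingo_verify(card, coords, response):
    """Compare the card characters at the requested cells with the user's reply
    (case-insensitive, constant-time)."""
    expected = "".join(card[r][c] for r, c in coords)
    return secrets.compare_digest(expected.encode(), response.strip().upper().encode())


def partial_password_challenge(length, k=3):
    """Ask for k distinct 1-based character positions of the PIN/password."""
    return sorted(_RNG.sample(range(1, length + 1), k))


def partial_password_verify(secret, positions, response):
    """Caveat for the partial-password scheme: the positions are not known until
    login time, so the server must hold the whole secret in recoverable form
    rather than as a one-way hash, which raises the stakes of a database breach."""
    expected = "".join(secret[p - 1] for p in positions)
    return secrets.compare_digest(expected.encode(), response.encode())
```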
For more information, refer to our previous NetBanker security articles and Online Banking Report (#93/94).

--JB

Comments (0)
Categories: Security & Privacy

Put an End to "3 Strikes and You're Out" Password Management

By Jim Bruene on May 19, 2005 12:01 AM | Comments (0)

Password management is a pain and only promises to get worse as banks and other ecommerce providers tighten up access controls due to sophisticated fraud attacks.

However there is one area where some banks are still "penny-wise and pound foolish." Specifically, the old-fashioned notion of locking an account after three unsuccessful password attempts.

It's just too easy to miss three times. Here's what just happened to me at Bank One's credit card site:

1. Correct username, incorrect password
2. Correct username, retype same (incorrect) password in case I made an inadvertent typo the first time (since the password is masked and I can't see what I typed the first time)
3. Correct username, another shot at the password which turned out to be incorrect (probably because I changed it last time I was locked out)

RESULT: Locked out and in need of an account reset, which luckily you can do online if you have the card number, expiration date, 3-digit code, and primary social security number.

Analysis
The last time we took an in-depth survey, in our April 2003 report on Security & Privacy (OBR 93/94), 4 of the 14 major financial institutions we tested locked users out after just three attempts, while 6 of 14 fell within the recommended range of 5 to 10 attempts.

We recommend that you allow at least five unsuccessful logins, and preferably closer to 10, prior to freezing the account. The amount of fraud deterred between locking out at three attempts vs. locking out at six is so small as to be virtually unmeasurable. However, there is a real cost in customer service and consumer dissatisfaction for constantly requiring password resets.

OK, I feel better now. Thanks for listening.

-- JB

Comments (0)

eBay Personalized Email Marketing

By Jim Bruene on March 24, 2005 5:21 PM | Comments (0)

eBay has been on the forefront of fighting online fraud, introducing Account Guard on its toolbar in Feb. 2004 (see Online Banking Report, #105/106 and #85), as well as a number of safeguards into its service delivery over the years.

The auction giant recently elevated the personalization in its emails, incorporating name and eBay username, in an effort to help users recognize genuine messages.

View closeup of personalization

--JB

If you'd like to learn more about the future of financial email messaging, check out Email Marketing in Financial Services: Leveraging the Inbox from our sister publication, the Online Banking Report.

Comments (0)

"Security Freeze" is the New Buzzword in Bank Marketing

By Jim Bruene on March 15, 2005 9:47 AM | Comments (0)

Security freeze is the latest buzzword in the world of privacy and online security. It was used today in the title of an article in The Wall Street Journal's Personal Journal section, Freezing Out Identity Theft.

Here's how it's used in the first sentence of the article:

In an effort to combat the rapidly escalating outbreak of identity-theft crimes, a handful of states including California and Texas have passed legislation that allows consumers to put a "security freeze" on their credit history.

Action Item
Use this phrase in your marketing to reassure wary customers. For example,

  • "Once you report any fraud, phishing, or identity theft, we will put a security freeze on your bank accounts against any unauthorized withdrawals."
  • "If someone tries to guess your password, we'll freeze your account against any more attempts."

And eventually, as you develop more advanced security preferences, customers will have the ability to put their own selected security freezes or locks on their accounts. For example, users who always access from one computer could lock out any access attempts from other IP addresses (see Quova for tools in this area). Or the customer could lock their account against point-of-sale transactions in other states and countries.

To learn more about how to promote online security and customer peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

Comments (0)
Categories: Security & Privacy

Security Applications may jump-start Mobile Banking

By Jim Bruene on March 14, 2005 3:33 PM | Comments (0)

With the ubiquity of personal computers in the United States, the text messaging market has been slower to develop here than abroad. And since most banking interactions can wait until you are comfortably situated in front of your home/work PC, mobile banking applications have not been a high priority.

However, there is a new application that may jump-start mobile phone banking initiatives. Security.

With public confidence in the security of online banking waning, telephones, especially cell phones equipped with text messaging, offer an excellent option for secure two-factor authentication.

Here's how it works:
1. Log in to the bank the old-fashioned way with username and password
2. A few seconds later, a four-digit number is text-messaged to your cell phone, or voicemailed to your land-line phone
3. Enter the four digits and start transacting

Text messaging can also be used for alerts, reminders, and other services.

But are U.S. users ready for advanced mobile phone features? It turns out the answer is a resounding YES. Would you believe 100 million U.S. users tapped into advanced features during the past three months? That's a 58% penetration of all 174 million mobile phone subscribers. And two-thirds of the 58% sent or received text messages (37% of all subscribers).

This fresh market data is courtesy of M:Metrics, a new Seattle-based telecom researcher, which based these estimates on usage data compiled across 35,000 U.S. mobile phone subscribers.

Not surprisingly, younger users embraced text-messaging the strongest. The penetration rate was above 50% in both the 18-24 year-old (68%) and 25-34 (52%) groups. The lowest penetration was 14% in the over-65 group.

Here are more details on the advanced usage and percent penetration across all 174 million mobile phone subscribers:

Used at least one service           100 mil   58%
  Sent or received text message      65 mil   37%
  Used mobile email                  24 mil   14%
  Accessed news/info via browser     22 mil   13%
  Downloaded ringtone                22 mil   13%
  Received text-message alert        15 mil    8%
  Used instant messaging             15 mil    8%
  Sent photo message                 12 mil    7%
  Downloaded display graphic         11 mil    6%
  Downloaded mobile game              6 mil    3%

Source: M:Metrics, March 2005, n=35,381 for quarter ending 31 Jan 2005

Read the full release.

--JB

Comments (0)

More Online Fraud Statistics from Gartner

By Jim Bruene on March 3, 2005 12:38 PM | Comments (0)

Fraud-fighting vendors Quova and Cyota hosted a webinar today featuring Avivah Litan, from Gartner.

A couple interesting Gartner stats that you can use in trying to