
Passwords: The First Line of Defense and Crucial to Security Perceptions

By Jim Bruene on April 6, 1999 7:45 PM

In general, we are not impressed with how banks have approached passwords. With so much on the line, both in consumer perceptions and in actual monetary losses, financial institutions should be taking an active role, both at their own Web sites and at other ecommerce sites where password cracking is likely to lead to compromised credit card numbers.

We advise you to take an active role in educating the marketplace on effective password strategies. And your responsibility doesn’t end with your Web site. If users are using the same username/password combo at eSkateboarding.com as they do at the bank, you’ve got a security problem.

Making User-Selected Passwords More Secure*

  •  require at least 8 characters, 1 of which is a number
  •  require the use of a special character such as # or !
  •  it cannot be the same as your ATM card PIN
  •  it cannot match anything in your name, account numbers, date of birth, email address, etc.
  •  it cannot match any dictionary word
  •  don’t use “remember my password” functions
  •  it cannot be used at any other Web site
  •  force users to change it every 3, 6, or 12 months

Source: Online Banking Report, 4/99

*or you could simply not allow users to choose their own
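The rules in the list above as a checker, added here as an example and not code from Online Banking Report: the word list is a constructed stand-in, the personal-data and dictionary checks are one reasonable reading of the rules, and the "not used at any other Web site" rule is left out because the bank cannot verify it.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a real word list; a production check would load a full dictionary.
DICTIONARY = {"password", "banking", "welcome", "letmein", "skateboard"}
SPECIAL = set("!@#$%^&*()-_=+[]{};:,.?/\\|~`'\"<>")


def password_violations(password, name="", account_numbers=(), dob="", email="", atm_pin=""):
    """Return the rules from the list above that a proposed password breaks (empty = acceptable).

    dob is an ISO date string such as "1970-05-17"; account_numbers is any iterable of numbers.
    """
    low = password.lower()
    problems = []
    if len(password) < 8 or not any(ch.isdigit() for ch in password):
        problems.append("at least 8 characters, 1 of which is a number")
    if not any(ch in SPECIAL for ch in password):
        problems.append("must contain a special character such as # or !")
    if atm_pin and password == atm_pin:
        problems.append("must not be the same as the ATM card PIN")
    # Personal data: any name part, account number, date-of-birth form or the
    # local part of the e-mail address appearing inside the password is rejected.
    personal = [part for part in re.split(r"\W+", name.lower()) if len(part) >= 3]
    personal += [str(acct) for acct in account_numbers]
    if dob:
        born = date.fromisoformat(dob)
        personal += [born.strftime("%m%d%Y"), born.strftime("%m%d%y"), born.strftime("%Y")]
    local_part = email.split("@")[0].lower()
    if len(local_part) >= 3:
        personal.append(local_part)
    if any(item in low for item in personal):
        problems.append("must not match name, account numbers, date of birth or e-mail")
    # Dictionary rule: strip digits and punctuation so "Welcome#1" is still caught as "welcome".
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("must not be a dictionary word")
    return problems


def password_expired(last_changed, today, max_age_months=3):
    """Forced rotation check on ISO date strings; months are approximated as 30 days here."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=30 * max_age_months)
```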

Multi-level passwords

But there is only so much you can do to protect users from themselves. Passwords will be lost, stolen, and abused. Ultimately to protect yourself, and make users feel more comfortable, you’ll need a more robust, multi-level approach to passwords. The goal is to protect high-value transactions such as bill payments in a different way than you safeguard routine balance inquiry transactions.

One way to defeat fraudulent bill payment attempts is to use an authorization algorithm in much the same way credit card transactions are authorized through the use of sophisticated algorithms developed by mathematicians and commercialized by Fair, Isaac and others. Here is a simple two-dimensional matrix to illustrate the concept:

Bill Pay Transaction Authorization
Password requirements vs. activity

[Image: 99-April-Passwords.jpg, the Bill Pay Transaction Authorization matrix]

Source: Online Banking Report, 4/99


Even when already in the password-protected Web banking function, CompuBank users must enter a “Fed Wire PIN” to access interbank transfers.

CompuBank (Houston, TX; $5.6 million in assets, $587,000 in deposits 12/31/98) was the first bank we’d seen take this approach with an additional PIN in front of outbound monetary transfers including ACH, wire, and bill payment (OBR 10/98) (screenshot above).

Multi-Level Password Techniques

  •  have customers fill out a series of challenge questions to authenticate significant monetary transactions, e.g., birthplace, date of birth, pet, etc.
  •  require an extra password or email/VRU confirmation sequence when changing account details, e.g., change of address
  •  require an extra password or email/VRU confirmation when transferring money outside the bank (including bill payments)
  •  require an extra password or email/VRU confirmation when accessing accounts from a different computer
  •  require an extra password or email/VRU confirmation to add new merchants

Source: Online Banking Report, 4/99

The problem with more robust password schemes is that they have the potential for making your Web banking program harder to use, especially at first, a problem we discussed in depth last month (OBR 3/99). There is a distinct trade-off between easy-to-remember and secure. There is also a financial consideration: do you want to spend money in customer service doing large numbers of password resets on hard-to-remember passwords, or would you prefer to quietly accept a few fraud losses each year and hope they don’t make it into the press?

Password Scorecard

[Image: 99-April-Passwords3.jpg, the Password Scorecard]

Source: Online Banking Report, 4/99

Sharing the burden with users

Ultimately you must share the responsibility of fraud protection with the user. Using email communications and user-set, fraud-control parameters, you can let users decide exactly what level of risk they are willing to accept (within reason). You could reward users that go the extra mile in protecting their account from fraud with lower prices or extra features, for example:

Incenting Users to Fight Fraud

  •  let users decide when to be challenged with a question/additional password
  •  provide discounts if users accept more rigorous account protection schemes (similar to a homeowner’s insurance discount for installing an alarm system)
  •  provide better fraud-loss protection and guarantees if users accept more rigorous account protection
  •  provide special VIP treatment for fraud-fighters such as 24-hour premium customer service, customer service chat rooms, and other benefits

Source: Online Banking Report, 4/99


You also have a responsibility to the 80% to 90% of your customers not using online banking. Ironically, they may be even more vulnerable to online fraud than your online user base. Identity thieves can sign on in their name and pull money from their accounts through bill payment. You should be very concerned about this type of attack, because it would be a PR nightmare, causing your conservative, high-deposit-balance customers to question the safety and soundness of your entire operation.

Shore Up Your Internal Operations

  •  third-party technology/security audits of vendors
  •  create good internal controls for authenticating new users and requests for password resets
  •  educate staff on the perils of identity theft
  •  prepare a damage-control plan in advance of your first publicized online fraud occurrence (it WILL happen)
  •  authorize bill pay requests as you would credit card charges, based on size of trans, time of day, pop location, type of trans, type of merchant address (P.O. box or PMB number), recent changes in merchant address, recent change in consumer address, past trans from user, profile of payees, and so on
  •  contact customers regarding unusual activity
  •  verify new payees receiving large payments
  •  watch for unusual activity from new online accts, and/or those with recent address changes

Source: Online Banking Report, 4/99
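The authorization idea from the matrix above, worked through on the bill-pay factors in this list, as an added example that is not code from the report or from CompuBank: each request is scored on those factors and the score picks the control tier, from session password through an extra transfer PIN and challenge questions to holding the payment and contacting the customer. Record shapes, point values, the 30-day window and the tier cut-offs are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Record shapes, point values and thresholds are assumptions; dates are ISO strings, empty when unknown.
@dataclass
class Payee:
    address: str
    address_changed: str = ""      # last change to the payee's address
    ever_paid: bool = False        # has this customer paid them before?

@dataclass
class Customer:
    enrolled: str                  # online banking enrollment date
    address_changed: str = ""
    typical_payment: float = 0.0   # average of the user's past payments
    new_computer: bool = False     # session from an unrecognised machine

RECENT = timedelta(days=30)
MAILDROP = re.compile(r"\b(P\.?\s?O\.?\s?Box|PMB)\b", re.IGNORECASE)
TIERS = [(1, "session password only"), (3, "extra transfer PIN"), (5, "challenge questions")]

def risk_score(amount: float, when: str, payee: Payee, cust: Customer):
    """Score one bill-pay request on the factors listed above; returns (score, reasons)."""
    now = datetime.fromisoformat(when)
    def recent(iso):
        return bool(iso) and now.date() - date.fromisoformat(iso) < RECENT
    hits = []
    if amount > 3 * max(cust.typical_payment, 1.0):     # brand-new users have no history
        hits.append((3, "amount far above this user's past payments"))
    if now.hour < 6 or now.hour >= 23:
        hits.append((1, "off-hours request"))
    if MAILDROP.search(payee.address):
        hits.append((2, "payee address is a P.O. box or PMB"))
    if recent(payee.address_changed):
        hits.append((2, "payee address changed recently"))
    if recent(cust.address_changed):
        hits.append((2, "customer address changed recently"))
    if not payee.ever_paid:                             # verify new payees, more so for large payments
        hits.append((2 if amount >= 1000 else 1, "new payee"))
    if recent(cust.enrolled):
        hits.append((1, "recently opened online account"))
    if cust.new_computer:
        hits.append((1, "access from a different computer"))
    return sum(pts for pts, _ in hits), [why for _, why in hits]

def required_control(score: int) -> str:
    """Map the score onto the escalating controls described on this page."""
    return next((ctl for limit, ctl in TIERS if score <= limit), "hold payment and contact customer")
```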

Categories: Security & Privacy