By Jim Bruene on April 7, 1999 7:48 PM
Most of this discussion so far is at odds with what we discussed last month in terms of getting new users off to a good, quick start with your online banking service. But good security and ease of use don’t have to be mutually exclusive. Following is a hybrid concept originally developed while in the employ of a major regional bank about five years ago. It was never fully deployed, but we think it is still a valid approach.
The primary goal is to get new users started immediately with read-only account access. However, full authentication through in-person or snail mail procedures would be required before money could be removed from the account through outbound ACH or bill payment.
First-Time User Quick-Start Program
1. Existing ATM customers can look at their data online (read-only) immediately by logging in with account number and ATM PIN (personal identification number).
2. Bank sends a snail mail confirmation with a bank-generated password to access transactional functions, such as bill pay and funds transfer.
3. Upon receipt, users could log in with account number, PIN and bank-generated password.
4. Users would select their own username and password. For additional security, the bank could allow only read-only access to data with user-selected names and continue to require the bank-generated password to move money out of the account.
5. If users subsequently forget their user-selected codes, they could always revert to read-only access with account number and PIN; however, if they forgot the bank-supplied code, they would need to have a new one sent via snail mail.
6. Call center reps would not have access to PINs or bank-generated passwords. Special highly trusted reps could handle passwords by calling customers with new passwords, or they could be mailed out through secure mailing methods.
Source: Online Banking Report, 4/99
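The access tiers in the quick-start program above, sketched as an added example (not code from Online Banking Report or any bank), using the step 4 option where user-selected credentials stay read-only. It assumes the customer record has already been looked up by account number or username, and that a supplied-but-wrong secret denies the login outright; `Customer`, `access_level` and `choose_password` are hypothetical names.

```python
import hashlib, hmac, os
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ_ONLY = 1   # view balances and history
    TRANSACT = 2    # bill pay, funds transfer, outbound ACH

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _ok(stored, supplied: str, salt: bytes) -> bool:
    # Constant-time comparison; an unset credential never matches.
    return stored is not None and hmac.compare_digest(stored, _kdf(supplied, salt))

class Customer:
    def __init__(self, atm_pin: str, mailed_password: str):
        self.salt = os.urandom(16)
        self.pin = _kdf(atm_pin, self.salt)
        self.mailed = _kdf(mailed_password, self.salt)  # bank-generated, sent by post
        self.user_pw = None                             # chosen by the user in step 4

def access_level(c, pin=None, user_pw=None, mailed=None) -> Access:
    # Assumption: any supplied secret that fails verification denies the whole
    # login instead of silently downgrading to read-only.
    supplied = [(c.pin, pin), (c.user_pw, user_pw), (c.mailed, mailed)]
    if any(s is not None and not _ok(stored, s, c.salt) for stored, s in supplied):
        return Access.NONE
    if pin is None and user_pw is None:
        return Access.NONE          # the mailed password alone is not a login
    # Steps 1, 4, 5: PIN or user-selected password alone is read-only.
    # Step 3: the bank-generated password is what unlocks money movement.
    return Access.TRANSACT if mailed is not None else Access.READ_ONLY

def choose_password(c, new_pw: str, pin: str, mailed: str) -> bool:
    # Step 4 follows step 3: require the full mailed-password login first.
    if access_level(c, pin=pin, mailed=mailed) is not Access.TRANSACT:
        return False
    c.user_pw = _kdf(new_pw, c.salt)
    return True
```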
NextCard forces periodic password changes.
One avenue open to financial institutions is to take the role of the designated cyberspace security guard in your chosen market by building an “ecommerce portal.” The definitions of both ecommerce and portal are fuzzy enough that this could mean just about anything. What we had in mind is a place where users can begin their ecommerce activities in an environment where they trust that their information, especially financial information, will remain safe, secure and private, and a service that authenticates users so that merchants know they are dealing with legitimate customers. Credit for this concept must be given to long-time OBR editorial board member Brian Donaldson, who recently became CEO of Authentic8, a start-up involved in digital security and smart card technology (www.authentic8.com, (425) 451-1015).
Source: Online Banking Report and Authentic8, www.authentic8.com 4/99