
American Express Archives

American Express Plum Card Update

By Jim Bruene on November 7, 2007 11:28 AM | 0 Comments

As promised in its teaser print buy, American Express delivered my Plum Card invitation in the wee hours Monday morning (2:06 AM Pacific time, see screenshot below). The message, with my first and last name in the salutation, was short and sweet and directed me back to the main website to apply at <plumcard.com>.

It's all first class work, but the generic call-to-action surprised me a bit since I'd put my name on the "wait list" last week (see post here). I expected a more personalized invitation and link. The website doesn't appear to recognize me either (see screenshot below).

Email Invitation (1 Nov 2007)

American Express email invite for Plum Card 

Plum Card homepage (5 Nov. 2007)

American Express Plum Card homepage


American Express Plum Card Uses "Scarcity Marketing"

By Jim Bruene on November 1, 2007 10:50 AM | 3 Comments

As a financial services junkie, I've long been a fan of American Express (see note 1). During the past 20 years, as credit cards increasingly became a commodity with no annual fees, loss-leader teaser rates, and look-alike marketing, AmEx has done a superb job maintaining a premium image and pricing. I keep my Gold Card in my travel bag and use it once every year or so when I don't want to expose the numbers of my business MasterCard. But I would never cancel it, despite the $75 annual fee, or I'd lose my "member since 1989" status. That, my friends, is what brand loyalty is all about.

The latest product designed for small businesses, those with "6- or 7-figure revenues," is the Plum Card. I learned about it in a 2/3-page full-color burgundy ad in yesterday's Wall Street Journal (Oct. 31, p. A11). An identical ad appears today (Nov. 1, p. A10). Its standard teaser fare tells readers that the "application releases in 5 days" (today, 4). The bottom of the ad contains a special URL, <PlumCard.com> where prospective customers can get more info. The card was originally announced at an INC 5000 event Sep. 7 (see coverage here).

After seeing the print ads, I and another 100,000 people headed to Google to see what was going on. Wisely, the company purchased not only the top spot on Google for "plum card," but also supported the print buy with an additional twist, "Who's getting a Plum Card? Initial release of 10,000 cards." The novelty of a new financial services product with limited availability, a technique AmEx has used for years with Platinum/Black, should attract click-throughs.   

The landing page (here) continues the theme of anticipation and exclusivity, with, get this, a WAIT LIST to be one of the first 10,000 to receive the card. A countdown timer in the upper right lets me know exactly how much time I have to wait, in this case 3 days, 11 hours and 6 minutes. If I'm not mistaken, that's Sunday night at midnight Eastern time.

I'm on the wait list, so I'll let you know what I learn on Monday when I receive my application.

Plum Card pricing
There's no argument the marketing is first class, but what about the card itself? Is there anything that AmEx or anyone can do to distinguish themselves in the crowded field of business charge cards?

Time will tell, but it has a unique cash-flow and discount plan that could be very appealing to business customers. Users who pay their bill within 10 days receive the industry-standard "net less 2%" discount (see note 2). Alternatively, users can pay just 10% of the total due and defer the balance for two months interest free. At that time, the balance is due in full. There is no information in the terms and conditions about an annual fee, but I'd expect one.

Notes:

  1. If my wife would have been willing to move to NYC, I'd have tried very hard to get a job there after completing my obligatory MBA. 
  2. The 2% discount applies on spending of $5,000 or more; otherwise, the net-10 discount is 1%.

Password Reset Alert from American Express

By Jim Bruene on August 25, 2007 9:17 AM | 0 Comments

I received an email from American Express late last night after resetting my password earlier in the day (see screenshot below). I can never remember my AmEx password, because I can't use my usual one due to the company's surprisingly short field of just 8 characters that also doesn't support special characters. I have it written down somewhere, but I can never find that either.

I went online late Friday afternoon to pay my overdue bill at AmericanExpress.com. I was pretty sure it was one of three possibilities, but after two unsuccessful attempts, and with the website warning me the third attempt would cause a lockout (note 1), I decided to go through the online reset process instead. 

That was easy. I just needed the card number, the code on the front of the card, and the answer to a security question. At that point, AmEx displayed my username and let me reset the password. It's one of the easier reset processes I've tested. That's a benefit to customers and helps cut customer service costs for AmEx. 

What I liked most was the email message sent later that night informing me of the password reset (screenshot below). But I don't understand why it was sent more than six hours later. Why not send it right away? That would be far more impressive to customers, and would help reduce any potential fraud or privacy violations. Better yet, send a text message right to the customer's mobile, so they have real-time knowledge of the account changes.

Email Critique
Personalization: The company uses two pieces of personalization, cardmember name and the last five digits of the account number, to differentiate this message from the average phish. Excellent.  

Subject line: "Your American Express Forgotten User ID" is good and right to the point.

From: "American Express" using an American Express email address. Good.  

Headline: "Verify Your Account Transaction" is a little confusing. All I did was reset my password. I'm not sure the average person views that as a "transaction."

Copy: The copy is short and to the point, but it could use a little editing for clarity. The third sentence, "If you did contact us...." seems unnecessary. And "If you did not complete the retrieval...." is not very user friendly language.

Design & Layout: Excellent.

Overall Grade: A- for the message, B- for timeliness

Note:

1. We recommend allowing more than three attempts before lockout. It's pretty easy to forget a digit or make a typing mistake. See our Online Banking Report on Security (#119) for more information.  
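Worked example, added here and not code from the original post or from American Express: a small Python login service that does what this post and its note ask for, namely allowing more than three attempts before lockout (five is assumed as the default), warning one attempt before lockout, giving a clear message once locked, and queueing the password-reset confirmation immediately, personalized with the cardmember's name and the last five digits of the account number. The ten-wrong-password run mirrors step 5 of the testing procedure in the "Password Procedures" post further down this page; all usernames, passwords and account numbers are constructed sample data.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Account:
    username: str
    name: str
    account_number: str
    password: str  # plaintext only in this constructed sample; a real system stores a hash


@dataclass
class LoginResult:
    status: str   # "ok", "bad_password", "warning" or "locked"
    message: str


class CardAccountService:
    """Failed-login handling plus immediate reset notification, following the
    post's recommendations: more than three attempts before lockout (5 assumed),
    an explicit warning one attempt before lockout, a clear post-lockout message,
    and a confirmation queued the moment a password is reset, not hours later."""

    def __init__(self, accounts, max_attempts=5):
        self.accounts = {a.username: a for a in accounts}
        self.max_attempts = max_attempts
        self.failures = {}        # username -> consecutive failed attempts
        self.locked = set()
        self.notifications = []   # stand-in for the outbound email/SMS queue

    def attempt(self, username, password):
        if username in self.locked:
            return LoginResult("locked", "Your account is locked. Use the online "
                               "password reset or call customer service.")
        account = self.accounts.get(username)
        # Constant-time comparison; an unknown username counts as a failure too,
        # so the response does not reveal whether the username exists.
        if account and hmac.compare_digest(account.password.encode(), password.encode()):
            self.failures[username] = 0
            return LoginResult("ok", "Login successful.")
        fails = self.failures.get(username, 0) + 1
        self.failures[username] = fails
        left = self.max_attempts - fails
        if left <= 0:
            self.locked.add(username)
            return LoginResult("locked", f"Your account is now locked after {fails} "
                               "unsuccessful attempts. Use the online password reset "
                               "or call customer service.")
        if left == 1:
            return LoginResult("warning", "Incorrect password. One more unsuccessful "
                               "attempt will lock your account.")
        return LoginResult("bad_password", f"Incorrect password. {left} attempts "
                           "remaining before lockout.")

    def reset_password(self, username, new_password):
        """Reset the password, clear any lockout, and queue the confirmation right away."""
        account = self.accounts[username]
        account.password = new_password
        self.failures[username] = 0
        self.locked.discard(username)
        note = {
            "to": username,
            "sent_at": datetime.now(timezone.utc),
            "subject": "Your password was reset",
            # Name plus last five digits: enough to distinguish it from a generic phish
            "body": (f"Dear {account.name}, the password for your account ending in "
                     f"{account.account_number[-5:]} was reset just now. If you did "
                     "not do this, call customer service."),
        }
        self.notifications.append(note)
        return note


def run_lockout_test(service, username, wrong_password="wrong", tries=10):
    """Ten wrong passwords in a row; returns the sequence of statuses the user saw."""
    return [service.attempt(username, wrong_password).status for _ in range(tries)]


# Constructed sample account (not a real name, number or password).
SAMPLE_ACCOUNTS = [Account("jdoe", "Jane Doe", "0000-0000-12345", "Gold1989")]

if __name__ == "__main__":
    svc = CardAccountService(SAMPLE_ACCOUNTS)
    print(run_lockout_test(svc, "jdoe"))
    print(svc.reset_password("jdoe", "Plum2007")["body"])
    print(svc.attempt("jdoe", "Plum2007").message)
```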


In 2006, 86% of credit card direct mail included online options

By Jim Bruene on March 5, 2007 11:13 AM | 4 Comments

Advertising-monitoring firm Mintel Comperemedia reported last week that nearly 9 out of 10 credit card solicitations in 2006 directed recipients to the Web, up sharply from 56% in 2003 (see notes 1 and 2). Several big mailers, namely American Express, still seem reluctant to offer website response as an option, at least in the mailers we see at our house.

American Express's tests must show that offering too many choices lowers response. But if you don't have the budget of American Express, which can afford to drop a mail piece in every credit-worthy household every two or three weeks, you should add website options to your direct mail creative. That way, you can at least capture a lead at your website, even if the recipient doesn't ultimately accept your credit offer.

Total mailing volume for 2006 was 9.2 billion pieces (see note 1), or about 3 per week per credit-worthy household. Two of those were from the five largest mailers listed below which accounted for more than 60% of the volume, according to Comperemedia. JPMorgan Chase accounted for 18% on its own. 

In another data slice from Comperemedia, cited by Capital One in a Feb. 2006 investor presentation (PDF here), response rates have fallen from 1.4% in 1995 to 0.3% in 2004 (see note 3).

Here's a breakdown of the billion-piece club, and their percent change compared to 2005:  

1. Chase >>> 1.7 billion (down 4%)

2. Capital One >>> 1.2 billion (up 13%)

3. American Express >>> 1 billion

4. Citibank >>> 980 million (down 2%)

5. Bank of America/MBNA >>> 920 million (down 17%)

Other top-10 mailers: HSBC (up 25%); Discover (up 29%); Barclays Bank (190 million, up 70%)

Note:

1. Comperemedia tracks mailing volume for more than 150 large financial institutions. So the figures here do not include mailings from thousands of smaller banks and credit unions. In total, those probably account for less than 5% of the total from the top-150. 

2. Comperemedia press release is here. Interview of Comperemedia director Jenny Roock by MediaPost is here.

3. Credit card response rate slide from Capital One's investor presentation (PDF) at the Debt & Equity Conference, Feb. 2006; data from Comperemedia.

Credit card industry response rates


StopPong.com from American Express

By Jim Bruene on September 5, 2006 4:31 PM | 0 Comments

If you watched any U.S. Open tennis over the holiday weekend, you couldn't miss the American Express tie-ins. My favorite commercial showed Andy Roddick exchanging ground strokes with a white bar designed to look like the early video game, Pong. It has nostalgic appeal to younger baby boomers who played the original Atari game in the late 1970s, and it was funny enough to get the attention of younger consumers.

The commercial ended with a tie-in to a special website, <stoppong.com>, where the game can be played online. It's much like the original, not surprising given the site was built by Atari Interactive. With the mouse, the user operates Roddick who bats the ball back to the white bar. Like the original, the game speeds up the longer the ball stays in play. In a modern twist, you can choose either 3-D or 2-D version. The top 100 scores are listed to help stoke the competitive spirit.

Screenshot: Stop Pong game

Analysis
Overall, it's a good campaign with engaging broadcast advertising driving customers to a good website with viral hooks. We do have a few suggestions:

  1. Add Google support: The first step for the majority of Internet users will be to enter "stop pong" or something similar into Google. Luckily, the Stop Pong microsite is in first position in the organic results, so it's relatively easy to find. However, numerous first-page blog-listings could snag the traffic before they ever get to the genuine site. American Express should support the expensive campaign with a relatively inexpensive Google AdWords buy on the relevant terms, "American Express Roddick," "American Express pong," "stop pong" and so on.  On a 10-point scale, the company is docked half a point for this.
  2. Personalize it: There should be some way for users to add their name to be shown on the screen during play. Even more important, it should track each user's high score during the session.
  3. Grab leads: In addition to personalization, users should have the option of saving their high score(s) by registering with a username, password, and valid email address. Give registrants the ability to opt-in for future marketing messages.
  4. Make it viral: Offering the HTML code in the lower left is a good viral marketing move. An even better one, because anyone can do it, is to provide an email-your-friend option. Even better: allow friends to email their scores to others as a challenge.
  5. Offer player rewards: Another way to increase word-of-mouth is to offer prizes, not for scoring high, which might run afoul of gaming regulations, but at random simply for playing the game. 
  6. Allow the sound to be turned off (on screen): Obviously the designers have never worked in a "real office" where the sound of a pong game coming out of your cubicle is not exactly what the boss had in mind when he/she asked you to "serve up some ideas for the next project meeting." Whenever you add audio to your website, make sure you have a visible on-screen mute button.
  7. Support the campaign on landing pages: Neither of the landing pages accessible through the microsite is customized for the Pong campaign. However, the main "My Life. My Card" page <mylifemycard.com> (see screenshot by clicking "continue" below), reached by clicking on the banner in the upper left, includes "play pong" superimposed on a small picture of Roddick. But the main clickthrough spot, the banner in the lower right, leads to the regular "My Life. My Card" selector tool with no mention of Pong, tennis, or the U.S. Open.

Overall Grade
Even though we think American Express could do a better job capturing leads, it's probably better to err on the side of a too-soft sell instead of too-hard, especially if the goal is to have the online game grow virally through blog and other media mentions.

We'll give it an A for creative and B+ for execution.

--JB

Appendix
Here's the main "My Life. My Card" site reached by clicking on the logo in the upper left of the Stop Pong site:

Screenshot: My Life. My Card home page

Here's the card selector reached from the banner in the lower right of the Stop Pong page:

Screenshot: My Life. My Card card selector


Juniper Bank, UBS Wealth Management Create a Clever Marketing Tool

By Jim Bruene on April 30, 2006 5:55 PM | 0 Comments

UBS Wealth Management US last week launched a new payments-card package for its brokerage customers that, among other things, cleverly turns an ordinary American Express card into what amounts to a debit card. The program was created for UBS by Barclays PLC's Juniper Bank unit.

The whole idea is to bind its customers to the U.S. brokerage unit of Zurich-based UBS by giving them a payments-card package that the firm hopes will be their primary spending vehicle, says Peter Stanton, executive director of the UBS unit's Banking Strategy Group. It's not an effort to enter the very tight U.S. credit card business.

“It’s definitely not our intention to be another credit card provider,” he says. “This is a consolidation strategy; it’s all connected to our role as their primary wealth-management advisor, and ties them closer to us because of the services we provide.”

On the surface, the package is an ordinary Visa credit card and an ordinary American Express charge card, bundled with a very extravagant rewards program that offers cardholders enticements like jet fighter rides or a sleepover at FAO Schwartz. Rewards run from one point to 1.5 points per dollar spent, depending on whether the customer chooses the basic “Select” Visa card or one of the more elite Visa cards that carry annual membership fees of up to $1,500. UBS says it has about 15,000 such accounts.

By offering its brokerage customers such payment packages, UBS joins a widening club of brokerage companies trying to retain customers whose loyalty is mercurial at best. “With acquisition costs so high, and turnover very high also, the emphasis has been to keep the customers they already paid for, happy,” says Ariana-Michele Moore, a senior analyst with Celent Communications.

The Amex card allowed UBS and Juniper to create a vehicle that functions like a debit card from the user’s perspective—UBS calls the card a “delayed debit card,” though Amex insists that the cards are ordinary Amex cards—while earning the issuer the much higher American Express interchange fees.

It does this by an interesting sleight of hand that seems to be built around the fact that none of the parties to the deal care what the card is called, as long as they get what they want from it. Cardholders use the Amex card like an ordinary debit card, including being able to use it to withdraw surcharge-free cash at ATMs that accept Amex cards. At the end of the month, their central brokerage account, or RMA (resource management account), is automatically debited, and no bill is sent to the customer. Purchases are limited to the funds available.

This way, UBS gets what amounts to a debit card for its customers, while Amex and Juniper get full price for an Amex card. And as an added bonus, Juniper gets a piece of the debit card market, which is quickly overtaking credit cards as the payment vehicle of choice in the United States.

How the parties came up with this deal is unknown. UBS’ Stanton says his shop approached Juniper around August of 2004 as part of a typical RFP process, and went to contract last April. Juniper refused any comment on the matter, referring all questions to UBS.

“It has in-between functionality,” says Stanton. “It functions as a debit in the sense that it accesses your available funds; it functions as a charge card because the charges accrue, and instead of having to make some sort of payment, the payment is automatic.” The idea, he adds, was to allow purchases to be made without interfering with a client’s trading accounts.

All in all, it’s a smart deal, says Celent's Moore—among other things, because people with brokerage accounts are typically wealthier, and travel overseas, so that the package gives UBS clients a secure spending vehicle.

“It’s all about providing flexibility to their brokerage customers, but it could also be enticement for people considering opening a UBS account—it could be the thing that tips the scale,” she says. (Contact: UBS Wealth Management US, 212-882-5698; Celent Communications, Ariana-Michele Moore, 503-617-6112)


Online Card Receipts from American Express

By Jim Bruene on March 27, 2006 9:47 AM | 0 Comments

Do you ever wonder why American Express, with fewer merchant outlets and higher prices, continues to command a 17% share of all U.S. debit and credit card volume (see note 1)?

Sure, the company's powerful brand supported by vast and memorable advertising is a factor, but it's also the product it delivers, optimized for business users and other big spenders. And the company never rests on its laurels. Even though I'm a light user, in 11 years of card ownership, I've received on average one card, letter, or email message every week, for a total of more than 500. The company does not let you forget about them.

American Express also continually improves its product. For example, the latest innovation, announced in an email today (click on inset left), is a minor new twist in online delivery. Cardmembers can go online and easily print receipts, one page per transaction, to be used to match up with other paper records, invoices, expense-reimbursement requests, and the like.

Simple instructions in the email message explain how to use the new option, one of three choices in the Print Options box (see inset upper left) located in the upper-right corner of the main Summary of Accounts page, the default shown after login (click on screenshot below for a closeup of the Summary page).

Will handy, printable receipts win American Express any awards? Hardly. It barely rates a bullet point in a brochure. But these little things all add up when cardmembers make the decision as to which piece of plastic to pull out of their wallet or purse.

--JB

Note:
1. Market share of all purchase volume on MasterCard, Visa, Discover and American Express credit and debit cards during first half of 2005 (Source: The Nilson Report, Aug. 2005, #840)


Cash and Cards Are Both Endangered Species

By Jim Bruene on February 7, 2006 7:48 AM | 0 Comments

Right around the corner is a world with neither cash nor payment cards. Contactless payments mechanisms—built into cell phones or even jewelry—are helping create this world, and the result will help change banking, thinks Theodore Iacobuzio, managing director of Tower Group’s executive research office.

The reality is that companies that once fed the banks’  payment networks—merchants, for instance—will be future competitors. But banks shouldn’t panic about this, any more than when, not so long ago, the Internet was supposed to be extinguishing banks. And banks won’t be disappearing now, either, thinks Iacobuzio: the anxiety over banking’s future, so prevalent in boardrooms around the country, is overdone.



Mobile Payments: Japan Leads the Pack

By Jim Bruene on January 27, 2006 5:39 AM | 0 Comments

The potential of cellphone-based mobile payments to eventually squeeze banks out of their central role in payments can already be seen in East Asia, says Andrei Hagiu, a principal at Market Platform Dynamics, and by ignoring it, American banks have nothing to lose but their business.

Hong Kong's Octopus prepaid debit card (see inset) is one example: Issued by Hong Kong's subway system and several other transportation companies, with no bank involved, Octopus cards drive about $2.2 billion in annual payments volume.



Platinum Upgrade from American Express

By Jim Bruene on December 13, 2005 7:48 AM | 0 Comments

Despite intense competition from MasterCard and Visa issuers, American Express has been able to maintain a substantial share of the high-end market for credit/charge cards. For the twenty years we've followed the company, its marketing has consistently conveyed an upscale image.

Case in point: The email we received today asking us to upgrade from our existing Gold Card to an American Express Platinum (click on inset for a closeup look).

The subject line said it all:

     Upgrade to a card with premium service

The benefits cited included:
* Complimentary airline ticket on any of the 18 participating airline partners
* Airport club access (Continental, Delta, Northwest Airlines)
* Hotels & resort special privileges
* Free Membership Rewards program
* By Invitation Only (privileged access and tickets to events that, in many cases, can't be purchased through any other source)

Analysis
The American Express solicitation is heavily oriented towards travel and entertainment benefits which plays to the company's strengths. A bank could do the same by concentrating more on the "premium service" aspect. For example:

  • Front-of-the-line service: Your service request, whether by email or phone, always goes to the front of the queue
  • Branch manager access: If you ever need to go direct to the top for any reason, just call (212) 555-1212 or email branchmanager@yourbank.com
  • Preferred access to product specialists: If you ever have an unusual problem, whether it be accessing your online banking account from your laptop, or how to fund your Roth IRA, we will connect you with a specialist with state-of-the-art knowledge in that area
  • Ft. Knox security: You need not worry about the safety and security of your bank accounts with our upgraded security and authentication algorithms

For more ideas, see "E-Service 2.0" (OBR 105/106).


Trendspotting: Capital One's No Hassle Credit Card Accounts

By Jim Bruene on October 17, 2005 4:04 PM | 0 Comments

David Spade's "no guy" has helped make Capital One's No Hassle credit card customer service parody one of the most-recognized consumer advertising campaigns of the year. According to the company, the commercials have helped lift Capital One's name recognition to 98% (see note 1).

Along the same lines, American Express is test marketing a no-fee automatic-rewards card called Clear. The card, which is available through its website (click on inset for closeup), features no fees (late, overlimit, annual) and automatic rewards fulfillment, a $25 cash card every time you spend $2,500 on the card. Cardmembers also receive a free credit report and credit score each year.

Finally, Citibank is about to jump on the back-to-basics movement with its no-late-fee Simplicity card expected to debut this week at an event in New York City (note 2). The card will come in three flavors: plain, cash-back, and rewards. The bank's website does not contain information on the card yet, but there is a separate customer service number listed that features a "press 0" option to be immediately connected to a live service rep.

Analysis
Although many consumers put up with penalty fees, there is always a point where they just won't take it anymore, especially if lower-cost options are readily available. That's why Blockbuster, faced with increasing competition from NetFlix, eBay, and WalMart, took a significant revenue hit when it eliminated late fees in its core movie rental business.

Citibank and the others are looking to win back consumers that have migrated to debit cards and/or credit unions to avoid penalty fees and interest charges. The cards also appeal to those with a strong aversion to fees either because they've had problems in the past or because they simply cannot stomach bank fees of any type.

--JB

Notes:
1. USA Today, 13 March 2005
2. Citi Simplicity was launched 14 October 2005
    - read the press release
    - see the website, www.citisimplicity.com


American Express Builds City Brands

By Jim Bruene on September 22, 2005 9:29 AM | 0 Comments

Financial institutions have done amazing things with their websites since Bank of America launched the first major commercial banking site 11 years ago (Sept. 1994). However, other than single-market credit unions and community banks, there hasn't been much attention paid to localizing the content to appeal to more narrow geographic segments, for example the customers in a single city or neighborhood.

Beginning a year ago, American Express began a campaign to bring specialized city-based cards to major metro areas. The cards are intended for the 25-to-35 year-old hip urbanites. The card design, marketing, and rewards all cater to the dining out, clubbing, and museum-going single scene.

The first card, IN:NYC <innyc.com> launched a year ago (30 Sep 2004) and was discussed in a front-page WSJ article today. The company won't disclose any results, but did say that 90% of its customers have not previously owned an American Express card, an important statistic for a company worried about cannibalizing its other products.

The IN:NYC card has its own look, website, and rewards program focusing on unique beyond-the-velvet-rope experiences in local clubs and eateries. In an interesting viral marketing strategy, friends are able to pool points in order to qualify for bigger rewards, such as a VIP table in a hot club.

The key cardmember benefits include:

  • 0% Introductory APR for 6 months on purchases and balance transfers
  • No annual fee
  • Option to carry a balance
  • One INSIDE Rewards point for every dollar spent
  • INSIDE Double points on City Essentials

The second city card was launched this month (19 Sep 2005) in Chicago. The IN:Chicago website is still a static billboard (see inset). Another card is in the works for Los Angeles, IN:LA, which is expected to launch later this year, although the company has yet to secure the rights to the website, inla.com.

Action Items
Many large banks alter their website content by state. However, the customization generally does not extend beyond minor pricing differences.   

To better compete with local institutions, banks should use their websites to deliver highly-customized geographic content. Event calendars, discounts, and other local event marketing could create better brand recognition and more word-of-mouth advertising opportunities. It would also give local branch staff more ownership of "their" website. Banks could use an easily remembered URL such as <ny.wamu.com> to house their local versions.

--JB


Password Procedures at 15 Financial Institutions

By Jim Bruene on April 8, 2003 7:23 PM | 0 Comments

Using our live test accounts, we changed passwords then subsequently “forgot” the new one to test how major financial institutions handle the situation. Overall, most received good marks, although everyone has room for improvement.  

Table 1: Password Scorecard

Safe Practices                                                                          Yes   No   Unknown
Use a third password or challenge question                                                1   13
Disable Internet Explorer AutoComplete                                                    9    5
Require 4 or more characters in passwords                                                13    1
Bank determines username                                                                  6    8
Require more than account number and social security number for online password reset    4    4      6
Send confirmation of password change to email address                                     2   12
Send confirmation of online password reset to email address                               2    6      6
Send confirmation of password reset to mail address                                       2    6      6
Allow more than 3, but less than 11 unsuccessful password attempts*                       6    5      3
Warn users in advance of account lockup                                                   3   11

Source: Online Banking Report, 4/03
*We believe users should have at least 5 login attempts, with clear instructions before and after lockout
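To make the Table 1 criteria mechanical, here is an added example (my own code, not part of the original report) that encodes the ten safe practices as checks and runs them over two of the scorecards that follow, American Express and Bank of America, transcribed into dicts whose field names are my own. It lists every unmet practice, so it reports more than the headline weaknesses the report singles out, and it tallies Yes/No/Unknown counts in the same shape as Table 1.

```python
# Each safe practice from Table 1 is a (label, check) pair. A check returns
# True (followed), False (not followed) or None (unknown / not observed).

def _lockout_ok(p):
    n = p.get("lockout_after_attempts")
    return None if n is None else 3 < n < 11


def _min_length_ok(p):
    n = p.get("min_password_length")
    return None if n is None else n >= 4


SAFE_PRACTICES = [
    ("Use a third password or challenge question", lambda p: p.get("second_password_or_challenge")),
    ("Disable Internet Explorer AutoComplete", lambda p: p.get("autocomplete_disabled")),
    ("Require 4 or more characters in passwords", _min_length_ok),
    ("Bank determines username", lambda p: p.get("bank_determines_username")),
    ("Require more than account number and social security number for online password reset",
     lambda p: p.get("reset_requires_more_than_account_and_ssn")),
    ("Send confirmation of password change to email address", lambda p: p.get("email_confirmation_of_change")),
    ("Send confirmation of online password reset to email address", lambda p: p.get("email_confirmation_of_reset")),
    ("Send confirmation of password reset to mail address", lambda p: p.get("mail_confirmation_of_reset")),
    ("Allow more than 3, but less than 11 unsuccessful password attempts", _lockout_ok),
    ("Warn users in advance of account lockup", lambda p: p.get("warns_before_lockout")),
]

# Transcribed from the American Express scorecard on this page (field names are mine).
AMEX = {
    "name": "American Express",
    "second_password_or_challenge": False,
    "autocomplete_disabled": False,
    "min_password_length": 6,                 # 6 to 8 characters
    "bank_determines_username": False,        # user defined
    "reset_requires_more_than_account_and_ssn": True,   # card ID, phone, last 4 of SSN, zip
    "email_confirmation_of_change": False,
    "email_confirmation_of_reset": False,
    # mail confirmation of reset not observed -> key omitted -> Unknown
    "lockout_after_attempts": 3,
    "warns_before_lockout": True,             # red warning after attempt two
}

# Transcribed from the Bank of America credit card scorecard on this page.
BOFA = {
    "name": "Bank of America Credit Card",
    "second_password_or_challenge": False,
    "autocomplete_disabled": True,
    "min_password_length": 4,                 # 4 to 7 characters
    "bank_determines_username": False,        # user defined
    # no online reset, so reset-related practices are not applicable -> Unknown
    "email_confirmation_of_change": False,
    "lockout_after_attempts": 4,
    "warns_before_lockout": True,             # help section carries a clear warning
}


def score(policy):
    """Sort the ten practices into met / unmet / unknown for one institution."""
    result = {"met": [], "unmet": [], "unknown": []}
    for label, check in SAFE_PRACTICES:
        verdict = check(policy)
        bucket = "unknown" if verdict is None else ("met" if verdict else "unmet")
        result[bucket].append(label)
    return result


def tally(policies):
    """Yes / No / Unknown counts per practice, the same layout as Table 1."""
    counts = {label: {"Yes": 0, "No": 0, "Unknown": 0} for label, _ in SAFE_PRACTICES}
    for policy in policies:
        for label, check in SAFE_PRACTICES:
            verdict = check(policy)
            col = "Unknown" if verdict is None else ("Yes" if verdict else "No")
            counts[label][col] += 1
    return counts


if __name__ == "__main__":
    for policy in (AMEX, BOFA):
        print(policy["name"], "- unmet:", score(policy)["unmet"])
    for label, cols in tally([AMEX, BOFA]).items():
        print(f"{label[:60]:60} {cols['Yes']:>3} {cols['No']:>3} {cols['Unknown']:>3}")
```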


Testing process

1. Login with existing username and password

2. Change password or username

3. Logout

4. Use online password reset if available

5. Attempt to log back in 10 times with an incorrect password



American Express


Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete function not disabled
(2) No email confirmation of password change
(3) Account lockout too quickly, after third login try

Password structure: User defined, 6 to 8 characters with at least 1 letter and 1 number

Username structure: 5 to 20 characters with at least 1 letter

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Email confirmation of password change/reset: No

Online password reset: Yes, with card number, 4-digit card ID (on face of card), work phone number, last 4 digits of social security number, and 5-digit zip code

Account lockout with excessive login attempts: Yes, after third attempt; red warning issued after attempt two

Online username retrieval: Depends, certain accounts can retrieve their username online, others must call; we were in the latter group so could not test this feature

AutoComplete is not disabled on the login screen.

User friendly: American Express warns users after their second unsuccessful login that they will be locked out after one more attempt.

Password reset, step 1: Enter userid, card number, and 4-digit code from back.

Password reset, step 2: Enter personal info for authentication.


Bank of America Credit Card


Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 9 to 20 numbers

Password structure: 4 to 7 characters; cannot repeat 4 or more in same sequence as username; cannot be same character repeated

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 4 attempts; help section carries clear warning

Online username retrieval: No

BofA provides a helpful popup screen with each unsuccessful password attempt.


Centura Bank


Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) No warning of account lockout
(3) No customer service link or HELP available from login screen

Username structure: Social security number (with dashes)

Password structure: 6 to 15 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Password change: Online with old password; but neglected to provide an on-screen confirmation that the change occurred, an annoying usability flaw

Online password reset: No, must call; password sent via postal mail

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after sixth unsuccessful attempt; no prior warning

Online username retrieval: Unnecessary (SSN)

Centura had the best login screen “security look and feel.” It also provides a link to disclosures, but not a single mention of customer service or online help, even after making an unsuccessful login attempt. Evidently the bank’s lawyers have been through the site, but where’s customer service?

Charter One Bank

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No warning prior to account lockout
(4) No message after account lockout
(5) A bit too easy to gain read-only account access for new users; requires account number and social security number. However, there is a crucial safeguard for bill payment, which requires mother’s maiden name, date of birth, home phone number, and a 2-day waiting period.

Username structure: Social security number

Password structure: Must be at least 6 characters

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, but not sure when it happens, sometime before the tenth attempt; the bank does not provide a warning of impending lockout, nor does it let you know after you’ve been locked out; you only receive a cryptic error message.

Online username retrieval: Unnecessary (SSN)

AutoComplete has not been disabled at account login.

New users enroll with social security number and account number. Note the excellent use of security graphics during enrollment.

Chase Bank

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) No warning of upcoming account lockout
(3) No message after account lockout

Username structure: User defined, must include one number

Password structure: 6 to 10 characters, 1 of which must be a number

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with name, account type, account number, social security number, and two user selected challenge questions

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, sometime during the first 10 attempts; no warning message and no indication when the account is locked out, a “try again” message just keeps repeating

Online username retrieval: Yes, displayed online after entering name, account type, account number, social security number

Chase is one of the few banks offering online retrieval of forgotten usernames. After correctly entering name, account number, and social security number, the username is displayed. At that point you can login if you know your password. If not, you can retrieve your password online by answering two previously selected challenge questions. This is great from a usability standpoint, but the bank should send a confirmation via email and/or snail mail.

To reset the password, users answer two previously established challenge questions.

DeepGreen Bank

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No minimum password length, can be a single letter or the same as the username
(4) No warning before account lockout
(5) No message after account locked out

Username structure: User defined, can be all alpha

Password structure: 1 to 14 characters, can be the same as the username or a single character

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password and mother’s maiden name

Online password reset: Yes, with social security number and mother’s maiden name

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, but not sure when, because the lockout is not disclosed until the user attempts to login with the correct username/password.

Online username retrieval: No, must call, then wait 7 to 10 days to receive in the mail

A common security vulnerability: Failure to disable IE 6’s AutoComplete function.

Everbank

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) AutoComplete not disabled
(2) No email confirmation of password reset, even though it can be reset with info available to an identity thief, SSN and mother’s maiden name
(3) No email or on-screen confirmation of p/w change
(4) No warning before account lockout
(5) No help on login screen for the memory challenged

Username structure: Initially set as social security # (with dashes); can be changed online one time; 8 to 24 characters, not similar to current username, not same as password, not offensive, at least 2 numbers and 2 alphas

Password structure: 8 to 16 characters with at least one number and one letter, not similar to username, not similar to prior password, not the same reading backward and forward

Second password/challenge: No

IE 6 AutoComplete disabled: No

Password change: Online with old password; no confirmation of the change provided on-screen

Email confirmation of password change/reset: No

Online password reset: No, must call; new temp password given over the phone after providing SSN, name, address, date of birth, and mother’s maiden name

Account lockout with excessive login attempts: Yes, after fifth attempt, must call to reactivate; no warning prior to lockout

Online username retrieval: No, must call

Everbank provides no help at login for users that forget username or password, just a lengthy warning written by the lawyers.

First USA Credit Card (Bank One)

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password/username change or reset; especially important given relative ease of resetting username/password
(2) No warning before account lockout

Username structure: User defined, 7 to 16 characters, case sensitive

Password structure: 7 to 32 characters, case sensitive, must have at least 1 number, may not use the same letters consecutively, cannot match username or social security number

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online username change: Yes, with old password

Online password reset: Yes, with credit card #, social security #, signature panel code, and expiration date

Online username reset: Yes, with credit card number, social security number, signature panel code, and expiration date

Email confirmation of password or username change/reset: No

Account lockout with excessive login attempts: Yes, locked out after four attempts, no warning given

First USA is the only financial institution tested which allowed usernames to be reset online; nice for usability but a confirmation of the reset should be emailed and/or mailed to the cardholder.

Harris Direct (brokerage)

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change (though there is for password reset)
(2) Only 3 login attempts allowed before lockout (but can reset online relatively painlessly)

Username structure: User defined, 6 to 15 characters

Password structure: 6 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, a new disguised password is emailed after entering username and birth date; the new password is created from the account holder’s mother’s maiden name and social security number but is not disclosed in the email, e.g. the first 2 letters of mother’s maiden name plus last 4 digits of social security number.

Email confirmation of password change: No

Email confirmation of password reset: Yes, confirmation also sent via snail mail

Account lockout with excessive login attempts: Yes, after third attempt, but can be reset online; no warning before lockout

Online username retrieval: No, must call

HarrisDirect allows online reset after your account has been locked out for excessive login attempts. It was the only company which emails a disguised new password when resetting. For good measure, they also mail an identical confirmation.

ING Direct

Password Scorecard

Grade: Excellent

Username structure: Account number

Password structure: 4-digit number (called PIN)

Second password/challenge: Yes, one of 5 user-specified questions asked at login (see below)

IE 6 password remember disabled: Yes

Online password change: Yes, with old password

Email confirmation of password change: Yes; confirmation also sent via postal mail

Online password reset: No, must call

Account lockout with excessive login attempts: No (not in the first 10 attempts)

Online username retrieval: Unnecessary (acct #)

ING Direct is the only bank we know of using a challenge question at login. In addition to account number and password, one of these five rotating questions must be answered correctly:

  •  first 4 digits of social security number
  •  zip code of mailing address (first 5 digits)
  •  birth year (4 digit)
  •  last 3 digits of social security number
  •  last 4 digits of social security number

We like the concept, but the implementation is weak. By simply refreshing the browser screen, the would-be thief can select which question to answer, one of which is zip code, which is trivial to ascertain. 
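A server-side fix for the refresh weakness just described: draw the challenge question once per login session and pin it there, so reloading the page or answering wrong cannot re-roll it. This is an added example, not ING Direct's code; the question list is the one in the post, while the `WeakChallenge`/`PinnedChallenge` classes, the dict-based session store and the stored answers are constructed for illustration.

```python
import hmac
import secrets

# The five rotating questions the post lists for ING Direct, keyed by short ids.
QUESTIONS = {
    "ssn_first4": "first 4 digits of social security number",
    "zip5": "zip code of mailing address (first 5 digits)",
    "birth_year": "birth year (4 digit)",
    "ssn_last3": "last 3 digits of social security number",
    "ssn_last4": "last 4 digits of social security number",
}


class WeakChallenge:
    """Mirrors the behaviour the post criticises: every page load draws a fresh
    question, so reloading lets the visitor shop for the easiest one."""

    def show(self, session: dict) -> str:
        session["question"] = secrets.choice(list(QUESTIONS))
        return session["question"]


class PinnedChallenge:
    """Hardened variant: the question is drawn once per login session and kept
    until that session is consumed; a reload or a wrong answer does not re-roll it.
    Pinning removes the shopping problem only; a question that is public knowledge
    (zip code) is still weak and belongs out of the pool."""

    def show(self, session: dict) -> str:
        if "question" not in session:
            session["question"] = secrets.choice(list(QUESTIONS))
        return session["question"]

    def verify(self, session: dict, answer: str, stored: dict) -> bool:
        """Compare the answer for the pinned question in constant time. A correct
        answer consumes the session so the next login draws a fresh question; a
        wrong one leaves the same question pinned."""
        qid = session["question"]
        ok = hmac.compare_digest(answer.strip(), stored[qid])
        if ok:
            session.clear()
        return ok


def distinct_questions_seen(challenge, reloads: int, session=None) -> int:
    """Simulate a visitor reloading the login page `reloads` times and count how
    many different questions they were shown (constructed test harness)."""
    session = {} if session is None else session
    return len({challenge.show(session) for _ in range(reloads)})
```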

PayPal

Password Scorecard

Grade: Fair

Weaknesses:
(1) AutoComplete not disabled on the password reset screen (it is disabled on login page)
(2) Username (email address) known to others

Username structure: Email address

Password structure: 8 to 24 characters case sensitive; recommended, but not required that it include upper and lowercase and at least one number or special character

Second password/challenge: No

IE 6 AutoComplete disabled: Varies; yes, on main login screen, no on password reset screen

Online password change: Yes, with old password

Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail

Email confirmation of password change/reset: Yes

Account lockout with excessive login attempts: Yes, after 10 unsuccessful attempts; a lockout warning appears after the seventh attempt

Online username retrieval: Not necessary since username is equal to email address


PayPal is one of the few financial companies using cookies to automatically insert usernames at login. The company has used this approach since inception, so they must feel that the improved usability more than compensates for the decrease in security.

PayPal’s online password reset process requires the user to have access to the email account registered with the service. If not, users answer one of four authentication questions (top screen) and the password is mailed to one of the previously confirmed snail mail addresses (bottom screen).

PayPal explains after the seventh incorrect password attempt that you have 3 more tries before lockout. This is a far more reasonable approach than many banks’ three-strikes-and-you-are-out policy.

Schwab

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too quickly, after 3 login attempts, but can be reset relatively easily online

Username structure: Account number or social security number

Password structure: 6 to 8 characters including at least one number BETWEEN the first and last characters; cannot match or be a subset of username

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, in one of two ways:
(a) If logging in with account number, you must provide social security number, date of birth, home phone number, and correctly pick a security in your account from a list of 10 choices including “none of the above”
(b) If logging in with a social security number, you must only provide the answer to the secret question.

Can also reset via automated phone system.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 3 attempts; no warning prior to lockout

Online username retrieval: Not necessary (acct. # or soc. #)

Schwab’s unique password reset process requires the usual social security #, birth date, and telephone, plus users must correctly choose one of ten securities in the portfolio (including “none of the above”).          
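The password-structure rules the scorecards attribute to Bank of America, Everbank and Schwab, combined into one validator so the differences between them can be checked against candidate passwords. This is an added example, not any bank's code; the 8-to-16 length window, the `check_password` and `shares_run` names and the sample credentials are assumptions made for the illustration.

```python
def shares_run(a: str, b: str, n: int) -> bool:
    """True if any run of n consecutive characters of a appears in b."""
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


def check_password(password: str, username: str) -> list:
    """Return the rule violations for a candidate password; an empty list means it passes.

    Each rule is labelled with the bank whose scorecard states it; combining them
    into one policy is an added illustration, not any bank's actual code.
    """
    problems = []
    pw, user = password.lower(), username.lower()
    # Assumed length window (Everbank's 8 to 16 is used here)
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8 to 16 characters")
    # Schwab: at least one number BETWEEN the first and last characters
    if not any(c.isdigit() for c in password[1:-1]):
        problems.append("needs a digit between the first and last characters")
    # Everbank: at least one letter
    if not any(c.isalpha() for c in password):
        problems.append("needs at least one letter")
    # Bank of America: cannot be the same character repeated
    if len(set(password)) == 1:
        problems.append("cannot be a single repeated character")
    # Everbank: not the same reading backward and forward
    if len(password) > 1 and pw == pw[::-1]:
        problems.append("must not read the same backward and forward")
    # Schwab: cannot match or be a subset of the username
    if pw in user:
        problems.append("cannot match or be contained in the username")
    # Bank of America: cannot repeat 4 or more characters in the same sequence as the username
    if shares_run(pw, user, 4):
        problems.append("shares 4 or more consecutive characters with the username")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials, not real ones
    for candidate in ("Tr4velMug2", "jsmith123", "12344321", "aaaaaaaa"):
        print(candidate, "->", check_password(candidate, "jsmith") or "ok")
```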

US Bank

Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 8 to 24 characters

Password structure: 8 to 24 characters

Second password/challenge: No

IE AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with ATM card number and ATM PIN; new password displayed online

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 6 attempts; can reset online or wait 24 hours; no prior warning

Online username retrieval: No, must call

Password change screen. Note the prominent placement of what happens next.

Forgotten password can be reset online with ATM card number and PIN.

Wells Fargo

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too soon, after 3rd login try

Username structure: Social security number

Password structure: 5 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with statement account number and ATM PIN; those without an ATM PIN are directed to call customer service.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 3 attempts; user redirected to online password reset page; no prior warning

Online username retrieval: Unnecessary (SSN)

Wells offers six options for where to go immediately after login.

After three unsuccessful login attempts users are directed to reset their password, which can be done online with account number and PIN.