
Chase Bank Archives

Chase Goes with SMS for Mobile Banking

By Jim Bruene on September 10, 2007 5:58 PM | 1 Comments

The virtual ink had barely dried on our substantially lowered forecast for SMS banking adoption in the U.S. (here; check out the comments as well) when the ever-aware Brandon McGee had the scoop that Chase, the third-largest U.S. bank, had quietly made SMS banking available to its customers.

We still don't know if it's a market test, or a full-blown launch, but we do know that this puts SMS back on the table again in the United States. Here's the bank's clever tagline:

Text Your Account. It Texts You Back.

Although Chase hasn't yet linked its SMS banking to the home page, it's not too hard to find at <chase.com/mobile>.

Note: For more on SMS and other types of mobile banking, see our full Online Banking Report on the subject here.

Categories: Chase Bank, Mobile Banking

Free Checking in the Internet Age

By Jim Bruene on July 6, 2007 3:15 PM | 1 Comments

Bank of America and Chase, two of the three largest U.S. banks, are putting an online spin on free checking offers using online banking, security, and other benefits to encourage applications. On the surface, Bank of America's approach appears much more effective. And with no direct-deposit requirement, it surely generates more new accounts. However, without knowing how the free accounts convert to profitable relationships, it's impossible for an outsider to recommend one approach over another.    

Bank of America
Bank of America's free checking offer (see note 1) is difficult to overlook (screenshot below).  The top-of-the-page banner has animations that showcase the major benefits:

  • online banking
  • bill payment
  • "Keep the Change" debit card savings program
  • SiteKey security

The teaser "We're redefining Free Checking" creates interest, while the bright blue "open an account" and "special online-only offer" further entice prospects to click through the banner.

BofA home page with free checking offer

The landing page (screenshot below) reiterates the online benefits and features a large laptop to reinforce the high-tech nature of the account. Two additional benefits are added to the list:

  • Free debit card with security protections
  • Free ATM access at 17,000 BofA machines 

BofA free checking landing page

Notes:

1. The free checking banner appeared in a visit to the homepage from a Seattle IP address at 10 AM Pacific time today. It did not appear on afternoon searches from several computers.

2. The bank uses a live chat popup after lingering on the application for a short time (click on image right for closeup).


Chase Bank
Chase's homepage banner uses the "kitchen sink" approach with an image of an ATM machine, debit card, paper checkbook, laptop, and PDA along the top. The mobile phone is a good addition, but the ATM machine and laptop are so small, they aren't easily recognizable in a quick scan (see screenshot below).

Another problem: the paper checkbook, which is centered and slightly larger than the others, seems to get an inordinate amount of attention. I'm not sure that the checkbook or the debit card add much value. U.S. consumers pretty much realize those are included in a checking account.

Chase's landing page leaves a lot to be desired. The benefits are listed in small, gray type that is relatively hard to read. And the only call to action, if you can describe it as one, is the last line in small blue type, with an underlined "apply online." No buttons + no color + no large font + no offer = no interest.  

AddThis Social Bookmark Button

Long-term Archive Update: Chase Credit Cards Provide Six Years

By Jim Bruene on May 10, 2007 5:05 PM | 2 Comments

The folks at Chase Bank were on the ball today. Less than an hour after I wrote about Whitney Bank joining the long-term statement archive club (here), I received an email from a subscriber* at Chase letting me know they offer six years of online statements for credit cards. 

Below is the bank's announcement to cardholders. It's nicely designed with a green touch. And it reminds cardholders they will receive an email both when the statement is ready and when payment is due. And note the call to action: "TRY" paperless. That lets customers know they can always go back. Now that's the way to get fired up about saving trees, and the bank's cash. The only thing missing: a simple guarantee.

Grade: We score it an "A" 

Chase has been working hard to move customers out of paper. So far this year, the bank has run a $35,000 sweeps to go paperless (see post here) and they currently have a popup on the credit card homepage pitching estatements (see screenshot below).

January 2007 email to Chase credit card customers pitching electronic statements

Popup pitching paperless statements at Chase's credit card page

*He earns a Starbucks card for his responsiveness. Anyone else have five or more years of statements online? Add your comments or email me.


Chase Advertises Security Alerts in the NY Times

By Jim Bruene on March 14, 2007 6:30 PM | 0 Comments

Chase ad in New York Times featuring mobile security alerts

Once again (previous post here), Chase used a three-quarter page color ad in the front section of the New York Times (p. 17, National Edition) to showcase its alert services (see partial screenshot right). The ad shows a man relaxing in the stands at some type of sporting event, Yankee Stadium perhaps.

The camera looks over his shoulder, focusing in on the image displayed on his Treo smartphone, which says "SECURITY ALERT" in large white letters on a light-blue background.

You had to feel for this poor guy, jarred from his leisure time with an urgent missive from the bank. Within a few seconds, three things likely crossed his mind: 

1. What the (expletive deleted)? Pretty poor timing to be interrupted at a baseball game with a security alert from the bank (which, these days, is 99.9% likely to be a false positive or a phishing attempt; see number 2).

2. Is this even from Chase? How do I know it's not a new kind of mobile phishing attack (mishing?)? Should I ignore it? Does my liability go up if I don't respond immediately?

3. Now what? Can I click the message and find out if this was just a notification that I'd used my debit card to buy beer at a Yankees game, something I'd never done before, or has someone just transferred my 401k to a numbered account in the Jersey Islands? Or will I have to excuse myself and make a voice call, spending the 6th and even part of the 7th inning, talking to a Chase CSR, who may not even have enough info to explain why I got the alert? 

Analysis 
The ad demonstrates the pitfalls of using a very negative attribute, security breaches, in marketing your brand. But despite the uncomfortable thoughts that come to mind, we think it's an effective ad because it grabs attention and positions Chase as caring for the financial security of its customers. However, given that Chase's actual alerts look nothing like this, it's a bit of a stretch. I suppose they're allowed a bit of creative license; it's advertising after all. 

We'll give it an A-


In 2006, 86% of credit card direct mail included online options

By Jim Bruene on March 5, 2007 11:13 AM | 4 Comments

Advertising-monitoring firm Mintel Comperemedia reported last week that nearly 9 out of 10 credit card solicitations in 2006 directed recipients to the Web, up sharply from 56% in 2003 (see notes 1 and 2). Several big mailers, notably American Express, still seem reluctant to offer website response as an option, at least in the mailers we see at our house.

American Express's tests must show that offering too many choices lowers response. But if you don't have the budget of American Express, which can afford to drop a mail piece in every credit-worthy household every two or three weeks, you should add website options to your direct mail creative. That way, you can at least capture a lead at your website, even if the prospect doesn't ultimately accept your credit offer.

Total mailing volume for 2006 was 9.2 billion pieces (see note 1), or about 3 per week per credit-worthy household. Two of those were from the five largest mailers listed below which accounted for more than 60% of the volume, according to Comperemedia. JPMorgan Chase accounted for 18% on its own. 

In another data slice from Comperemedia, cited by Capital One in a Feb. 2006 investor presentation (PDF here), response rates have fallen from 1.4% in 1995 to 0.3% in 2004 (see note 3).

Here's a breakdown of the billion-piece club, and their percent change compared to 2005:  

1. Chase: 1.7 billion (down 4%)
2. Capital One: 1.2 billion (up 13%)
3. American Express: 1 billion
4. Citibank: 980 million (down 2%)
5. Bank of America/MBNA: 920 million (down 17%)

Other top-10 mailers: HSBC (up 25%); Discover (up 29%); Barclays Bank (190 million, up 70%)

Notes:

1. Comperemedia tracks mailing volume for more than 150 large financial institutions. So the figures here do not include mailings from thousands of smaller banks and credit unions. In total, those probably account for less than 5% of the total from the top-150. 

2. Comperemedia press release is here. Interview of Comperemedia director Jenny Roock by MediaPost is here.

3. Credit card response rate slide from Capital One's investor presentation (PDF) at the Debt & Equity Conference, Feb. 2006; data from Comperemedia.

Credit card industry response rates


Chase Bank's $25,000 Sweeps for Going Paperless

By Jim Bruene on February 14, 2007 9:48 AM | 0 Comments

Habits are hard to break. After 5, 10, 20 or more years of receiving paper statements, most mainstream banking and credit card users are reluctant to give them up.

Long-term online statement and transaction archives are key to creating paperless customers. But you'll still need an incentive to get most customers to move their mouse over to the "go paperless" button.

Chase Bank devotes prime homepage real estate, and $35,000 in prize money, to the effort today in a sweepstakes aimed at convincing customers to shut off their paper statements (see screenshot below). Every customer enrolled in electronic statements receives one entry per month through April in the contest which pays a $25,000 grand prize plus ten $1,000 runner-up prizes. 

Analysis
It's a good effort, but with $100 million or more in annual savings at stake, why stop the sweepstakes after just three months? A $1,000 prize should be awarded each month, or each week, for many years as the banking giant weans its customer base off paper.

Also, Chase should be more specific about the amount of statement storage available online. The landing page is vague, saying one can "gain access to several years of statements." What does "gain access" mean? Do you have to request old statements for future delivery, or are they right there so that on April 14th you can find that final piece of your tax return puzzle? Even checking the online banking area of the website won't answer that question. It merely says you can print 90 days' worth of transactions. This isn't enough reassurance for those reluctant to give up the paper trail.

Chase homepage (14 Feb 2006):

Chase Bank homepage with paperless statement sweepstakes

Sweepstakes landing page (14 Feb. 2006):

Chase Bank paperless sweepstakes landing page


Chase Attracts New Users with Catchy Button but Loses them on the Enrollment Form

By Jim Bruene on February 9, 2007 10:24 PM | 0 Comments

Over the years, Chase Bank has made impressive design improvements on its homepage (see note 1). One thing they do better than most is attract the attention of their non-online banking customers.

A large blue square surrounding an orange button beckons users to "Get a User ID" (see inset). It's well positioned in the prime upper-left corner, and it has the ubiquitous "Web 2.0" orange working for it.

Unfortunately, after clicking the button you are transported back in time to a page virtually devoid of color and design (see screenshot below). In addition, the form immediately asks for info that many users may not want to reveal (SSN) or may not have access to at the moment (account number). 

Recommendations

  1. Redesign the page to make it more appealing.
  2. Add prominent links to customer service for help.
  3. Ask only easy questions on the first page: name and email address is enough to engage the applicant and provide enough info for followup if the application is abandoned.

Chase Bank first page of online banking enrollment

Notes:

1. Here's the homepage today (left) vs. the busy look four years ago (20 Nov. 2002).

Chase homepage 9 Feb 2007 / Chase homepage 20 Nov 2002



Chase Fails to Design Email for Outlook's Preview Pane

By Jim Bruene on November 9, 2006 9:56 AM | 0 Comments

More than 70% of business-email users view most or all of their email messages in the preview pane.* Depending on screen size, resolution, and window sizing, the real estate available in the preview pane can be relatively small.

When designing messages, be sure to put the most important information in the upper-left corner to maximize visibility in the preview pane.

Here is a poorly designed email Chase sent to confirm posting of a credit card payment. It requires users to scroll right to view Chase's logo and log-in button. Here's how it looks on my 12-inch laptop screen running at 1024 x 768:

What not to do from Chase:

Chase email alert

Better design from Bank of America graphics flush left:

Bank of America email alert CLICK TO ENLARGE

(Note: BofA shows the last four digits of your account number; we changed them to xxxx in the screenshot above.)

Action Items
Even though it's just a routine email message, the poor layout makes it look like a phishing message. Chase could clean this up with just a few minutes of programming work. While they are at it, they should add a personal greeting and additional text disclosures to make it look less phishy.

*For more information, read our Online Banking Report #129/139, Email Marketing for Financial Services.


Chase Bank Pioneers New Advertising Outlet

By Jim Bruene on February 21, 2006 9:58 AM | 0 Comments

In a novel advertising gimmick, Chase Bank affixed two-foot long banners, each pointing to one of 90 electrical outlets in the Indianapolis International Airport. The unique signage, which also includes four months of exposure on in-terminal flight-information monitors, will cost the bank $65,000 for the year, or just under $200 per day.

The signs and slogans are designed to appeal to traveling businesspeople. They include:

This outlet works. Now you can too.

You and your laptop may sigh with relief now.

Congratulations. You found a charge chair.

Analysis
We'll leave the question of the cost effectiveness of "outlet advertising" to the outdoor advertising pros. However, similar tactics could be used throughout a community to market online banking and small business services to users of WiFi-equipped cafes and coffee shops. For example, a bank could sponsor a WiFi directory that included names, locations, and hours of WiFi-equipped locations throughout town. For extra credit, include a map of electrical outlets, which many laptop owners want so they don't have to rely on batteries that drain relatively quickly when going online.

Most coffee shops aren't going to want a bank slapping advertising stickers on their walls. However, tent cards or brochures carrying the bank's logo could provide WiFi instructions and locations of wall outlets.

With summer just a few months away, this would be a perfect task for a summer intern. Working with existing WiFi directories, the intern could scout out possible locations, map the electrical outlets, document contact information at each location, and post it all to the bank's website. Alternatively, a bank could contract directly with an existing locator service to carry the bank's advertising message.

--JB


Chase Launches Overnight Check

By Jim Bruene on October 25, 2005 2:14 PM | 0 Comments

Question: What do you call a service that delivers a single consumer payment via fuel-hungry trucks and jets while requiring six or more highly paid technicians and drivers to get the job done?

Answer: An online banking innovation featured in a page-dominating ad on Chase's homepage today (click to view screenshot, links will not work).

The service, originally launched by Chase's Bank One unit in January, is now available to all Chase online banking customers. Customers initiate payments online and UPS does the heavy lifting, ensuring they arrive by the end of the following business day. Cost is $14.99 per payment, which can be tracked via the UPS tracking number. Cut-off time is a user-friendly 10 pm eastern time.

Analysis
We like the service, even if the delivery mechanism of dead trees and fossil fuels is positively archaic. But given the realities of our complex payment and accounts receivable systems, it's better than the alternative, a $39+ late fee and loads of additional interest. At least this way the user avoids getting in his/her car and spending a half-hour overnighting the payment themselves. And we applaud Chase for making the service available online.

However, despite the clever name and appealing graphic (see inset above), we have to question the homepage ad placement. For a marginally profitable service that appeals to a small niche of the truly disorganized online bankers (I qualify), that's a LOT of screen real estate. One can only hope it's only posted for a short time.

Surprisingly, the page that actually explains the service (click on inset for closeup) is sparse and virtually devoid of marketing punch. Anyone clicking on the homepage ad must wonder what the big deal is. If you decide to scream about a new feature on your homepage, make sure you at least spring for a Flash demo and/or thorough documentation of its benefits.

--JB

Categories: Chase Bank, Epayments

Bank Websites Should Provide Secure Connections to Legitimate Fund-Raising Sites

By Jim Bruene on September 1, 2005 11:31 AM | 0 Comments

When natural disasters strike, such as the Southeast Asia tsunamis or Monday's Hurricane Katrina destruction in New Orleans and the Gulf Coast, banks should use their considerable web reach to help their customers make safe and secure donations to sanctioned relief agencies such as the Red Cross.

With all the concern about online phishing and fraud, consumers need a trusted conduit to make donations. And the sooner the link is posted, the better. As bad as it is, for much of the country, it will no longer be top-of-mind in a few days or weeks.

Major banks fail to respond thus far
Granted, it's only been three days, but we were surprised to find that of the largest 50 U.S. financial institutions only three, Chase (Chase.com and BankOne.com), Wachovia (Wachovia.com and Suntrust.com), and Washington Mutual (wamu.com), have posted links to the Red Cross to make online donations (see Wachovia banner above).

Seven others had hurricane-related information, but no links for donations:
- Regions, AmSouth, Navy FCU, Compass Bank, and of course New Orleans-based Hibernia all had information on branch closings
- USAA posted tips for dealing with the aftermath of a hurricane
- Commerce Bank (NJ) ran a headline ticker on the top of the homepage offering to match donations up to a total of $50,000 (which strikes us as a bit stingy if you are going to blast it across your homepage)

Action Items
The best response, from a customer service and PR perspective, is to announce a corporate contribution and provide secure links to the Red Cross and other relief agencies. Contributions should also be accepted via mail or in-branch.

Wachovia does it right, with a small but highly visible homepage link explaining its efforts and providing the important message, "You Can Too" (see inset above). Clicking on the link leads users to a landing page that explains Wachovia's $250,000 corporate commitment along with two important links (click on inset for a closeup look):
1. Donate Now link to a Red Cross store established on Yahoo to handle Katrina donations
2. Email this page to spread the word

Even if your bank is not prepared to make a corporate contribution, it can still support fund-raising efforts with a link to the official donation site.

--JB


Chase Ends Last Major Experiment with Scan-and-Pay Bill Management

By Jim Bruene on June 17, 2005 12:02 PM | 0 Comments

Effective Monday, Chase Bank will end its four-year experiment with so-called scan-and-pay bill payment (download the email announcement below). Popularized in 1999-2000 by Cyberbills, PayMyBills.com, and PayTrust, the service allowed users to have their mailed bills redirected to the service provider where they were scanned and posted to a website. Users were alerted to the new bills and could pay them through a variety of methods.

Download final email announcing the termination of Chase Bank's "Premium Plan" total bill management service

As demand failed to materialize, the three service providers all ended up under Metavante ownership. Last year, Metavante sold the remaining PayTrust business to Intuit. Chase was the only major bank to offer the service, using it as the premium option in a three-level product line (see OBR 82, p. 8).

Analysis
This is a service that sounds great on paper, but is too complicated for the benefits provided. Winning electronic bill payment services need to provide quick payback with a minimal learning curve. That's what's so nice about CheckFree's new system that allows users to add a new biller by simply entering the biller's phone number.

While the few users who took the trouble to redirect their bills and set up automated payments were quite satisfied, it was just too much trouble for all but a fringe group of highly organized, computer-savvy types, the kind of person who is a long-term user of Quicken. So it makes a lot of sense that the sole remaining provider of the service is Intuit.

--JB

Categories: Chase Bank, Epayments

2004 Online Financial Services Ad Spending

By Jim Bruene on June 7, 2005 2:54 PM | 0 Comments

JP Morgan Chase and Citibank led all banking and lending companies in online ad spending according to the most recent American Banker survey of financial services spending (May 2005).

Chase’s $50 million in online advertising was 21% of its entire advertising expense, the highest among major banks, and considerably above the 11% online share across all financial services companies. In comparison, Citi’s $49 million spent online was only 9% of its total advertising expense, slightly below the industry average.

NetBank, the 16th biggest online advertiser, was the percentage leader, funneling all but $100,000 of its $4.9 million in advertising into online initiatives. Two other major online advertisers spent more than half their money online last year: ING Direct spending 60% of its $40 million total online, and MBNA spending more than half its $14 million online.

Lending Tree, Quicken Loans, HSBC, Sovereign and East-West Mortgage all devoted about one-third of their advertising into the online channel.

Top-20 Financial Institution Online Advertisers*
2004 Online Advertising (% of total advertising)*

1. JP Morgan Chase: $50 million (21%)
2. Citigroup: $49 million (9%)
3. American Express: $28 million (9%)
4. Bank of America: $25 million (9%)
5. ING Direct: $24 million (60%)
6. Lending Tree: $22 million (31%)
7. Ameriquest: $16 million (13%)
8. Quicken Loans: $10 million (33%)
9. Wells Fargo: $9.2 million (14%)
10. HSBC: $8.3 million (39%)
11. MBNA: $7.0 million (51%)
12. Wachovia: $6.3 million (7%)
13. E-Loan: $6.1 million (21%)
14. NetBank: $4.8 million (98%)
15. Discover: $4.7 million (6%)
16. GM: $3.8 million (4%)
17. Royal Bank: $3.2 million (12%)
18. Sovereign: $2.8 million (33%)
19. East-West Mtg.: $2.7 million (32%)
20. WAMU: $1.9 million (2%)

*Banking, Lending, Mortgage, or Credit Card segments only, does not include online brokerage, insurance, or investments.

If you look at the brokerage and mutual fund category, the spending accelerates. Four online brokers, Ameritrade ($65 million), Scottrade ($63 million), Schwab ($58 million), and E*Trade ($52 million), each outspent even the largest financial institution, and Netstock Direct ($32 million) outspent all but Citi and Chase.

Top-10 Brokerage & Mutual Funds
2004 Online Advertising in $ millions (% of total advertising)

1. Ameritrade: $65 (64%)
2. Scottrade: $63 (87%)
3. Schwab: $58 (35%)
4. E*Trade: $52 (77%)
5. Netstock: $32 (99%)
6. Harrisdirect: $24 (78%)
7. Vanguard: $12 (31%)
8. TD Bank: $10 (17%)
9. Fidelity: $5.3 (4%)
10. T. Rowe Price: $3.8 (5%)

Download the Excel file with more details.    

--JB

Password Procedures at 15 Financial Institutions

By Jim Bruene on April 8, 2003 7:23 PM | 0 Comments

Using our live test accounts, we changed passwords then subsequently “forgot” the new one to test how major financial institutions handle the situation. Overall, most received good marks, although everyone has room for improvement.  

Table 1: Password Scorecard

| Safe Practices                                                                          | Yes | No | Unknown |
|-----------------------------------------------------------------------------------------|-----|----|---------|
| Use a third password or challenge question                                              |  1  | 13 |         |
| Disable Internet Explorer AutoComplete                                                  |  9  |  5 |         |
| Require 4 or more characters in passwords                                               | 13  |  1 |         |
| Bank determines username                                                                |  6  |  8 |         |
| Require more than account number and social security number for online password reset   |  4  |  4 |    6    |
| Send confirmation of password change to email address                                   |  2  | 12 |         |
| Send confirmation of online password reset to email address                             |  2  |  6 |    6    |
| Send confirmation of password reset to mail address                                     |  2  |  6 |    6    |
| Allow more than 3, but less than 11 unsuccessful password attempts*                     |  6  |  5 |    3    |
| Warn users in advance of account lockup                                                 |  3  | 11 |         |

Source: Online Banking Report, 4/03
*We believe users should have at least 5 login attempts, with clear instructions before and after lockout


Testing process

1. Login with existing username and password

2. Change password or username

3. Logout

4. Use online password reset if available

5. Attempt to log back in 10 times with an incorrect password

American Express


Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete function not disabled
(2) No email confirmation of password change
(3) Account lockout too quickly, after third login try

Password structure: User defined, 6 to 8 characters with at least 1 letter and 1 number

Username structure: 5 to 20 characters with at least 1 letter

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Email confirmation of password change/reset: No

Online password reset: Yes, with card number, 4-digit card ID (on face of card), work phone number, last 4 digits of Social Security number, and 5-digit zip code

Account lockout with excessive login attempts: Yes, after third attempt; red warning issued after attempt two

Online username retrieval: Depends, certain accounts can retrieve their username online, others must call; we were in the latter group so could not test this feature

AutoComplete is not disabled on the login screen.

User friendly: American Express warns users after their second unsuccessful login that they will be locked out after one more attempt.

Password reset, step 1: Enter userid, card number, and 4-digit code from back.

Password reset, step 2: Enter personal info for authentication.


Bank of America Credit Card


Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 9 to 20 numbers

Password structure: 4 to 7 characters; cannot repeat 4 or more in same sequence as username; cannot be same character repeated

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 4 attempts; help section carries clear warning

Online username retrieval: No

BofA provides a helpful popup screen with each unsuccessful password attempt.


Centura Bank


Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) No warning of account lockout
(3) No customer service link or HELP available from login screen

Username structure: Social security number (with dashes)

Password structure: 6 to 15 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Password change: Online with old password; but neglected to provide an on-screen confirmation that the change occurred, an annoying usability flaw

Online password reset: No, must call; password sent via postal mail

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after sixth unsuccessful attempt; no prior warning

Online username retrieval: Unnecessary (SSN)

Centura had the best login screen “security look and feel.” It also provides a link to disclosures, but not a single mention of customer service or online help, even after making an unsuccessful login attempt. Evidently the bank’s lawyers have been through the site, but where’s customer service?


Charter One Bank


Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No warning prior to account lockout
(4) No message after account lockout
(5) A bit too easy to gain read-only account access for new users; requires account number and social security number. However, there is a crucial safeguard for bill payment, which requires mother's maiden name, date of birth, home phone number, and a 2-day waiting period.

Username structure: Social security number

Password structure: Must be at least 6 characters

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, not sure when it happens, sometime before the tenth attempt; the bank does not provide a warning of impending lockout, nor does it let you know after you've been locked out, you only receive a cryptic error message.

Online username retrieval: Unnecessary (SSN)

AutoComplete has not been disabled at account login.

New users enroll with social security number and account number. Note the excellent use of security graphics during enrollment.

Chase Bank


Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) No warning of upcoming account lockout
(3) No message after account lockout

Username structure: User defined, must include one number

Password structure: 6 to 10 characters, 1 of which must be a number

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with name, account type, account number, social security number, and two user selected challenge questions

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, sometime during the first 10 attempts; no warning message and no indication when the account is locked out, a “try again” message just keeps repeating

Online username retrieval: Yes, displayed online after entering name, account type, account number, social security number

Chase is one of the few banks offering online retrieval of forgotten usernames. After correctly entering name, account number, and social security number, the username is displayed. At that point you can log in if you know your password. If not, you can retrieve your password online by answering two previously selected challenge questions. This is great from a usability standpoint, but the bank should send a confirmation via email and/or snail mail.

To reset the password, users answer two previously established challenge questions.

DeepGreen Bank

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No minimum password length; can be a single letter or the same as the username
(4) No warning before account lockout
(5) No message after account is locked out

Username structure: User defined, can be all alpha

Password structure: 1 to 14 characters, can be the same as the username or a single character

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password and mother’s maiden name

Online password reset: Yes, with social security number and mother’s maiden name

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, but not sure when, because the lockout is not disclosed until the user attempts to log in with the correct username/password.

Online username retrieval: No, must call, then wait 7 to 10 days to receive in the mail

A common security vulnerability: Failure to disable IE 6’s AutoComplete function.

Everbank

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) AutoComplete not disabled
(2) No email confirmation of password reset, even though it can be reset with info available to an identity thief, SSN and mother’s maiden name
(3) No email or on-screen confirmation of password change
(4) No warning before account lockout
(5) No help on login screen for the memory challenged

Username structure: Initially set as social security # (with dashes); can be changed online one time; 8 to 24 characters, not similar to current username, not same as password, not offensive, at least 2 numbers and 2 alphas

Password structure: 8 to 16 characters with at least one number and one letter, not similar to username, not similar to prior password, not the same reading backward and forward

Second password/challenge: No

IE 6 AutoComplete disabled: No

Password change: Online with old password; no confirmation of the change provided on-screen

Email confirmation of password change/reset: No

Online password reset: No, must call; new temp password given over the phone after providing SSN, name, address, date of birth, and mother’s maiden name

Account lockout with excessive login attempts: Yes, after fifth attempt, must call to reactivate; no warning prior to lockout

Online username retrieval: No, must call

Everbank provides no help at login for users who forget their username or password, just a lengthy warning written by the lawyers.

First USA Credit Card (Bank One)

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password/username change or reset; especially important given relative ease of resetting username/password
(2) No warning before account lockout

Username structure: User defined, 7 to 16 characters, case sensitive

Password structure: 7 to 32 characters, case sensitive, must have at least 1 number, may not use the same letters consecutively, cannot match username or social security number

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online username change: Yes, with old password

Online password reset: Yes, with credit card #, social security #, signature panel code, and expiration date

Online username reset: Yes, with credit card number, social security number, signature panel code, and expiration date

Email confirmation of password or username change/reset: No

Account lockout with excessive login attempts: Yes, locked out after four attempts, no warning given

First USA is the only financial institution tested which allowed usernames to be reset online; nice for usability but a confirmation of the reset should be emailed and/or mailed to the cardholder.

Harris Direct (brokerage)

Password Scorecard

Grade: Good

Weakness:
(1) No email confirmation of password change (though there is for password reset)
(2) Only 3 login attempts allowed before lockout (but can reset online relatively painlessly)

Username structure: User defined, 6 to 15 characters

Password structure: 6 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, a new disguised password is emailed after entering username and birth date; the new password is created from the account holder’s mother’s maiden name and social security number but is not disclosed in the email, e.g., the first 2 letters of the mother’s maiden name plus the last 4 digits of the social security number.

Email confirmation of password change: No

Email confirmation of password reset: Yes, confirmation also sent via snail mail

Account lockout with excessive login attempts: Yes, after third attempt, but can be reset online; no warning before lockout

Online username retrieval: No, must call

HarrisDirect allows online reset after your account has been locked out for excessive login attempts. It was the only company that emails a disguised new password when resetting. For good measure, they also mail an identical confirmation.

ING Direct

Password Scorecard

Grade: Excellent

Username structure: Account number

Password structure: 4-digit number (called PIN)

Second password/challenge: Yes, one of 5 user-specified questions asked at login (see below)

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Email confirmation of password change: Yes; confirmation also sent via postal mail

Online password reset: No, must call

Account lockout with excessive login attempts: No (not in the first 10 attempts)

Online username retrieval: Unnecessary (acct #)

ING Direct is the only bank we know of using a challenge question at login. In addition to account number and password, one of these five rotating questions must be answered correctly:

  •  first 4 digits of social security number
  •  zip code of mailing address (first 5 digits)
  •  birth year (4 digit)
  •  last 3 digits of social security number
  •  last 4 digits of social security number

We like the concept, but the implementation is weak. By simply refreshing the browser screen, the would-be thief can select which question to answer; one of them is zip code, which is trivial to ascertain.
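One way to close the refresh loophole described above, as an added example that is not ING Direct's code: derive the question from the account number and a per-account failed-attempt counter, so a page reload shows the same question and the only way to rotate it is to burn a login attempt. The server key, the in-memory counter store and the profile fields are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# The five rotating questions from the scorecard above, each paired with a
# function that derives the expected answer from a (constructed) profile record.
QUESTIONS = [
    ("first 4 digits of social security number", lambda p: p["ssn"][:4]),
    ("zip code of mailing address (first 5 digits)", lambda p: p["zip"][:5]),
    ("birth year (4 digit)", lambda p: p["birth_year"]),
    ("last 3 digits of social security number", lambda p: p["ssn"][-3:]),
    ("last 4 digits of social security number", lambda p: p["ssn"][-4:]),
]


class BoundChallenge:
    """Picks the challenge question from HMAC(account, failed-attempt counter).
    Reloading the page recomputes the same index; the question only changes
    after a submitted wrong answer, which also feeds any lockout counter."""

    def __init__(self, server_key: bytes):
        self._key = server_key   # hypothetical server-side secret
        self._failures = {}      # account -> failed attempts (constructed store)

    def question_index(self, account: str) -> int:
        n = self._failures.get(account, 0)
        msg = f"{account}:{n}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") % len(QUESTIONS)

    def question_label(self, account: str) -> str:
        return QUESTIONS[self.question_index(account)][0]

    def verify(self, account: str, profile: dict, answer: str) -> bool:
        """Check the answer to the currently bound question; a wrong answer
        advances the counter, and only that rotates the question."""
        expected = QUESTIONS[self.question_index(account)][1](profile)
        if hmac.compare_digest(expected.encode(), answer.strip().encode()):
            self._failures[account] = 0
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        return False

    def failures(self, account: str) -> int:
        return self._failures.get(account, 0)
```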

PayPal

Password Scorecard

Grade: Fair

Weakness:
(1) AutoComplete not disabled on the password reset screen (it is disabled on login page)
(2) Username (email address) known to others

Username structure: Email address

Password structure: 8 to 24 characters, case sensitive; recommended, but not required, that it include upper and lowercase letters and at least one number or special character

Second password/challenge: No

IE 6 AutoComplete disabled: Varies; yes on main login screen, no on password reset screen

Online password change: Yes, with old password

Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail

Email confirmation of password change/reset: Yes

Account lockout with excessive login attempts: Yes, after 10 unsuccessful attempts; a lockout warning appears after the seventh attempt

Online username retrieval: Not necessary since username is equal to email address

PayPal is one of the few financial companies using cookies to automatically insert usernames at login. The company has used this approach since inception, so they must feel that the improved usability more than compensates for the decrease in security.

PayPal’s online password reset process requires the user to have access to the email account registered with the service. If not, users answer one of four authentication questions (top screen) and the password is mailed to one of the previously confirmed snail mail addresses (bottom screen).

PayPal explains after the seventh incorrect password attempt that you have 3 more tries before lockout. This is a far more reasonable approach than many banks’ three-strikes-and-you-are-out policy.
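The warn-then-lock policy described above, as an added example rather than PayPal's own code: a per-username failure counter that starts warning at the seventh failure, locks at the tenth, and then says so explicitly instead of repeating a generic "try again" (the silent-lockout weakness several banks on this page share). The thresholds, credential store and password check are constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Tuple


@dataclass
class LoginTracker:
    """Failed-login counter per username with a warning before lockout.
    Defaults follow the PayPal numbers on the page: warn from the seventh
    failure, lock on the tenth."""
    max_attempts: int = 10
    warn_after: int = 7
    failures: dict = field(default_factory=dict)   # constructed in-memory store

    def attempt(self, username: str, password: str,
                check: Callable[[str, str], bool]) -> Tuple[str, str]:
        """Returns (status, message); status is ok, fail, warn or locked."""
        n = self.failures.get(username, 0)
        if n >= self.max_attempts:
            # Locked accounts get a clear message even with the right password.
            return ("locked", "This account is locked. Reset it online or call "
                              "customer service; logins are refused until then.")
        if check(username, password):
            self.failures[username] = 0
            return ("ok", "Login successful.")
        n += 1
        self.failures[username] = n
        if n >= self.max_attempts:
            return ("locked", f"Incorrect password. The account has been locked "
                              f"after {n} failed attempts.")
        if n >= self.warn_after:
            left = self.max_attempts - n
            return ("warn", f"Incorrect password. {left} more attempt(s) before "
                            f"the account is locked.")
        return ("fail", "Incorrect password. Try again.")


# Constructed credential store; a real system would compare password hashes.
_USERS = {"alice@example.com": "correct horse battery"}


def check_password(username: str, password: str) -> bool:
    expected = _USERS.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())
```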

Schwab

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) Account locks out too quickly, after 3 login attempts, but can be reset relatively easily online

Username structure: Account number or social security number

Password structure: 6 to 8 characters including at least one number BETWEEN the first and last characters; cannot match or be a subset of username

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, in one of two ways;
(a) If logging in with account number, you must provide social security num