With the personal finance news full of reports of falling deposit rates, EverBank strikes back with an eye-catching email overview of its high-yield deposit choices:

• Yield Pledge Money Market
• Yield Pledge CDs
• FreeNet Checking

The bank's yield pledge, to always offer a rate in the top 5% nationwide, helps take the customer's mind off the actual rate itself, which may not be as high as they'd like (see screenshot below). Not that EverBank isn't competitive on rates. The bank still offers 5% APY's in a number of key deposit products including its Money Market account and most CDs. And it sweetens the pot for new customers with 3-month introductory rates of 6%.

Analysis
Nicely done email with an appropriate, and eye-catching graphic, to-the-point copy, personalization, the yield pledge, and links to all the right places.  

Grade: A

Email header 

Sent: Tue 9/25/2007 2:04 PM
From: EverBank News [service@everbank.com]
To: <your email address>
Subject: 3 high-yield accounts - to fit your style

Personalization: First name in salutation

Email body

Some companies are so innovative, you take them for granted. Five that come to mind, in no particular order:

• Yodlee: account aggregation, credit card-based bill payment, mobile banking
• Vancity (Canada): microcredit, green banking, blogging, community involvement
• Wells Fargo: simple expense tracker, blogging, Second Life
• PayPal: email-based payments, confirmation via twin deposits, integration into eBay (before it was part of eBay)
• Prosper: Social lending, open API to most of its aggregated data, groups, auction style, Facebook app (game)

These companies are all relatively famous, but one that doesn't get nearly as much press, but has long pushed forward on a number of fronts is Everbank. From its website design (here), product marketing (here), to its foreign-currency certificates of deposit (here), the Jacksonville, FL-based bank continues to shine in an increasingly crowded online space (all previous coverage here). 

My inspiration for this post (see note) was the bank's marketing email today announcing its World Energy Index CD, a multi-currency certificate pegged to the currency of four western countries with better-than-average energy resources: Norway, Canada, UK, and Australia. I have no idea if this CD is a good investment, but I do know that Everbank has proven that even the narrowest niches can be profitable using the reach of the Internet.

Everbank Email

Header:
   Date/Time received: July 17, 4:07 PM (Pacific)
   From: Everbank News [service@everbank.com]
   To: James [jim@netbanker.com]
   Title: A new CD with a powerful combination - energy and currencies

Customer type: Current checking account customer

Personalization: First name in salutation

Landing page: none (homepage link only) 

Other offer: Third-party investment newsletter offer (link on right-hand side goes directly to newsletter publisher, Agora Financial Publications, landing page here)

Note: I have had an account for ten years at Everbank. Therefore, I see more of their marketing material and tend to write about them more frequently.

Everbank customers received snail mail today (see inset) announcing a newly designed website and multi-factor login procedure that debuts May 20. The company also changed its corporate "look," adopting a sage green and slate blue that looks modern, but more serious than the lime-green and orange Web 2.0 pallet.

While we'll miss the old look, which featured our Online Banking Report Best of the Web logo in two places (see screenshot below), it was time to move forward. The old look not only was a bit dated, but also too cluttered.

The new design can be previewed now via a well-done, though slightly too long, video at <everbank.com/preview>. The key functional change in the new design is the move from a product-oriented main navigation to a more take-oriented approach. The five main navigation choices in the top bar are:

• Products
• Research & Planning
• Customer Service
• About Us
• Contact Us

Secondary navigation is provided by tabs in the middle of the page.

From a marketing perspective, the homepage now features a single product in a highly visible spot. The upper graphic stands out well with the sweeping lower border (reminiscent of the famous Nike swoosh), while the three lower "banner ads" have been eliminated. The overall effect is a much more focused homepage which should drive more applicants to the core offer, which in the preview is the bank's 6.01% FreeNet checking 

A few other details Everbank cleaned up with the new design:

• Single sign-on button instead of choice of four
• Site-search box, instead of a link to the search function
• Exposure to more rates across more products
• Site map added in to link at bottom of page (not shown below)

One thing that surprised me about the new design was the removal of the toll-free telephone number which is prominently displayed in two spots on the about-to-be-replaced homepage (in the top-right corner and in a bold red font, about halfway down the right side). Perhaps, the bank is attempting to "right-channel" more visitors into the online application. It will be interesting to see if the bank brings the number back after a few months with the new design.

Grade: Overall, it looks like it will be an A or A-, but I will hold off final judgement until it goes live and can be fully evaluated. Maybe it's just me, but I still like the page they used six years ago (see last screenshot). It was short-lived, so it must not have driven enough sales, but it sure was a refreshing look compared to the typical bank website, especially six years ago. For more info, see our Online Banking Report on homepage design here and previous coverage of the topic here.  

New Everbank homepage design

Previous design

Everbank circa 2001 (April)

Snail mail brochure (inside)

Everbank launched its "What are you waiting for?" campaign today by giving away 2,500 free subway tickets at 6:01 AM in lower Manhattan. The time was chosen to coincide with the 6.01% APR promotional start-rate on its FreeNet checking account (see Note 1). 

The campaign targets ING Direct's soon-to-be-released Electric Orange checking account, which currently pays beta users 3% on balances under $50,000 and 5.3% on balances greater than $50,000 (see Note 2).

Everbank launched a microsite called <whyruwaiting.com> with direct comparisons to ING Direct (see screenshot below).

Clicking the large Compare Banks button in the lower right leads to a comparison to ING Direct and several other major competitors (see screenshot below):

The campaign has not been extended to the Everbank website, which shows a banner for the 6.01% offer, but no mention of "Why are you waiting?" (see screenshot below). 

Clicking through the banner leads to the following page:

Notes:

1. The 6.01% is a promotional "teaser" rate is good for three months, then resets to the "regular" rate which are currently as follows: 
      Under $10,000 = 3.25%
      $10,000 to $25,000 = 3.30%
      $25,000 to $50,000 = 3.60%
      $50,000 to $100,000 = 4.00%
      More than $100,000 = 4.41%
   
   The minimum deposit is $1,500 and the maximum that earns 6.01% is $100,000.
2. ING Direct customers can also easily transfer funds into the companion savings account which pays 4.5%. ING's Electric Orange account began rolling out in waves to its 4 million savings account customers in December (see coverage here). Coincidently, I received my invitation yesterday (see screenshot below). 
   
   

Everbank <everbank.com> has been an active emailer, sending a newsletter every few months for the seven years I've maintained an account there. The newsletters have always been chock full of content, from general finance topics to detailed discussions revolving around the bank's unique currency- and commodity-related products.

The newsletter design has evolved with the times, from plain text in the 1990s to the well-designed HTML missive we received last night (see below). The short headlines letter encourages customers to click through and read the full document at the Everbank website (see End Notes).

Email Sample
Date/Time: Oct. 11, 2006, 8:59 PM (received 10:24 PM Pacific Time)
From: EverBank [service@everbank.com]
To: James
Title: Are commodities worthy? Find out in the latest EverBanker newsletter
Personalization: Dear <firstname>
Signature: EverBank Customer Care

Analysis
Email
There is little to criticize. The short email is direct and to the point. Its layout lends itself well to viewing within the preview pane. The small "did you know" box adds an element of interest, and the drop-shadow makes it stand out. 

With four major articles, it makes sense to send just the headlines and ask the reader to click through to the website to read the full article. However, the bank should use the standard convention of hyperlinking each article directly to the appropriate place on the website.

The bank does include two hyperlinks to the Web-based newsletter, a "click here" in the first paragraph and a "read it today" at the end. However, for even better usability, the bank should add a big shiny button that leads directly to the Web version.

Web-based Newsletter
The website demonstrates good usability in its layout and content. A synopsis of each article is provided on the main page and users click through to read the complete article. It's useful and well-written information, better than a lot of what you read in mainstream consumer-finance publications. We especially liked the "whatever happened to" look-back at some recent initiatives, such as Check 21, and the overview of consumer-protection laws.

As good as the newsletter is, we couldn't stop thinking that it would work much better as a blog. That way, readers could pursue subject threads and more easily peruse all that Everbank provides. The bank could also experiment with accepting comments to make the whole experience more interactive.

Overall grades:
Content: A+
Email design: A-
Website (newsletter) design: A

End Notes
Click on the following link to see a screenshot of the newsletter landing page.

Newsletter Landing Page (here's the link)

There is nothing like a long run of rate increases to make your deposit customers happier. You might as well take some credit; it probably won't be long before they move in the other direction.

So every time you raise rates, make sure to let customers know with an email message. Of course, this assumes competitive rates. If you are increasing from 0.45 percent to 0.65 percent, you probably want to keep that to yourself.

EverBank raised checking account rates Jan. 1 from 3 percent to 3.5 percent depending on balance levels. On Jan. 3, it sent an email with the subject (click on inset for closeup view):

You're earning more with EverBank - interest rates rise again!

Analysis
EverBank's message is straightforward. Here's what they did right:

• Included security graphic/link in upper-right corner
• Kept copy concise and to the point
• Included a chart showing rate by balance level; subtle encouragement to add funds
• Reinforced free online banking and bill pay (underneath chart)
• Cross-sold its Yield Pledge Money Market and CD for those looking for better rates; Yield Pledge products are guaranteed to offer a rate in the top 5 percent at BankRate.com
• Included toll-free phone number
• Signed by real person with real signature; in this case, Frank Trotter, president

And a shorter list of improvements:

• Personalization helps make a message look genuine, but there's no personalization in the salutation: "Greetings EverBanker!"
• Clicking through the security graphic leads to a generic page full of links to terms and conditions; the bank should create a page that specifically addresses users' security concerns, especially regarding phishing emails
• The bank should improve its unsubscribe function; currently, it's an all-or-nothing choice triggered by sending a blank email with UNSUBSCRIBE in the subject line; that's easy for users, but the bank's just lost an opportunity to query the customer in more detail about what they do and don't want to receive via email
• Weak P.S.: "The FreeNet Checking Account gives you the yields and the service you deserve. Bank on it!"

Grade
Overall, we'll give it an A-

--JB

If you are a smaller bank or credit union and are phished for the first time, you might consider the approach Everbank took in response to a phishing incident today.

The bank took the unusual step of sending an email to its customers warning them about the fraudulent email (click on the screenshot below for a closeup). They even included a copy of the phishing message at the bottom of the warning. The bank also posted a small red-outlined box on its homepage (see inset) with a link to the same email message.

Analysis
Although it may seem futile to send an email warning about a fake email, we think it's a good idea if the phishing episodes are infrequent. The big targets such as Citibank or PayPal can't do this, not with dozens of attacks every month; however, smaller companies should consider proactive email communications, but no more than a few times per year, otherwise customers won't pay any attention.

Most users will realize the Everbank response is genuine, because it doesn't ask for any customer information, especially when they compare it to the fake message at the bottom of the screen.

Yes, some customers will be even more confused. But hopefully their calls to customer service will provide you with a chance to put them at ease. There are costs associated with these anti-fraud efforts, but that's part of the trust involved in being in the banking business.

--JB

Everbank <everbank.com> dropped an email solicitation (click on inset for closeup) to the registered users of SmartMoney.com. The message featured the bank's newest specialty CD, the Asian Advantage which rewards depositors with above-market returns IF the dollar falls against a bucket of Asian currencies.

Last week, the Internet-only bank dropped an 8.5 x 5.5 inch postcard mailer with a similar theme. Recipients could respond by calling toll-free 800.926.4922 or going online to www.everbank.com/asiancd.

Analysis
This is a great example of deposit product email marketing.

• Focuses on the unique selling benefits
• Good graphics and copy
• Landing page with a minimum of distracting navigation choices
• Visible call-to-action with Apply Now! button

We like the opening sentence in the postcard better than the email (see below). With an advanced investing strategy, the direct statement of how the user will earn a profit is more understandable. However, without the results of the bank's testing, it's difficult to know which pulls a better response.

   Email: "There's a great new way to invest in the active and healthy Pan-Asia currency market."
   Postcard: "Do you want to profit if Asian currencies gain on the U.S. dollar?"

Screenshots (links will not work):

1. Everbank's Asian CD full email
2. Everbank Asian CD landing page
3. Previous article on Everbank foreign-currency deposits

--JB

When I was a deposit product manager in the late 1980s, I worked on a project to bring out an equity indexed certificate of deposit. That project died, one more merger casualty, but I've always been intrigued by the product.

Over the years, a number of banks have offered market-indexed CDs, but they've never been much more than a niche product. That's OK. More than half of Amazon's book sales are from titles not found at retail bookstores. The Internet is a great place to mine the niches. Everbank has already proved that by moving nearly $1 billion worth of foreign currency-denominated deposits.

Analysis
The problem with equity indexed CDs is that they are crummy investments. By the time you pay for the hedging, marketing, and bank overhead, there's not much left over to pay the investor.

Let's look at Everbank's latest incarnation. The MarketSafe CD provides a total return based on a relatively complicated formula that averages S&P 500 prices at six-month intervals during the five-year term. In an up market, the CDs typically return 40% to 60% of the S%P gain (click on inset below).

The main selling point: Investors are guaranteed a minimum 5% total return over the five years (APY = 0.98%). The CDs are FDIC insured up to $100,000 with a minimum investment of $1500.

By Everbank's own figures (click on inset), its CD would have only beaten the S&P 500 index eight times during the previous 31 five-year periods beginning with 1970-1975. And by our estimates, the return would have beaten a normal 5-year CD more than half the time, 17 out of 31 periods. But only twice did the MarketSafe CD beat both the S&P and a regular CD.

Expected returns would be higher if the investor simply bought a mix of regular CDs and S&P indexed funds. The most conservative would be an 82% CD, 18% S&P mix that would still return all principal even if the S&P went to zero (assuming 4% CD APY). For the less conservative, a 67% CD, 33% S&P split would still return the principal even if the S&P dropped 40%. You get the idea.

But the target market for MarketSafe CDs is probably someone that never invests in equities. For that person, the MarketSafe is a reasonable way to put a little money "in the market." From Everbank's perspective, it's a nice addition to their unique deposit product line.

Addendum: View full screenshot of MarketSafe CD page

--JB

Two-time Online Banking Report Best of Web winner, Everbank landed a flattering two-page spread in the April 2005 issue of Business 2.0.

The author, David Dent, is highly complementary of the bank's innovative strategy of allowing deposits to be held in a variety of foreign currencies. Not only has it been lucrative for currency investors, it's been a boon to the bank.

Everbank's foreign-denominated deposits are closing in on US$1 billion. Specifically, at year-end 2004, foreign currency deposits accounted for $850 million, or 25% of the bank's $3.5 billion in total deposits.

Analysis
This is a good example of how a small player can mine a niche using the national reach of the Internet. Look for other banks, both Internet-only, and traditional financial institutions to do the same in other areas, such as lending to small businesses, transaction accounts geared to traveling sales reps, impenetrable savings accounts for the security conscious, and so on. 

Resources: OBR Best of Web winners: 1995 to 2004

-- JB

Using our live test accounts, we changed passwords then subsequently “forgot” the new one to test how major financial institutions handle the situation. Overall, most received good marks, although everyone has room for improvement.  

Table 1

Password Scorecard

Source: Online Banking Report, 4/03
*We believe users should have at least 5 login attempts, with clear instructions before and after lockout

Testing process

1. Login with existing username and password

2. Change password or username

3. Logout

4. Use online password reset if available

5. Attempt to log back in 10 times with an incorrect password

American Express

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete function not disabled
(2) No email confirmation of password change
(3) Account lockout too quickly, after third login try

Password structure: User defined, 6 to 8 characters with at least 1 letter and 1 number

Username structure: 5 to 20 characters with
at least 1 letter

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Email confirmation of password change/reset: No

Online password reset: Yes, with card number, 4-digit card ID (on face of card), work phone number, last 4 digits of soc, and 5-digit zip code

Account lockout with excessive login attempts: Yes, after third attempt; red warning issued after attempt two

Online username retrieval: Depends, certain accounts can retrieve their username online, others must call; we were in the latter group so could not test this feature

AutoComplete is not disabled on the login screen.

User friendly: American Express warns users after their second unsuccessful login that they will be locked out after one more attempt.

Password reset, step 1: Enter userid, card number, and 4-digit code from back.

Password reset, step 2:
Enter personal info for authentication.

Bank of America Credit Card

Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 9 to 20 numbers

Password structure: 4 to 7 characters; cannot repeat 4 or more in same sequence as username; cannot be same character repeated

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, after 4 attempts; help section carries clear warning

Online username retrieval: No

BofA provides a helpful popup screen with each unsuccessful password attempt.

Centura Bank

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) No warning of account lockout
(3) No customer service link or HELP available from login screen

Username structure: Social security number (with dashes)

Password structure: 6 to 15 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Password change: Online with old password; but neglected to provide an on-screen confirmation that the change occurred, an annoying usability flaw

Online password reset: No, must call; password sent via postal mail

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, after sixth unsuccessful attempt; no prior warning

Online username retrieval: Unnecessary (SSN)

Centura had the best login screen “security look and feel.” It also provides a link to disclosures, but not a single mention of customer service or online help, even after making an unsuccessful login attempt. Evidently the bank’s lawyers have been through the site, but where’s customer service?

Charter One Bank

Password Scorecard

Grade: Needs improvement

Weaknesses:

(1) Browser AutoComplete not disabled

(2) No email confirmation of password change
(3) No warning prior to account lockout
(4) No message after account lockout

(5) A bit too easy to gain read-only account access for new users; requires account number and social security number. However there is a crucial safeguard for bill payment which requires mother’s maiden name, date of birth, home phone number, and a 2-day waiting period.

Username structure: Social security number

Password structure: Must be at least 6 characters

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, not sure when it happens, sometime before the tenth attempt; the bank does not provide a warning of impending lockout, nor does it let you know after you’ve been locked out, you only receive a cryptic
error message.

Online username retrieval: Unnecessary (SSN)

AutoComplete has not been disabled
at account login.

New users enroll with social security number and account number. Note the excellent use of security graphics during enrollment.

Chase Bank

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) No warning of upcoming account lockout
(3) No message after account lockout

Username structure: User defined, must include one number

Password structure: 6 to 10 characters, 1 of which must be a number

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with name, account type, account number, social security number, and two user selected challenge questions

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, sometime during the first 10 attempts; no warning message and no indication when account is lockout out, a “try again” message just keeps repeating

Online username retrieval: Yes, displayed online after entering name, account type, account number, social security number

Chase is one of the few banks offering online retrieval of forgotten usernames. After correctly entering name, account number, and social security number, the username is displayed. At that point you can login if you know your password. If not, you can retrieve your password online by answering two previously selected challenge questions. This is great from a usability standpoint, but the bank should send a confirmation via email and/or snail mail.

To reset the password, users answer two
previously established challenge questions. 

DeepGreen Bank

Password Scorecard

Grade: Needs improvement

Weaknesses:

(1) Browser AutoComplete not disabled

(2) No email confirmation of password change

(3) No minimum password length, can be a single letter or the same as the username
(4) No warning before account lockout
(5) No message after account locked out

Username structure: User defined, can be all alpha

Password structure: 1 to 14 characters, can be the same as the username or a single character

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password and mother’s maiden name

Online password reset: Yes, with social security number and mother’s maiden name

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, but not sure when because the lockout is not disclosed until the user attempts to login with correct username/password.

Online username retrieval: No, must call, then wait
7 to 10 days to receive in the mail

A common security vulnerability: Failure to disable IE 6’s AutoComplete function.

Everbank

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) AutoComplete not disabled
(2) No email confirmation of password reset, even though it can be reset with info available to an identity thief, SSN and mother’s maiden name
(3) No email or on-screen confirmation of p/w change
(4) No warning before account lockout
(5) No help on login screen for the memory challenged

Username structure: Initially set as social security # (with dashes); can be changed online one time; 8 to 24 characters, not similar to current username, not same as password, not offensive, at least 2 numbers and 2 alphas

Password structure: 8 to 16 characters with at least one number and one letter, not similar to username, not similar to prior password, not the same reading backward and forward

Second password/challenge: No

IE 6 AutoComplete disabled: No

Password change: Online with old password; no confirmation of the change provided on-screen

Email confirmation of password change/reset: No

Online password reset: No, must call; new temp password given over the phone after providing SSN, name, address, date of birth, and mother’s maiden name

Account lockout with excessive login attempts:
Yes, after fifth attempt, must call to reactivate; no warning prior to lockout

Online username retrieval: No, must call

Everbank provides no help at login for users that forget username or password, just a lengthy warning written by the lawyers.

First USA Credit Card (Bank One)

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password/username change or reset; especially important given relative ease of resetting username/password
(2) No warning before account lockout

Username structure: User defined, 7 to 16 characters, case sensitive

Password structure: 7 to 32 characters, case sensitive,  must have at least 1 number, may not use the same letters consecutively, cannot match username or social security number.

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online username change: Yes, with old password

Online password reset: Yes, with credit card #, social security #, signature panel code, and expiration date

Online username reset: Yes, with credit card number, social security number, signature panel code, and expiration date

Email confirmation of password or username change/reset: No

Account lockout with excessive login attempts: Yes, locked out after four attempts, no warning given

First USA is the only financial institution tested which allowed usernames to be reset online; nice for usability but a confirmation of the reset should be emailed and/or mailed to the cardholder.

Harris Direct (brokerage)

Password Scorecard

Grade: Good

Weakness:
(1) No email confirmation of password change (thought there is for password reset)
(2) Only 3 login attempts allowed before lockout (but can reset online relatively painlessly)

Username structure: User defined, 6 to 15 characters

Password structure: 6 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, a new disguised password is emailed after entering username and birth date; the new password is a created from the account holder’s mother maiden name and social security number but is not disclosed in the email, e.g. the first 2 letter of mother’s maiden name plus last 4 digits of social security number.

Email confirmation of password change: No

Email confirmation of password reset: Yes, confirmation also sent via snail mail

Account lockout with excessive login attempts:
Yes, after third attempt, but can be reset online; no warning before lockout

Online username retrieval: No, must call

HarrisDirect allows online reset after your account has been locked out for excessive login attempts. It was the only company which emails a disguised new password when resetting. For good measure, they also mail an identical confirmation.                    

ING Direct

Password Scorecard

Grade: Excellent

Username structure: Account number

Password structure: 4-digit number (called PIN)

Second password/challenge: Yes, one of 5 user-specified questions asked at login (see below)

IE 6 password remember disabled: Yes

Online password change: Yes, with old password

Email confirmation of password change: Yes; confirmation also sent via postal mail

Online password reset: No, must call

Account lockout with excessive login attempts:
No (not in the first 10 attempts)

Online username retrieval: Unnecessary (acct #)

ING Direct is the only bank we know of using a challenge question at login. In addition to account number and password, one of these five rotating questions must be answered correctly:

•  first 4 digits of social security number

•  zip code of mailing address (first 5 digits)

•  birth year (4 digit)

•  last 3 digits of social security number

•  last 4 digits of social security number

We like the concept, but the implementation is weak. By simply refreshing the browser screen, the would-be thief can select which question to answer, one of which is zip code, which is trivial to ascertain. 

PayPal

Password Scorecard

Grade: Fair

Weakness:
(1) AutoComplete not disabled on the password reset screen (it is disabled on login page)
(2) Username (email address) known to others

Username structure: Email address

Password structure: 8 to 24 characters case sensitive; recommended, but not required that it include upper and lowercase and at least one number or special character

Second password/challenge: No

IE 6 AutoComplete disabled: Varies; yes, on main login screen, no on password reset screen

Online password change: Yes, with old password

Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail

Email confirmation of password change/reset: Yes

Account lockout with excessive login attempts:
Yes, after 10 unsuccessful attempts; a lockout warning appears after the seventh attempt

Online username retrieval: Not necessary since username is equal to email address

PayPal is one of the few financial companies using cookies to automatically insert usernames at login. The company has used this approach since inception, so they must feel that the improved usability more than compensates for the decrease in security.

PayPal’s online password reset process requires the user to have access to the email account registered with the service. If not, users answer one of four authentication questions (top screen) and the password is mailed to a one of the previously confirmed snail mail address (bottom screen).

PayPal explains after the seventh incorrect password attempt that you have 3 more tries before lockout. This is a far more reasonable approach than many banks’ three-strikes-and-you-are-out policy.

Schwab

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too quickly, after 3 login attempts, but can be reset relatively easily online

Username structure: Account number or social security number

Password structure: 6 to 8 characters including at least one number BETWEEN the first and last characters; cannot match or be a subset of username

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, in one of two ways;
(a) If logging in with account number, you must provide social security number, date of birth, home phone number, and correctly pick a security in your account from a list of 10 choices including “none of the above”
(b) If logging in with a social security number, you must only provide the answer to the secret question.

Can also reset via automated phone system.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, after 3 attempts; no warning prior to lockout

Online username retrieval: Not necessary (acct. # or soc. #)

Schwab’s unique password reset process requires the usual social security #, birth date, and telephone, plus users must correctly choose one of ten securities in the portfolio (including “none of the above”).          

US Bank

Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 8 to 24 characters

Password structure: 8 to 24 characters

Second password/challenge: No

IE AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with ATM card number and ATM PIN; new password displayed online

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, after 6 attempts; can reset online or wait 24 hours; no prior warning

Online username retrieval: No, must call

Password change screen. Note the prominent placement of what happens next.

Forgotten password can be reset online with
ATM card number and PIN.

Wells Fargo

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too soon, after 3rd login try

Username structure: Social security number

Password structure: 5 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with statement account number and ATM PIN; those without an ATM PIN are directed to call customer service.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts:
Yes, after 3 attempts; user redirected to online password reset page; no prior warning

Online username retrieval: Unnecessary (SSN)

Wells offers six options for where to go
immediately after login.

After three unsuccessful login attempts users are directed to reset their password, which can be done online with account number and PIN.    

www.everbankbackup.com

Here’s an idea worth considering: a backup site with its own URL, <yourbankbackup.com>. everbank’s backup site contains just three links and the toll-free customer service number.

Here’s another reason why we like everbank.com, our first OBR Best of the Web designee this year. They make it a priority to continually improve their business, some small like this backup site, some large, like everbank Advisors.

The latest innovation is a backup site running under a different URL  www.everbankbackup.com  for use when the main site is down or busy. The backup site contains only four links:

• login for online banking
• login for online brokerage
• link to email
• 800 number

One improvement everbank should consider is changing the email address to the backup server as well. If its URL was attacked or hijacked, it wouldn’t want thousands of customers sending emails to service@everbanker.com . Better to create an email account on the backup server so customers linking off this page would send email to service@everbankbackup.com . (Presumably the bank would quickly post an alternative email address during a service outage, but why not have it set up that way from the outset?)

The bank publicized the backup site in an Aug. 6, 2000, customer email. Following is an excerpt:

Everbank.com Customer Email

DON’T FORGET ABOUT WWW.EVERBANKBACKUP.COM

Despite the everbank.com Web site remaining up and running over 99% of the time, there have been occasional problems with our local Internet Service Provider (ISP) that have caused the Web site to slow down from time to time. In the interest of continually improving our service, within the next month we will be changing over to a new ISP, and will begin implementing a new and faster version of the everbank.com Web site.

Of course, it is always possible that during this transition period, Web site access may be temporarily delayed.

That’s why we developed www.everbankbackup.com ! Any time you experience access problems with the main everbank.com Web site, everbankbackup.com is available so you can speedily access your online banking account.

Of course, if you ever have any problems Web banking, you can always give us a call at 1.888.882.EVER (3837) and press '2' at the prompt to speak to a Web banking specialist.

Source: everbank.com, 8/00

everbank.com

The start-up bank asks,
“Is this the single best Web banking account in the nation?” We say, “It depends.”

It depends on:

(a) Whether you keep at least $1,500 on deposit to earn the 6%.

(b) What the rate resets to after the first 6 months.

(c) How the customer is served.

The Company: The St. Louis, MO-based bank officially launched on Jan. 11, 2000, after a two-month soft-launch period that brought in $8 million in deposits
. The bank was developed by start-up Customer One Financial Network www.c1fn.com Wilmington Savings Fund Society (WSFS) (Wilmington, DE; $1.7 billion) became a minority investor in Aug. 1999 with a $5.5 million investment for a 25% stake. WSFS
is scheduled to invest another $5.5 million in a
few months. The arrangement is referred to as “joint initiative” on the company’s Web site. Everbank also received $7 million in funding from private investors.

The idea for the bank began about four years ago, but actual development commenced in early 1998. EVP Marketing David Galland has experience in direct marketing of investments and expects to see the bulk of everbank’s customer base driven in through conventional direct mail techniques. Currently, a 6.01% promotional deposit rate features prominently in the bank’s sales pitch.

The bank employs 25 (mid-Jan), with eight in customer service. Initial marketing commences in mid-Feb.

The Management Team:

Three of five founding execs came from Signet Bank, an online banking pioneer prior to being purchased by First Union.

The Product: Banking products run on S1’s Internet banking platform which supports categorizing expenses online and downloading into Quicken or Money. The company has also added the following features:

•  100% Web Safe Guarantee - similar to NextCard, guaranteeing account against fraud
•  100% satisfaction guarantee
•  7 x 24 customer care center
•  free/no-fee services: unlimited bill pay, nationwide ATMs, check writing, Visa Check Card, inbound wire transfers, overdraft protection advances
•  ATM surcharge rebates, up to $4 per month
•  airline miles credit card with a low, prime +1.9% “go to” rate (not a teaser)
•  yield pledge - top 5% of all interest checking accounts and money market accounts as listed in Bank Rate Monitor
•  financial organization reports created from categorized transactions
•  investment center (in house) with $19.95 trades and access to 2,000 mutual funds
•  opening promo: 6.01% checking (no maximum balance) for first 10,000 accounts opened before Mar 31, 2000 (1% higher than “normal” APY of 5.01%); minimum average balance of $1,500 required to earn interest and avoid the $4.95/mo maintenance fee (min. opening deposit = $100)
•  15-minute mortgage application with 10-second approval and low-rate guarantee
•  insurance center co-branded with InsWeb
•  home buying research area with Realtor referrals, home listings, calculators, change-of-address service, and so on

Coming Soon

•  Web site for real estate agents to initiate mortgage applications; have signed up 500 (see screenshot upper-right)
•  home equity lending in Q2
•  Evertrade advisors in Q1; expected to be the first Net bank offering investment advice for the typical infrequent trader
•  full-service investment center with private-branded index funds

Source: interview with company execs, 1/15/00