To my knowledge, ING Direct is the only major U.S. bank blocking third-party PFM access. But users can direct their PFM around the gate with a special "read-only" access code.

How it works
It's not particularly easy to find, buried three levels deep in MyAccounts | Preferences | Access Code.

The default setting is Blocked, as you can see in the first screenshot below.

But once you find the page, it couldn't be simpler to set up. Simply press the blue Create Access Code button in the upper right, and in a split second, you have created a read-only access code and opened your account to PFM access.

To change back, you merely click the "Block" button in upper right.

The only thing missing is an explanation of what to do with the Access Code. Is it the username or password? While that's explained in an link from the first page, it's not on the second page where you need it. (BTW, it's the password).

The bank also confirmed the new code via email right away (third screenshot).

-----------------------------------------------------

Access code main page (20 Oct 2011)

New access code

Email confirmation

----------------------------------

Note: OBR subscribers can access our previous reports on security at OnlineBankingReport.com (published in 1999, 2003, 2004, 2005, 2007 and 2008).

ING Direct has brought a number of security innovations to the United States: 

• Password entry via pin pad instead of keyboard
• Trusteer "safe login" browser plugin (previous post)
• Challenge questions at login (when needed)

  Now add a fourth item to that list:

• Authorization required when a new book of paper checks is ordered (see update below)
  

ING Direct, which famously eschewed paper checks when it launched a checking account, Electric Orange, in 2007, recently began offering a paper-check option. True to form, ING Direct added a few twists to standard industry practices:

• Paper checks can be bought only in quantifies of 50
• Each order is just $5
• Only one set of 50 can be ordered at a time (but once they have been authorized, another set can be ordered)
• Before the checks can be used, the book of 50 must be activated online (similar to credit/debit card authorization)
• Because the order must be authorized, third-party paper checks will not work at ING Direct (another security improvement)

_____________________________________________________________________

How it works
_____________________________________________________________________

The bank isn't exactly pushing paper checkbooks. There are no obvious links to the option on the primary or secondary navigation. Users must click on the Payments tab, then select Overview on the secondary navigation. That brings up a list of the ways to make payments, with "Checkbook" listed half-way down the page (see below).

New paper-check option at ING Direct (12 Aug. 2011)

And the bank's order form is drop-dead simple, unlike most major banks which drop you to a third-party order-entry site.

One-click check-ordering process

Confirmation screen explains next steps

________________________________________________________________________

My take
________________________________________________________________________

Offering paper checks is a good move. Most U.S. customers still need the occasional paper check, and waiting 5 days for ING Direct to send one out on your behalf was slow and cumbersome.

And I really like the authorization feature. Since I was old enough to know about check fraud, I've always felt that a book of checks sitting in my mailbox was a bit disconcerting. This solves that worry.

Finally, the $5 per 50 pricing is consumer friendly and competitive. The lower quantity (compared to typical 150-200 orders) subtly discourages paper-check usage, but the price is in line with other financial institutions, which typically charge $15 to $25 per 200 checks (note 1).

-------------------------------------------

PS. ING Direct must be very close to launching remote check deposit. It has a "stay tuned" message posted under the "Deposit Checks" tab in secondary navigation (see below). 

ING Direct's website implies that remote check deposit is coming soon (12 Aug. 2011)

Update (16 Aug. 2011): I heard from Citibank today. Apparently, they've used checkbook authorization for online account opening since 2007.

Notes:
1. And you can pay more: Chase recently dinged me for $23 for a book of 50 money-market checks (which I didn't ask for) when I opened a new business savings account. In comparison, I earned $0.40 (before tax) in interest on the balance. That means it would take more than 7 years to earn enough interest to pay for the book of checks. But I'll give Chase credit for immediately reversing the fee after I dropped the unwanted checks off at the branch. 
2. Apparently ING Direct changed its homepage navigation items earlier this year. The overall minimalist design remains unchanged. But now, in addition to View My Account, the bank offers three choices: Banking, Investing or Retirement. Previously, there were only two other choices: Open an account and Learn more.

Several months ago (previous post), I wrote about Bank of America's online fraud-warning resolution center for consumer cards, MyFraudProtection. It's a great service, though a little hard to use.

At that time, I showed only the online functions. The more important piece is the email alert (below). It's a great way not only to reduce fraud, but also maintain good customer relations.

But it's still read-only. What I'm really waiting for is a truly two-way email, or better yet, text message. That way I can simply respond to the bank's question in a few seconds and both of us can get on with our business. 

Email alert from Bank of America: Irregular Credit Card Activity (11 Jan. 2011)

-------------------------------------

Note:
1. See our recent reports: Paperless Billing and Banking and Email Banking: Revitalizing the Channel.

I've opened about 40 to 50 accounts online in the past decade and rarely has the experience been satisfactory (see note 1). The best experience yet was opening a PNC Virtual Wallet early last year. And I didn't know until after I'd published the blog entry, that the app was powered by Andera (note 2).

So I pay attention when the Rhode Island-based tech company introduces a new feature. The company already had fraud algorithms that stopped most attempts. But there is no such thing as perfect security. So to make it even more robust, Andera is adding real-time monitoring of the application flow across its entire 500-client network to do an even better job of catching criminals.

Under the new Fortifi system, criminals simultaneously applying at multiple financial institutions (on the Andera platform) are indentified in real-time and stopped. Andrea believes the new system will reduce fraud to less than 5 out of every 1,000 applications approved compared to 20 to 30 frauds per 1,000 approved previously.

Even for a smaller institution doing 100 online apps a month, that's one or two fewer frauds to chase down each month, a material cost savings and a reduction in the management burden fraud entails at smaller organizations. It also helps boost internal trust of the online channel, perhaps the biggest benefit of all.

---------------------------------------------

Andera homepage features a pensive pig, apparently wary of new account fraud

Notes:
1. See Online Banking Report: Improving Online Account Opening ROI (published June 2009; paywall).    
2. The post was changed to include Andera a short time later.

If there was any question as to whether Trusteer  had become the industry standard in online banking protection, it was answered this week. Bank of America is now offering the optional Rapport protection to its 29 million online banking customers. Ann Carrns in the NY Times Bucks blog wrote about it a week ago, but I guessed I missed it in all the April Fools Day commotion.

ING Direct was first to offer the program, launching in May 2008. Since then dozens of financial institutions have followed including Zions, PSECU, CIBC, PayPal, Santander, RBS and about 70 more (see full client list below in note 2).

In total, Trusteer says it's been downloaded more than 20 million times.

Analysis: It's a good move by Bank of America. While Rapport does not protect from all possible threats, it does seem to provide material improvements. The bank gets a double benefit: less fraud and improved perceptions from customers concerned about security.

The program is not without downsides, however. It requires a download and installation, though thankfully not a full reboot (see second screenshot). And like any software program, there are real and perceived compatibility and performance issues (see the comments on the NY Times blog entry).

Bank of America would be wise to make it easier for customers to find out more info on the program. There is only a tiny link buried at the bottom of the interstitial ad for more info. And that screen goes away after you press the download button.

Users who are surprised by the download warning, and even worried that they've been attacked by a virus, will find it difficult to find more info at that time. Rapport is not yet mentioned in the bank's security area accessible from online banking. Only by going back to the public site and searching for "Rapport" was I able to find the page offering more info (third screenshot).

Many users are going to need more hand-holding and reassurances before they install the program (note 1). The bank could save itself, and its customers, from thousands of harried support calls, by adding a detailed a "how it works" tutorial integrated into the interstitial.

Bank of America interstitial ad after online banking login (7 April 2011, 2 PM):

To use the service, users must download and run an executable file (Windows version below, there is also a Mac version)

Bank of America Trusteer Rapport info page (link)

--------------------

Notes:
1. For more info on Trusteer and other security topics, see Online Banking Report: New Security Techniques (Sep. 2008)
2. Trusteer financial clients (per company)

• Alliance Bank of AZ
• Alliance & Leicester
• Alta Alliance Bank
• Amegy Bank
• BancFirst
• Bangor Savings Bank
• BankFIRST
• Bank of America
• Bank of Cyprus UK
• Bank of Montreal
• Bank of Nevada
• BBVA Compass
• BOK Financial
• Boursorama
• Cambridge Savings Bank
• Carolina First Bank
• Central Bank KY
• Charter One
• CIBC
• CoBiz Financial
• Commerce Bank WA
• Coutts
• CoVantage Credit Union
• Coventry Building Society
• Ever Bank
• F&M Bank
• Fifth Third Bank
• first direct
• First Independent NV
• First Republic Bank
• Hancock Bank
• Harris Bank
• HSBC
• Huntington National Bank
• IBC Bank
• ING DIRECT Canada
• ING DIRECT USA
• iTransfer
• Mercantile Bank
• Metro Bank
• Mid-Atlantic Corporate
• National Bank of Arizona
• NatWest
• NBC Bank
• Nedbank
• NEFCU
• Nevada State Bank
• PayPal
• Peoples Bank OH,WV,KY
• Peoples Bank (MO)
• President's Choice Financial
• PSECU
• RBS Citizens
• The Royal Bank of Scotland
• Santander
• Selfbank
• Selftrade
• ShareBuilder
• SiebertNet
• Somerset Hills Bank
• Standard Bank
• SunTrust
• Synovus
• Torrey Pines Bank
• Ulster Bank
• United Bank
• USAmeriBank
• Valley National
• Vectra Bank
• Zions Bank

No matter how long you've been banking online and no matter how good you are at keeping your computer virus- and malware-free, there's always the nagging concern that this could be the time where you end up as part of the national fraud statistics.

That's why banking websites need to maintain a solid "perception of security" around the login box. Those padlocks, security FAQs, and so forth are an important reminder to customers that the bank is doing all it can to protect their money.

But it's also important to reach out every once in a while, annually should be enough, through email and statement messaging, to summarize all the protections you've put in place. Saturday, we received just such a message from ING Direct (see below).

As usual, the direct-banking giant did a great job marrying conversational text with its trademark minimalistic graphical style to reassure customers that they are safe banking online at ING Direct.

The bank has long been ahead of the "security curve," at least in the United States. It was first with a pin pad for secure password entry. It was one of the first with a security-challenge question and personalized anti-phish emails. More recently, they were the first bank in the world to deploy Trusteer's Rapport browser plugin.

Saturday's email discussed four security features:

• How to identify legitimate emails from phishy ones
• Reminder to look for your pre-selected image and phrase at login
• Explanation of the pin pad for secure data entry
• Encouragement to register your computer

One other area that could have been addressed is mobile-phone security. Smartphone users have significant security concerns about mobile banking. The bank missed an opportunity to address them and tout its relatively new iPhone app as well.

But, all-in-all, it's a worthy effort from ING Direct, and something every financial institution should have in its annual messaging plan (note 1).

Email Header

From: ING DIRECT <saver@ingdirect.com>

Reply-to: saver@ingdirect.com

Date: Sat., Oct 16, 2010, at 10:39 AM

Subject: Here's how we protect you

----------------------------------

Note: For more info on possible customer messaging topics, see the most recent Online Banking Report.

SmartyPig is the first of my personal banking accounts that allows me to choose the level of detail provided in email alerts. The startup just moved away from sending detailed info in all messages to offering the option to receive a general notification that requires logging in for specific balance/transaction info (see below; link to SmartyPig blog post).

This is a basic level of customer choice that every financial institution should put into their product roadmap. For me, and a great many customers, alerts are practically worthless if they don't include some detail on the transaction. On the other extreme, many customers are not at all comfortable with actual data being included in an email and won't use alerts if that is the only choice. Most customers fall somewhere in between. 

In the future, it won't be a black-and-white decision. Users will be able to select varying levels of detail depending on the account, balance level, email address used, time of day and so on.

---------------------------------

And while we are talking about SmartyPig, check out their very thorough security section. The startup covers far more ground than most financial institutions.  Here are the topics covered:

• White-hat hacker tested via Primeon
• Verisign Extended Validation SSL
• Security scanned daily by McAfee
• TRUSTe privacy seal
• FDIC info for its banking partner
• Secure login
• Firewall
• Encryption
• Constant surveillance
• Technology updates
• Browser support

Note: For more info on email alerts, refer to our most recent Online Banking Report.

This is a somewhat perplexing message to receive after logging in to online banking. It seems almost phish-like (especially with that old-school corded phone in the picture):

A recent review of your account indicated that we are missing your date of birth. We use this information to help verify your identity. Please call us at the 1.800 Customer Service number on the back of your credit card so we can update your file.

I guess I can understand the bank wanting my birth date, but it brings to mind several questions:

1. Why are they asking me now? I've three accounts there, with one dating back to the 1980s. Is something wrong? Has my account been accessed by someone else? Then my more cynical side thinks, did this request come from the marketing dept. or the security folk?  Bottom line: the bank should provide a more detailed explanation via a "more info" link.
2. I have to CALL, really? Why can't I do this online? Will I have to endure a cross-selling session when I make the call? Will I have to go through the entire phone tree to get to an operator? The least the bank could do is provide a direct line for the task.

The whole thing seems like a ridiculous waste of time. A five or ten-minute journey through call center menus in order to provide six numbers to a live operator. Plus, won't this extra call-in requirement drastically reduce user response? 

Bank of America interstitial after logging in to online banking (14 Oct 2009, 5 PM Pacific)

Pennsylvania State Employees Credit Union is the latest big-name client for Trusteer's anti-malware Rapport browser plug-in. The CU's 350,000 members, or anyone else for that matter, can now download the free program via a link on the PSECU security page.

Current clients of Trusteer:

• ING Direct (USA and Canada)
• RBS (RBS, NatWest, Ulster)
• Pennsylvania State Employees Credit Union
• Central Bank (Kentucky) was announced Feb. 23, but the program is nowhere to be seen on its website today
• (Updated 10 June): Zions Bank, which is the only client featuring the program on its home page (screenshot here)

For more information and analysis, see previous posts on Trusteer and our Online Banking Report on New Security Techniques.

Trusteer homepage showcases ING Direct and PSECU (8 June 2009)

PSECU "security software" page (link, 8 June 2009)

Last May, Trusteer launched an optional added security measure for customers of ING Direct in the United States (note 1, see previous post). Although, it's not perfect, users of the Rapport service are less vulnerable to viruses and malware running on the their PCs. We gave the new service an OBR Best of the Web award last fall in our Online Banking Report on Security Innovations.

Although, ING Direct is a great reference account, being endorsed by Royal Bank of Scotland, really puts Trusteer on the map. The security solution is offered for download at both Royal Bank's RBS and NatWest sites (see screenshots below). Anyone visiting the banking sites can download the software, you don't have to be an RBS/NatWest customer. 

Trusteer also lists Huntington Bank as a customer but there is no mention of Rapport on the bank site yet. Other providers include Authentium's SafeCentral (note 2) and Check Point's ZoneAlarm (note 3). 

Bottom line: Security is an issue for many bank customers, now more so than ever. Extra security options deserve consideration to improve customer satisfaction/trust and help reduce fraud losses. 

Rapport download page at NatWest (link, 23 March 2009)

Rapport download page at RBS (link, 23 March 2009)

Notes:
1. Later ING Direct Canada and ING Direct's Sharebuilder added Rapport support.
2. Authentium demo'd SafeCentral at FinovateStartup 2008 (video here). A new version of SafeCentral is in the works. 
3. Check Point demo'd ZoneAlarm at Finovate 2008 (video here).

Last week, the Puget Sound Business Journal reported on a Pacific Northwest stealth startup that's receiving a lot of attention from Silicon Valley, at least measured in dollars. The $10 million round for Finsphere is an impressive endorsement, especially given the apparent involvement of prominent VC Mohr Davidow.

There's not a lot we know about the company other than the founders are out of the wireless industry, and the company's services are described as "location-based transaction verification services." That sounds like using the GPS-based or triangulated location of mobile phone users to authenticate card transactions and/or online banking logins. Armed with the GPS reading, card companies would know that you (or at least your mobile phone) are where your credit card activity says you are, e.g., buying a tank of gas in Washington D.C.

With GPS capabilities coming to the iPhone next month, this could be a very large market indeed. If we are right about the product, we'll try to convince the company to demo at one of our Finovate conferences. 

Last week, we received a tremendous comment/question from one of our readers, an officer in the risk-management department at a very large U.S. financial institution. His question, “I may have overlooked it, but did not see too much discussion around mobile banking fraud threats, such as mobile malware and smishing. Are these threats real? If so, what controls are financial institutions putting in place to mitigate these risks? Are there other mobile banking risks on the horizon?” 

That's a great question. Yes, threats of malware are real, and I expect to see the number of attacks grow exponentially greater over the next 18 months. However, so far only a handful of attacks have been recorded. See Wikipedia for a listing of mobile viruses.

The next question, “What controls are financial institutions putting in place?” The majority of financial institutions with mobile banking are using a vendor product; therefore, they are relying on the tools built in to the solution. In my previous entry on the subject (see Mobile Banking), I explained that after reviewing solutions from numerous vendors I believed they all had done a top-notch job making information security the number one priority. So, unless you are going to follow Bank of America and Wells Fargo down the path of an in-house WAP solution, you should find that the vendor has already addressed the issue on your behalf (see note 1).

That said, there is one HUGE security risk not receiving the attention it deserves and that is – THE CUSTOMER. As with online banking, the most critical element in reducing fraud is to simply educate the customer. Education can take a number of forms, including awareness campaigns, security checklists, recommended settings, and providing examples of how other clients have been deceived.

One good resource is the Microsoft page:  

Also, there are a number of companies already providing mobile antivirus security software including (note 2):

Bullgard
MyMobiSafe
Symantec
UMU
AirScanner
Kaspersky
F-Secure
Trend Micro

And as my Apple friends already know, the iPhone utilizes the OS X platform. While there is no guarantee, the accepted belief is that viruses are not an issue for Apple and that security software is not needed (note 1).

I hope this provides a better understanding of the mobile security environment. I encourage others to comment or send questions.

Notes:
(1) This is an opinion and not an implied guarantee of security or performance.
(2) This is in no way an endorsement of the product(s) or guarantee of performance. These were the top search results for the keywords “mobile antivirus security.”