That was fast. Just two weeks after my latest appeal to the industry to provide small business owners with more security options, a new product launched today aims to do just that. And it's packaged as a turn-key, fee-based service that could be sold by banks at a $10+ per month profit (MSRP is $25/mo).  

That all sounds too good to be true. When I was first contacted by Greenway Solutions last week, I was more than a bit skeptical. But after speaking with CEO Jerry Tylman and Managing Consultant Jon Meyer, I was convinced they had something that as a business owner, I'd definitely buy.

The product, EFTGuard, is a joint venture between Greenway Solutions and Royal Group Services. They say it's a "win-win-win" for banks:

• Helps banks meet "UCC requirement for commercially reasonable security and their FFIEC requirement for customer education and awareness"
• Provides peace of mind to bank clients
• Protects both the bank and each client up to $500,000 in unauthorized online transfers
• Helps differentiate checking and deposit offerings

____________________________________________

How it works
____________________________________________

EFTGuard provides protection against fraudulent online-account withdrawals of $100,000 per account (with no deductible), with a maximum of $500,000 per customer. And because it's not true "insurance" (it just behaves like it), there is no underwriting hassle and the product can be purchased in just a few minutes via online form (demo here). There is, however, the usual list of coverage exclusions; for example, it doesn't cover insider theft. 

The catch? To qualify, business customers must download and install anti-malware software from Trusteer, Iron Key, or Webroot. And every computer accessing the business account must be running these protective software programs. For the time being, that appears to leave out any mobile access. 

Initially, banks looking to offer EFTGuard will need to work with one of these three malware-protection vendors in order to qualify their clients for the fraud protection. Other than that, EFTGuard is turn-key and comes with marketing support, a co-branded signup page, and full claims management.

The $500,000 coverage is backed by Chartis Specialty Insurance Company.

__________________________________________

Bottom line
__________________________________________

Your business customers are rightly concerned about fraud. Offering them an option to protect themselves is a great way to differentiate your deposit offerings while preventing you from getting bogged down in messy litigation with your customers.

I still have questions about how often the list of exclusions will invalidate claims when actual fraud occurs. But the company assures me that the protections are very real.

Assuming EFTGuard delivers on its protection promise AND creates a small profit center, what's not to like? I, for one, will be the first business owner in line to buy it. 

-------------------

EFTGuard homepage (24 April 2012)

----------

Note:
1. I believe insurance is one of the best growth areas in retail banking, especially in niche lines that can be explained and delivered online (see our December Online Banking Report for more about banks delivering insurance online).

A few days ago we published a new Online Banking Report: Delivering that Secure Feeling, arguing for the creation of fee-based subscription packages for those that need more security/privacy assurance than the typical consumer.

What we probably should have made clearer is that this is NOT a product strategy for the mass market. It's geared toward high-end, wealthier customers and/or businesses that have a lot more to lose if their accounts are compromised.

The need for more security is especially acute for the small business owner, especially larger small businesses keeping five- and six-figure balances, sharing account access with accountants, bookkeepers, and partners, while making 100s of transactions per month.

In addition, business accounts generally operate without Federal consumer protections, so fraud losses may have to be absorbed by the business, unless they can prove negligence by financial institution. Litigating a major fraud loss is an ugly situation that should be avoided if at all possible.

That's why it's a win-win-win when a biz-banking client pays a fee for extra fraud protection:

• Biz customers have fewer worries
• Bank profits from the fee-based service
• Fewer unreimbursed fraud losses save both parties time, money and potentially massive ill will

Take it from this small-biz owner. For 15+ years I have wished for more security/control and would be more than happy to pay for it, really! (see note 1). Every single day I dread opening the multiple email alerts from my biz bank afraid that one day I will join the the small but growing number of biz owners that have had their accounts looted (note 2).

Commercial customers have sophisticated tools at their disposal, but the smaller biz is often left using consumer-type controls. This is not how it should be.

-----------------------

Notes:
1. I've long said that I'd be willing to pay $500/mo for the perfect package of online business banking, payment, bookkeeping, and customer-management services. I stand by that statement (though I'd probably pay even more now that we have more international issues with the Finovate event). See our Online Bankin Report on micro and small businesses for more info.
2. Here's one of the paradoxes of more communications, more "worry events." In the past, I would have only dreaded opening my statement once per month. Now I have that little pit in my stomach several times each day. That doesn't seem right.
3. Image licensed from Shutterstock.

OK, let's think this through. Consumers have been concerned about the security of online banking for more than a decade. Technology tools are available to ease their anxiety. So, why aren't these tools readily available?

The answer is that most security enhancements don't pay their own way in terms of reduced fraud. Therefore, these "nice to have" features languish in the priority queue with little hope of getting implemented.

So do we just let customers continue to needlessly fret about the security of their financial accounts?

No, that just irritates already fed-up customers and invites more independent competitors to the table to provide the missing benefits (e.g., BillGuard, Credit Karma, Mint).

Instead, why not move to the win-win solution: Charge an optional subscription fee for extra "peace of mind," but only to customers who want it. Or offer the value-adds free of charge for customers who help you lower costs by using self-service channels and foregoing printed statements.  

But wait. Aren't fees dead after the BofA debacle a few months ago?

While that was a very real customer backlash, optional fees are still possible. Just keep these rules in mind:

• Fees for extra security should NEVER be mandatory; instead, offer a "security bundle" that goes above and beyond the normal state of the art
• Do not charge a fee for any security feature you already offer free of charge (the big problem with the ill-fated debit card monthly fee)
• Do not charge for a security feature that is typically delivered free of charge by others in the industry
• It's better to bundle a group of extra security features into a relative low-priced subscription bundle

In our new 48-page report we cover:

• 12 design elements to make your website feel more secure
• 7 potential positive elements for your business case
• 5 talking points for staff education before implementing a subscription fee
• 37 potential security enhancements to bundle into an "extra security" subscription offering
• 72 additional security features to consider
• 5 customer segments to target with a fee-based package account
• Overview of three promising security services:
  -- Anti-virus for transactions from BillGuard
  -- Self-service suspicious activity reporting from Bank of America
  -- Virtual safe deposit from Northwest FCU, powered by DigitalMailer

__________________________________________________________________

About the report
__________________________________________________________________

Delivering that Secure Feeling (link)
Help consumers reduce perceived risks (for a price)

Author: Jim Bruene, Editor & Founder

Published: 4 April 2012

Length: 48 pages, 8 tables, 12,000 words

Cost: No extra charge to OBR subscribers, US$395 for others here

__________________________________________________________________

There are two problems with the current state of online/mobile login:

• It's too hard for customers to log in to their own accounts, especially using mobile keyboards
• Yet, it's too easy for crooks to log in to other people's accounts

Since the dawn of online banking, the industry has struggled to balance user experience with security. And tiny mobile keyboards make the login experience even more frustrating.

But it doesn't have to be that way.

A number of banks are using 4-digit passcodes making mobile login a breeze. But Commonwealth Bank (Australia) has gone one step further, with no-login pulldown access to account balances in its new Kaching (ka-ching) mobile app (note 2). 
(Update 16 Mar: New Zealand's Westpac also has a no-login mobile option called Cash Tank). 

Commonwealth calls the no-login option Simple Balance. With a quick swipe users pull down a read-only account balance (see screenshot below). The no-login option must be  enabled within the app before the first use. See it in action here (at the 29-second and 54-second marks).

We are awarding Simple Balance our second OBR Best of the Web award for the year (note 3). While it may not be as novel as City Bank's debit card on/off switch, it's likely to be used 100x more.

Bottom line: Requiring full username and password to see your account balance is antiquated, or at least it's rapidly headed that way. The four-digit PIN is a good first step. But ultimately, it needs to get even easier than that for low-risk activities (note 4).

-----------------------------------------

A single swipe on the top of the Kaching app allows users to download their account balance (click to enlarge, see note 2)

----------------------------------

Notes:
1. Many thanks to Australian reader Saif Hazarika, Innovation Manager at Australia Post, for clueing us in on the Kaching feature and creating the illustration above.
2. The Financial Brand published a good overview of Kaching several weeks ago.
3. Since 1997, our Online Banking Report has periodically given OBR Best of the Web awards to companies that pioneer new online or mobile banking features. It is not an endorsement of the company or product, just recognition for what we believe is an important industry development. If anyone knows of other financial institutions offering a similar feature, let us know and we'll update the post. Commonwealth Bank is is the 85th company to win the award and the second in 2012. Recent winners are profiled in the Netbanker archives.
4. USAA's "stay logged in" option is another promising approach, though not quite as user friendly as the Kaching swipe.
5. The Kaching app (inset, click to enlarge) includes integration to the user's Facebook friends to facilitate P2P payments. A cool feature that I will add to the 50 or so discussed in last month's Banking on Facebook report (OBR subscription).

It had been a while since I'd logged in to Mint.com from my iPhone and I had forgotten just how easy it is. The online PFM pioneer has boiled the process down to the bare minimum (assuming you've enabled "passcodes," see note 1).

Logging in takes just four numerical "keystrokes." You don't even have to press a login or done button (inset). As soon as you press the last digit, you are automatically logged in.

As an added bonus, PIN authentication is handled on the phone instead of the server, so you get an immediate error message if you type in the wrong one.It's a great user experience, though I wish Mint still supported the stay-logged-in option, which is fine when accessing a "read only" data file (note 2).

This brings me to my main point (finally!). Banks need a "read-only" account access option (note 3). Than means no account numbers are shown. No check images are accessible. No personal info is available. And of course, you can't perform any transactions (note 4). And the read-only password should be different than the "normal" one.

The read-only option would make customers feel more secure about banking online, especially from:

• Mobile phones
• Tablets
• Wifi hotspots
• Hotel rooms
• Friend's house
• Public terminals
• Home (if you don't trust your own network)
• PFM or third-party programs (note 3)

With read-only services, bank security folk can ease up on unwieldy password requirements for mobile access. And it might even prevent a crook or two from gaining full account access due.

---------------------

Notes:
1. The four-digit PIN option is for users that have enabled passcodes for login from the Settings area in the Mint.com app. Otherwise, users must enter their full Mint username and password.  
2. While it's a privacy concern, read-only account access with no login should be an option for a PFM. Of course, you must make it absolutely clear to users the danger of non-password protected data.
3. ING Direct offers read-only access to PFM programs
4. Funds transfers among existing accounts or even to existing billers could be OK, but it muddies the waters a bit from the perspective of the user.

I get that multi-channel messaging is a mess. I understand that new regulation is creating huge backlogs in project queues. But 17 years into the Web-banking era, I should be able to service my bank account entirely online, if that is my choice. And more importantly, if I've signed on for alert services, there shouldn't be any surprises when I go to log in to my account. 

Yesterday, <largebank> failed me on both accounts (see note 1).

With Finovate Europe less than two weeks away, we are wiring large sums to London to pay for it. My bank got a bit concerned about all this outbound activity, which is good. I'm glad they are paying attention.

But how they went about notifying me about their concerns was simply outdated. Here's how it went down:

1. The bank called me from a toll-free number and left a voicemail asking me to call them back. Despite the fact that I get every alert under the sun, the bank did not send an email or text message. I don't know about you, but listening to voice messages from random 800 numbers is very low on my priority list. By mistake I did happen to hear it a couple hours after the fact. 
2. As soon as I listened to the message, I first went to my email to see if I'd also received a message from the bank to verify the authenticity of the phone call. Seeing nothing there, I attempted to log in to online banking to verify the call and assure myself that my account had not been drained. But guess what? The bank had disabled my account access and gave me a vague error message with instructions to call a toll-free number. The number matched the one on the voice mail so at least I could confirm it wasn't a vishing attack. There had been no mention in the voice mail of my account access being disabled.

Now, when you are 11 days out from an event and the cash in the bank is needed to pay for it, it's beyond disconcerting to be locked out of your account for no known reason.

Luckily, we were able to quickly assure the bank that yes, we really did need to wire that much money. So we are back up and running and our patient vendor simply had to wait one more day. (Update: I wrote this post yesterday. Today, the same thing happened again with another wire. While it wasn't a surprise this time, it's annoying.)

________________________________________________________________________________

A Better Process
________________________________________________________________________________

Let's repeat this scenario using an approach that preserves your customer's sanity while making it more convenient for those that favor digital channels:

1. Bank sees something odd so it freezes outgoing wire-transfer capability and sends me a text message, an email message, and also leaves a voice mail.
2. Instead of shutting down my account access, they let me into my account so I can verify that the balances are still there. And for extra credit, the suspicious activity is highlighted.
3. After confirming the transaction through an extra authentication step, the bank re-opens my outgoing wire capability.
4. For extra credit, let me simply authenticate the suspicious items by replying back to the messages (at least on smaller dollar items).

Now that I can breathe again, I can lay out three rules to guide your "suspicious activity" messaging:

1. Contact the customer via the channel of their choice (but also use others for backup in urgent situations).
2. Allow the customer to authenticate transactions without moving out of that channel.
3. Never completely disable online access (unless absolutely necessary). Yes, shut off transfer-out functions, but continue to allow "read only access." And post a red warning graphic within the account to draw attention to the suspicious activity. 

--------------------------

Notes:
1. I'm not identifying the bank because my "data point of one" may not be indicative of what other customers experience. But I will disclose the name "off the record" if you email me jim@netbanker.com.
2. For more on messaging, small business, security and much more, see our Online Banking Report (subscription required).

In the digital era where teenagers might keep their bank accounts for the next 80 years, it's important to offer services that encourage kids to sign up for a bank account. There are some cool ideas around financial education, money management, and gamification which we explored in our Online Banking Report earlier this year (note 3).  

But what's the one issue that really drives parents' behavior towards their kids? Fear. Fear for their physical safety on the way to school, fear of bad influences at school, and fear of the idiots kids will encounter online. The list goes on and on. 

You may not be able to protect kids from Facebook bullies, but you can help on the money side. Financial institutions can offer services that help protect children from online scams, ID thieves, and so on. You can offer prepaid cards with controlled access. You can keep parents apprised of their child's spending so they can recognize early-warning signs of dangerous behavior.

It's win-win product development. Parents will pay for it through fees and/or loyalty. You'll lock in more youth accounts, and everyone will get a bit more peace of mind.

Bottom line: While family financial security is a promising area, it's no small project. Most banks will need partners to provide at least some of the services (credit-reporting specialists, account-aggregation providers, data analytics, and so on). But once the data feeds are available, they can be bundled together into different packages for various segments. 

And mobile delivery will be crucial. For inspiration, look at Life360, a fast-growing mobile service whose core offering is GPS tracking for family members (see screenshot below, note 2). Life360 is free, but offers an optional identity-theft protection family-plan at $14.95/$19.95 per month. Since going free, the company has mushroomed to 6 million families.

------------------------------

Life360 is a fast-growing startup offering "mobile family safety" (13 Dec 2011)

-------

Notes:
1. Graphic: From the FTC-sponsored one-day seminar on childhood identity theft this summer (link).
2. For more info on Life360, read the series of Techcrunch posts on the company.
3. For more on family/youth banking, see our recent Online Banking Report (subscription).

I'm not sure if this is normal or not, but I enjoy the process of updating the 100-some apps on my iPhone. I'm always interested in what's changed and how the company communicates the new info to users. I've noted before that banks aren't good at leveraging this customer touchpoint, but they are getting better.

In the latest round of app updates, I noticed a nice improvement from USAA (see inset; note 1). Instead of automatically logging you off whenever you move out of the app, say to take a call or fire off a text, the bank provides the option of staying logged in for up to 20 minutes.

Sure, there's a tiny risk that if you were to lose your phone or loan it to someone during that time, they could get into your account. But your average smartphone thief is unlikely to click on the USAA button during those first 20 minutes. And even if they did, it's unlikely they could do much with the info.

Bottom line: I want this option on all my banking apps.

---------------------

Notes:
1. This iPhone update (v. 4.0) was pushed out, 8 Nov 2011
2. For more on mobile banking, see our subscription publication, Online Banking Report.

To my knowledge, ING Direct is the only major U.S. bank blocking third-party PFM access. But users can direct their PFM around the gate with a special "read-only" access code.

How it works
It's not particularly easy to find, buried three levels deep in MyAccounts | Preferences | Access Code.

The default setting is Blocked, as you can see in the first screenshot below.

But once you find the page, it couldn't be simpler to set up. Simply press the blue Create Access Code button in the upper right, and in a split second, you have created a read-only access code and opened your account to PFM access.

To change back, you merely click the "Block" button in upper right.

The only thing missing is an explanation of what to do with the Access Code. Is it the username or password? While that's explained in an link from the first page, it's not on the second page where you need it. (BTW, it's the password).

The bank also confirmed the new code via email right away (third screenshot).

-----------------------------------------------------

Access code main page (20 Oct 2011)

New access code

Email confirmation

----------------------------------

Note: OBR subscribers can access our previous reports on security at OnlineBankingReport.com (published in 1999, 2003, 2004, 2005, 2007 and 2008).

We've been impressed with BillGuard since we first learned about it earlier this year. And they wowed the crowd at Finovate two weeks ago with a great demo, dynamic presentation and more importantly, a product that resonates with consumers across many demographic segments.

One great thing about becoming a trusted consumer watchdog, like identity theft monitoring services, is that your monthly emails are actually read by customers. And unlike FICO scores which usually don't fluctuate that much month-over-month, there's usually something new to look at when BillGuard scans a month's worth of card transactions looking for oddities.

For example, my scan for September across two credit card accounts showed the following activity (see first screenshot below):

• Green: 61 transactions that were identifiable as "normal" activity
• Orange: 2 transactions that were "unknown"
• Red: None were flagged red indicating suspected fraud

Clicking through to the website, I can mark legitimate transaction "OK" and that information is fed back to the network and disseminated to other via the Merchant Transaction Reliability score (see second screenshot). 

Bottom line: This is the kind of value-added service that FIs could bundle with other products, even a debit card for example, that could help justify a monthly fee. $5 perhaps? 
(Note: BillGuard is currently offering free of charge to expand the customer base.)

----------------------------

1. BillGuard emails a monthly Scan Report to customers (4 Oct 2011)

2. At the BillGuard website, each merchant's score across all users is tracked
Note: Apparently, 17 BillGuard customers are using Quickbooks Online and none have flagged the transaction (which makes sense)

We were lucky enough to take a quick trip to Europe this summer and one of the many rituals of modern travel is convincing your card issuers not to block international transactions. The conventional wisdom is to notify issuers in advance. While not an absolute necessity, it is said to improve your odds.

The process is very straightforward. All the bank needs is your travel dates and where you are visiting. However, it is tedious over the phone due to redundant authentication requirements.

Consequently, it's an ideal service to automate with online, or even better, mobile form. I wrote about it the last time I traveled. But this time I put a clock on the process, just to see exactly how much time was wasted, for both the consumer and bank, on the phone. 

Summary: It took about 1 minute per card to register online at Capital One and Chase. Over the phone, it took 6.5 minutes at Wells Fargo and 9.5 at U.S. Bank. No one has it in their mobile app yet (see details below).   

I realize that online travel notifications are not a high priority these days. But, it's such a win-win service, I wish more banks offered it. However, the real end game is to build automatic location notification into mobile-banking apps. Even if customers won't agree to being tracked 24/7, there could be a button in the app that users press to submit their GPS location whenever they land in a new city or country. 

That gives customers total control, but makes it super easy for them to communicate. And it gives you a highly  secure method of knowing your customers are in the same location as their card. 
__________________________________________________________________________________

Capital One: Online -- 2 minutes to register 2 cards (see screenshots in previous post)
__________________________________________________________________________________

Luckily, Capital One, my go-to card abroad with no international transaction fee, has an online form to do this. It's not easy to find, but I'd written about it before so I knew roughly where to look. The form is a little convoluted; if traveling to multiple countries, you have to keep pressing "add another destination," but it took less than a minute to add the five countries were we passing through.

I have Capital One personal and business cards which are integrated into the same online banking platform. But unfortunately, you have to do each card separately, so total time expended, including login, was about 2 minutes.

Capital One gets extra credit for sending me an email on my scheduled departure day asking me whether I needed anything and providing their international call-center instructions. _________________________________________________________________________________

Chase Bank: Online -- less than 1 minute for 2 cards (see screenshot in previous post)
__________________________________________________________________________________

I couldn't remember whether Chase had an online option, so I logged in, didn't see it on the right-hand column of common links. So I went to customer service and found it on the list of available tasks. The form was super-easy; I could do both of my cards at once and just free-form input the countries. Total form-completion time was under 10 seconds, but if counting login and function-search, it took just under a minute. __________________________________________________________________________________

U.S. Bank: Phone: 9.5 minutes on phone + 2 minutes searching online for 1 debit card (with 2 different account numbers)
___________________________________________________________________________________

I first checked online to see if travel notifications had been added since the last time I checked. No such luck, so about 2 minutes were wasted. Because we needed ATM access abroad, we had to have this card working, so I reluctantly called the 800 number on a Friday evening, and was told that wait times were approx 4 minutes. I think they were only half that, but it still took me a full 9.5 minutes to get my ATM cards registered. About one minute of that was spent finding my wife's debit card, which I now know has a different number than mine.

Why the agent couldn't handle both ATM cards from a joint account without needing the other number is beyond me, but he insisted.

Total time expended was 2 minutes online and 9.5 on the phone: 11.5 minutes total.

Extra credit goes to the U.S. Bank agent who activated my new debit card that had recently come in the mail. My old card would have expired during the trip.  
___________________________________________________________________________________

Wells Fargo: Phone: 6.5 minutes on the phone + 2 minutes searching online for 1 card
___________________________________________________________________________________

My wife carries a Wells card at all times, so usually she handles travel notifications. But since I was already on a roll, I took on the task. Although I didn't recall ever seeing it, I assumed Wells would have an online option, but after a search of the site, I found that my hunch was wrong and that I'd wasted a few minutes.

I called the 800 number and was able to complete the process in about 6.5 minutes. Much of that time was spent listening to menu choices and current balance info (which I didn't want). Had I known how to skip through the menus, it would have taken only about 3 minutes. The agent was friendly and efficient, although she twice asked if she could also activate my debit card even though I don't have a checking account there. But I appreciate that she was trying to be thorough. ___________________________________________________________________________________

Bank of America: Phone -- 2 minutes, 0 cards
___________________________________________________________________________________

I was going to take my Bank of America card along, but after searching customer service I could not find an online form to complete, so I decided to leave it at home. Score 1 for the more online-savvy approach at its competitors.

If there was any question as to whether Trusteer  had become the industry standard in online banking protection, it was answered this week. Bank of America is now offering the optional Rapport protection to its 29 million online banking customers. Ann Carrns in the NY Times Bucks blog wrote about it a week ago, but I guessed I missed it in all the April Fools Day commotion.

ING Direct was first to offer the program, launching in May 2008. Since then dozens of financial institutions have followed including Zions, PSECU, CIBC, PayPal, Santander, RBS and about 70 more (see full client list below in note 2).

In total, Trusteer says it's been downloaded more than 20 million times.

Analysis: It's a good move by Bank of America. While Rapport does not protect from all possible threats, it does seem to provide material improvements. The bank gets a double benefit: less fraud and improved perceptions from customers concerned about security.

The program is not without downsides, however. It requires a download and installation, though thankfully not a full reboot (see second screenshot). And like any software program, there are real and perceived compatibility and performance issues (see the comments on the NY Times blog entry).

Bank of America would be wise to make it easier for customers to find out more info on the program. There is only a tiny link buried at the bottom of the interstitial ad for more info. And that screen goes away after you press the download button.

Users who are surprised by the download warning, and even worried that they've been attacked by a virus, will find it difficult to find more info at that time. Rapport is not yet mentioned in the bank's security area accessible from online banking. Only by going back to the public site and searching for "Rapport" was I able to find the page offering more info (third screenshot).

Many users are going to need more hand-holding and reassurances before they install the program (note 1). The bank could save itself, and its customers, from thousands of harried support calls, by adding a detailed a "how it works" tutorial integrated into the interstitial.

Bank of America interstitial ad after online banking login (7 April 2011, 2 PM):

To use the service, users must download and run an executable file (Windows version below, there is also a Mac version)

Bank of America Trusteer Rapport info page (link)

--------------------

Notes:
1. For more info on Trusteer and other security topics, see Online Banking Report: New Security Techniques (Sep. 2008)
2. Trusteer financial clients (per company)

• Alliance Bank of AZ
• Alliance & Leicester
• Alta Alliance Bank
• Amegy Bank
• BancFirst
• Bangor Savings Bank
• BankFIRST
• Bank of America
• Bank of Cyprus UK
• Bank of Montreal
• Bank of Nevada
• BBVA Compass
• BOK Financial
• Boursorama
• Cambridge Savings Bank
• Carolina First Bank
• Central Bank KY
• Charter One
• CIBC
• CoBiz Financial
• Commerce Bank WA
• Coutts
• CoVantage Credit Union
• Coventry Building Society
• Ever Bank
• F&M Bank
• Fifth Third Bank
• first direct
• First Independent NV
• First Republic Bank
• Hancock Bank
• Harris Bank
• HSBC
• Huntington National Bank
• IBC Bank
• ING DIRECT Canada
• ING DIRECT USA
• iTransfer
• Mercantile Bank
• Metro Bank
• Mid-Atlantic Corporate
• National Bank of Arizona
• NatWest
• NBC Bank
• Nedbank
• NEFCU
• Nevada State Bank
• PayPal
• Peoples Bank OH,WV,KY
• Peoples Bank (MO)
• President's Choice Financial
• PSECU
• RBS Citizens
• The Royal Bank of Scotland
• Santander
• Selfbank
• Selftrade
• ShareBuilder
• SiebertNet
• Somerset Hills Bank
• Standard Bank
• SunTrust
• Synovus
• Torrey Pines Bank
• Ulster Bank
• United Bank
• USAmeriBank
• Valley National
• Vectra Bank
• Zions Bank

The reason bank call centers still field millions of calls from online banking customers is that most account problems cannot be solved online. It's not that banks don't have the technology or the business case, it's just a priorities challenge. Effective self-service modules are time consuming to build, test and integrate, while employee and customer education pose an even bigger hurdle.

But slowly, as more and more consumers look to resolve issues with a mouse click or finger flick, financial institutions will add self-service troubleshooting wizards to online/mobile banking.

The latest example comes from Bank of America.

I've been a BofA cardholder for the better part of two decades, and every year spend an hour or so verifying flagged transactions via phone with bank-fraud reps. It's an annoying, but necessary, part of making 50 to 100 charges every month for home and business. 

But my most recent experience was very different. When I went online to pay the bill, not realizing (but suspicious) that my card had been cut off, I was greeted with the following message underneath the card balance on the main Account Overview page (see screenshot 1):

Online access is not available for this account. Please go to
www.myfraudprotection.com and verify recent transactions. Or you may call
1-800-427-2449 for additional information.

_____________________________________________________________

How it works
______________________________________________________________________

Step 1: Following the link, I ended up at an entirely new site, running outside online banking where I was required to re-enter my account number (screen 2), last 4 of SSN, Zip, and phone number (see screen 3).

Step 2: I was then required to answer random questions pulled from the credit bureau to authenticate myself (screen 4).

Step 3: Finally, I was able to review and approve the transactions in question (screen 5). I was then thanked and told I could use my card again (screen 6).

However, after all this, I was still not able to pay my account online and had to call after all. The rep told me that it takes between two and 24 hours for online banking access to become available (note 1).

______________________________________________________________

Analysis
_______________________________________________________________________

All-in-all, I liked the system. However, it needs to be more integrated into online banking (see note 2). Given all the extra work required to authenticate myself, it would have been faster just to call the 800-number. If I were a normal customer, that's what I'd do next time. I hate the stress of going through the authentication process: With everything on autopay, who can remember their exact payment amounts anymore?  

And worse, there is a security disconnect here. I log in to my credit card account only to be told it's unavailable and that I should log in to some site I've never heard of (that doesn't even have a Bank of America URL, note 3) and turn over personal info. It looks more like a crude phishing ploy than something from a major bank. And as far as I can recall, there was no customer education on this process.  

So, I applaud Bank of America for making transaction verification self-service. But there's still much work to be done before it replaces the phone process. 

1. Main Bank of America Account Overview screen (14 Jan. 2011)

 2. First screen at MyFraudProtection.com (link, note 2)

3. Step 2 of 3 of authentication process

4. Step 3 of 3 of authentication process

5. Transaction review

6. Confirmation message (and survey invitation)

----------------------------------

Notes:
1. This was the weekend that BofA was having website trouble, so it may not always be delayed.
2. I realize the bank is using the fraud-protection site as a standalone system so it can direct any cardholder to it without first needing to log in to online banking, hence the authentication requirement. But for logged-in bofa.com users, it seems unnecessary. Although it does provide an extra measure of security, in case the cardholders' online access had been breeched by the person attempting to use the card, that extra security comes at too high of a usability cost, in my opinion. 
3. The www.fraudprotection.com URL does redirect to myfraudprotection.bankofamerica.com, which helps.

Naturally, we use online payments as much as possible both at home and in our business. But even so, we still go through a box or two of old-school paper checks every year.

Running low on business checks, I today logged in to my bank to order a box. Unfortunately, it does not support online reordering of business checks, only personal ones. I was referred to a toll-free number. But rather than go through an unknown phone ordering process, I went back to WalmartChecks.com (note 1), a service from Wal-Mart that I had tested many years ago.

The reordering process was drop-dead simple: Just click Quick Reorder on the homepage, type the bank's routing number, account number, and beginning check number, then make a few selections from the menus, and press reorder. It takes all of about 60 to 90 seconds. You don't even have to input payment info, because the total is simply deducted from your checking account.

But the reason for this post is to highlight the interesting cross-sale made during the reordering process. For $1.95 per box, Wal-Mart offers a check-fraud protection service called EZ Shield from a company of the same name, a recent spin-off from printed-check marketer, Custom Direct (CDI). I was pitched the product through a yellow-highlighted box in the middle of the order-confirmation screen (see first screenshot below).

I wasn't sure what it was, so I clicked on More Details to learn that EZ Shield reimburses users for fraudulent use of the checks in the box (see second screenshot). The service provides coverage of up to $25,000 total if one or more of the 200 checks is altered, stolen from the payee and deposited, or used with a forged signature. The EZ Shield logo is printed on the checks to remind users that they are protected.

Bottom line: While paper-check fraud is not a major concern to me, I still value the small improvement in peace of mind I get for just $1.95. And for Wal-Mart, the $1.95 was a 28% revenue lift to a $6.96 box of checks. More importantly, the value-add makes it more likely I'll be a repeat customer even when my bank eventually enables online check reordering.

WalmartChecks.com shopping card with EZ Shield cross sales (9 Sep 2010)

Popup explanation of EZ Shield (link)

Note:
1. According to Compete, the check-ordering site gets about 150,000 unique visitors per month and traffic has been relatively flat the past year.

I'm a frequent PayPal user and need access to it on the road while logged in to who-knows-how-secure coffee-shop WiFi. Whenever I entered my password, I was hit with the unsettling realization that this could be the time I handed over my credentials to a hacker.

So a few months ago I began using PayPal's optional out-of-band, one-time password solution. Each time I log in, a random six-digit code is sent to my mobile phone. That code must be entered to complete the login. And while I feel much more secure, the extra 20 to 30 seconds it takes is a hassle, especially after a decade of password-only access (note 1).

To improve the user experience, while maintaining the extra authentication security, I'd like to see PayPal make the following changes: 

• Instead of requiring the user to press the "send SMS" button after logging in, just send the SMS code automatically. I've logged in at least a dozen times since enabling this feature and I still forget to press the button. I usually look at my phone for 10 seconds waiting for the code until I remember that I must click the button.
• Allow low-risk transactions to be authorized without the extra SMS code. I bought some iPhone chargers on eBay today for a total of $30. I would have preferred to skip the out-of-band authorization on this low-risk transaction, a small purchase made on eBay through my authenticated eBay account. 

Relevance for Netbankers
The second suggestion (above), what I call "context-sensitive security control," is an important part of the tradeoff between security and usability. As long as customers are hassled for extra info only when the risk is higher, there's a much better chance of gaining their cooperation, and attention, in security monitoring. Many banks feed an extra security question when customers log in from an unrecognized computer. That's a great use of context-sensitive extra security.

Another situation where context-sensitive security controls can be deployed is for determining when an account is locked for excessive login attempts. If a user is logging in from a recognized computer, they should get far more leeway in the number of password attempts before the nuclear option, full lockout, is deployed. Unfortunately for me, Chase Bank has not yet taken this step (notes 2, 3).

-------------------------

Notes:
1. When we go shopping for a new business-banking relationship, out-of-band authorization capabilities will be a non-negotiable requirement.
2. Yesterday, Chase locked me out, without warning, after just 4 attempts (or was it 3?) from my main computer, which the bank knows very well. That's ridiculous, from a recognized computer I should be able to try at least 7 or 8 times. I have multiple Chase accounts with different usernames and passwords and with a typo or two it's easy to surpass 3 or 4 attempts.
3. Yes, I've whined about this before, but it's been 3 years, so I was due.

I've been looking forward to the day when financial companies would begin to leverage mobile phone location to fight payments fraud. That day has arrived with the launch of Finsphere's PinPoint which began its private beta a few hours ago. We have 100 invite codes if you want to test the service free of charge (enter "Finovate" in the Promotional Code box on the signup page).

PinPoint is a subscription-based alert service that runs on top of online banking. Using Yodlee's aggregation technology, PinPoint monitors all of the user's card-based transactions, and sends email and text alerts on potentially fraudulent transactions based on a number of factors, one of which is the consumer's physical location as indicated by the location of their mobile phone. Pricing has not been finalized.

The service competes with aggregated alerts from OFM's such as Mint.com or Strands. But PinPoint's main competition is the card issuers themselves. The service holds several potential advantages compared to financial institution services (note 1):

• The addition of the consumer's location is a huge help in identifying potential fraud and reducing false positives.
• Receiving fraud alerts from a single, trusted source with a consistent design and methodology makes it more likely that the consumer will actually pay attention and take action. 
• The service provides contact info and help for reporting fraudulent transactions.
• PinPoint's entire mission is to identify fraud and help the end-user avoid paying for it; while financial institutions have similar high-level goals, they also have competing priorities that sometimes get in the way.  

The startup also plans to connect the service to credit bureau data where it will compete with the credit monitoring players such as Experian, TransUnion, Equifax, Intersections and others (note 2). The demo videos show a mobile app, but that's not part of the initial release.

Finsphere is a Seattle-based startup that's been operating in stealth mode since 2007. The company has raised nearly $20 million in two rounds from Bezos Expeditions, Mohr Davidow Ventures, Shasta Ventures, and Frazier Technology Ventures. The CEO and co-founder is Mike Buhrmann, a serial entrepreneur in the wireless/mobile space who originally worked at McCaw/AT&T. President Robert Boxberger is a former Wamu/Providian card exec (note 3).

Until today, press reports have been limited to reports of its first two rounds of venture funding (see previous Netbanker post). The company had developed a broad range of patented technologies dealing with location-based fraud tools. In addition to the consumer service launched today, the company has its eye on enterprise fraud-management tools.

PinPoint homepage (9 August 2010)

Activation screen
Users must confirm email address and mobile phone, then add one or more cards

Alert preferences
Users establish dollar thresholds for alerts, whether they want text and/or email delivery, and how often they want to receive then (daily or weekly)

Notes:
1. For more information on alerts, see the most recent Online Banking Report: Transaction Alerts & Streaming.
2. For more information, see Online Banking Report: Credit & Fraud Monitoring Services (August 2007).  
3. Check out the company's About page, where five top execs introduce themselves and provide a 60-90 second overview of the features and benefits of the service. A very good use of video.

Last summer, I had the opportunity to spend a week in an apartment in Paris's 6th. The wonderful 1920s building overlooked a transportation solution even older: bicycles.

But Paris's popular Velib bike-sharing program has a modern twist, an automated rental system run entirely by unmanned kiosks that accept only debit and credit cards.

Subscribers (29 Euros annually, 5 Euros weekly) can ride the bikes free for the first half hour, then the price rises steeply to 3 Euros per hour and higher. But with stations every 300 meters, you can tool around the city very cost effectively. That is, if you are not American. 

Why? Our old-school mag-stripe cards are no longer in step with the international gold standard of security, the imbedded computer chip unlocked by PIN entry, i.e., chip & pin or EMV. 

At most European merchants, it's not a problem. They are plenty willing to take the old-school mag stripe card in order to make the sale. Last year, we never had any trouble using plastic from our friends at Wells Fargo and Bank of America. But in certain situations, such as unattended ticket machines, U.S. cardholders can be out of luck.  

The Paris bikes are one very visible place where mag strip cards are not honored (see note 1). That explains the perplexed tourists I watched last summer struggling at the Velib kiosks trying repeatedly to get the machine to release a bike.

Financial institution opportunity: Here's a great way to pick up market share among well-heeled international travelers. Offer a chip & pin prepaid card. It's a modern-day travelers check, something every traveler will tuck in their wallets and purses, then forget about when they get home (note 2). And it's perfect for Internet distribution, especially if you issue cards nationwide.

Besides card fees, interchange, and travelers-check-like float, first movers could gain real market share with a great demographic.

According to Payments News, Gemalto is offering a chip-and-pin solution for U.S. card issuers. A few weeks ago, United Nations Federal Credit Union became the first U.S. financial institution to announce deployment of the Gemalto card (press release). The CU says it will be available in the second half of 2010. But, you'll have to be on staff at the UN to get it.

Notes:
1. Apparently, there is an exception. American Express cards, with or without a chip, can be used at Velib machines. I wish I'd known that when I was in Paris.  
2. Closer to home, Canada is also in the process of converting to the new standard.
3. Photo credit: Clive Andrews. This was the typical tourist look at the Velib kiosk queue, utter confusion.

As I've pointed out, the key to boosting mobile banking adoption is to make the user experience better than the desktop computer/browser version. But many banks shoot themselves in the foot immediately by requiring existing online banking users to first log in to online banking to enroll in mobile banking (see note 1).

I've never quite understood the logic. Why can't online banking customers use their existing credentials to log in via the mobile app? What's the new risk? If anything, you are more likely to get your credentials stolen via desktop login than mobile login (at least for now).

So far, the mobile banking apps I've used have required initial activation via online banking (see note 2). I'm sure their security folk can sleep better knowing that I've proven ownership of the phone before logging in from it. But you don't have to prove you own the PC before using it, so what's the difference?

But finally, one of my financial providers, American Express, launched an iPhone app (note 3; iTunes link) that I can use right away by logging in with my online banking credentials (see screenshot below). I expect this will soon become the industry standard.

American Express iPhone app screenshots (version 1.1)

American Express mobile landing page (link, 29 April 2010)

Notes:
1. Even more important is enabling online enrollment of customers NOT using online banking; but that's a trickier, albeit potentially lucrative, project.
2. I am using mobile iPhone banking at Wells Fargo, Bank of America, and US Bank. While BofA, Wells and Chase (Update April 30, Chase has online enrollment for text messaging only; you can sign on to its iPhone app with your online banking credentials) all have a relatively painless 60-second signup process, US Bank's is truly cumbersome. It's a ten-screen experience that not only takes several minutes, but also requires the creation of not one, but two new PINs. A 4-digit one for transferring funds via mobile and a six-digit one for use in subsequent mobile app logins. While I'm all for simplified logins, six-digit PINs are not standard and many users will have a tough time remembering it. Many users may resort to using their mobile number, which kind of defeats the purpose. Use four digits and block access after four attempts.
3. The American Express app was released March 31 and a new update was released today.
4. For more on mobile banking see our recent Online Banking Reports.

Here's a test that tells you when you've built a successful mobile app:

1. Place your laptop next to your iPhone/Android
2. Choose a task
3. Reach for the device that's easiest to use for that task 

If you don't reach for the mobile phone first, you still have work to do on the user experience. 

I've always chosen the laptop for banking, even though I've ported more than a dozen other routine tasks to the iPhone (note 1). The hassle of logging in with those tiny iPhone keys pushes me to the laptop. But as of Tuesday, USAA's latest iPhone app, version 2.2, has changed the equation, and there's no looking back. 

Mobile vs. online banking
The key to making mobile a profitable channel is to make the user experience BETTER than online. And USAA is the only U.S. financial institution doing that today.

USAA's biggest mobile "wow" is mobile check deposits (see Deposit@Mobile screenshot below) introduced six months ago for the iPhone. While it may not seem novel to those in the industry familiar with scanner-based remote deposits, the average consumer considers an iPhone check deposit to be almost magical. Other than a few small credit unions, no other major banking competitor offers it, so USAA continues to own mobile magic.  

But with Bank of America rumored to be readying a launch mobile deposits, which will no doubt be featured in Apple TV ads, (see latest one here), USAA needs to keep innovating. 

And this week, USAA delivered with a single-PIN login with authentication powered by VeriSign VIP service. The optional 4-digit sign-on process is available now on the iPhone and will be available in April for Android and "shortly thereafter" for Blackberry (note 2).

In a time when it's more tedious and less secure to log in online, USAA takes us back in time to a simpler day, when you could log in with just a few digits.

And by using techniques that authenticate the mobile phone during login, the bank says that mobile access is more secure than online.

Think about that for a moment. Mobile is MORE SECURE than online. With tens of millions of customers deathly afraid of logging in via their virus-laden PCs, imagine what that could do for mobile adoption.

It will take time to educate the market. Currently, most consumers believe the mobile channel is far less secure. But if they can be convinced the opposite is true, many will kiss online banking goodbye forever.

Notes:
1. According to yesterday's release, USAA has 1.3 million mobile users, 17% of its 7.4 million customer base.
2. Previously, USAA users were required to sign on with username, password and PIN. The simple sign-on process is optional for those not trusting the simpler process.
3. For more info on financial services opportunities on the iPhone, see our March 2009 Online Banking Report.

When I first started banking online with Bank of America, ten or more years ago, no choice in username existed: it was set to your Social Security Number (SSN). But that was back in the days before hackers had become proficient in stealing usernames.

While I've been advised to change the username a few times over the years, the bank finally laid down the law in January. I had two more logins available with my SSN, and then I was required to change. The message was delivered via splash screen after login (see #1 below).

The process was simple and took just a few seconds (screenshot #2). The bank's interactive script helps users make good username/password choices (screenshots #3-4).

While this change isn't likely to do anything to help the bank's bottom line (it probably just drives up tech support calls as users adjust to their new usernames), it's the right thing to do. Helping customers protect their own privacy should be part of every financial institution's mission.

#1: Bank of America splash screen at login (13 Feb. 2010)

#2 Landing page after choosing "update" button above

#3 Interactive help for creating an allowed username

#4 Confirmation when all is well

My Citibank checking account dates back to when iPods were novel and 1GB was enough to satisfy your iTunes cravings (see Jan. 2005 post). For several years, Citibank gave iPods away to anyone who'd open up a checking account online and do a few bill payments. 

I haven't accessed my Citi checking account in at least a year, because last time I tried, I locked myself out with too many password attempts (note 1). And I've been too lazy to go through the often tedious reset process (see below).

So I was pleased to receive an email this morning offering to help me get restarted (see screenshot below). I figured the bank had noted my previously futile attempts to login and was sending along a bit of digital assistance. Sure, it was a year or two after the fact, but I believe in better late than never.

But the main call to action in the activation email is:

Enter the User ID and Password you created when you opened your account online.

So evidently, the bank thinks I'm smarter than I really am and actually can remember the username/password from my two-years dormant account.

Had I not been blogging about the email, I would have deleted it. But as I re-read it more closely, I did see the small light-gray link in the corner for resetting my password. Unfortunately, Citi requires your ATM card and PIN to reset passwords (see second screenshot). This is precisely why I wasn't able to reset the thing when I was locked out two years ago.

My take:
1. An activation to stalled online banking customers is a great idea. But in this case, Citibank did not deliver on its promise to "help" me restart online banking (note 2). As a matter of fact, I am now even more frustrated. If you are going to send a message offering help, make sure there is actual help available for the various ways customers will respond.
2. For infrequent users, consider simpler password-reset procedures based on email address or mobile phone number on file plus Social Security Number and/or shared secrets. 
3. Finally, don't offer a dead-end password reset page. In Citibank's case, if the user doesn't have both their ATM card number and PIN, there is no place to turn. There's not even a phone number listed on the page to seek live help (you have to use Contact Us in the upper right).

Citibank email (sent 3 Feb. 2010, 9:30 AM Pacific)

Citibank password-reset page

Note:
1. I have two Citi accounts with different usernames and passwords, so it always makes for an interesting memory test at login.
2. I should add that I have enough money in the non-interest account to provide Citi with a bit of profit every year. 

I've often wondered how many people use the same username/passwords at their bank as they do at other random websites. I figured it was a substantial number, but never expected it to be as high as the 73% Trusteer cited in a recent white paper (note 1). That's why most financial institutions have used "multi-factor authentication" for years.

One of the most common multi-factor techniques is to ask additional questions if the bank detects a login from an unknown computer. However, it's possible that these same people are also using the same "secret question" answers at non-secure websites, defeating this multi-factor approach.   

Luckily, it's still relatively difficult to remove money from most U.S. consumer accounts because online interbank transfers are more tightly controlled, or simply not offered. However, if crooks are able to log in to online/mobile banking and determine the user's account numbers (debit, credit, or checking), a number of more lucrative frauds can be engineered.

What's a bank to do:

• Use secret questions that are not commonly used across the Web. Or allow users to create their own, but caution them not to use ones they see at other non-banking websites.
• Create an additional out-of-band authentication process (e.g., text message an approval code) for moving funds out of an account.
• Do not allow online banking users to see their own account numbers online
  (note 3)
• Educate/encourage customers to use different username/password for online banking than for other non-financial sites
• Financial institutions using Trusteer's Rapport service can identify which customers are sharing username/passwords at less-secure sites and ratchet up internal fraud control settings for these customers

And the most effective method, which we don't recommend because it's just too painful for the user experience:

• Force users to make more challenging usernames and/or password such as those with a capital letter, number and/or special character

Silicon Valley Bank (SVB) offers Trusteer's Rapport (link, 2 Feb. 2010)

Notes:
1. While 73% shared banking passwords with other sites, less than half the total, 47%, shared BOTH username and password. Two other data points:
- 65% of user-selected banking usernames were used elsewhere
- 42% of bank-selected banking usernames were used elsewhere
2. Trusteer's data was compiled over 12 months using its plugin software running on more than 4 million computers (see previous post).
3. There's still the issue of the easy-to-read account number on check images; it would be nice to mask it, but that's probably not worth the expense) 
4. For more info on Trusteer and other security topics, see our previous reports such as, Online Banking Report: New Security Techniques (Sep. 2008)

This is one of the most valuable freebies I've ever been offered simply for being a customer. Bank of America online banking customers, new or existing, are being given a one-year free subscription to McAfee, worth $70 at retail.

The fine print is relatively clear (reprinted below, after the screenshot). The main "catches:"

• Must not have a current McAfee subscription (see Results below)
• The subscription auto-renews at $34.98/yr, a 50% discount
• While in progress, the BofA offer never mentions number of users covered (the normal $69.99 subscription from McAfee covers three users, see note 1); however, during checkout, after accepting BofA's offer, the product description confirms three users are covered with the subscription

Bank of America is also publicizing the offer on its main website (here). To accept, users must log in to online banking first.

Results: I signed up for the account this morning and was surprised to find that you are not required to use Bank of America for payment. In fact, BofA is never mentioned again after leaving the original landing page (see second screenshot). The McAfee cart offered the usual choice of Visa, MasterCard, American Express, PayPal and others. 

Opportunity for financial institutions: Assuming you can swing a deal with McAfee that requires no out-of-pocket expense, offering your customers a year's worth of anti-virus protection is a win-win. The primary downsides are a few extra calls to customer service and a few irritated existing McAfee customers who do not qualify for the freebie.

Bank of America logout screen (21 Oct 2009; 7 AM Pacific)

Fine print on bottom of page above:
This exclusive offer is available only to Bank of America Online Banking customers. Online Banking customers receive McAfee Internet Security for PC free for 12 months, a $69.99 value. At the end of the 12-month period, Online Banking customers are eligible to renew for another 12-month period at 50% off MSRP or $34.98. Customers with a current McAfee subscription are not eligible for this offer. Bank of America reserves the right to modify this offer and eligibility requirements at its discretion.

Landing page (link)

Same offer on BofA website (link)

Notes:
1. The service is currently offered at a discount at Intel's software store for $32.95 for one year for three users. Intel's offer was positioned via paid ad at the number-one position on a Google search for "McAfee Internet security."
2. For more information on online banking security, see Online Banking Report: New Security Techniques (Sep 2008)

Checking account profits are being attacked on several fronts. Near-zero short-term interest rates have destroyed the profitability of the balances. Regulators and activists are putting pressure on penalty fees. And consumers are loath to pay monthly charges for what's been positioned as a free service for so long.

So how is it that Fifth Third Bank is able to bundle a service into its checking account that typically costs consumers $12 or more per month? They are bringing back the monthly fee (see note 1), charging either $7.50 or $15 per month for a so-called package account (see options below). It's a strategy right out of Marketing 101: figure out what customers want, then build the  product, package it right, promote it well, and price it for the value delivered.

I believe Fifth Third has taken the right tack with its checking accounts, though it should go even further (see analysis). The bank offers two non-interest checking account bundles (PDF comparison here), neither of which are free of charge no matter how high the balance (note 2). Instead of offering fee waivers, the bank has bundled full-service three-bureau credit report monitoring and identity theft services powered by Affinion (link to Fifth Third Identity Alerts). And the monitoring is available for BOTH names on a joint checking account (note 3). 

• Secure Checking at $7.50/month, comes with free credit report
  monitoring and identity theft protection (valued at $9.95/month per person)
• Gold Checking at $15/month, comes with the same free ID protection &
  monitoring plus free nationwide ATM access

Analysis of Secure Checking
Now more than ever, customers are craving security and safety in all things financial (see yesterday's post). Bundling identity theft/credit report monitoring in checking accounts is an excellent way to address customer concerns AND differentiate your account in the marketplace. And naming it Secure Checking helps drive home the key benefit.

I like what the bank has done. It would be even better if it highlighted more of its current security features available in mobile and Internet banking (note 4):

• Email alerts
• Mobile text alerts
• Secure storage of estatements
• Transaction monitoring for fraud and error
• Other security protections as outlined on its security page

• Out-of-band authentication via text message
• Disposable credit/debit account numbers
• Long-term (7+ years) secure transaction archives
• Enhanced fraud protection guarantees
• Dedicated security reps on call 24/7 to help out in the case of a suspected problem
• Software and tools to safeguard online banking (e.g., Trusteer, Authentium, Check Point)

Fifth Third Bank non-interest checking accounts (link, 2 Sep 2009)

Secure Checking landing page

Notes:
1. Ref: Is This the End of Free Checking?, SmartMoney Magazine, 31 Aug, by Kelli B. Grant
2. The bank does offer an interest-bearing checking account with its $15 monthly fee waived with a $2,000 average balance in checking or $20,000 across all deposit and investment products. The bank also has a free non-interest checking account option.
3. I'm not sure the bank gets enough mileage out of covering BOTH account holders to justify the additional costs. To improve profits, the bank should consider a modest additional fee (approximately $5/mo) to cover joint account holders. 
4. These benefits are hidden behind a tab that most consumers, including myself on my first two passes, will likely miss (see second screenshot above).
5. For more info on how to package security benefits into your services, refer to the following Online Banking Reports: Marketing Security (June 2005) and New Techniques for Securing Online Banking (Sep 2008).

A few weeks ago, I was lucky enough to tour the British Museum's exhibit on the history of money. And one thing that remains the same throughout the millennia, a concern about the security and authenticity of the various objects used to convey wealth.

It's no surprise that security is the number-one online banking concern of today's consumer. Had there been market research three thousand years ago, I'm sure security would have been at the top of the list of fears of the Chinese rich enough to hold a cache of cowrie shells (inset).  

So, until we figure out a way to eradicate crime, financial institutions need to address security concerns head-on and provide tools for consumers to take more control (note 1).

That's what I love about Addison Avenue FCU's launch of VeriSign's Identity Protection (VIP) security tokens. Addison Avenue members now have the tools to make their online banking extremely secure, should they desire to. And with set-up charges of $30 to $48 (waived for mobile) and an annual fee of $10 (waived the first year), the program is relatively self-funding (screenshots below).

As an added bonus, the "VIP Access" theme, even though it's powered by a security vendor, provides a nice boost to member relations. It also gives the CU an iPhone (link to app) and Blackberry presence it wouldn't otherwise have. 

Addison Avenue e2: The VeriSign program is one leg of a three-part effort dubbed E2, that the credit union launched today (press release; see third and fourth screenshots below).

The three core features:

• VIP security: as outlined above (link)
• E-deposit: remote check deposit via basic in-home scanner (link)
• Mobile banking: mobile web-based (link)

Addison Avenue security key landing page (link, 21 July 2009)
A short informational video brings the service to life.

VIP token options shown on VeriSign's website

Addison's three-part "e2" effort is highlighted on its homepage

E2 landing page (from homepage)

Notes:
1. Granted, most customers are not willing to spend the extra effort to bulletproof their accounts.  So extreme security measures such as this should be optional and carry a nominal extra fee. 
2. For more info on addressing security concerns, see our Online Banking Report on Security Marketing (published in 2005) and our more recent Online Banking Report on New Security Techniques published nine months ago.

While reviewing M&I Bank's Metavante-powered online application for our latest report (note 1), I noticed the bank's Online Security Guarantee (first screenshot below).

It's important to post reassurances prominently on banking websites, especially on product application pages. It helps users overcome their security and trust fears and move forward with opening new accounts online. 

Often the explanations of guarantees are full of legalese and exceptions in the fine print, reducing their effectiveness. But M&I does a good job with concise and easy-to-comprehend copy (see second screenshot).

Here are the four parts to the guarantee, taken directly from the website:

• Zero Liability Protection: You will not be responsible for any withdrawals which result from unauthorized online access to your personal M&I deposit accounts.
• Bill Payment Promise: If we fail to process a payment in accordance with your instructions, we will reimburse any late charges assessed by the payee.
• Security Commitment: We use data encryption to protect you when applying for accounts, conducting transactions or paying bills online.
• Privacy Protection: As further detailed in our Privacy Policy, we are committed to protecting your personal information.

M&I also includes a short section outlining the customer's responsibility to monitor their account and safeguard passwords.

We congratulate both the bank's product group, and its attorneys, for keeping legal language to a minimum . 

M&I Bank's Platinum Checking application (7 June 2009)

 M&I Bank's Online Guarantee page (link), 7 June 2099)

Note:
1. For more info, see Online Banking Report: Opening Accounts Online, published June 21, 2009.

My credit card number was stolen again. It's the third or fourth time since the Internet came along. It's annoying, and a little disconcerting, but not a major problem, thanks to efficient card issuers who take the info, credit my account, and send me a new card. On a ten-point "hassle scale," where 10 is having your hard drive crash, it's only a 2 or 3.

And my previous stolen cards resulted in little financial loss to the issuer, other than the cost to process the chargeback and reissue the plastic. In those cases, either the issuer caught the fraud before anything was shipped, or the items purchased were digital (online subscriptions) and didn't result in any lost inventory.

But this time was different. Someone used my card number to buy a PS3 gaming console and three games at a Best Buy in the Bronx. Assuming Best Buy follows proper procedures, Wells Fargo will be out more than $600 just for the merchandise. All told, with the cost of the investigation and processing, it's probably an $800 to $900 loss to the bank and merchant.

Wells Fargo is generally very good about suspicious charges and usually calls us. I've had the card for almost two decades, and it's been othe primary card for both my wife and me for much of that time. WF knows our purchasing habits better than we do.

Yes, we get to NYC at least once a year, but our charges are usually travel- and tourist-related ones in Manhattan. And we probably visit Best Buy in Seattle a couple times a year (we have teenage boys), so the gaming system charge is understandable. But it's highly unlikely we'd buy a system while visiting NYC, and we've never visited the Bronx, so the authorization request likely triggered flags.

But unless there was inside theft, the bank's authorization system evidently decided the $10 in interchange was worth the risk. Bad call this time, but probably right 99%+ of the time; otherwise, they'd be out of the card business.

What's mobile have to do with it?
But if Wells Fargo had a real-time connection to me via mobile phone, they could have texted me for an OK (similar to the screenshot above, which is a text-based activity request to Wells Fargo). If it really had been I who stood at Best Buy's register, it would have taken a second to reply "yes," and the transaction would have gone through.

Of course, in this case, I would have said 'no, I'm in San Francisco right now.' Or even better, in the not-so-distant-future, if I'd allowed the bank to track me via GPS, they would have known, without even contacting me, that I was 3,000 miles away from that store. Either way, the bank saves nearly a grand from that single text message. Multiply that by the millions of fraud purchases every year and you have serious money, billions by most estimates.

So yes, mobile banking (really mobile payments) does have a robust and tangible business case from fraud reduction and customer service savings. The technology is in the hands of the users now, and most know how to use it. So, let's get moving.

Note: For more information see our Online Banking Report on iPhone Mobile Banking. 

Over the years, E*Trade has been consistently innovative in both product development and marketing, two areas that provide natural synergies. The company didn't disappoint with its latest missive to existing customers. 

An email arrived yesterday afternoon (Thurs., 11 June 2009) and immediately grabbed my attention with its clever and timely subject line:

Re-plan Your Retirement with E*TRADE and Get Up to $500

Analysis
One thing I've heard consistently from my friends, no matter how secure their jobs, is that they will "be working forever" now that the Great Recession has slammed their net worth with the double whammy of a bear market and home-price declines.

So this is a great time to get in front of customers with new efforts to help them re-plan retirement with new investment ideas, asset rebalancing and just a general reboot of their portfolio. And it's also an excellent time to discuss 401(k) rollovers, as E*Trade did in this message, with an "up to $500" (see note 1) incentive to roll over a retirement account to the company (see landing page, third screenshot below). As Americans change jobs by necessity, there will be millions of retirement accounts in play. 

Security features in email
E*Trade also demonstrates another best practice to improve trust in customer emails: personalization. The company includes customer name and last four digits of their account number to help distinguish the message from fraudulent phishing attempts. E*Trade draws attention to the feature with a Security Enhanced icon on the top-right (see first screenshot below).

Clicking on the Learn More link drops readers to the bottom of the email message where product URLs provide direct-navigation alternatives to paranoid readers (see second screenshot below). I hadn't seen that before, a nice touch.

E*Trade email promoting 401(k) rollovers (received 11 June, 3 PM Pacific)

Security "fine print" at bottom of above message

Landing page for email offer (link)

 
Note:
1. Detail on the rebate:

• $500 for rollovers of $250,000 or more
• $250 for $100,000 to $250,000
• $100 for $50,000 to $100,000
• $50 for $25,000 to $50,000

In yesterday's post, I missed an important client of Trusteer's anti-malware software. Zions Bank, a leader in showcasing its online security efforts (see 2006 post on multi-factor authentication), is the only Trusteer client to feature the program on its homepage (see below).

Zions Bank home page (10 June 2009)

Zions Bank security page (link)

 Zions Bank Rapport page (link)

It's not often I see an unfamiliar name amongst the top bidders for "online banking" at Google. But today, the sixth advertiser on the right-hand column (number nine overall), was an ad supposedly from CenturyCU.org (see ad right and  search results page below).

The ad had a seemingly clear call to action, Visit Our Credit Union Today For Online Banking! However, when I clicked on the link, it lead to a .info page full of ads unrelated to the legitimate Century Credit Union (see second screenshot below).

While this doesn't appear to be a phishing attempt since it's not displayed on searches for "Century Credit Union" or "Centurycu.org," it is a bit disconcerting. It's clearly a violation of Google's terms of service and shouldn't have made it past Google's filters, but they are not perfect.

But my bigger question is: How does a spammy .info site make it to the top-10 advertisers on this popular banking term? Are there really so few serious bank or credit union bidders in the area? Or is it that the Google AdWords ROI just isn't there right now? 

Other than a regional Chase ad on the top <chase.com/washington>, it wasn't until the fifth page of results that another Northwest financial institution made an appearance, Coastal Community Bank advertising its BancVue/FirstROI-powered high-yield checking account (landing page here).  

Search results page for online banking (1 June 2009, 3:20 PM from Seattle/Comcast IP address)

Landing page for the fake CenturyCU.org Google ad (1 June 2009)

Thank-you, American Express, for removing one of the little annoyances of online commerce. During login, the company warns users when they've typed more than the maximum eight characters allowed in the password field. The login page suddenly becomes grayed out and the error message appears on the right (see screenshot below).

It would be interesting to see what this small change saved in reduced password resets and customer service calls.

Bottom line: If you have unique password requirements, such as special characters, consider telling customers during login if their password is invalid for that reason. Sure, it makes it slightly easier for crooks to guess, but mostly you'll just have a bunch of slightly-less-annoyed customers.

American Express log-in message when attempting to use a password that doesn't fit the company's requirements (15 April 2009)

Last May, Trusteer launched an optional added security measure for customers of ING Direct in the United States (note 1, see previous post). Although, it's not perfect, users of the Rapport service are less vulnerable to viruses and malware running on the their PCs. We gave the new service an OBR Best of the Web award last fall in our Online Banking Report on Security Innovations.

Although, ING Direct is a great reference account, being endorsed by Royal Bank of Scotland, really puts Trusteer on the map. The security solution is offered for download at both Royal Bank's RBS and NatWest sites (see screenshots below). Anyone visiting the banking sites can download the software, you don't have to be an RBS/NatWest customer. 

Trusteer also lists Huntington Bank as a customer but there is no mention of Rapport on the bank site yet. Other providers include Authentium's SafeCentral (note 2) and Check Point's ZoneAlarm (note 3). 

Bottom line: Security is an issue for many bank customers, now more so than ever. Extra security options deserve consideration to improve customer satisfaction/trust and help reduce fraud losses. 

Rapport download page at NatWest (link, 23 March 2009)

Rapport download page at RBS (link, 23 March 2009)

Notes:
1. Later ING Direct Canada and ING Direct's Sharebuilder added Rapport support.
2. Authentium demo'd SafeCentral at FinovateStartup 2008 (video here). A new version of SafeCentral is in the works. 
3. Check Point demo'd ZoneAlarm at Finovate 2008 (video here).

I love personal financial management websites. Not so much for the reality, actually I hate tracking expenses, but for the promise. The illusion of having everything under control, never overdrafting, never missing a payment, and with perfectly-shaded multi-color pie charts just a click away (inset from Mint). 

But I've always thought that once banks and credit unions added basic PFM functions to their online banking services (see note 1), it's game-over for most independent PFM sites. They would have to either license their platform to financial institutions, sell out, or close their doors.

Now I'm not so sure.

Mint did something recently that made me reconsider. It was really pretty simple when you think about it. Yet as far as I know, no bank, card issuer, or even credit union has ever taken this on. 

The Mountain View, CA-based startup scanned their members' credit card statements to identify bogus charges from a known scam. And the company plans to make the resulting fraud alert service a standard part of its offering.  

From American Banker (23 Jan 2009):

Mint Software Inc. is planning to roll out a tool that will automatically scan its 800,000 users' accounts for potentially bogus charges....Aaron Patzer, Mint's founder and chief executive, said the idea for the new product came after his company heard of a scam involving Adele Services of Melville, N.Y., a bogus merchant that was making 25-cent charges to millions of consumer accounts. The news was widely reported, and Mint decided to check its users' accounts its to see if any had been affected; it found 800 that were.

Score 1 for the upstarts.

Bottom line: If the online PFM purveyors harness technology to take better care of banking customers than the banks themselves, especially with practical, money-saving ways such as Wesabe's Cutback Tool (below), the newcomers have a bright future indeed.

Note: For more info, see our Online Banking Report on Personal Finance Features for Online Banking.

The fourth presenter this morning is Jordy Berson, group product manager at Check Point Software Technologies.

Check Point is a new Finovate presenter and will demo its security solution for safer online banking.

Check Point is showing their ZoneAlarm ForceField, which, when installed on users' machines, warns them if they go to a phishing site; even more important, it keeps malicious programs from being accidentally downloaded during Web surfing. It uses a virtual sandbox to protect Web sessions even if users' machines already contain malicious software.

With bad news pouring down from all corners of the financial services world, it's a difficult time to be a bank marketer no matter what condition your financial institution is in (see note 1).

But besides sending reassuring emails to your customers, highlighting your strong balance sheet on your website (see inset), and for the few with blogs, dropping the occasional rosy post into the RSS or Twitter feed (note 2), what's a banker to do?

When fear is rampant, little things can make a difference. Your customers have long been nervous about banking online. Most aren't afraid enough not to use it, but lingering doubt remains.

Now might be a great time to follow the lead of ING Direct, Firstrade, and Muriel Siebert and introduce a software solution that provides extra security for online banking. While it won't make a Fannie Mae shareholder any happier, it's reassuring in these times that at least there are no crooks stealing your username and password.

Online Banking Report publishes Security 4.0 (note 3)
In the latest Online Banking Report, we look at several promising software solutions that allow even malware-infested users to connect safely to their bank. Both solutions earned OBR Best of the Web designations (note 4): 

• Rapport from Trusteer, now being distributed by ING Direct in the United States and Canada (previous post here)
• SafeCentral from Authentium, being distributed by Firstrade and in testing at several major banks (Finovate Startup demo video here)

We also take a closer look at Bank of America's SafePass (previous post here), which is an easy way for customers to add an extra security layer to their login, although it won't prevent certain malware to hijack the session. See the inset for the complete Table of Contents.

Online Banking Report subscribers may download it now here. Others may download abstract here, or purchase here. Cost is US$495. 

Notes:
1. But be thankful if your financial institution is not in the headlines right now. I'm in the hometown of WaMu and the headlines this morning were not pretty.
2. Blog post from Verity CU on 16 Sept.; Twitter update from First Federal today   
3. Our fourth full Online Banking Report on security/privacy; previous reports were #119, #93/94, and #48. 
4. OBR Best of the Web awards are given periodically to pioneering online banking features. It is not an endorsement of the company or product, just recognition for what we believe is an important development. Trusteer and Authentium were the 71st and 72nd recipients of the designation since we began awarding them in 1997.

I heard from a new company last week that has created a service to help life insurance and bank-account holders to notify beneficiaries periodically that they are named on the account. According to FindYourPolicy.com (see screenshot below), $1 billion in insurance policies go unclaimed each year due to unknown or lost beneficiaries. Although it sounds simple, tracking down beneficiaries can be a timely and expensive process. Outsourcing some or all of that is an appealing idea.

However, as a consumer-direct service, I don't think FindYourPolicy.com will get a lot of traction. The list price of $29.95 plus $3.95 per month is a lot for twice-yearly postcards (see note 1) to your beneficiaries. But the company is likely more interested in setting a high retail "value" on the service so they can wholesale it to financial institutions for pennies on the dollar.

Using the same concept for safe deposit boxes
While the beneficiary notification is an idea deserving of a second look, I was more intrigued with another of its features, safe deposit documentation and notification service. I just spent 30 minutes last Friday making a trip to the bank to look in my safe deposit to see if my son's social security card was there (note 2). Of course, it wasn't. I could have saved the trip if I'd had good records on its contents. I'm sure I wrote it down somewhere, but it would likely take much longer than 30 minutes to find it.

Ideas to help memory-challenged customers like myself:

• Simplest: It would be great if my bank had a simple email-like software app available near the safe-deposit area where I could list the contents of the box and then email the info to myself AND store a record of that communication within online banking so I could access it years from now when the email is long lost.
• Harder: In addition to manually entering info, have a scanner available so that I can scan copies of the documents in the safe deposit box for a digital record.
• Hardest: Extend the service to the home/office and allow me either to store items virtually, using my home/office scanner, or by uploading/emailing documents into the virtual safe-deposit box. This is the core idea behind vSafe from Wells Fargo.

However, as Tripp Johnson at Gonzobanker so eloquently laid out in this article, there are  serious questions regarding overall demand for virtual safe-deposit services, not to mention pesky compliance issues that cannot be ignored.  

FindYourPolicy.com homepage (29 May 2008; see note 3)

Note:

1. Why TWICE yearly? Once per year seems like plenty. Or how about one postcard and one email message each year? (Update 1 June: The reason for mailing 2x per year is that the U.S. Postal Service forwards mail only for six months, so with this frequency the company ensures it gets the forwarding address. (See comment #2 from Michael Hartmann of FindYourPolicy.com) 

2. My bank is requiring a faxed copy of my 18-year-old son's social security card in order to add him to my account. I'm all for good authentication (who isn't?), but that seems extreme. More on that in a future post. 

3. Sometime during the past 10 days, FindYourPolicy.com added the "member of American Bankers Association" seal. It's a reasonable touch, but it only means they've paid at least $1,250 for a service membership to the ABA.

While everyone wants better online banking security, the business case for most solutions is elusive. Even the simple step of adding an password in front of sensitive transactions can cost millions in customer service, enrollment procedures, employee training, and other soft costs.

So financial institutions, especially in the U.S., have taken a pragmatic approach to security, adding behind-the-scenes monitoring and making it difficult to transfer large amounts of cash out of the bank, rather than incur the expense of more robust login security. Banks have been especially reluctant to get involved in the security of the customer's desktop due to the potential tech support costs and liability issues.

That's what makes ING Direct's new solution especially novel. The large U.S. direct bank, which has pioneered several security procedures, including multi-factor login and PINpad data entry, will offer a downloadable 400k plugin that creates a "secure tunnel" from the user's computer to the bank (more analysis from Gartner's Avivah Litan here). 

According to the software provider, Israel-based Trusteer, even if the user's computer is infected with malware, the company's Rapport software defeats all attempts to view, capture, or take over the transaction. It also encrypts keyboard entry without impacting the speed of the interaction with the bank. If it works as billed, it could be a boon for online banking security. 

The optional plug-in is expected to be made available to the direct bank's 14 million customers worldwide, including 6.5 million in the U.S. The software is already in use by U.S. brokerage Muriel Siebert & Co. which mentions it in the What's New section of its homepage (see screenshot below; read more here).

" width="539" height="378">

Cost
The software is now available here. It is free-of-charge to communicate with ING Direct and three other websites. Users will likely have the option to purchase a premium version that communicates with a larger number of websites. 

This so-called freemium business model should help minimize the cost of the software to the financial institution. But the bigger cost issue for the bank is the customer service expense. ING Direct, which has famously kept customer-service costs down by focusing on serving only profitable customers, likely will offload as much of the tech-support burden as possible to Trusteer. But there's no such thing as zero impact. So it will be interesting to see if they can make the ROI work across 6.5 million customers, many of whom haven't a clue about safe computing basics.

A competing system, Safe Central from Authentium, was showcased at our Finovate Startup conference in April. The full-length demo of the program will be available here within a few days.

It was online banking week in Walt Mossberg's popular Wall Street Journal technology columns. Yesterday in The Mossberg Solution, authored by 20-something Katherine Boehret and edited by Mossberg, Mint's personal finance service received a half-page article so complimentary I had to look twice to make sure it wasn't an advertisement. Boehret couldn't find a single thing wrong with the service, although she did wish for bill payment capability so she could do all her banking with Mint. I'm sure she'll have her wish granted relatively soon.

In today's Personal Technology column entitled, How to Avoid Cons that Can Lead to Identify Theft, Mossberg himself dropped a bomb which will impact bank-marketing efforts for years to come. His first of seven tips for safe computing:

Never, ever click on a link embedded in an email (from your) financial institution....

That's harsh, but it's also understandable why he'd take that stand. Mossberg strives to make technology issues understandable to non-techie readers. However, it would have been better to add, "unless your bank adds account-specific personalization to the messages so you know for sure where they originated." 

Action items
Many financial institutions, including Citibank and Bank of America, have long used personalization to distinguish legitimate messages from phishing attempts. Financial institutions with good personalized messaging should consider a public outreach program to counter the negative perception from the Mossberg column. It also might be a good time to remind front-line employees how to respond to customer concerns about phishing emails.

For more information, see our Online Banking Report on Marketing Security. 

The best way to get the attention of your online banking customers is by dropping a landing page in front of them right after they login. It's a bit annoying, but if used judiciously it can be extremely effective. PayPal has been using this technique for most of the eight years I've had an account there.

U.S. Bank is fairly new to this technique, using it just a few times a year for service-related messages. The latest, a 100-word message that reads like it was crafted by the legal department, was posted on Nov. 29 and warned customers about fake emails (screenshot below). 

It's a good idea to remind customers about your email policies to help them avoid scams. However, U.S. Bank only warns against low-tech fakes asking for account info or PINs. Few consumers would fall for that any more. The bank fails to address the more common, and far more effective, approach of sending users to a fake website via a disguised link. The bank should explain what a genuine U.S. Bank email looks like and how to tell it apart from the fakes. 

A few other ways to make this message more effective:

• Link to an area on website for more info on security
• Provide an email address and/or phone number to call if there is a question about the validity of a bank message
• Use a professional copywriter to craft a clearer and more concise message
• Use a larger font
• Use a heading or subheading that introduces the specific subject 
• Add a graphic to make the topic standout, for example the security image from U.S. Bank's homepage (inset above)

I was looking at Geezeo's new Facebook app this morning (more on that later), and I noticed one of the best credit report monitoring ads I'd ever seen. 

Instead of focusing on the negative aspects of your credit history, the banner ad features "testimonials" of the significant savings available with good credit (the banner above claims a $310 savings in her house payment). The stories are provided under the header, "Credit Diagnosis." And, I was initially impressed after clicking through the ad to find a good, landing page with more of the same.

However, the mostly-anonymous company behind the banner, FreeCreditReportsInstantly.com uses a $1, 7-day trial come-on for its $29.95/mo credit report monitoring service. I have no problem with the company charging what the market will bear. And to its credit, FreeCreditReportsInstantly (FCRI) does disclose the go-to fee on the first page of the application. But I think the typical young Facebook user is not going to be happy seeing $29.95 monthly fees on the credit or debit card.   

Why would anyone pay $360/yr for credit monitoring?
The Internet was supposed to make it hard for companies to charge 2x to 3x the going rate when dozens of competitors were just a few clicks away. But here we have a company doing just that and evidently bringing in enough revenue to afford a Facebook ad buy, not to mention holding down the number 3 ad slot on Google searches for "free credit reports" (note 1)?

The answer is complex. It has to do with consumer confusion over the whole business of credit scores, ID theft, and the government-mandated free reports which is what most Googlers are looking for when they type "free credit report." And consumers must share part of the blame too. In a rush to get "something for nothing" they blindly fill out "free trial" forms without reading the fine print or taking time to investigate alternatives.

Taking the high road
But the dizzying array of credit monitoring options provides an opportunity for banks and credit unions to do the public a great service, and turn a nice profit, by educating their customers and offering value-priced alternatives: 

1. Credit scores/monitoring: Instead of pushing credit monitoring services that are too confusing and too expensive for the mass market, provide customers with their credit score each month, and if it takes a dive, alert the customer and provide the tools to access their credit report to investigate any potential problems (see our post yesterday and note 2).
2. Identity fraud support: Citibank's Identity Theft Solutions advertising blitz was a nice humorous break from most bank advertising. However, I think it did a disservice by making full-blown identity fraud seem more commonplace than it really is. Consumers needn't be frightened, they need to be careful, they need to understand what to look for, and they need to know where to turn in the event of suspected fraud.

And since most banks and credit unions don't have the resources to provide full-service fraud assistance, turnkey solutions providers have stepped up to fill the need. We are lucky to feature one such company at our Finovate conference next Tuesday in NYC.

Full-service education and victim response from Identity Theft 911
Five years ago, I met the entire Identity Theft 911 team when they were in Seattle making sales calls. It was refreshing to see someone in the identity fraud space taking a genuine interest in helping the end-user out of a jam, rather than simply trying to get them on the hook for a $150+/yr monitoring service. And over the years, I've kept in touch with the company chairman, Adam Levin, as he's worked the trade shows to garner support for Identity Theft 911 and his other company, Credit.com. Adam will take the stage Tuesday morning in NYC to demonstrate the full range of his company's resources to help banks and credit unions make their customers feel MORE secure, rather than more afraid (see screenshot below of AFL-CIO Employees Federal Credit Union's Identity Theft 911-powered services, link here).  

Note:
1. Search performed from Seattle IP address mid-morning on 26 Sep 2007.   

2. For more information on credit monitoring, see the latest Online Banking Report here.

In terms of website design, I find most Citibank pages to be somewhat busy. But overall, the pages usually work well due to the eye-catching graphics, appropriate use of colors, and good copywriting.  

I've had a Citibank Business AAdvantage credit card for at least a decade. Even though I don't visit the site often, maybe once every few months, I find that it's generally easy to find what I'm looking for. 

As you can see in the business card example below, the bank uses purple and green "buttons" to catch your eye, then inserts important key words within them to drive action:

1. The purple, "Fraud is not your fault" reinforces that customers are not liable for unauthorized transactions, something most people are still concerned about, even though their liability is minimal. The button leads to a page that discusses advanced fraud fighting tools such as virtual account numbers and a picture card.
2. The navy, "How much have I spent lately?" allows users to quickly drill down into a key area of concern for most card users. Although not as powerful as Wells Fargo's My Spending Report (previous coverage here), it's still a good starting point for many users.
3. Finally, the bright green, "Help prevent an identity crisis" pitches the bank's credit monitoring solutions (note 1).
   

Citibank Business Credit Card main account overview page (22 Sep 2007)

Note:

1. For more information on bank and credit union opportunities selling credit report monitoring see our most recent Online Banking Report.

If you were in the office yesterday, you probably heard about Bank of America's announcement of SafePass, an optional out-of-band authorization technique for high-risk online banking transactions. It was all over the news, including the trades, blogs, and a few mainstream press articles. Here's the press release.

The system, common in many countries, but available only at Citibank in the United States (previous coverage here), sends users a 6-digit code via text message. The code is then entered at BofA's website to authorize larger transfers, new bill-pay merchants, new accounts for funds transfer, or to login from a new computer, not previously "registered" for online banking. VeriSign developed the technology.

The service will roll out across the BofA empire this year, with many customers having it as soon as next week. Next year, a wallet-card token "SafePass card" will be offered for customers who don't have text-messaging capabilities on their phones.

Analysis
SafePass is a solid enhancement to security, at least perceived security, since it probably won't do much to cut down on actual fraud losses. It's already pretty difficult to get through BofA's security gates and pull money out of someone's online account. The bank did the right thing in making it optional. Only the paranoiacs, road warriors, or those with unusually high transaction amounts will want to undergo the extra steps.   

So while it may be ho-hum in terms of fraud reductions, SafePass is brilliant marketing (note 1). It's a tangible and easily understood copy-point as to why one should choose BofA over the other 15,000 U.S. financial institutions. Think of the bragging rights they now have (all firsts are U.S. only):

• First to integrate mobile messaging into the authentication process
• First to offer optional extra security
• First to safeguard the process of adding a new bill payment payee
• Potentially first to offer choice of token or mobile text message for out-of-channel authorization
• Only bank able to put "SafePass" on their website—a very good name
• Able to say, "no one has more security options than us"
• Able to say they are a "pioneer in security enhancements"
• Able to they "put the customer in charge of their own extra security"
• And so on ...

Congratulations to Bank of America for once again raising the bar in online security.

Rant
While I like what the bank has done, once again I find it astonishing that even 48 hours after releasing the news in a press release here, THERE IS NOTHING ON THE BofA WEBSITE ABOUT IT. A site search for "SafePass" pretending to be from North Carolina, New York, or California results yields just a single obscure business insurance product. Bank of America's search doesn't even return the press release announcing the service!

SafePass is also not mentioned in the bank's security, online banking, or mobile banking sections. I've worked in a Fortune 50 company, so I understand all too well how hard it is to sync advertising, PR, sales, and so on at a huge company. But with 22 million active online banking users, you'd think BofA would be a leader in syncing its website to its marketing plan. 

Am I being overly critical?  It's certainly worth writing about. 

Note:

1. For more information on the synergy between security and marketing efforts, see our full report on the subject at Online Banking Report.

Today, I was home for lunch and my son was watching a recorded episode of Myth Busters, a great show as anyone with a pre-teen child knows. As he was fast-forwarding through the commercials, I happened to see a glimpse of a LifeLock spot (see inset).

My son knows I like the commercials better than the shows, so he graciously replayed the entire thing for me. It seemed to go on forever, he said, "like a sponsored program of its own." Which from him is actually a compliment, I think. I checked out the replay online and saw that it was a 2-minute spot (note 1).

It features street scenes of New York (I think). It plays like news coverage as the big "billboard trucks" drive through town plastered with CEO Todd Davis's social security number in red, 3-foot high numbers. Interspersed are man-on-the-street soundbites from astonished pedestrians and a great testimonial from a LifeLock customer who credit the company from saving him from having someone buy an $83,000 RV in his name. It also has Mr. Davis pitching the product through a bullhorn on a crowded Manhattan street.  

It's a real in-your-face commercial, but I really liked it. It does a great job of grabbing attention, reinforcing the benefits, and providing a can't-miss call-to-action. It's a good compliment to the over-the-top print ads featuring the CEO's social-security-number (see previous coverage here and note 2).

LifeLock uses two different URLs in the commercial, the normal <lifelock.com> and <lifelocktv.com>. Both point to the same page now, but the company must be considering a distinct landing page for the TV URL.

The video is available in the lower-left corner of the company's homepage (below). For more information on the market for credit report and identity theft services, see our most recent Online Banking Report here.

Note:

1. The commercial doesn't appear to be on YouTube yet, so I was unable to post the actual spot here.

2. A half-page version of LifeLock's social-security-number ad was in a recent WSJ.

I received an email from American Express late last night after resetting my password earlier in the day (see screenshot below). I can never remember my AmEx password, because I can't use my usual one due to the company's surprisingly short field of just 8 characters that also doesn't support special characters. I have it written down somewhere, but I can never find that either.

I went online late Friday afternoon to pay my overdue bill at AmericanExpress.com. I was pretty sure it was one of three possibilities, but after two unsuccessful attempts, and with the website warning me the third attempt would cause a lockout (note 1), I decided to go through the online reset process instead. 

That was easy. I just needed the card number, the code on the front of the card, and the answer to a security question. At that point, AmEx displayed my username and let me reset the password. It's one of the easier reset processes I've tested. That's a benefit to customers and helps cut customer service costs for AmEx. 

But the thing I liked most was the email message sent later that night informing me of the password reset (screenshot below). But I don't understand why it was sent more than six hours later. Why not send it right away? That would be way more impressive to customers, and would help reduce any potential fraud or privacy violations. Better yet, send a text message right to the customer's mobile, so they have real-time knowledge of the account changes.

Email Critique
Personalization: The company uses two pieces of personalization, cardmember name and the last five digits of the account number, to differentiate this message from the average phish. Excellent.  

Subject line: Your American Express Forgotten User ID is good and right to the point

From: "American Express" using an American Express email address. Good.  

Headline: Verify Your Account Transaction is a little confusing. All I did was reset my password. I'm not sure that average person views that as a "transaction."

Copy: The copy is short and to the point, but it could use a little editing for clarity. The third sentence, "If you did contact us...." seems unnecessary. And "If you did not complete the retrieval...." is not very user friendly language.

Design & Layout: Excellent.

Overall Grade: A- for the message, B- for timeliness

Note:

1. We recommend allowing more than three attempts before lockout. It's pretty easy to forget a digit or make a typing mistake. See our Online Banking Report on Security (#119) for more information.  

Want a shock? Open today's Wall Street Journal to p. D3 (West Coast edition).

You'll see a full-page, black-and-white ad featuring LifeLock CEO Todd Davis's social security number in a massive reverse-type, page-dominating format. There is also a 1/4 scale photo of a smiling Davis holding his social security card out to the camera. The ad offers a 30-day free trial using the WALL10 promo code, before reverting to the normal $10/mo price.

The WSJ spread will be less of a surprise if you've seen LifeLock's television spots or website recently, where the same technique has been used for some time (see screenshot below).

Although the ad may partly be for PR in the investment community, the relatively large spend demonstrates just how lucrative, and appealing, financial security services can be. We'll look at LifeLock and the whole identity theft/credit monitoring space in our upcoming Online Banking Report, due out in about 10 days.

A commenter yesterday asked if anyone had heard of BudgetPulse, an online personal finance site that opened its public beta site two weeks ago.

Well, we hadn't heard of it, but in this increasingly crowded space, that's no surprise. We are now tracking more than 20 online personal finance sites (previous coverage here). With low-cost server space, easier programming tools, APIs, and cheap viral marketing through blogs and social networks, the barriers to entry are a fraction of what they were just a few years ago. A good programmer could put together a simple financial tracker in their spare time.

While this will spur creativity and innovation, ultimately benefiting end-users, there is a downside. Security and privacy.

As we looked at BudgetPulse, which at first glance looks like several other Web 2.0-inspired finance sites, we couldn't help but wonder who was behind the site. There are no names, personal or company. Even the who is info for the domain is masked (domain registered in April). The only email address is disguised in spam-defeating format: "info (at) budgetpulse.com". Right now, the public portion is a two-page website with a few popup forms. The FAQs are empty. The forum is coming soon. There is a blog, but it only has three short posts. And there are misspellings in the website and blog copy. The websites entire security discussion is a single sentence:

We protect your account and data with advanced security methods.

More than likely this is simply the work of one individual who concentrated on coding the functionality first, and whose day job prevents him/her from spellchecking their HTML. But what if it's a scam? Convince a few people to use it to track their finances, then hit them with requests for their credit card numbers "to enhance the experience" or to their checking account number for payments, e.g., "Join our beta test and earn $500/mo as you test it."  

I admit that could be far-fetched, and I have absolutely zero knowledge of that happening at BudgetPulse or any other site. But it does bring up the bigger issue of consumer trust at independent, non-regulated personal finance sites (i.e., non-financial institutions). Even the well-funded personal finance sites such as Wesabe and Mint must deal with the mistrust and skepticism consumers have for new companies wanting to get involved in their lives, especially their finances. 

The solution: Financial institutions, with their trusted brands, partnering with or acquiring online personal finance sites to bring new functions and features to their customers.       

Intersections, with 4.7 million subscribers (as of March 30, 2007), is a leader in the U.S. credit monitoring business. Its private-label programs are offered by Bank of America, Capital One, Discover, Citibank and many more leading financial institutions. I have personally used the Intersections service for nearly a decade through its distribution agreement with American Express, a partnership which ended last year.

Last year, Intersections redesigned its core consumer-direct website, Identity Guard, to feature four levels of protection (see screenshot below):

1. Good Start (single-bureau monitoring only): Free for six months, then $4.99/mo
2. Watchful Eye (above plus Internet fraud database scanning and quarterly credit report and score): $7.99/mo or $69/yr
3. Extra Caution (same as above, but expanded to all three credit bureaus plus $20,000 id theft insurance): $12.99/mo or $119/yr
4. Total Protection (above plus constant scanning of public record databases): $17.99/mo or $159/yr

Analysis
The free six-months of service is a great way to get customers accustomed to using a daily monitoring service. However, the company does themselves a disservice by completely ignoring the obvious customer question: What happens after six months? As far as I could tell there is no way to get an answer to that question without calling or emailing prior to starting the application (see note 1). That's unacceptable for any eCommerce application, but especially in credit monitoring, which has had its share of questionable marketing practices.

We'll look at the Identity Guard application process and products in detail in our upcoming new report, Online Banking Report: The Market for Fraud Protection, Identity Theft, and Credit Monitoring Services (available at the end of July here).

Identity Guard homepage showing four product choices

Note:

1. My first email about the potential fee has not been answered or confirmed 48 hours later. But my call to customer service this morning was answered promptly, I was speaking with someone in about 50 seconds from dialing. He was a little unsure of the fee, saying "I believe it's $5.95/mo" and he "thought" that yes, you would be charged automatically to a card entered at signup. But overall, he did a decent job answering my question and surprisingly did not try to get me to signup even though I was obviously hesitant.  

If you live in the U.S. hurricane zone, the memories of the summer of 2005 are still all too fresh. That's why it's great to see Gulfport, Mississippi-based Hancock Bank take a proactive approach to storm season with its "storm readiness" plan released in a June 1 press release (here).* 

While normally, your disaster planning efforts rate no more than a deep link on your website, Gulf Coast residents need more prominent reassurances. Hancock does a great job reassuring customers in its press release covering these four areas of storm preparation: 

• Designated certain branches "lighthouse branches -- beacons to safety." These branches stay open as long as possible and re-open as soon as possible. Emergency procedures for employee communications, food, shelter, back-up power, and fuel are detailed.
• Offsite backup for its website and online banking so there will be "virtually no downtime." 
• Data center precautions, including safeguards at its main center, dubbed "the fortress," plus plans for emergency off-site backup.
• ATM system procedures and priorities in the event of a prolonged emergency.

Analysis
Overall, this is a good press release and sound plan, especially the concept of "lighthouse branches" which play off the company's logo and branding. It should receive good play in the local media.

However, I couldn't find this info anywhere on the bank's website, other than the press release buried in Investor Relations. This time of year there should be a prominent link to the bank's plan on the homepage or at least in the personal banking section. If you were looking for a new bank in the Gulf area, this would help your decision.

And financial institutions should do even more by making online banking and electronic communications prominent in the disaster plan. Here are eight additional ideas. While, some would require product development, they are relatively minor projects. Financial institution benefits are in italics.  

1. Create a "customer communication plan" that send emails or text messages to customers to keep them informed of developments with branch, ATM, and online banking outages. 
       Helps bump up online banking and email registrations. 
   
2. Remind customers how important it is to have up-to-date email addresses and cell phone numbers on file. 
       Helps improve your delivery rate on marketing and
       service messages.
   
3. Since customers may not have power, they may need to rely on mobile phones for information. And since waiting on hold uses up precious phone charge time, create a call-back plan for emergencies. Customers would call or text the bank requesting a call back on their mobile.  
        Helps differentiate you from the competition.
   
4. Create an "open branch & ATM" query. Customers could send a text message requesting a list (with address, phone number) of all open branches and ATMs.  
        Again, differentiates you from the competition.
        And if ever needed, will help create lifetime customers.
   
5. Let customers use designated branches to charge phones or laptops in the event of widespread power outage.
        More differentiation and customer advocacy.
   
6. Develop a blog that can be used to keep customers apprised of any changes to banking services. Several employees should be prepared to update the blog through mobile phones if power was out. And at least one person should have access to a satellite phone so they can remotely post updates to the blog (perhaps working with someone outside the disaster zone, who can do the actual typing/posting).
        Another great relationship builder.
   
7. The Web-based branch finder should include a search for "lighthouse branches." 
        Expose your impressive disaster preparations to
        prospective new customers.
   
8. Refer customers to disaster preparation website resources for so they can put together household stockpiles and family communication plans.
        More customer advocacy, not to mention the "right" thing to do. 

*Full disclosure: We have done some website evaluation work in the past for Hancock Bank.   

When I saw the blog postings this week that Freakonomics authors, Steven D. Leavit and Stephen J. Dubner, had penned an article on identity theft, I anxiously clicked into the Sunday NY Times Magazine to read the article (11 March 2007, link here). I had hoped that the popular statistical wizards had taken on the subject of why ID theft loss estimates vary by as much as 20-fold, from a couple billion to more than $50 billion (note 1).

Unfortunately, the article, Identity Crisis, shed no light on any of the statistical anomalies nor did it offer any help with definitions, even after using this lead sentence:

There are as many varieties of identity theft today as there are varieties of, say, mushrooms.

The lightly researched article relied on the usual Javelin and FTC numbers and reached the unsurprising conclusion that merchants are the ones that most care about credit card fraud. But the authors glossed over the fact that it's the online merchants who are burned most by card fraud, due to card-not-present chargeback rules (note 2). Real-world card swiping merchants are often made whole for fraud situations provided they followed the card association rules for checking the signature scrawled on the receipt against the 1/8 inch script scribbled on the back of the card (as if that stops much fraud).

The authors also failed to realize, or at least note, that the oft-cited Javelin finding that more than half of ID theft is from people you know, includes only the situations where the victim has knowledge of who perpetrated the fraud. In round numbers, here's what the pie looks like:

• 50% of ID theft victims don't know who stole from them
• 25% know who stole from them, but have no relationship with the crook
• 25% know who stole from them, and the crook was family, friend or co-worker

I believe that it's a bit of stretch to say that half of all identity theft is from related parties when it could be a little as 25% or as much as 75%.  

Blog Comments on ID Theft
Unlike the old days when the only way to interact with an article was a letter to the editor, Leavit and Dubner maintain a blog (here) where readers can sound off on the issues. The blog entry, Who Cares About Identity Theft?, went up on March 9, two days before the full article appeared in the Sunday Times. I was surprised today (March 17) to find only 29 comments on the identity theft piece, especially since the blog has more than 55,000 readers and both the print and online NY Time's columns directed readers to the Freakonomics blog.

And no one seemed to care that the authors did little to further the debate on identity theft, chargebacks, or law enforcement priorities (note 3). In fact, it appeared that only a half-dozen of the commenters had even read the full article. So we have at least a partial answer to the "who cares" question, not the blog readers (note 4).

Notes:

1. During the past month, I've had conversations with extremely frustrated reporters from the Wall Street Journal and Wired Magazine, who were trying to figure out what the true costs of financial fraud in the U.S. really are. 

2. I have to admit being biased here. As an online-only merchant, I pay large credit card fees, around 3% that cover the supposed "high-risk" nature of online commerce, even though I have zero recourse if the charge is later disputed as fraudulent.

3. The article had conflicting anecdotal evidence on law enforcement efforts to stem financial fraud, saying the FBI usually needed at least $100,000 in losses to get involved. The article implied, but did not explicitly say, that lesser amounts are not pursued aggressively by local police departments. Although it cited an officer from the Los Angeles County Sheriff Department's ID Theft Task Force, which at least sounds like significant enforcement action.

4. It's not so much consumer don't "care," but that they are no longer so interested in discussing it and/or they are less concerned now that many understand that they are well protected against financial loss.

There is no doubt consumers love debit cards. Despite cloudier fraud protections, no free float, and the confusion of "signature vs. PIN," growth continues at a 20% annual clip, with total U.S. transactions surpassing credit 15 to 18 months ago (see numbers here).

But continued negative press coverage could slow the growth. For instance, today's lead article in the Wall Street Journal's Personal Journal section, How to Protect Your Plastic, focused on recent debit card skimming incidents. 

What can a financial institution do to counteract the negative press?

1. Educate customers on their limited liability

2. Provide clear and understandable zero-liability fraud protection guarantees

3. Provide tools for monitoring checking accounts, such as transaction and security alerts

But once you have those "best practices" in place, you can still boost usage, and differentiate your debit card and checking accounts by integrating actionable text-message alerts (see ClairMail example above). 

While the industry-standard email alerts are helpful, the phishing epidemic, spam filling up the in-box, and  the time lag for reading and responding to bank emails, make them less and less effective for time-sensitive communications such as fraud alerts.

Enter the mobile phone. Most banking customers now keep a mobile device with "three rings" of their person much of the day, and almost always when out of the house. Therefore, a real-time text message each and every time a debit cards is used, will go a long way towards making users comfortable that their card has not been comprised. And in the event their is a fraudulent transaction, a quick text message back to the issuer can lock the debit card down, avoiding any additional unauthorized transactions.

This is about as win-win as you can get in banking. The user is happier with his debit card leading to increased loyalty and more debit transactions, boosting both short- and long-term revenues for the bank, credit union, or card issuer.

For more information see our latest Online Banking Report, Mobile Banking & Payments 2.0 (OBR 138/139).

Once again (previous post here), Chase used a three-quarter page color ad in the front section of the New York Times (p. 17, National Edition) to showcase its alert services (see partial screenshot right). The ad shows a man relaxing in the stands at some type of sporting event, Yankee Stadium perhaps.

The camera looks over his shoulder, focusing in on the image displayed on his Treo smartphone, which says "SECURITY ALERT" in large white letters on a light-blue background.

You had to feel for this poor guy, jarred from his leisure time with an urgent missive from the bank. Within a few seconds, three things likely crossed his mind: 

1. What the (expletive deleted)? Pretty poor timing to be interrupted at a baseball game with a security alert from the bank (which, these days is 99.9% likely to be a false positive, or a phishing attempt, see number 2).

2. Is this even from Chase? How do I know it's not a new kind of mobile phishing attach (mishing?). Should I ignore it? Does my liability go up if I don't respond immediately?

3. Now what? Can I click the message and find out if this was just a notification that I'd used my debit card to buy beer at a Yankees game, something I'd never done before, or has someone just transferred my 401k to a numbered account in the Jersey Islands? Or will I have to excuse myself and make a voice call, spending the 6th and even part of the 7th inning, talking to a Chase CSR, who may not even have enough info to explain why I got the alert? 

Analysis 
The ad demonstrates the pitfalls of using a very negative attribute, security breaches, in marketing your brand. But despite the uncomfortable thoughts that come to mind, we think it's an effective ad because it grabs attention and positions Chase as caring for the financial security of its customers. However, given that Chase's actual alerts look nothing like this, it's a bit of a stretch. I suppose they're allowed a bit of creative license; it's advertising after all. 

We'll give it an A-

Looking for the ultimate in frustration? Try this sometime. Go to all of your bank, brokerage and credit card accounts and enter the correct username, then make up passwords and hit enter until you are locked out of your account. 

For research on a previous report in our Online Banking Report (here), I locked myself out of more than a dozen accounts. That was almost four years ago, and I have no plans to do that again, ever. However, yesterday, through a bit of miscommunication with my wife (note 1), we found ourselves locked out of our account at US Bank.

Due to this inadvertent bit of research, I found out that US Bank has added a "lock-out alert" (one step forward) to its messaging services, but fails to tell users what is going on and how to resolve it (two steps backwards). Here's what the alert looks like (see notes 2 & 3):

Recommendations:

• The alert (above) needs to tell users EXACTLY what to do next. US Bank correctly tells the 1% of users what to do if the failed login was not imitated by them (call the bank), but the bank fails to explain to the other 99%, who simply forgot their password, what they should do.
• The screen displayed after lockout (see below) also must tell users EXACTLY what to do. US Bank's message to frustrated users: "Internet Banking is unable to verify the information you've entered. Please confirm your Personal ID and password." At the very least the bank should empathize with the user and explain the possible causes of the problem and link them to the password reset screen.  
• Don't lock out users after only three or four attempts: US Bank locked my wife out after 3 or 4 trys, more stringent that the six allowed in our test four years ago. That is just too few. Most users who make a mistake (attempt 1), will retype the exact same info (attempt 2), then try once more paying very close attention to their typing (attempt 3), before trying a different password (attempt 4). So at minimum you must allow four tries. Even better is 5 or 6 or up to ten. The cost in customer service for locking out at 3 or 4 attempts is far more than any fraud that will be prevented with such strict measures.
• Help users remember they created a new password: In our case, if the on-screen error message had said, "You recently changed your password, are you using the new one?", the whole episode could have been avoided. Instead, US Bank gives no information to its customers (see screenshot below). It doesn't even explicitly tell them they entered the wrong username/password. It just drops them onto this blank page that has a vague message about logging in.
• Warn users before lockout: Tell users they are about to be locked out, with a warning, "One more incorrect attempt will lock you out of your account. If you've forgotten your username or password, click here." 
• Let users back in after lockout: The last time we tested, US Bank allowed users to log back in 24 hours after lockout if they remember their username and password (note 4). That's a good policy, but why 24 hours? Why not 12 hours, or 3 hours, or 1. If you have the correct username and password, why should you not be allowed back into your account after a relatively short period of time? 

Enough with the rant. I know these policies are in place to discourage unauthorized entry. But you also shouldn't run up your customer service costs, not to mention irritating customers, with arbitrary lockout parameters.

Notes:

1. Anyone with a joint checking account can probably recognize that "a bit of a miscommunication," is a euphemism for, "I forgot to tell her I changed the password."

2. An alert is generated for each failed attempt. We receive three identical messages. The email address has been erased from the screenshot.

3. Note the email is generated from the URL, cs.usbank-email.com, which cannot be verified through direct navigation (it results in an error message). That's phishy looking. Emails should carry the normal, user-recognizable URL, in this case, usbank.com. If that's not practical, at least post a page at the email URL verifying that the URL is genuine.

4. It's been about 16 hours since lockout, and we still cannot get back into the account.

I hate phishing. Not only has it cost the world's financial institutions tens of millions in fraud losses, it's just about killed the email channel in terms of getting your customer's attention in a timely fashion, and it's diverted management's attention from much-needed online marketing improvements. That's much worse than the actual fraud losses. 

Like most people with widely published email addresses, I get a half-dozen phishing messages every day (note 1). I rarely give them a second look unless they purport to be from my bank. Almost all of them are placed in the junk folder by Outlook, one of the nicer services of Microsoft Office.

Phishers have to be much more creative these days. The time has past when a few paragraphs of broken English and the bank's logo could net the fraudsters a few extra coins. Now I get fake emails asking me to verify my security settings, authorize account changes, or claim a sweepstakes prize.

For example, today I received a fake credit card authorization request from Wells Fargo (see inset). I'm not sure why it prompted a blog entry. Maybe because I use a Wells card or maybe because I've been talking to mobile banking execs about this very subject. But the fake was good enough to force me to take a closer look. The biggest clue is the wrong format for the USD charge, using a "comma" instead of a decimal point between the dollars and sense. But otherwise it's pretty good, and may even net a few card numbers before its taken down.

Analysis
I am optimistic that email can still be effective if financial institutions clearly personalize their messages (see samples here and here). However, gaining customer trust back, especially for security-related messages, is a long-term project. That's why we are telling financial institutions to invest in RSS/XML feeds (Online Banking Report #135/136) and/or mobile banking (Online Banking Report #138/139) in order to reach their customers in a way that is less prone to fraud, at least for now.

Notes:

1. A great online repository of phishing examples is housed at MillerSmiles.co.uk

2. There's a whole book on phishing, click on cover above to go to Amazon's description of the title.

In an American Banker article today (here), Wachovia says it is developing security controls that will put users in charge of some of their own security settings such as the size of a funds transfer allowed. According to John Watkins, Wachovia's Director of Online Services, the new capabilities will be available "sometime this year."

This is not a new concept. The first full-service online-only bank in the world, Security First Network Bank, offered user-set bill payment limits more than ten years ago. Other international banks, such as ABSA Bank in South Africa, have long allowed users some control over security matters.

However, in the United States user-controlled security has been slow to catch on, other than via triggered email alerts, which remain the first line of defense. For several months, Bank of America has been reminding online banking users that alerts can help them prevent fraud in their accounts. 

While it's too early to speculate on what Wachovia will or won't do, the concept is a good one, and will eventually be used to some extent by all financial institutions. It's a win-win, providing users a better sense of control while reducing actual fraud losses within the bank.  

For more information:

See Online Banking Report #119, "Marketing Security" for more ideas on how to turn security concerns into a marketing advantage.

Texans Credit Union <texanscu.org> has added complimentary ID theft insurance and help services to their checking accounts. The new service is promoted through a somewhat confusing "Upgrade Now" call-to-action near the bottom and a large graphic (which rotates with two other spots) in the middle section of its gorgeous homepage (see screenshot below; notice how they use drop shadows to highlight the page).

Analysis
It's an OK perk, but doesn't do anything to help members prevent ID theft. To do that, members need credit report monitoring, which is available for $70 to $140 per year from the credit union's co-branded program with Identity Fraud Inc. (see screenshot below; read the full terms and conditions here).

However, it's not clear on subsequent pages whether members must take action to get the free service and which options they should choose to upgrade to credit report monitoring. We'd like it better if the credit union were more upfront about what is and is not included, and what the member must do.   

Update (Nov. 12, 10 AM PST): Twenty-two hours later, the Verity website has been taken offline, but the blog is still running. However, there are no new posts since the original, although Verity's Shari Storm has responded to several member comments. From information in the comments, it sounds like Verity's log-in page was redirected for up to four hours on Saturday morning beginning about 6:00 AM. At least one member said they answered "screening questions" including mother's maiden name.

Seattle-based Verity Credit Union is in the midst of a major website spoof that began earlier today. The credit union is reporting that the log-in function to online banking, located on its homepage (upper-right below), has been redirected by a hacker.

Apparently, only the log-in function was hijacked. The credit union has control of its homepage and plastered a large warning over the front. The link after the warning, "more information," linked to the Verity blog for updates (see below).

It appears the log-in process is back under the credit union's control, although the warning is still there. When attempting to log in at 3:15 PM with a test name (I do not have a Verity account), I was redirected to an error message at <https://secure-veritycu.com/Common/SignOn/SignOnError.asp>, which appears to be a legitimate Verity secure page. There was no follow-up question asking for my credit card number as mentioned in the blog post (see below).

The incident was first posted to their blog at 12:02 PM today (see post below).

The silver lining
As bad as this is, Verity should be applauded for the rapid response, using both its website and blog to get the word out. Presumably, they also emailed customers, but those messages may or may not be believed in this day of rampant phishing.

You can follow the ongoing drama at the Verity blog, where customers have been redirected for the latest news. We'll keep you posted.

Despite calls for banks to stop marketing via email (see here) to help reduce fraud, PayPal, probably the most phished brand in the world, shows that the technique can still be effective. 

It requires a professional layout, good personalization, and behind-the-scenes fraud monitoring to nip phishing attempts in the bud.

Here's the latest from PayPal. Note the 30-second credit card button (bottom left) and personalized greeting at the top of the message.

Classification

Type: Marketing email with educational focus

Product: Payments with credit card cross-sell

Customer Type: Active customer

Personalization: Hello <yourname> at top of message

Header

Date received: Wed 11/1/2006 9:38 AM
From: PayPal [paypal@email.paypal.com]
To: Jim Bruene
Subject: Simple Steps to Protect Against Fraud and ID Theft

There seems to be a new announcement every day about a bank or credit union intent on stalling this or that security solution to comply with the FFIEC's year-end guidelines (see previous coverage here).

However, if you drill-down through the press releases, usually initiated by vendors, details are sketchy. In fact, according to the Glenbrook Partners in-house security wizard, Linda Elliot, only 26 U.S. financial institutions have disclosed specific security solutions from a total of 13 vendors. Her most recent scorecard, as published in the consulting company's Payments News, is here.

We added another three credit unions to bring the total to 29:

Banks (22)

• American Bank (RSA)
• AMSouth Bank (vendor not disclosed)
• Associated Bancorp (Corillian)
• Bank of America (RSA/Passmark) our post
• Barclay’s (RSA)
• Citibank (Consumer: Entrust; Business: VASCO DigiPass)
• E*Trade (RSA SecurID)
• Farmer's and Merchant's Bank of Long Beach (RSA/Passmark)
• Frost Bank (RSA/Passmark)
• ING Direct (RSA)
• M&T Bank (Corillian, Cydelity)
• Nevada State Bank (RSA/Passmark)
• North Fork Bank / All Points Capital (Arcot)
• Northern Trust (Verisign)
• Silicon Valley Bank (Bharosa)
• Stonebridge Bank (RSA)
• The Bankers Bank (Digital Persona)
• United Bankers' Bank (Digital Persona)
• U.S. Bank (Entrust)
• Washington Mutual (RSA)
• Wells Fargo (Bharosa, Quova, Actimize, RSA SecureID,
  Symantec)
• Zions Bank (RSA/Passmark) our post

Credit Unions (7)

• Automotive Federal Credit Union (BioPassword)
• North Island Credit Union (RSA/Passmark) our post
• Schools Financial Credit Union (RSA/Passmark)

our post

• Desert Schools FCU (Bharosa)
• FORUM Credit Union (BioPassword)
• Parda Federal Credit Union (BioPassword)
• Stanford Federal Credit Union (RSA/Passmark) our post

Today, the Federal Financial Institutions Examination Council (FFIEC) issued a 7-page list of questions and answers about its October 12, 2005, bestseller, Authentication in an Internet Banking Environment.

The main thing you need to know about the new document is what it does NOT say, that the year-end deadline has been extended (see Timing, Q1, p. 4, reprinted below). However, the answer does appear to provide a bit of wiggle room, saying that banks must "implement risk mitigation activities by year-end 2006." I'm sure many creative interpretations of the precise meaning of that phrase will surface. 

Q-1- What do the Agencies expect institutions to have accomplished by year-end 2006?
A-1- The Agencies expect that institutions will complete the risk assessment and will implement risk-mitigation activities by year-end 2006. The Agencies are not considering any general extension of the timing associated with this guidance.

Good luck to all.

--JB

A number of banks, including ING Direct <ingdirect.com> and ABSA <absa.co.za> have added virtual keypads to defeat keyloggers, but the U.S. Treasury Department's Treasury Direct <treasurydirect.org> website is the first time we've seen an entire virtual keyboard. The layout is scrambled after each login, an extremely non-user-friendly feature.

The Treasury may have added a bit more security than is necessary, especially in light of Aite Group's <aitegroup.com> latest research that online banking fraud in the United States was a scant $4 million last year (correct, that is no typo, it's MILLION as in 4 cents per U.S. household). The virtual keyboard itself would defeat most hacks; there's no need to scramble it every time.

Thanks to MyMoneyBlog for the tip. Interestingly, most of the 16 comments on the new security feature were negative because of the extra hassle.

Today's Wall Street Journal ran a run-down of identity theft startups. Companies mentioned:

• LifeLock: Founded by Todd Davis, the Chandler, AZ-based firm has been offering its $10/mo service since April 2005. The company also protects children living in the same household for an additional $10 per year. Its plain-language guarantee featured prominently in the upper-right corner of its home page should serve as an example for financial institutions (see inset).
• TrustedID: A Redwood City, CA-based company co-founded in January by former Fair Isaac executive Scott Mitic offers protection services for $7.95/mo.
• CardCops: The Malibu, CA-based firm scans the Internet for stolen information and for $24.95/mo alerts its customers if their data has been compromised.
• Cyveillance: The Arlington, VA firm also sifts through the online world looking for stolen data. The company resells its service as Identity Guard through Intersections Inc.

Financial institutions should be partnering with credit bureaus and/or identity theft providers to provide education and protection services to banking customers. Refer to previous articles here.

-- JB

Zions Bank <zionsbank.com> is one of the early entrants in the parade of banks and credit unions rolling out multi-factor authentication this year. The Utah-based bank is using the PassMark/RSA <passmarksecurity.com> system pioneered by Bank of America last year (NB May 26, 2005).

Although there are compliance and security reasons enhancing security, the biggest benefit is marketing and PR. Just today, highly influential Wall Street Journal columnist Walt Mossberg urged readers to ignore financial institution emails saying, "...never, ever consider any email from a financial institution as legitimate." Ouch.

SecurEntry positioning
While we like the SecurEntry name, its page-dominating position on the Zions homepage (see above) is a bit over the top. Granted, they are in education mode as they race to enroll every customer within the next two months. But there's a reason why bank branches in high-crime areas use Plexiglas enclosures instead of steel bars; you don't want to make your customers afraid. The best security measures are subtle and discourage criminals without overly impacting the 99.9% of your customers who would never try to make off with the contents of the cash drawer.

It would work better to place the SecurEntry logo near the log-in area in the upper-right. That way, customers concerned about security could click-through to learn more, and customers that weren't already paranoid could go about their banking business without feeling new insecurities.

How it works
SecurEntry is a multi-factor authentication scheme identical to that used by 20 million customers of Bank of America, Stanford Credit Union, and others (see NB April 12). The new system, launched July 11, is optional for the first two months and becomes mandatory on Sept. 8. The bank estimates it will take five minutes to enable. Zions posted a Flash and HTML demo explaining the system, a one-page Quick Reference Guide (PDF), seven-page illustrated tutorial (PDF), and 11-question FAQ. 

Off-topic: brief homepage critique
Zions' new homepage design is hard to judge. Taken individually, the modern graphics and succinct copy are excellent. However, the overall effect is way too busy, with too many elements screaming for the user's attention. The bank needs to better prioritize what they want to communicate on the homepage. The main points can be emphasized with strong graphical treatment while less-important areas are reachable through more subtle navigation, such as sub-menus.

--JB

To learn more about how to promote online security and peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

Although they've been around for years, with relatively little success, the time may be right for disposable card numbers. However, this time, the emphasis should be on debit, the payment of choice for many younger consumers.

A compelling case can be made for disposable debit which:

• is the favored payment vehicle for the under-30 crowd, and often the ONLY payment option for high school and college students
• differentiates your checking account from 16,000 other U.S. providers
• encourages more debit card usage
• cements account relationships
• adds value to online banking archives
• provides excellent PR (customer advocacy) and branding benefits

But while great strides have been made in educating consumers about credit card fraud protection, the issue is murkier on the debit side.

Consumer appeal
We were reminded of the appeal of disposable card numbers when reviewing Cambrian House <cambrianhouse.com>, a Web-based venture attempting to "open-source" the business-startup process. While we don't see that taking off, the company does maintain an interesting database of user-submitted business ideas. Of the 433 ideas listed, the most popular according to site visitors is:

Self-destructing credit cards submitted by Rohan Pinto

Essentially what Mr. Pinto is proposing is the one-time-use credit card number offered since the late 1990s by Citibank, American Express, and, more recently, Discover Card (see inset). The main difference is the name, which actually is pretty good, if it hasn't been trademarked yet (we couldn't find any business using the term in a quick Google).

--JB

by Pieter de Villiers, CEO of Clickatell

In the fight against financial fraud, it's a simple technology that is proving one of the most effective deterrents, as well as being a cost-cutting tool that builds customer loyalty.  Thanks to the incredible reach of SMS, its simplicity, and the fact that it is the most accessible messaging technology in the world, banks are introducing text messaging as an added layer of security for their customers to tackle the problem of identity theft.

Case studies
In South Africa, for example, First National Bank (FNB) <fnb.co.za> claims that its SMS service, called inContact, has not only reduced fraud by 43%, but also has brought about increases in Internet-banking security. Client retention has increased by 15%, and call center costs have been reduced. With 22 million messages sent every month to more than 1.1 million subscribers, FNB is the largest single sender of text messages in the country, responsible for 26% of all messages.

With the widespread adoption of mobile communications, it’s a fair assumption that most people with a bank account, credit and debit cards will have a mobile phone. “Contactability” is rarely an issue. With very few exceptions, a text message will reach its intended destination, and it will be read. It is a peculiarity of mobile communications that while many people will ignore a call, they will always look at a text message. It is also a private communication.

Like FNB, a growing number of banks are realizing the power of the text message, and SMS is being introduced as an added layer of security for their customers. By simply receiving a text every time a transaction takes place, money is transferred, or an account is accessed, customers have immediate visibility of their account and can alert their bank about any suspicious activity.

The “soft” benefits are enormous as well. Banks can’t operate without a high level of credibility. Customers have to trust banks to trust them with their cash, their money management and their credit. FNB’s efforts have gone a long way to building and maintaining this level of credibility and trust. In addition, SMS brings the bank closer to its customer: It shows that the bank is innovative and at the forefront of best banking practices, and it raises brand awareness. SMS is not just a technology for FNB; it’s another channel to the customer just like its branches, ATMs, the Internet and telephone banking.

This is not just a South African trend. Spanish bank Bankinter <bankinter.com> has launched an SMS-based service to inform people each time their bankcard is used. A system warns the user via SMS of each banking operation made with the card. If the customer has not initiated the transactions, the card can be canceled immediately.

An article in Australia’s Herald Sun Business Daily cites an internal report from the National Australia Bank (NAB) <national.com.au>. The bank is concerned that it is losing AUS$1 million (US$760,000) due to Internet banking fraud. As one of its initiatives to reverse this, the bank has launched an SMS system to provide PIN-protected access to Internet banking services. According to the report, executives at the bank predict that online fraud will be reduced by 90% once 90% of customers have signed up for the scheme.

SMS and consumer behavior
It is the very nature of SMS and mobile phone use that contributes to these success rates. People have their mobile phones with them, wherever they are, and typically welcome the SMS security initiative as it means that both the customer and the banks are responsible for account security. The proactive alert makes life far more difficult for the criminal. If the losses through fraud of the financial industry can be reduced, then ultimately the customer could benefit from lower charges.

Never intended to be a commercial product, SMS has taken the world by storm. Mass implementation by mobile operators happened in the early 1990s, and the spread of inter-network roaming agreements provided the momentum to drive SMS take-up and make it a true mass market messaging service. According to Portio Research, 761 billion SMSs were sent in 2004 – that’s more than 100 messages for every man, woman and child on the planet.  Portio estimates that worldwide SMS traffic volumes will grow to 2,379 billion in 2010.

With the benefit of hindsight, the success of SMS is not surprising. It is simply an ideal form of peer-to-peer communication: cost-effective, with exceptionally high reach. As a marketing tool it demonstrates a very high response rate of up to 82% for branded campaigns and an average of 16% for other campaigns. It is immediate, reliable and personal. Messages can be customized to appeal to individual groups. Communicators can automate message sending and receive detailed reporting on activities. It is the accidental cash cow of the cellular industry, and the strength of its very simplicity is being leveraged by increasing numbers of businesses worldwide.

***

Pieter de Villiers is the CEO of Clickatell <clickatell.com>, a mobile messaging provider that allows businesses to connect people anywhere, with any message, across any device. Clickatell is headquartered in Redwood Shores, Calif., with offices in South Africa and the United Kingdom.

The recent revelation that the Veteran’s Administration lost the data files of more than 26 million veterans when an employee’s laptop was stolen in a burglary is just another reason for payments providers to tighten internal security standards. It’s also another reason to stop complaining that disclosure, not the loss of the files, is the real problem.

In the VA case, it took three weeks for the loss to come to the attention of the agency head. Even then, he stumbled across it. Apparently, nobody had thought the event important enough to tell him. Naturally, he was vilified before Congress. But the real problem was in cyberspace, where the number of Social Security numbers available for sale more than doubled in the weeks following the burglary.

The liabilities created by this theft—and the hundreds of others we’ve read about in the past 18 months—are not merely theoretical. The victims will be dealing with the effects for years, and financial institutions have a duty to make them whole.

--AR

As we predicted almost a year ago (OBR 119), PassMark Security's two-factor authentication system is proving popular. We've heard the usability arguments, we've read the security blogs pointing out the weaknesses, and we even had doubts ourselves after using the system on our Bank of America account.

But the overriding fact of the matter is, if it's good enough for Bank of America and its 15 million users, it's good enough for anyone. While no other major U.S. bank has signed on, the announcement today that Fiserv would make the system available to its 5,000 clients, coming on the heels of the Feb. 28 endorsement from S1 Corporation with 1,000 clients, means the system may win the small and midsize markets.

As further evidence, the company recently announced several new clients including North Island Credit Union <myisland.com> (125,000 members) and Schools Financial Credit Union <schools.org> (100,000 members), who touted their pioneer status with this PR-quote-of-the-year candidate:

"...Schools Financial Credit Union will be one of the first financial institutions in the country to act on Federal Financial Institutions Examination Council guidance that strongly recommends banks and credit unions implement multi-factor authentication by the end of 2006."

Finally, the company made a splash on the other side of the Atlantic by aligning with Alliance & Leicester <alliance-leicester.co.uk>, a major financial institution in the United Kingdom with five million customers. It's a company we've previously singled out for its flashy website and marketing prowess (NetBanker Feb. 23, 2005).

With the launch of the Alliance program last month (see screenshot right), Passmark is now in front of 20 million users worldwide, demonstrating a spectacular first year for the Silicon Valley startup.

--JB

Previous articles:
Online Banking Report: June 30, 2005, Marketing Security
NetBanker Oct. 12, 2005: Scottrade to use Passmark
NetBanker May 26, 2005: Bank of America unveils multi-factor security for consumer accounts

Despite the old saying that there's no such thing as bad publicity, online banking credibility took a hit today courtesy of The New York Times, page one. In the second-most-emailed article of the day, the story chronicles the threat from keyloggers around the globe. In the fourth paragraph, the article tells of a Brazilian scheme, dismantled two weeks ago, that netted $4.7 million from 200 accounts at six banks. A separate keylogging incident in France is also said to have netted $1.1 million.

Action items
While there isn't a whole lot you can do about keylogging, you should take these steps to help keep the problem in perspective:

1. Remind customer service staff that customer accounts are protected by numerous technology safeguards, policies limiting consumer liability, and internal controls that make withdrawing money online quite difficult.
2. Encourage customers to use triggered alerts so they know within minutes when a large withdrawal occurs.
3. Educate customers on the benefits of safe computing, including links to resources, downloads, and so forth.
4. Mitigate customer concern with plain-language guarantees that eliminate any customer liability for fraud perpetrated against their accounts. For a great example, see E*Trade's Compete Protection Guarantee (NB Jan 18).

For more information, read recent security articles from NetBanker or Online Banking Report (# 96/97).

--JB

The same week that Pay By Touch settled outstanding government claims against CardSystems, news of a new computer breach that could be at least as damaging emerged from California, while keylogging made the front page of the New York Times.

Continue reading "News from the Online Fraud Cyberwar" »

ModaSolutions <modasolutions.com> and several merchant clients including Big Al's <bigalsonline.com> online aquarium supply store and CompSource <c-source.com>, an electronics retailer, are making waves in online bill payment circles. In one of the more counterintuitive developments we've ever seen, Big Al's is seeing 6 percent of its customers opt for a convoluted two-step bill payment process at checkout. To increase buyer comfort levels, the connection to online banking is reinforced through banners and copy (see the logo from Big Al's above and the banner at CompSource below).

How it works
Rather than simply entering a credit card number or inputting checking account info to authorize a funds transfer, the SECURE-ebill system allows a customer to complete the checkout process without entering any personal payment info. The system then kicks an email to the customer summarizing the amount owed and the merchant's contact info. Customers are then instructed to log in to their bank's bill pay system, set up Big Al's as a payee, and then pay the amount owed. Payments are routed through MasterCard's RPPS for electronic settlement within 48 hours.

To summarize:

1. Customer shops at merchant online
2. Customer selects SECURE-ebill option during checkout (see screenshot #1 below)
3. Email is sent to customer restating the amount due and deadline to pay (see screenshot #2 below)
4. Customer logs in to online banking at their bank
5. Customer sets up the merchant as a payee
6. Customer pays the bill using online bill pay
7. Payment is settled electronically through MasterCard RPPS
8. Merchant ships the goods

Results
Approximately 6 percent of all Big Al orders now choose the SECURE-eBill option. Of those, nearly 40 percent are new customers. In addition, the cost to process the checks is 60 percent less than the discount rate the company would have paid had the customer paid with a credit or debit card.

At CompSource, customers are rewarded with a 5 percent savings ($25 maximum discount) at checkout when selecting the ebilling option. The company has not released results, but it must really like the system. Its website has numerous references to the 5 percent savings, including a link by each price reminding users that they could save "up to 5%."

Analysis
If you consider the time it takes to log in to your bank account, set up a new merchant, then pay the bill, it will take three to five times as long as using a credit card at checkout. However, it is slightly faster to check out using the ebill option because you avoid entering a credit card number, expiration date, and security code.

As irrational as it seems to regular online shoppers, this system evidently has considerable appeal. How else can you explain 6 percent penetration at Big Al's with no merchandise discount? Evidently, it appeals to customers who are either concerned about entering payment info on a merchant's website, or who somehow like the extra control they get by entering the payment into their bill pay system where they can keep closer tabs on the payment. It's a good lesson in payment system design: Not all customers trust the most efficient system.

Merchants like it because it increases sales. And transactions cost less than credit card interchange, although the interchange savings are likely eaten up by extra customer service and reconciliation costs at the merchant.

--JB

Continue reading "E-billing at the Point of Sale for eCommerce" »

Judging by media reports, almost everyone in the civilized world has lost their identity to cyber-criminals. But while there has been an unending torrent of news about data breaches and related identity thefts, the damage has been much less drastic than that, says a study from Javelin Strategy & Research.

“The impression in the general public is that identity fraud is spiraling out of control, but what we came away with is the contrary; the growth [in the phenomenon] has been contained,” says Rubina Johannes, the Javelin research analyst who wrote the report.

Continue reading "The Truth about ID Theft from Javelin Strategy" »

A consortium of six major banks and the country’s largest accounting firms said Wednesday that they were setting uniform computer-security standards, designed to ensure that the third-party computer providers they do business with are adequately protecting both their computer systems and the information those financial firms send them.

“This is good news,” says Avivah Litan, vice president and research director of Gartner Inc. “I don’t think it goes far enough, but it’s smart for them [the institutions] to do it in steps, if that’s what they’re doing. But they need to do it beyond the service providers. They need to do it themselves”

Continue reading "Data Security Standards Set by Major Financial Institutions" »

ING Direct <ingdirect.com> is the latest bank to move to greater personalization in order to distinguish its messages from phony phishing attempts. The bank has added the customer's first name and masked all but the last three digits of the customer's number (click on inset for a closer look).

The message at left was sent to customers to market ING's latest deposit promotion: 4.75 percent APR for new money.

The same technique is also used for routine account alerts (see inset right).

Note: The high-impact sales pitch for its 4.75 percent deposit promotion.

Analysis
While it doesn't prevent phishers from attempting to recreate the same look (see footnote), it's an effective first line of defense. Besides, the personalized greeting is a friendler way to communicate with customers. Citibank has been using a similar approach for more than a year (NetBanker, May 30, 2005).

Footnote: Yesterday, we received a fake email that recreated the Citibank personalized area in the upper-right corner. The crooks just left blank the Email Security Zone in the upper-right corner, figuring many users won't look that closely at the box (click on inset for a closer look).

--JB

Wow. It's not often a press release rates an article in BOTH The Wall Street Journal and The New York Times. But that's exactly what happened today when E*Trade made the relatively innocuous announcement that it wouldn't hold its brokerage customers responsible when their accounts were defrauded.

Consistent with previous innovations, the online brokerage and banking powerhouse wrapped its new message with impressive graphics and copy (see inset above-left for graphic displayed on its homepage today). Clicking on Learn More leads to an impressive security area where E*Trade touts four main protective measures (click on inset above-right for a closeup)*:

1. Security tokens
2. Electronic statements with paper turnoff
3. Email alerts
4. Antiviral and firewall software, which can be purchased through a link to Norton (60-day free trial offer); users can also run a real-time scan to check for vulnerabilities

Analysis
It just goes to show you how skittish the public has become about online security. I'd wager that most brokerage customers are sophisticated enough to realize they will eventually get their money back if it's stolen from their account. So this is a non-event from a financial standpoint. E*Trade even admits that online fraud cost it only $2 million last year, less than the cost of one of their famous Super Bowl ads. The brokerage also said there were "fewer than 50 incidents," implying a fraud loss of approximately $40,000 per incident.

Evidently E*Trade's marketing department prevailed over its legal counsel and actually put the company's fraud-protection policies in writing. It's amazing that makes headlines in 2006 and may say more about the growing need to cover your behind to fend off the class-action bar even if it means scaring off customers.

We hope this prompts other financial institutions to take similar action. One of the main functions of financial institutions is safeguarding assets. Customers, online or otherwise, shouldn't have to guess whether certain types of fraud are covered. As any good lawyer would say, "Put it in writing."

--JB

*The screenshot displayed here is only the top portion of the security area, to download a screenshot of the entire page, click here.

Remember the old saying (usually attributed to Mark Twain), "Never pick a fight with someone who buys his ink by the barrel." An unnamed "national bank" has created an enemy of LA Times reporter Steve Lopez, who so far, has not publicly identified the bank that refused to reimburse him for the $2000 drained out of his account after an ATM-card-skimming incident. But given his location, and the hints in the article, it's probably Wells Fargo, BofA, or WAMU. Given our personal experience with the relatively strict Wells Fargo credit card authorization guidelines, combined with the relatively small WAMU checking account base, our money is on BofA as the culprit.

In this particular case, the bank did the right thing initially, crediting the reporter's account for the $2000. However, it reversed the amount four weeks later, sending a form letter with no explanation. In a followup call, the bank service rep told Mr. Lopez that he had not returned phone messages from bank investigators, so they concluded the disputed ATM withdrawals were "authorized and posted correctly."

Action Items
This type of bad publicity is entirely avoidable:

1. Prevention: Your ATM system should not allow four $500 withdrawals in three days, unless the customer has a history of large cash withdrawals.
2. Notification: All large ATM withdrawals should trigger alerts, first by email, then by phone if the withdrawals continue.
3. Communications: Make sure you communicate the results of your ongoing investigation clearly to the customer. Customers should receive a stream of emails, letters, and phone calls keeping them apprised. If possible, all emails should be posted to the customer's online banking account to create a paper trail.
   
   

   Most of the above steps are relatively expensive to implement if not supported by your current systems. So you might want to consider a fourth item:

4. Flag reporter accounts: Treat reporters like VIPs, making sure their accounts are flagged, and that you bend over backwards to give them the benefit of the doubt when disputes arise.

--JB

If you are a smaller bank or credit union and are phished for the first time, you might consider the approach Everbank took in response to a phishing incident today.

The bank took the unusual step of sending an email to its customers warning them about the fraudulent email (click on the screenshot below for a closeup). They even included a copy of the phishing message at the bottom of the warning. The bank also posted a small red-outlined box on its homepage (see inset) with a link to the same email message.

Analysis
Although it may seem futile to send an email warning about a fake email, we think it's a good idea if the phishing episodes are infrequent. The big targets such as Citibank or PayPal can't do this, not with dozens of attacks every month; however, smaller companies should consider proactive email communications, but no more than a few times per year, otherwise customers won't pay any attention.

Most users will realize the Everbank response is genuine, because it doesn't ask for any customer information, especially when they compare it to the fake message at the bottom of the screen.

Yes, some customers will be even more confused. But hopefully their calls to customer service will provide you with a chance to put them at ease. There are costs associated with these anti-fraud efforts, but that's part of the trust involved in being in the banking business.

--JB

Bank of America launched a co-branded version of Earthlink's toolbar designed to prevent users from surfing to fraudulent websites. Of note is its official name, Bank of America Toolbar Powered by Earthlink. It's highly unusual for a bank, especially the largest consumer bank in the country, to give a partner such high billing. Our guess, although unconfirmed, is that Earthlink is paying the bank for the product placement.

In a similar manner to eBay's toolbar released in 2002, the BofA/Earthlink version uses red, green, and yellow lights to indicate whether a website is known to be safe (green), known to be fraudulent (red), or unknown (yellow). A popup blocker is also included. The toolbar is free and can be downloaded by any Internet Explorer for Windows user, you do not have to be a customer of the bank or Earthlink. According to Earthlink, a Mac version will be available soon. The toolbar does not work in other browsers.

The toolbar was announced in a press release today, and is accessible from a small link on the right of the homepage (click on inset for a closeup).

Analysis
Bank of America's toolbar is the first of what we expect to be a major source of differentiation during the next five years: the branded desktop presence (see OBR 85, for more information). The Scamblocker toolbar is a relatively low-tech entry into the space. More sophisticated offerings, such as Southwest Airlines Ding (NetBanker, 5 Dec), are on the way later this year, if not at BofA, then at its U.S. competitors.

--JB

ING Direct's <ingdirect.com> three million U.S. customers now must enter passwords into the site with an on-screen PIN pad. Users have the choice of clicking on their numerical PIN or typing the corresponding letter into an on-screen box (see screenshot below). The letters are scrambled each time to defeat many keylogging programs.

Although, the virtual PIN pad technology has been widely deployed elsewhere in the world, it's new in the United States.

Analysis
Until recent deployments at Bank of America (NetBanker May 26), Citibank (NetBanker May 30), E*Trade (NetBanker March 2), and a handful of others, ING Direct has been the sole U.S. bank making at least a minimal attempt to make login more secure. For the past four years, it's required a third piece of information at login (partial social security number or year of birth). It's not really multi-factor authentication, because the third piece isn't too difficult to figure out, but it at least provided the perception of better security (click on screenshot below to see closeup of login page).

The virtual PIN pad, first used by ABSA Bank in 2003 (see Online Banking Report 96/97), isn't foolproof, but it does make it tougher for key-loggers and phishers to successfully recreate the login process at the bank. It's also a relatively inexpensive improvement with very little customer impact. In fact, I'd expect that the customer response is overwhelmingly positive.

If the bank combines these cosmetic security features with robust behind-the-scenes authorization controls, it should have enough to keep the crooks at bay AND satisfy regulators.

--JB

Washington Mutual <wamu.com>, which has been pitching free checking in Seattle for as long as we've lived here (mid 1980s), recently added ID Theft Services to its list of free checking account enhancements.

A mid-October direct mail we received at our home touted the following benefits, along with a $75 American Express Gift Cheque, for signing up for a new checking account (italics are theirs):

• No direct deposit required
• Free Telephone Banking
• Visa Check Card
• No per-check charge
• Free Personal Online Banking
• Free Personal Bill Pay service
• Free ID Theft Services

In addition, to the above bullet points, the Free ID Theft Services had its own paragraph, one of just four total in the short sales letter:

Exclusively for Washington Mutual customers: Free ID Theft Services. If you become a victim of identity theft, we provide insurance that helps you with your legal and other identity theft expenses up to $5,000 with no deductible. This valuable service also provides professional assistance, plus access to credit reports, management tools and more.

No other information was provided in the letter or the fine print. But looking at the bank's website we find that the free services lead to a pitch for full three-bureau credit report monitoring from Intersections <intersections.com> (click on inset for partial screenshot or download the entire screenshot, links will not work). It's all explained on Washington Mutual's proprietary identity theft site, ID Theft Inspect <idtheftinspect.com>.

Analysis
With all the concerns about online safety and fraud protection, it makes perfect sense to offer identity theft protection services to customers, especially when you will be helping defrauded customers whether you make it an account benefit or not.

We like how WAMU offers certain services to all account holders, then upsells them into full credit report monitoring. However, the bank's pitch for fee-based protection could be far more effective if it:

• Offered online signup -- Currently customers must signup in branch or call a toll-free number.
• Disclosed the price -- There is no mention of a monthly fee, either in the main body of the copy, or in the detailed disclosures. This is a sure way to lose customers.
• Provided a more detailed view -- The promotional copy does a good job of explaining the benefits; however, beyond a few blurry screenshots, there is no way to preview the level of detail to be provided with the service. The bank needs an online demo, tutorial, or FLASH presentation.

Overall, we give it a B+; disclose the price and it's an A-.

--JB

It's been four months since Bank of America surprised the industry with its endorsement of PassMark Security <passmarksecurity.com> for multi-factor consumer login (see NB 26 May 2005). Since then, we've talked to a number of industry participants that claim to have a better mousetrap, which they may.

We are not in a position to pass judgment about the technical merits of one system compared to the next; we'll let the market sort that out. And true enough there are weaknesses in the PassMark system as we noted in our Online Banking Report article (OBR 119).

But we still believe PassMark will be one of the survivors as it builds upon its BofA relationship and adds other customers down the road. The first new win is discount broker Scottrade <scottrade.com>, which announced yesterday that it will install PassMark to improve login security for its 1.4 million consumer accounts (see inset above). The broker also becomes the first client to say that they will also add the PassMark identifying image to outbound emails so recipients know the message is legitimate.

Added to the 13+ million BofA accounts, PassMark now boasts that it will be "protecting 15 million users in 2006," a powerful marketing message for the startup. Separately, the company announced v2.0 of its two-factor authentication system.

Off-Topic
Speaking of marketing, you should take a peek at PassMark's website if only to see how it markets to financial institutions (see inset left). The company provides a 4.5-minute comprehensive audio briefing done in Macromedia Breeze along with a series of three short demos showing how the system works for: a) new users; b.) users logging in from a known computer, or; c.) users logging in from an unknown location.

The company's website is remarkably brief and to-the-point, especially for a B2B tech vendor. If you are looking for ideas on how to spruce up your online marketing to businesses, this is a good model.

--JB

If you are looking for a spam/spyware/phishing resource for your online customers, OnGuardOnline.gov is a good resource, especially for novice users.

The site is sponsored by The Federal Trade Commission, Dept. of Homeland Security, U.S. Dept. of Commerce, and The United State Postal Inspection Service. They also had some help from the private sector, with some content provided by Microsoft and The Internet Education Foundation www.neted.org. The site also lists a number of other partners, but does not disclose their contribution. None of the listed partners are closely associated with the financial services industry.

The main content areas cover:

• ID theft
• Spam scams
• Phishing
• Spyware
• Shopping
• P2P file sharing
• VoIP

Analysis
The information is thorough and presented in a audio-visual format that is easy to digest (click on inset to see a closeup of the homepage). The videos from Microsoft are particularly well done. And surprisingly there is no plug for the software giant, they don't even have a logo on the site.

The interactive Flash games are a little on the hokey side, but they get their points across. The Stop-Think-Click: 7 Practices for Safer Computing is very well written and hopefully will become widely circulated in the popular press.   

Action items
Financial institutions should use the site either as a direct resource for customers or as a blueprint for the material which should be presented in a bank's security and privacy area. The 7-point Stop-Think-Click material is especially useful to present to users.

The only slight hesitation we have about referring customers directly to OnGuardOnline.com is that it may be somewhat overly frightening. We think it's better to cover these issues yourself so you can provide reassurances along the way as to how you are helping solve these vulnerabilities.

But for those who haven't the resources or budget to create your own security center, this is a good reference point.

-JB

Katie Kuehner-Hebert looks at the issue of mandating consumer password changes in today's American Banker. She cited only a single bank doing it, West Georgia National Bank <www.wgnb.com>, which recently began requiring new passwords every 45 days. None of the financial institutions we are familiar with force password changes, although NextCard did when it first launched in 1997, but later it did away with the annoying requirement.

Analysis
This is one of the least effective ways to improve security. In fact, it may have exactly the opposite effect for two reasons:

1. Customers cannot memorize a new password every 45 days, so they will have to write it down somewhere near their PC where it can be seen by others.
2. Once users begin to realize what a hassle it is logging in to your website, they will forgo online access altogether or use it much less frequently, therefore reducing the frequency of account monitoring which can reduce the impact of identity theft and other fraud.

And even the method did reduce fraud, it's unlikely to be cost effective due to the increased burden on customer service and decreased customer satisfaction.

Offer choice
Some customers do like the idea of periodic password changes, but forget about mandatory changes. We like the M&T Bank <www.mandtbank.com>. The Buffalo-based banks allows customers to choose whether to have mandatory password changes at either 30, 60, 90, 180 or 365 days. They can also choose NOT to have a mandatory password change (click on inset for a closeup).

An even simpler way to give customers the choice is to allow customers to program an alert reminding themselves to change their password. The alert should NOT have a link back to the bank, otherwise it will look like a phishing message.

--JB

Under the "every little bit helps" theory, Citibank's popup window when registering for online credit card access is a nice touch.

The popup (click on inset for closer view) reassures users that they are entering information into a secure site. The well-crafted verse goes like this:

Secure.
A little word that that means a lot--especially online.
Rest assured, this registration process is just that.

The window closes itself in about 10 seconds, if the user hasn't done so already.

--JB

To learn more about how to promote online security and peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

The problem with most published information on consumer attitudes is that they don't show the trend. It's interesting to see that a certain portion of the population expresses concern about ecommerce security, but it's not really actionable unless you see it in context. That way you know if the concern is growing, stable, or lessening. Or if consumers are more concerned about branch lobby security, telephone, or mail security.

Kudos to Informa Research for publishing a table showing consumer attitudes on online banking security dating back to 2000. As you might expect, consumers are significantly more confident than they were five years ago (59% vs. 49%), but there has also been a substantial drop-off since 2003 (59% vs. 70%).

Percent of consumers that Completely or Strongly Agree with the following statement:
Internet-based transactions handled by financial institutions are safe and secure

2000  49%
2001  56%
2003  70%
2005  59%
-----------_
Source: Informa Research, Aug. 2005, n = 1690

Analysis
Taking a cup-is-half full approach, we are pleased to see that the majority of consumers still consider online banking to be safe. Although the drop-off from 2003 is a concern, we've probably hit bottom, barring any dramatic breeches in the near future. As banks institute security upgrades such as multi-factor authentication, broader security alerts, and secure messaging, consumer confidence will grow.

--JB

If you'd like to learn more about the future of online banking, check out the Online Banking & Bill Pay Forecast: Current, future and historical usage: 1994 to 2016 from our sister publication, The Online Banking Report.

We've warned against using too many scare tactics on your website (see OBR 119, Marketing Security). Here's data to support that argument.

The latest Pew Internet Project survey (PDF) found that more than 70% of Internet users had either never heard of the term Internet phishing (15%) or were unsure of its meaning (55%), leaving just 29% who said they had, "a pretty good idea of what the term meant." In comparison, 88% of Internet users had a pretty good idea of what Spam meant, 78% knew Firewall and also Spyware, while 68% understood Internet cookies, and even 52% knew Adware.

--JB

Bank of America issued a press release saying that it went live today in Tennessee with its OBR Best-of-the-Web-winning multi-factor authentication system. However, a search of the bank's website, using Tennessee as our state, found no mention other than the "coming soon" paragraph that's been posted for the past several weeks (click on inset to read).  

">Read our previous article.

--JB

Now that Visa, MasterCard, and American Express and others are actively putting so-called contactless cards into the hands of consumers (Chase's blink for instance), it's not such a far-fetched thought that these radio-frequency (RF) cards could be used as the extra factor for online banking login.

PCs equipped with RF card readers could read the user's plastic, allowing the user to log in securely with just a username/password, or conceivably just a password.

But PC makers aren't going to add card reading technology, no matter how cheap it is, just for online banking. But if merchants began insisting on the RF readers to cut down on card fraud for online purchases, perhaps with the associations agreeing that a purchase made with a PC-based RF reader qualified as a "card present" transaction, then the technology could take off.

Using contactless cards online could be more beneficial than using them for off-line purchases. In the physical world, the contactless card merely saves a few seconds compared to swiping it through a conventional terminal. But online the savings could be more dramatic, potentially allowing the customer to skip typing their card and verification number into a web forms. 

--JB

Today's American Banker reports that $365 million-asset Stonebridge Bank (West Chester, PA; $365 million) and American Bank (Allentown, PA; $500 million) are following E*Trade's move to offer hardware tokens to authenticate consumer logins.

As of May 30, Stonebridge is offering the token free-of-charge to any of its 4500 consumers who request one. The token will be mandatory for its 500 business customers. In its security FAQ, the bank says it will charge $25 annually, its out-of-pocket expense for the device, after the first year. They also charge $25 to disconnect the token during the first year and $25 to replace it within 5-7 business days, or $45 total for overnight delivery.

American Bank is sending the token to 1000 customers who said they would like one in a recent survey. There is no charge for the service. The bank expects to order another 1000 from RSA Security next month. It pays approximately $20 each, which does NOT include maintenance costs to operate the system.

Analysis
We applaud these three financial institutions for moving beyond the username/password. However, except for the most demanding customers, primarily businesses, hardware-based solutions are overkill.

The Bank of America/Passmark approach is much better. Not only is it more cost effective, it also much easier to use and also helps prevent the user from logging in at a fake site. 

--JB

It's fitting that the financial company most targeted in phishing attacks, Citibank, would be the first to introduce a new email format that goes a long way towards helping users identify legitimate email messages.

The personalized emails (click on inset to enlarge) include not only the name of the recipient, but also the last 4 digits of the user's ATM card. While simple personalization with the customer name would help many users identify legitimate emails, it's far from fool-proof.

First, there's the relatively common practice of including first name and/or last names in email addresses. Also, some phishers are using direct marketing tactics and first running email addresses through various databases to append actual names and other info to the email record in order to develop a personalized pitch (see ZD-Net article).

Citibank's new email format was announced to customers through a short message on the top of the online banking screen in early May. It is also now mentioned in the bank's main FAQ page.

Analysis
This is a great first step in winning back the confidence of users. Eventually email standards will evolve so that the email client will be able to readily identify legitimate emails, but that could be years in the future.

If you are considering a similar approach, you might want to let users choose the name and identifying information that appears in the personalization box. In February, we reported on a UK security initiative that took that approach.

For more information:

• Previous NetBanker post on eBay's personalized email strategy
• Security & Privacy from Online Banking Report (#93/94)

-- JB

Editor's Note: Citibank received an OBR Best of the Web award for this and other security features in Online Banking Report #119, "Marketing Security."