
Security & Privacy Archives

Wall Street Journal's Walt Mossberg Loves Mint, Hates Financial Email

By Jim Bruene on May 1, 2008 2:49 PM | 1 Comments

It was online banking week in Walt Mossberg's popular Wall Street Journal technology columns. Yesterday in The Mossberg Solution, authored by 20-something Katherine Boehret and edited by Mossberg, Mint's personal finance service received a half-page article so complimentary I had to look twice to make sure it wasn't an advertisement. Boehret couldn't find a single thing wrong with the service, although she did wish for bill payment capability so she could do all her banking within Mint. I'm sure she'll have her wish granted relatively soon.

In today's Personal Technology column entitled, How to Avoid Cons that Can Lead to Identity Theft, Mossberg himself dropped a bomb which will impact bank-marketing efforts for years to come. His first of seven tips for safe computing:

Never, ever click on a link embedded in an email (from your) financial institution....

That's harsh, but it's also understandable why he'd take that stand. Mossberg strives to make technology issues understandable to non-techie readers. However, it would have been better to add, "unless your bank adds account-specific personalization to the messages so you know for sure where they originated." 

Action Items
Many financial institutions, including Citibank and Bank of America, have long used personalization to distinguish legitimate messages from phishing attempts. Financial institutions with good personalized messaging should consider a public outreach program to counter the negative perception from the Mossberg column. It also might be a good time to remind front-line employees how to respond to customer concerns about phishing emails.

For more information, see our Online Banking Report on Marketing Security.


U.S. Bank Uses Login Splashscreen for Security Warning

By Jim Bruene on December 4, 2007 11:04 AM | 2 Comments

The best way to get the attention of your online banking customers is by dropping a landing page in front of them right after they login. It's a bit annoying, but if used judiciously it can be extremely effective. PayPal has been using this technique for most of the eight years I've had an account there.

U.S. Bank is fairly new to this technique, using it just a few times a year for service-related messages. The latest, a 100-word message that reads like it was crafted by the legal department, was posted on Nov. 29 and warned customers about fake emails (screenshot below). 

It's a good idea to remind customers about your email policies to help them avoid scams. However, U.S. Bank only warns against low-tech fakes asking for account info or PINs. Few consumers would fall for that any more. The bank fails to address the more common, and far more effective, approach of sending users to a fake website via a disguised link. The bank should explain what a genuine U.S. Bank email looks like and how to tell it apart from the fakes. 

A few other ways to make this message more effective:

  • Link to an area on the website for more info on security
  • Provide an email address and/or phone number to call if there is a question about the validity of a bank message
  • Use a professional copywriter to craft a clearer and more concise message
  • Use a larger font
  • Use a heading or subheading that introduces the specific subject 
  • Add a graphic to make the topic stand out, for example the security image from U.S. Bank's homepage (inset above)


Taking the High Road in Credit Monitoring and Identity Fraud Protection

By Jim Bruene on September 26, 2007 6:16 PM | 0 Comments

I was looking at Geezeo's new Facebook app this morning (more on that later), and I noticed one of the best credit report monitoring ads I'd ever seen. 

Instead of focusing on the negative aspects of your credit history, the banner ad features "testimonials" of the significant savings available with good credit (the banner above claims a $310 savings in her house payment). The stories are provided under the header, "Credit Diagnosis." And, I was initially impressed after clicking through the ad to find a good landing page with more of the same.

However, the mostly-anonymous company behind the banner, FreeCreditReportsInstantly.com, uses a $1, 7-day trial come-on for its $29.95/mo credit report monitoring service. I have no problem with the company charging what the market will bear. And to its credit, FreeCreditReportsInstantly (FCRI) does disclose the go-to fee on the first page of the application. But I think the typical young Facebook user is not going to be happy seeing $29.95 monthly fees on their credit or debit card.

Why would anyone pay $360/yr for credit monitoring?
The Internet was supposed to make it hard for companies to charge 2x to 3x the going rate when dozens of competitors were just a few clicks away. But here we have a company doing just that, and evidently bringing in enough revenue to afford a Facebook ad buy, not to mention holding down the number 3 ad slot on Google searches for "free credit reports" (note 1).

The answer is complex. It has to do with consumer confusion over the whole business of credit scores, ID theft, and the government-mandated free reports, which are what most Googlers are looking for when they type "free credit report." And consumers must share part of the blame too. In a rush to get "something for nothing" they blindly fill out "free trial" forms without reading the fine print or taking time to investigate alternatives.

Taking the high road
But the dizzying array of credit monitoring options provides an opportunity for banks and credit unions to do the public a great service, and turn a nice profit, by educating their customers and offering value-priced alternatives: 

  1. Credit scores/monitoring: Instead of pushing credit monitoring services that are too confusing and too expensive for the mass market, provide customers with their credit score each month, and if it takes a dive, alert the customer and provide the tools to access their credit report to investigate any potential problems (see our post yesterday and note 2).
  2. Identity fraud support: Citibank's Identity Theft Solutions advertising blitz was a nice humorous break from most bank advertising. However, I think it did a disservice by making full-blown identity fraud seem more commonplace than it really is. Consumers needn't be frightened, they need to be careful, they need to understand what to look for, and they need to know where to turn in the event of suspected fraud.

And since most banks and credit unions don't have the resources to provide full-service fraud assistance, turnkey solutions providers have stepped up to fill the need. We are lucky to feature one such company at our Finovate conference next Tuesday in NYC.

Full-service education and victim response from Identity Theft 911
Five years ago, I met the entire Identity Theft 911 team when they were in Seattle making sales calls. It was refreshing to see someone in the identity fraud space taking a genuine interest in helping the end-user out of a jam, rather than simply trying to get them on the hook for a $150+/yr monitoring service. And over the years, I've kept in touch with the company chairman, Adam Levin, as he's worked the trade shows to garner support for Identity Theft 911 and his other company, Credit.com. Adam will take the stage Tuesday morning in NYC to demonstrate the full range of his company's resources to help banks and credit unions make their customers feel MORE secure, rather than more afraid (see screenshot below of AFL-CIO Employees Federal Credit Union's Identity Theft 911-powered services, link here).  

Note:
1. Search performed from Seattle IP address mid-morning on 26 Sep 2007.   

2. For more information on credit monitoring, see the latest Online Banking Report here.


Anatomy of a Webpage: Citibank Business Credit Card

By Jim Bruene on September 24, 2007 4:59 PM | 0 Comments

In terms of website design, I find most Citibank pages to be somewhat busy. But overall, the pages usually work well due to the eye-catching graphics, appropriate use of colors, and good copywriting.  

I've had a Citibank Business AAdvantage credit card for at least a decade. Even though I don't visit the site often, maybe once every few months, I find that it's generally easy to find what I'm looking for. 

As you can see in the business card example below, the bank uses purple and green "buttons" to catch your eye, then inserts important key words within them to drive action:

  1. The purple, "Fraud is not your fault" reinforces that customers are not liable for unauthorized transactions, something most people are still concerned about, even though their liability is minimal. The button leads to a page that discusses advanced fraud fighting tools such as virtual account numbers and a picture card.
  2. The navy, "How much have I spent lately?" allows users to quickly drill down into a key area of concern for most card users. Although not as powerful as Wells Fargo's My Spending Report (previous coverage here), it's still a good starting point for many users.
  3. Finally, the bright green, "Help prevent an identity crisis" pitches the bank's credit monitoring solutions (note 1).

Citibank Business Credit Card main account overview page (22 Sep 2007)

Note:

1. For more information on bank and credit union opportunities selling credit report monitoring see our most recent Online Banking Report.


Bank of America Launches SafePass, but You'd Never Know From its Website

By Jim Bruene on September 12, 2007 10:30 AM | 4 Comments

If you were in the office yesterday, you probably heard about Bank of America's announcement of SafePass, an optional out-of-band authorization technique for high-risk online banking transactions. It was all over the news, including the trades, blogs, and a few mainstream press articles. Here's the press release.

The system, common in many countries, but available only at Citibank in the United States (previous coverage here), sends users a 6-digit code via text message. The code is then entered at BofA's website to authorize larger transfers, new bill-pay merchants, new accounts for funds transfer, or to login from a new computer, not previously "registered" for online banking. VeriSign developed the technology.

The service will roll out across the BofA empire this year, with many customers having it as soon as next week. Next year, a wallet-card token "SafePass card" will be offered for customers who don't have text-messaging capabilities on their phones.
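The SafePass flow described above, written out as an added example (this is not Bank of America's or VeriSign's code): a step-up policy that challenges only the request classes the article lists (larger transfers, new bill-pay payees, new funds-transfer accounts, login from an unregistered computer), and a single-use, time-limited 6-digit code that is bound to the request it authorizes so it cannot be replayed to approve a different one. The transfer threshold, the device/payee registries and the in-memory stores are assumptions made for the example.

```python
"""Out-of-band step-up authorization in the style of SafePass.

Added illustration only; thresholds, store layout and names are assumed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300          # assumed: a code is valid for five minutes
LARGE_TRANSFER_LIMIT = 1000.00  # assumed threshold for a "larger" transfer
MAX_ATTEMPTS = 3                # assumed: three wrong guesses burn the code


@dataclass
class Session:
    user_id: str
    device_id: str
    enrolled_in_safepass: bool = True   # the feature is optional


@dataclass
class Request:
    kind: str            # "transfer", "add_payee", "add_transfer_account", "login"
    amount: float = 0.0
    target: str = ""


# Assumed server-side state (constructed sample data for one customer).
REGISTERED_DEVICES = {"alice": {"laptop-home"}}
KNOWN_PAYEES = {"alice": {"electric-co"}}
KNOWN_TRANSFER_ACCOUNTS = {"alice": {"acct-savings"}}


def needs_step_up(session: Session, req: Request) -> bool:
    """True when the request is one of the high-risk classes listed in the
    article. Customers who did not opt in are never challenged."""
    if not session.enrolled_in_safepass:
        return False
    uid = session.user_id
    if req.kind == "login":
        return session.device_id not in REGISTERED_DEVICES.get(uid, set())
    if req.kind == "transfer":
        return req.amount >= LARGE_TRANSFER_LIMIT
    if req.kind == "add_payee":
        return req.target not in KNOWN_PAYEES.get(uid, set())
    if req.kind == "add_transfer_account":
        return req.target not in KNOWN_TRANSFER_ACCOUNTS.get(uid, set())
    return False


@dataclass
class PendingCode:
    code: str
    issued_at: float
    request_fingerprint: str   # ties the code to exactly one request
    attempts: int = 0


PENDING: Dict[str, PendingCode] = {}
SENT_MESSAGES: List[Tuple[str, str]] = []   # stands in for the SMS gateway


def _fingerprint(req: Request) -> str:
    return f"{req.kind}:{req.amount:.2f}:{req.target}"


def issue_code(session: Session, req: Request, now: Optional[float] = None) -> str:
    """Generate a random 6-digit code for this request and 'send' it out of
    band (here: appended to SENT_MESSAGES). Re-issuing replaces any older code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    PENDING[session.user_id] = PendingCode(code, now, _fingerprint(req))
    SENT_MESSAGES.append((session.user_id, f"Your SafePass code is {code}"))
    return code


def verify_code(session: Session, req: Request, submitted: str,
                now: Optional[float] = None) -> bool:
    """Accept the code only if it is unexpired, was issued for this same
    request, and matches in constant time. The code is consumed on success
    and after MAX_ATTEMPTS failures, so it can never be reused."""
    now = time.time() if now is None else now
    pending = PENDING.get(session.user_id)
    if pending is None:
        return False
    if now - pending.issued_at > CODE_TTL_SECONDS:
        del PENDING[session.user_id]
        return False
    ok = (hmac.compare_digest(pending.code, submitted)
          and pending.request_fingerprint == _fingerprint(req))
    pending.attempts += 1
    if ok or pending.attempts >= MAX_ATTEMPTS:
        del PENDING[session.user_id]
    return ok
```

A real deployment would also rate-limit code issuance per user and log every challenge outcome, since a burst of failed step-up attempts is itself a useful fraud signal.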

Analysis
SafePass is a solid enhancement to security, at least perceived security, since it probably won't do much to cut down on actual fraud losses. It's already pretty difficult to get through BofA's security gates and pull money out of someone's online account. The bank did the right thing in making it optional. Only the paranoiacs, road warriors, or those with unusually high transaction amounts will want to undergo the extra steps.   

So while it may be ho-hum in terms of fraud reductions, SafePass is brilliant marketing (note 1). It's a tangible and easily understood copy-point as to why one should choose BofA over the other 15,000 U.S. financial institutions. Think of the bragging rights they now have (all firsts are U.S. only):

  • First to integrate mobile messaging into the authentication process
  • First to offer optional extra security
  • First to safeguard the process of adding a new bill payment payee
  • Potentially first to offer choice of token or mobile text message for out-of-channel authorization
  • Only bank able to put "SafePass" on their website, a very good name
  • Able to say, "no one has more security options than us"
  • Able to say they are a "pioneer in security enhancements"
  • Able to say they "put the customer in charge of their own extra security"
  • And so on ...

Congratulations to Bank of America for once again raising the bar in online security.

Rant
While I like what the bank has done, once again I find it astonishing that even 48 hours after releasing the news in a press release here, THERE IS NOTHING ON THE BofA WEBSITE ABOUT IT. A site search for "SafePass," pretending to be from North Carolina, New York, or California, yields just a single obscure business insurance product. Bank of America's search doesn't even return the press release announcing the service!

SafePass is also not mentioned in the bank's security, online banking, or mobile banking sections. I've worked in a Fortune 50 company, so I understand all too well how hard it is to sync advertising, PR, sales, and so on at a huge company. But with 22 million active online banking users, you'd think BofA would be a leader in syncing its website to its marketing plan. 

Am I being overly critical?  It's certainly worth writing about. 

Note:

1. For more information on the synergy between security and marketing efforts, see our full report on the subject at Online Banking Report.


LifeLock's Engaging 2-Minute Television Spot

By Jim Bruene on August 28, 2007 2:50 PM | 6 Comments

Today, I was home for lunch and my son was watching a recorded episode of Myth Busters, a great show as anyone with a pre-teen child knows. As he was fast-forwarding through the commercials, I happened to see a glimpse of a LifeLock spot (see inset).

My son knows I like the commercials better than the shows, so he graciously replayed the entire thing for me. It seemed to go on forever, he said, "like a sponsored program of its own." Which from him is actually a compliment, I think. I checked out the replay online and saw that it was a 2-minute spot (note 1).

It features street scenes of New York (I think). It plays like news coverage as the big "billboard trucks" drive through town plastered with CEO Todd Davis's social security number in red, 3-foot high numbers. Interspersed are man-on-the-street soundbites from astonished pedestrians and a great testimonial from a LifeLock customer who credits the company with saving him from having someone buy an $83,000 RV in his name. It also has Mr. Davis pitching the product through a bullhorn on a crowded Manhattan street.

It's a real in-your-face commercial, but I really liked it. It does a great job of grabbing attention, reinforcing the benefits, and providing a can't-miss call-to-action. It's a good complement to the over-the-top print ads featuring the CEO's social-security-number (see previous coverage here and note 2).

LifeLock uses two different URLs in the commercial, the normal <lifelock.com> and <lifelocktv.com>. Both point to the same page now, but the company must be considering a distinct landing page for the TV URL.

The video is available in the lower-left corner of the company's homepage (below). For more information on the market for credit report and identity theft services, see our most recent Online Banking Report here.

LifeLock 2-min television spot

Note:

1. The commercial doesn't appear to be on YouTube yet, so I was unable to post the actual spot here.

2. A half-page version of LifeLock's social-security-number ad was in a recent WSJ.


Password Reset Alert from American Express

By Jim Bruene on August 25, 2007 9:17 AM | 0 Comments

I received an email from American Express late last night after resetting my password earlier in the day (see screenshot below). I can never remember my AmEx password, because I can't use my usual one due to the company's surprisingly short field of just 8 characters that also doesn't support special characters. I have it written down somewhere, but I can never find that either.

I went online late Friday afternoon to pay my overdue bill at AmericanExpress.com. I was pretty sure it was one of three possibilities, but after two unsuccessful attempts, and with the website warning me the third attempt would cause a lockout (note 1), I decided to go through the online reset process instead. 

That was easy. I just needed the card number, the code on the front of the card, and the answer to a security question. At that point, AmEx displayed my username and let me reset the password. It's one of the easier reset processes I've tested. That's a benefit to customers and helps cut customer service costs for AmEx. 

But the thing I liked most was the email message sent later that night informing me of the password reset (screenshot below). But I don't understand why it was sent more than six hours later. Why not send it right away? That would be way more impressive to customers, and would help reduce any potential fraud or privacy violations. Better yet, send a text message right to the customer's mobile, so they have real-time knowledge of the account changes.

Email Critique
Personalization: The company uses two pieces of personalization, cardmember name and the last five digits of the account number, to differentiate this message from the average phish. Excellent.  

Subject line: Your American Express Forgotten User ID is good and right to the point

From: "American Express" using an American Express email address. Good.  

Headline: Verify Your Account Transaction is a little confusing. All I did was reset my password. I'm not sure that the average person views that as a "transaction."

Copy: The copy is short and to the point, but it could use a little editing for clarity. The third sentence, "If you did contact us...." seems unnecessary. And "If you did not complete the retrieval...." is not very user friendly language.

Design & Layout: Excellent.

Overall Grade: A- for the message, B- for timeliness

Note:

1. We recommend allowing more than three attempts before lockout. It's pretty easy to forget a digit or make a typing mistake. See our Online Banking Report on Security (#119) for more information.  


LifeLock Buys Full Page in Wall Street Journal

By Jim Bruene on July 26, 2007 8:12 AM | 1 Comments

Want a shock? Open today's Wall Street Journal to p. D3 (West Coast edition).

You'll see a full-page, black-and-white ad featuring LifeLock CEO Todd Davis's social security number in a massive reverse-type, page-dominating format. There is also a 1/4 scale photo of a smiling Davis holding his social security card out to the camera. The ad offers a 30-day free trial using the WALL10 promo code, before reverting to the normal $10/mo price.

The WSJ spread will be less of a surprise if you've seen LifeLock's television spots or website recently, where the same technique has been used for some time (see screenshot below).

Although the ad may partly be for PR in the investment community, the relatively large spend demonstrates just how lucrative, and appealing, financial security services can be. We'll look at LifeLock and the whole identity theft/credit monitoring space in our upcoming Online Banking Report, due out in about 10 days.


Are New Online Personal Finance Sites Safe?

By Jim Bruene on July 20, 2007 3:18 PM | 3 Comments

A commenter yesterday asked if anyone had heard of BudgetPulse, an online personal finance site that opened its public beta site two weeks ago.

Well, we hadn't heard of it, but in this increasingly crowded space, that's no surprise. We are now tracking more than 20 online personal finance sites (previous coverage here). With low-cost server space, easier programming tools, APIs, and cheap viral marketing through blogs and social networks, the barriers to entry are a fraction of what they were just a few years ago. A good programmer could put together a simple financial tracker in their spare time.

While this will spur creativity and innovation, ultimately benefiting end-users, there is a downside. Security and privacy.

As we looked at BudgetPulse, which at first glance looks like several other Web 2.0-inspired finance sites, we couldn't help but wonder who was behind the site. There are no names, personal or company. Even the whois info for the domain is masked (domain registered in April). The only email address is disguised in spam-defeating format: "info (at) budgetpulse.com". Right now, the public portion is a two-page website with a few popup forms. The FAQs are empty. The forum is coming soon. There is a blog, but it only has three short posts. And there are misspellings in the website and blog copy. The website's entire security discussion is a single sentence:

We protect your account and data with advanced security methods.

More than likely this is simply the work of one individual who concentrated on coding the functionality first, and whose day job prevents him/her from spellchecking their HTML. But what if it's a scam? Convince a few people to use it to track their finances, then hit them with requests for their credit card numbers "to enhance the experience" or for their checking account number for payments, e.g., "Join our beta test and earn $500/mo as you test it."

I admit that could be far-fetched, and I have absolutely zero knowledge of that happening at BudgetPulse or any other site. But it does bring up the bigger issue of consumer trust at independent, non-regulated personal finance sites (i.e., non-financial institutions). Even the well-funded personal finance sites such as Wesabe and Mint must deal with the mistrust and skepticism consumers have for new companies wanting to get involved in their lives, especially their finances. 

The solution: Financial institutions, with their trusted brands, partnering with or acquiring online personal finance sites to bring new functions and features to their customers.       


Intersections Identity Guard Offering Six Months of Free Credit Report Monitoring

By Jim Bruene on July 11, 2007 1:37 PM | 0 Comments

Intersections, with 4.7 million subscribers (as of March 30, 2007), is a leader in the U.S. credit monitoring business. Its private-label programs are offered by Bank of America, Capital One, Discover, Citibank and many more leading financial institutions. I have personally used the Intersections service for nearly a decade through its distribution agreement with American Express, a partnership which ended last year.

Last year, Intersections redesigned its core consumer-direct website, Identity Guard, to feature four levels of protection (see screenshot below):

  1. Good Start (single-bureau monitoring only): Free for six months, then $4.99/mo
  2. Watchful Eye (above plus Internet fraud database scanning and quarterly credit report and score): $7.99/mo or $69/yr
  3. Extra Caution (same as above, but expanded to all three credit bureaus plus $20,000 id theft insurance): $12.99/mo or $119/yr
  4. Total Protection (above plus constant scanning of public record databases): $17.99/mo or $159/yr

Analysis
The free six months of service is a great way to get customers accustomed to using a daily monitoring service. However, the company does itself a disservice by completely ignoring the obvious customer question: What happens after six months? As far as I could tell there is no way to get an answer to that question without calling or emailing prior to starting the application (see note 1). That's unacceptable for any eCommerce application, but especially in credit monitoring, which has had its share of questionable marketing practices.

We'll look at the Identity Guard application process and products in detail in our upcoming new report, Online Banking Report: The Market for Fraud Protection, Identity Theft, and Credit Monitoring Services (available at the end of July here).

Identity Guard homepage showing four product choices

Note:

1. My first email about the potential fee has not been answered or confirmed 48 hours later. But my call to customer service this morning was answered promptly; I was speaking with someone about 50 seconds from dialing. He was a little unsure of the fee, saying "I believe it's $5.95/mo" and he "thought" that yes, you would be charged automatically to a card entered at signup. But overall, he did a decent job answering my question and surprisingly did not try to get me to sign up even though I was obviously hesitant.


Hancock Bank Approaches Hurricane Season with Proactive Approach

By Jim Bruene on June 4, 2007 4:58 PM | 0 Comments

If you live in the U.S. hurricane zone, the memories of the summer of 2005 are still all too fresh. That's why it's great to see Gulfport, Mississippi-based Hancock Bank take a proactive approach to storm season with its "storm readiness" plan released in a June 1 press release (here).* 

While normally, your disaster planning efforts rate no more than a deep link on your website, Gulf Coast residents need more prominent reassurances. Hancock does a great job reassuring customers in its press release covering these four areas of storm preparation: 

  • Designated certain branches "lighthouse branches -- beacons to safety." These branches stay open as long as possible and re-open as soon as possible. Emergency procedures for employee communications, food, shelter, back-up power, and fuel are detailed.
  • Offsite backup for its website and online banking so there will be "virtually no downtime." 
  • Data center precautions, including safeguards at its main center, dubbed "the fortress," plus plans for emergency off-site backup.
  • ATM system procedures and priorities in the event of a prolonged emergency.

Analysis
Overall, this is a good press release and sound plan, especially the concept of "lighthouse branches" which play off the company's logo and branding. It should receive good play in the local media.

However, I couldn't find this info anywhere on the bank's website, other than the press release buried in Investor Relations. This time of year there should be a prominent link to the bank's plan on the homepage or at least in the personal banking section. If you were looking for a new bank in the Gulf area, this would help your decision.

And financial institutions should do even more by making online banking and electronic communications prominent in the disaster plan. Here are eight additional ideas. While some would require product development, they are relatively minor projects. Financial institution benefits are in italics.

  1. Create a "customer communication plan" that sends emails or text messages to customers to keep them informed of developments with branch, ATM, and online banking outages.
         Helps bump up online banking and email registrations.
  2. Remind customers how important it is to have up-to-date email addresses and cell phone numbers on file.
         Helps improve your delivery rate on marketing and service messages.
  3. Since customers may not have power, they may need to rely on mobile phones for information. And since waiting on hold uses up precious phone charge time, create a call-back plan for emergencies. Customers would call or text the bank requesting a call back on their mobile.
         Helps differentiate you from the competition.
  4. Create an "open branch & ATM" query. Customers could send a text message requesting a list (with address, phone number) of all open branches and ATMs.
         Again, differentiates you from the competition. And if ever needed, will help create lifetime customers.
  5. Let customers use designated branches to charge phones or laptops in the event of widespread power outage.
         More differentiation and customer advocacy.
  6. Develop a blog that can be used to keep customers apprised of any changes to banking services. Several employees should be prepared to update the blog through mobile phones if power is out. And at least one person should have access to a satellite phone so they can remotely post updates to the blog (perhaps working with someone outside the disaster zone, who can do the actual typing/posting).
         Another great relationship builder.
  7. The Web-based branch finder should include a search for "lighthouse branches."
         Expose your impressive disaster preparations to prospective new customers.
  8. Refer customers to disaster preparation website resources so they can put together household stockpiles and family communication plans.
         More customer advocacy, not to mention the "right" thing to do.


*Full disclosure: We have done some website evaluation work in the past for Hancock Bank.   


Freakonomics Meets Identity Theft

By Jim Bruene on March 17, 2007 3:36 PM | 1 Comments

When I saw the blog postings this week that Freakonomics authors, Steven D. Levitt and Stephen J. Dubner, had penned an article on identity theft, I anxiously clicked into the Sunday NY Times Magazine to read the article (11 March 2007, link here). I had hoped that the popular statistical wizards had taken on the subject of why ID theft loss estimates vary by as much as 20-fold, from a couple billion to more than $50 billion (note 1).

Unfortunately, the article, Identity Crisis, shed no light on any of the statistical anomalies nor did it offer any help with definitions, even after using this lead sentence:

There are as many varieties of identity theft today as there are varieties of, say, mushrooms.

The lightly researched article relied on the usual Javelin and FTC numbers and reached the unsurprising conclusion that merchants are the ones that most care about credit card fraud. But the authors glossed over the fact that it's the online merchants who are burned most by card fraud, due to card-not-present chargeback rules (note 2). Real-world card swiping merchants are often made whole for fraud situations provided they followed the card association rules for checking the signature scrawled on the receipt against the 1/8 inch script scribbled on the back of the card (as if that stops much fraud).

The authors also failed to realize, or at least note, that the oft-cited Javelin finding that more than half of ID theft is from people you know, includes only the situations where the victim has knowledge of who perpetrated the fraud. In round numbers, here's what the pie looks like:

  • 50% of ID theft victims don't know who stole from them
  • 25% know who stole from them, but have no relationship with the crook
  • 25% know who stole from them, and the crook was family, friend or co-worker

I believe that it's a bit of a stretch to say that half of all identity theft is from related parties when it could be as little as 25% or as much as 75%.

Blog Comments on ID Theft
Unlike the old days when the only way to interact with an article was a letter to the editor, Levitt and Dubner maintain a blog (here) where readers can sound off on the issues. The blog entry, Who Cares About Identity Theft?, went up on March 9, two days before the full article appeared in the Sunday Times. I was surprised today (March 17) to find only 29 comments on the identity theft piece, especially since the blog has more than 55,000 readers and both the print and online NY Times columns directed readers to the Freakonomics blog.

And no one seemed to care that the authors did little to further the debate on identity theft, chargebacks, or law enforcement priorities (note 3). In fact, it appeared that only a half-dozen of the commenters had even read the full article. So we have at least a partial answer to the "who cares" question, not the blog readers (note 4).

 

Notes:

1. During the past month, I've had conversations with extremely frustrated reporters from the Wall Street Journal and Wired Magazine, who were trying to figure out what the true costs of financial fraud in the U.S. really are. 

2. I have to admit being biased here. As an online-only merchant, I pay large credit card fees, around 3%, which cover the supposed "high-risk" nature of online commerce, even though I have zero recourse if the charge is later disputed as fraudulent.

3. The article had conflicting anecdotal evidence on law enforcement efforts to stem financial fraud, saying the FBI usually needed at least $100,000 in losses to get involved. The article implied, but did not explicitly say, that lesser amounts are not pursued aggressively by local police departments, although it cited an officer from the Los Angeles County Sheriff Department's ID Theft Task Force, which at least sounds like significant enforcement action.

4. It's not so much that consumers don't "care," but that they are no longer so interested in discussing it and/or they are less concerned now that many understand that they are well protected against financial loss.


Beating Debit Card Fraud with Mobile Banking

By Jim Bruene on March 15, 2007 5:03 PM | 0 Comments

ClairMail schematic of actionable text message alert 

There is no doubt consumers love debit cards. Despite cloudier fraud protections, no free float, and the confusion of "signature vs. PIN," growth continues at a 20% annual clip, with total U.S. transactions surpassing credit 15 to 18 months ago (see numbers here).

But continued negative press coverage could slow the growth. For instance, today's lead article in the Wall Street Journal's Personal Journal section, How to Protect Your Plastic, focused on recent debit card skimming incidents. 

What can a financial institution do to counteract the negative press?

1. Educate customers on their limited liability

2. Provide clear and understandable zero-liability fraud protection guarantees

3. Provide tools for monitoring checking accounts, such as transaction and security alerts

But once you have those "best practices" in place, you can still boost usage, and differentiate your debit card and checking accounts by integrating actionable text-message alerts (see ClairMail example above). 

While the industry-standard email alerts are helpful, the phishing epidemic, spam filling up the in-box, and the time lag for reading and responding to bank emails make them less and less effective for time-sensitive communications such as fraud alerts.

Enter the mobile phone. Most banking customers now keep a mobile device within "three rings" of their person much of the day, and almost always when out of the house. Therefore, a real-time text message each and every time a debit card is used will go a long way towards making users comfortable that their card has not been compromised. And in the event there is a fraudulent transaction, a quick text message back to the issuer can lock the debit card down, avoiding any additional unauthorized transactions.
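The alert-and-reply loop described above, as an added example that is not code from the original post or from ClairMail: every authorization emits a text message carrying a short reference, and the cardholder can freeze the card by replying LOCK with that reference. The issuer honours the reply only when it quotes a reference from a real alert and arrives from the phone enrolled for that card, so a stray or spoofed text cannot lock someone else's card. Card ids, merchants, amounts and phone numbers are constructed for illustration.

```python
import itertools
from typing import Dict, List, Set


class CardIssuer:
    """Toy model of actionable debit-card alerts (hypothetical, not any vendor's API):
    every authorization sends a text message with a short reference, and the
    cardholder can reply LOCK <reference> from the enrolled phone to freeze the card."""

    def __init__(self, enrolled_phones: Dict[str, str]) -> None:
        # card id -> mobile number the customer enrolled for alerts (constructed data)
        self.enrolled_phones = enrolled_phones
        self.outbox: List[str] = []          # messages the issuer "sent"
        self.pending: Dict[str, str] = {}    # alert reference -> card id
        self.frozen: Set[str] = set()        # cards locked by their holders
        self._seq = itertools.count(1)       # alert sequence number

    def authorize(self, card: str, merchant: str, amount: float) -> dict:
        """Approve or decline a purchase; every approval emits an alert."""
        if card in self.frozen:
            return {"approved": False, "reason": "card locked by cardholder"}
        ref = f"{card[-4:]}-{next(self._seq)}"
        self.pending[ref] = card
        self.outbox.append(
            f"ALERT {ref}: ${amount:.2f} at {merchant}, card ending {card[-4:]}. "
            f"Not you? Reply LOCK {ref} to block further use."
        )
        return {"approved": True, "ref": ref}

    def receive_reply(self, from_phone: str, text: str) -> str:
        """Handle an inbound text. Only a LOCK that quotes a real alert reference
        and comes from the phone enrolled for that card is honoured."""
        parts = text.strip().upper().split()
        if len(parts) != 2 or parts[0] != "LOCK":
            return "IGNORED"
        card = self.pending.get(parts[1])
        if card is None or self.enrolled_phones.get(card) != from_phone:
            return "REJECTED"
        self.frozen.add(card)
        return f"LOCKED {card[-4:]}"


if __name__ == "__main__":
    issuer = CardIssuer({"card-1881": "+15555550100"})
    print(issuer.authorize("card-1881", "Stadium Concessions", 12.50))
    print(issuer.outbox[-1])
    print(issuer.receive_reply("+15555550100", "LOCK 1881-1"))
    print(issuer.authorize("card-1881", "Electronics Store", 899.00))
```

Declining once the card is frozen is what closes the window on follow-on fraud; the reference in the message is also what a cardholder can use to tell a genuine alert from a look-alike text that asks for the card number instead.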

This is about as win-win as you can get in banking. The user is happier with his debit card, leading to increased loyalty and more debit transactions, boosting both short- and long-term revenues for the bank, credit union, or card issuer.

For more information see our latest Online Banking Report, Mobile Banking & Payments 2.0 (OBR 138/139).


Chase Advertises Security Alerts in the NY Times

By Jim Bruene on March 14, 2007 6:30 PM | 0 Comments

Chase ad in New York Times featuring mobile security alerts

Once again (previous post here), Chase used a three-quarter page color ad in the front section of the New York Times (p. 17, National Edition) to showcase its alert services (see partial screenshot right). The ad shows a man relaxing in the stands at some type of sporting event, Yankee Stadium perhaps.

The camera looks over his shoulder, focusing in on the image displayed on his Treo smartphone, which says "SECURITY ALERT" in large white letters on a light-blue background.

You had to feel for this poor guy, jarred from his leisure time with an urgent missive from the bank. Within a few seconds, three things likely crossed his mind: 

1. What the (expletive deleted)? Pretty poor timing to be interrupted at a baseball game with a security alert from the bank (which, these days, is 99.9% likely to be a false positive or a phishing attempt; see number 2).

2. Is this even from Chase? How do I know it's not a new kind of mobile phishing attack (mishing?). Should I ignore it? Does my liability go up if I don't respond immediately?

3. Now what? Can I click the message and find out if this was just a notification that I'd used my debit card to buy beer at a Yankees game, something I'd never done before, or has someone just transferred my 401k to a numbered account in the Jersey Islands? Or will I have to excuse myself and make a voice call, spending the 6th and even part of the 7th inning, talking to a Chase CSR, who may not even have enough info to explain why I got the alert? 

Analysis 
The ad demonstrates the pitfalls of using a very negative attribute, security breaches, in marketing your brand. But despite the uncomfortable thoughts that come to mind, we think it's an effective ad because it grabs attention and positions Chase as caring for the financial security of its customers. However, given that Chase's actual alerts look nothing like this, it's a bit of a stretch. I suppose they're allowed a bit of creative license; it's advertising after all. 

We'll give it an A-


US Bank's Over-Zealous Login Lockout

By Jim Bruene on March 8, 2007 11:52 AM | 0 Comments

Looking for the ultimate in frustration? Try this sometime. Go to all of your bank, brokerage and credit card accounts and enter the correct username, then make up passwords and hit enter until you are locked out of your account. 

For research on a previous report in our Online Banking Report (here), I locked myself out of more than a dozen accounts. That was almost four years ago, and I have no plans to do that again, ever. However, yesterday, through a bit of miscommunication with my wife (note 1), we found ourselves locked out of our account at US Bank.

Due to this inadvertent bit of research, I found out that US Bank has added a "lock-out alert" (one step forward) to its messaging services, but fails to tell users what is going on and how to resolve it (two steps backwards). Here's what the alert looks like (see notes 2 & 3):

US Bank lock-out email message

Recommendations:

  • The alert (above) needs to tell users EXACTLY what to do next. US Bank correctly tells the 1% of users what to do if the failed login was not initiated by them (call the bank), but fails to explain to the other 99%, who simply forgot their password, what they should do.
  • The screen displayed after lockout (see below) also must tell users EXACTLY what to do. US Bank's message to frustrated users: "Internet Banking is unable to verify the information you've entered. Please confirm your Personal ID and password." At the very least the bank should empathize with the user and explain the possible causes of the problem and link them to the password reset screen.  
  • Don't lock out users after only three or four attempts: US Bank locked my wife out after 3 or 4 tries, more stringent than the six allowed in our test four years ago. That is just too few. Most users who make a mistake (attempt 1) will retype the exact same info (attempt 2), then try once more paying very close attention to their typing (attempt 3), before trying a different password (attempt 4). So at minimum you must allow four tries. Even better is 5 or 6, or up to ten. The cost in customer service for locking out at 3 or 4 attempts is far more than any fraud that will be prevented with such strict measures.
  • Help users remember they created a new password: In our case, if the on-screen error message had said, "You recently changed your password, are you using the new one?", the whole episode could have been avoided. Instead, US Bank gives no information to its customers (see screenshot below). It doesn't even explicitly tell them they entered the wrong username/password. It just drops them onto this blank page that has a vague message about logging in.
  • Warn users before lockout: Tell users they are about to be locked out, with a warning, "One more incorrect attempt will lock you out of your account. If you've forgotten your username or password, click here." 
  • Let users back in after lockout: The last time we tested, US Bank allowed users to log back in 24 hours after lockout if they remembered their username and password (note 4). That's a good policy, but why 24 hours? Why not 12 hours, or 3 hours, or 1? If you have the correct username and password, why should you not be allowed back into your account after a relatively short period of time?
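The recommendations above, as an added example that is not US Bank's code or the post's own: a failed-login policy that allows a configurable number of tries, warns on the last attempt before lockout, tells a user who just mistyped that a recent password change may be the cause, and clears the lock automatically once a short period has passed (a correct password after that period gets the user straight back in). The threshold of six attempts and the one-hour lockout are assumptions inside the ranges the post argues for; timestamps are plain seconds so the logic can be traced by hand.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# User-facing text for each outcome. The warning wording follows the post;
# the rest is constructed for this example.
MESSAGES = {
    "ok": "Welcome back.",
    "wrong_password": ("The Personal ID or password you entered is incorrect. "
                       "If you recently changed your password, make sure you are using the new one."),
    "warning": ("One more incorrect attempt will lock you out of your account. "
                "If you've forgotten your username or password, use the password reset link."),
    "locked": ("Your account is temporarily locked after too many incorrect attempts. "
               "It unlocks automatically after the lockout period, or reset your password now."),
}


@dataclass
class AccountState:
    failures: int = 0                     # consecutive failed attempts
    locked_until: Optional[float] = None  # epoch seconds, None when not locked


@dataclass
class LockoutPolicy:
    max_attempts: int = 6                 # assumption: inside the 5-to-10 range argued above
    lockout_seconds: int = 3600           # assumption: one hour rather than 24
    accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:        # lockout expired: clear it and the counter
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return the outcome key."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"               # correct password still refused while locked
        if password_ok:
            st.failures = 0               # a success resets the counter
            return "ok"
        st.failures += 1
        remaining = self.max_attempts - st.failures
        if remaining <= 0:
            st.locked_until = now + self.lockout_seconds
            return "locked"
        if remaining == 1:
            return "warning"              # warn before the final attempt
        return "wrong_password"

    def login(self, user: str, password_ok: bool, now: float) -> str:
        """Same as attempt(), but returns the text shown to the user."""
        return MESSAGES[self.attempt(user, password_ok, now)]


if __name__ == "__main__":
    policy = LockoutPolicy()
    for i in range(7):
        print(i + 1, policy.login("demo", False, 1000.0 + i))
    print("after an hour:", policy.login("demo", True, 1000.0 + 3700))
```

The point of the short, automatic unlock is that the lock only needs to slow down guessing, not to strand a legitimate customer for a day; a separate, stricter response (such as requiring a password reset) can be reserved for accounts that keep hitting the lock.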

Enough with the rant. I know these policies are in place to discourage unauthorized entry. But you also shouldn't run up your customer service costs, not to mention irritating customers, with arbitrary lockout parameters.

US Bank's screen after an unsuccessful login attempt gives almost zero info


Notes:

1. Anyone with a joint checking account can probably recognize that "a bit of a miscommunication," is a euphemism for, "I forgot to tell her I changed the password."

2. An alert is generated for each failed attempt. We received three identical messages. The email address has been erased from the screenshot.

3. Note the email is generated from the URL, cs.usbank-email.com, which cannot be verified through direct navigation (it results in an error message). That's phishy looking. Emails should carry the normal, user-recognizable URL, in this case, usbank.com. If that's not practical, at least post a page at the email URL verifying that the URL is genuine.

4. It's been about 16 hours since lockout, and we still cannot get back into the account.


Is There Anything Left to Phish? Fake Wells Fargo Credit Card Authorization Notification

By Jim Bruene on March 6, 2007 3:34 PM | 0 Comments

I hate phishing. Not only has it cost the world's financial institutions tens of millions in fraud losses, it's just about killed the email channel in terms of getting your customers' attention in a timely fashion, and it's diverted management's attention from much-needed online marketing improvements. That's much worse than the actual fraud losses.

Like most people with widely published email addresses, I get a half-dozen phishing messages every day (note 1). I rarely give them a second look unless they purport to be from my bank. Almost all of them are placed in the junk folder by Outlook, one of the nicer services of Microsoft Office.

Phishers have to be much more creative these days. The time has passed when a few paragraphs of broken English and the bank's logo could net the fraudsters a few extra coins. Now I get fake emails asking me to verify my security settings, authorize account changes, or claim a sweepstakes prize.

Wells Fargo credit card authorization phish

For example, today I received a fake credit card authorization request from Wells Fargo (see inset). I'm not sure why it prompted a blog entry. Maybe because I use a Wells card or maybe because I've been talking to mobile banking execs about this very subject. But the fake was good enough to force me to take a closer look. The biggest clue is the wrong format for the USD charge, using a "comma" instead of a decimal point between the dollars and cents. But otherwise it's pretty good, and may even net a few card numbers before it's taken down.
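Two of the tells raised on this page, the sender domain that is not the institution's own (the cs.usbank-email.com lockout alert in the US Bank post above) and the comma-formatted dollar amount in this Wells Fargo fake, can be checked mechanically. The example below is added here and is not code from the original posts: it parses the From: header, accepts only the institution's registered domain or a subdomain of it (so a look-alike such as usbank-email.com is flagged), and scans the body for amounts that put a comma between dollars and cents. The three messages are constructed for the example; the phishing sender address uses the reserved .example domain and does not reproduce the real one.

```python
import email
import re
from email.utils import parseaddr
from typing import List

# A dollar amount whose cents are separated by a comma ("$1,299,95");
# a genuine U.S. issuer would write "$1,299.95".
COMMA_CENTS = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*,\d{2}\b")


def sender_domain(raw_message: str) -> str:
    """Domain of the address in the From: header, lower-cased ('' if none)."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def belongs_to(domain: str, institution_domain: str) -> bool:
    """True only for the institution's own domain or a subdomain of it.
    Look-alikes such as usbank-email.com or usbank.com.example fail."""
    institution_domain = institution_domain.lower()
    return domain == institution_domain or domain.endswith("." + institution_domain)


def triage(raw_message: str, institution_domain: str) -> List[str]:
    """Return the reasons to distrust the message (empty list = nothing flagged)."""
    reasons = []
    domain = sender_domain(raw_message)
    if not belongs_to(domain, institution_domain):
        reasons.append(f"sender domain '{domain}' is not {institution_domain} or a subdomain of it")
    msg = email.message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    for amount in COMMA_CENTS.findall(body):
        reasons.append(f"amount '{amount}' uses a comma between dollars and cents")
    return reasons


# Constructed samples, not real messages. The first mimics the lockout alert
# discussed above (sender cs.usbank-email.com is the domain named in that post);
# the second is a fake card authorization with the comma-formatted amount and a
# placeholder look-alike sender; the third comes from a subdomain of the
# institution's own domain and should pass.
LOCKOUT_ALERT = """From: U.S. Bank <alerts@cs.usbank-email.com>
Subject: Unsuccessful login attempt

There was an unsuccessful attempt to log in to your account. If this was
not you, please call us.
"""

FAKE_AUTHORIZATION = """From: Wells Fargo Card Services <auth@wellsfargo-authorization.example>
Subject: Credit card authorization request

A charge of $1,299,95 is pending on your card. Click below to approve or deny.
"""

GENUINE_STYLE = """From: Bank Alerts <alerts@notifications.usbank.com>
Subject: Transaction alert

Your debit card ending in 1881 was used for $12.50 at Stadium Concessions.
"""

if __name__ == "__main__":
    for name, raw, inst in [("lockout alert", LOCKOUT_ALERT, "usbank.com"),
                            ("fake authorization", FAKE_AUTHORIZATION, "wellsfargo.com"),
                            ("genuine style", GENUINE_STYLE, "usbank.com")]:
        print(name, "->", triage(raw, inst) or "no flags")
```

The domain test is the one worth internalising: "contains the bank's name" is not the same as "is the bank's domain", and the suffix check is what separates the two. An empty result from triage() means only that these two heuristics found nothing, not that the message is genuine.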

Analysis
I am optimistic that email can still be effective if financial institutions clearly personalize their messages (see samples here and here). However, gaining customer trust back, especially for security-related messages, is a long-term project. That's why we are telling financial institutions to invest in RSS/XML feeds (Online Banking Report #135/136) and/or mobile banking (Online Banking Report #138/139) in order to reach their customers in a way that is less prone to fraud, at least for now.

Notes:

1. A great online repository of phishing examples is housed at MillerSmiles.co.uk

2. There's a whole book on phishing, click on cover above to go to Amazon's description of the title.


Wachovia is Developing User-Managed Security Controls

By Jim Bruene on January