User-Generated Content Archives

Suggestion Box 2.0: Is MyStarbucksIdea a Blueprint for Banks?

By Jim Bruene on March 19, 2008 2:24 PM | 3 Comments

One perk of working for a large company is being recognized, or winning prizes, for contributing useful suggestions. While employees can be pretty cynical about the whole process, overall it's good for employee relations to solicit and reward suggestions. Employees appreciate the opportunity to voice their ideas to senior management and do their part in making the company and its products better. And if they win a free dinner, it's all that much better.

The same concept can work even better with customers, where you don't have to worry about favoritism and corporate politics. But how do you solicit meaningful suggestions without getting bogged down in an expensive and time-consuming evaluation process? And more importantly, how do you prevent the really innovative ideas from getting killed in the marketing, customer service or IT department, where the not-invented-here bias rules?

Interactive suggestion box from Starbucks
Amidst a sweeping round of innovations announced at its annual shareholders meeting today (see note 1; press release here), Starbucks provided a glimpse of the future of customer feedback with its MyStarbucksIdea, a user-generated discussion forum revolving around product and service suggestions (see screenshot below).

By involving users every step of the way, the system helps remove the inherent bias that plagues most company-run programs. The key is giving registered users the power to vote on each idea; the best rise, Digg-like, to the top, where other customers, along with Starbucks' top brass, are likely to see them. Other than light moderation of the forum, Starbucks only has to process the very best ideas.

To provide the all-important company feedback to the community, the Starbucks site (note 2) has an area that will showcase the ideas that are actually implemented. The site says there are no monetary rewards, but I would expect that winning ideas will receive some small token of the company's appreciation such as a $50 Starbucks card or a t-shirt. You don't want the incentives to be too high, or the system will be gamed and its appeal damaged.

The most popular idea at Starbucks has to do with providing discounts...no surprise there. But the company has wisely introduced a dozen idea categories to help spur discussion in other areas. For instance, in the "Other Product" section (second screenshot below), I found two that I voted for: microwave ovens to re-heat coffee and small stickers to keep the coffee from sloshing out of the drinking hole while driving.

Implications for financial institutions
I believe that every financial institution should have some type of suggestion program, even if it's just an email address (suggestions@yourbank.com). And I think the open Starbucks approach could work very well. However, if there are no ground rules, most banks and credit unions will be inundated with "ideas" to lower fees, raise savings rates, and so on. As much as you don't want to stifle discussion, you may have to restrict or even forbid suggestions about pricing. Most people will understand that your pricing decisions are not made via the consensus of a public user forum, no matter how many votes "interest-free loans" receive.

To help spur ideas outside the usual complaints, create a list of categories such as online banking, wire transfers, checking accounts, branches, and so on to generate ideas for your different product lines.

[Screenshot: MyStarbucksIdea homepage (19 March 2008)]

[Screenshot: Top ideas in the "Other Products" category]

Notes:

1. Starbucks also announced a set of rewards for users of its prepaid card including free premium drink upgrades such as soy milk, free beverages with the purchase of coffee beans, and the big one for the WiFi set, 2 hours of free Internet access with a purchase.

2. Interestingly, Starbucks' new app is built on the Force.com platform from SalesForce.com.


Wells Fargo Launches CenterStage, a User-Generated Video Promotion

By Jim Bruene on September 27, 2007 9:09 PM | 4 Comments

Tomorrow, Wells Fargo is expected to launch a user-generated video contest that will place the winning entry into a 30-sec commercial that plays during January's Rose Bowl, with an audience of 35 million or more. The winner will be chosen by public voting on the contest website. Entries are due by Nov. 26.

Although this type of contest has been done before, including last year's Super Bowl (see previous coverage of Intuit's TaxRap here and Lending Club here), it's the first time a major U.S. bank has launched such a high-profile effort. It should provide Wells with excellent publicity while supporting its social media and branding efforts.

The whole effort is first class, from the Center Stage website, to the pre-taped audio tracks in various genres, to the contest rules and prizes. And while the sample videos are cute, don't listen to them at bedtime. Trust me, you don't want "The Wells Fargo Wagon" running through your head as you try to get to sleep.


Boeing Employees Credit Union Posts User-Generated Content

By Jim Bruene on August 14, 2006 5:06 PM | 0 Comments

Playing into the summertime digital photo frenzy, Boeing Employees Credit Union <becu.org> is asking members to send a photo and short story for posting on the Seattle-based CU's homepage <becu.org> (see below for an example).

Photographs can be uploaded through the website, emailed in, or for those not into digital photography, a 4x6 or larger print can be mailed in. Either way, every person in the photograph must sign a release, also available on the website.

Here's how it looks on the homepage (click for larger version):

[Screenshot: BECU homepage with member photo and story]

Click on the continuation link below to see the landing page for the promotion and the upload form.

--JB

Notes:
The landing page (accessible through link from lower portion of homepage, see above):

[Screenshot: BECU "Your Pics" landing page]

Here's the uploading form:

[Screenshot: BECU photo upload form]


Password Procedures at 15 Financial Institutions

By Jim Bruene on April 8, 2003 7:23 PM | 0 Comments

Using our live test accounts, we changed passwords then subsequently “forgot” the new one to test how major financial institutions handle the situation. Overall, most received good marks, although everyone has room for improvement.

Table 1

Password Scorecard

Safe Practices | Yes | No | Unknown
Use a third password or challenge question | 1 | 13 |
Disable Internet Explorer AutoComplete | 9 | 5 |
Require 4 or more characters in passwords | 13 | 1 |
Bank determines username | 6 | 8 |
Require more than account number and social security number for online password reset | 4 | 4 | 6
Send confirmation of password change to email address | 2 | 12 |
Send confirmation of online password reset to email address | 2 | 6 | 6
Send confirmation of password reset to mail address | 2 | 6 | 6
Allow more than 3, but less than 11 unsuccessful password attempts* | 6 | 5 | 3
Warn users in advance of account lockup | 3 | 11 |

Source: Online Banking Report, 4/03
*We believe users should have at least 5 login attempts, with clear instructions before and after lockout.
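The lockout rows of the scorecard turned into a login-attempt policy, as an added example that is neither the Report's code nor any bank's: more than 3 but fewer than 11 attempts, a warning before the lock, a plain message after it, and a lock that either times out (US Bank's 24-hour wait) or is cleared after a verified online reset. The defaults (lock on the tenth failure, warning from the seventh) follow PayPal's behaviour described later on this page; the class, its messages and the time-out are assumptions.

```python
"""Login-attempt policy for the scorecard's lockout rows (added illustrative code,
not any bank's implementation). Defaults: lock on the 10th consecutive failure,
warn from the 7th, lock expires after 24 hours or after a verified online reset."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class _AttemptState:
    failures: int = 0                       # consecutive failures since the last success
    locked_until: Optional[datetime] = None


@dataclass
class LoginThrottle:
    max_attempts: int = 10                       # lock on this many consecutive failures
    warn_after: int = 7                          # warn once this many have failed
    lockout: timedelta = timedelta(hours=24)     # lock expires by itself after this long
    _state: dict = field(default_factory=dict)   # keyed by username, not by client address

    def __post_init__(self) -> None:
        # Table 1's "more than 3, but less than 11" recommendation, enforced at configuration time.
        if not 3 < self.max_attempts < 11:
            raise ValueError("max_attempts must be between 4 and 10")
        if not 0 < self.warn_after < self.max_attempts:
            raise ValueError("warn_after must be below max_attempts")

    def record(self, username: str, succeeded: bool, now: datetime) -> dict:
        """Record one login attempt and return the status and message to show the user.

        `succeeded` is the result of the credential check, done elsewhere; counting is
        per username, so the limit holds no matter where the attempts come from."""
        st = self._state.setdefault(username, _AttemptState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return self._locked(st)             # even a correct password does not get in
            st.failures, st.locked_until = 0, None  # waiting period is over
        if succeeded:
            st.failures = 0
            return {"status": "ok", "remaining": self.max_attempts, "message": "Login successful."}
        st.failures += 1
        remaining = self.max_attempts - st.failures
        if remaining == 0:
            st.locked_until = now + self.lockout
            return self._locked(st)
        if st.failures >= self.warn_after:
            return {"status": "warning", "remaining": remaining,
                    "message": f"Incorrect password. You have {remaining} more tries "
                               f"before your account is locked."}
        return {"status": "bad_password", "remaining": remaining,
                "message": "Incorrect password. Forgot it? Use the online password reset."}

    def clear_lock(self, username: str) -> None:
        """Call after a successful, separately verified online password reset."""
        self._state.pop(username, None)

    def _locked(self, st: _AttemptState) -> dict:
        when = st.locked_until.strftime("%Y-%m-%d %H:%M")
        return {"status": "locked", "remaining": 0,
                "message": f"Your account is locked until {when}. "
                           f"Reset your password online or call customer service."}
```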

 

Testing process

1. Log in with existing username and password
2. Change password or username
3. Log out
4. Use online password reset if available
5. Attempt to log back in 10 times with an incorrect password

American Express

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete function not disabled
(2) No email confirmation of password change
(3) Account lockout too quickly, after third login try

Password structure: User defined, 6 to 8 characters with at least 1 letter and 1 number

Username structure: 5 to 20 characters with at least 1 letter

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Email confirmation of password change/reset: No

Online password reset: Yes, with card number, 4-digit card ID (on face of card), work phone number, last 4 digits of soc, and 5-digit zip code

Account lockout with excessive login attempts: Yes, after third attempt; red warning issued after attempt two

Online username retrieval: Depends, certain accounts can retrieve their username online, others must call; we were in the latter group so could not test this feature

AutoComplete is not disabled on the login screen.

User friendly: American Express warns users after their second unsuccessful login that they will be locked out after one more attempt.

Password reset, step 1: Enter userid, card number, and 4-digit code from back.

Password reset, step 2: Enter personal info for authentication.

 

Bank of America Credit Card

 

Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 9 to 20 numbers

Password structure: 4 to 7 characters; cannot repeat 4 or more in same sequence as username; cannot be same character repeated

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 4 attempts; help section carries clear warning

Online username retrieval: No

BofA provides a helpful popup screen with each unsuccessful password attempt.

Centura Bank

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) No warning of account lockout
(3) No customer service link or HELP available from login screen

Username structure: Social security number (with dashes)

Password structure: 6 to 15 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Password change: Online with old password; but neglected to provide an on-screen confirmation that the change occurred, an annoying usability flaw

Online password reset: No, must call; password sent via postal mail

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after sixth unsuccessful attempt; no prior warning

Online username retrieval: Unnecessary (SSN)

Centura had the best login screen “security look and feel.” It also provides a link to disclosures, but not a single mention of customer service or online help, even after making an unsuccessful login attempt. Evidently the bank’s lawyers have been through the site, but where’s customer service?

 

Charter One Bank

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No warning prior to account lockout
(4) No message after account lockout
(5) A bit too easy to gain read-only account access for new users; requires account number and social security number. However, there is a crucial safeguard for bill payment, which requires mother’s maiden name, date of birth, home phone number, and a 2-day waiting period.

Username structure: Social security number

Password structure: Must be at least 6 characters

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password

Online password reset: No, must call

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, not sure when it happens, sometime before the tenth attempt; the bank does not provide a warning of impending lockout, nor does it let you know after you’ve been locked out, you only receive a cryptic error message.

Online username retrieval: Unnecessary (SSN)

 

AutoComplete has not been disabled at account login.

New users enroll with social security number and account number. Note the excellent use of security graphics during enrollment.

 

Chase Bank

 

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) No warning of upcoming account lockout
(3) No message after account lockout

Username structure: User defined, must include one number

Password structure: 6 to 10 characters, 1 of which must be a number

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with name, account type, account number, social security number, and two user selected challenge questions

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, sometime during the first 10 attempts; no warning message and no indication when the account is locked out, a “try again” message just keeps repeating

Online username retrieval: Yes, displayed online after entering name, account type, account number, social security number

Chase is one of the few banks offering online retrieval of forgotten usernames. After correctly entering name, account number, and social security number, the username is displayed. At that point you can login if you know your password. If not, you can retrieve your password online by answering two previously selected challenge questions. This is great from a usability standpoint, but the bank should send a confirmation via email and/or snail mail.

To reset the password, users answer two previously established challenge questions.

DeepGreen Bank

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) Browser AutoComplete not disabled
(2) No email confirmation of password change
(3) No minimum password length; can be a single letter or the same as the username
(4) No warning before account lockout
(5) No message after account locked out

Username structure: User defined, can be all alpha

Password structure: 1 to 14 characters, can be the same as the username or a single character

Second password/challenge: No

IE 6 AutoComplete disabled: No

Online password change: Yes, with old password and mother’s maiden name

Online password reset: Yes, with social security number and mother’s maiden name

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, but not sure when, because the lockout is not disclosed until the user attempts to log in with the correct username/password.

Online username retrieval: No, must call, then wait 7 to 10 days to receive in the mail

A common security vulnerability: Failure to disable IE 6’s AutoComplete function.

Everbank

 

Password Scorecard

Grade: Needs improvement

Weaknesses:
(1) AutoComplete not disabled
(2) No email confirmation of password reset, even though it can be reset with info available to an identity thief, SSN and mother’s maiden name
(3) No email or on-screen confirmation of p/w change
(4) No warning before account lockout
(5) No help on login screen for the memory challenged

Username structure: Initially set as social security # (with dashes); can be changed online one time; 8 to 24 characters, not similar to current username, not same as password, not offensive, at least 2 numbers and 2 alphas

Password structure: 8 to 16 characters with at least one number and one letter, not similar to username, not similar to prior password, not the same reading backward and forward

Second password/challenge: No

IE 6 AutoComplete disabled: No

Password change: Online with old password; no confirmation of the change provided on-screen

Email confirmation of password change/reset: No

Online password reset: No, must call; new temp password given over the phone after providing SSN, name, address, date of birth, and mother’s maiden name

Account lockout with excessive login attempts: Yes, after fifth attempt, must call to reactivate; no warning prior to lockout

Online username retrieval: No, must call

Everbank provides no help at login for users that forget username or password, just a lengthy warning written by the lawyers.

 

First USA Credit Card (Bank One)

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password/username change or reset; especially important given relative ease of resetting username/password
(2) No warning before account lockout

Username structure: User defined, 7 to 16 characters, case sensitive

Password structure: 7 to 32 characters, case sensitive, must have at least 1 number, may not use the same letters consecutively, cannot match username or social security number.

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online username change: Yes, with old password

Online password reset: Yes, with credit card #, social security #, signature panel code, and expiration date

Online username reset: Yes, with credit card number, social security number, signature panel code, and expiration date

Email confirmation of password or username change/reset: No

Account lockout with excessive login attempts: Yes, locked out after four attempts, no warning given

First USA is the only financial institution tested which allowed usernames to be reset online; nice for usability but a confirmation of the reset should be emailed and/or mailed to the cardholder.

 

Harris Direct (brokerage)

 

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change (though there is for password reset)
(2) Only 3 login attempts allowed before lockout (but can reset online relatively painlessly)

Username structure: User defined, 6 to 15 characters

Password structure: 6 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, a new disguised password is emailed after entering username and birth date; the new password is created from the account holder’s mother’s maiden name and social security number but is not disclosed in the email, e.g., the first 2 letters of mother’s maiden name plus last 4 digits of social security number.

Email confirmation of password change: No

Email confirmation of password reset: Yes, confirmation also sent via snail mail

Account lockout with excessive login attempts: Yes, after third attempt, but can be reset online; no warning before lockout

Online username retrieval: No, must call

HarrisDirect allows online reset after your account has been locked out for excessive login attempts. It was the only company which emails a disguised new password when resetting. For good measure, they also mail an identical confirmation.

ING Direct

 

Password Scorecard

Grade: Excellent

Username structure: Account number

Password structure: 4-digit number (called PIN)

Second password/challenge: Yes, one of 5 user-specified questions asked at login (see below)

IE 6 password remember disabled: Yes

Online password change: Yes, with old password

Email confirmation of password change: Yes; confirmation also sent via postal mail

Online password reset: No, must call

Account lockout with excessive login attempts: No (not in the first 10 attempts)

Online username retrieval: Unnecessary (acct #)

ING Direct is the only bank we know of using a challenge question at login. In addition to account number and password, one of these five rotating questions must be answered correctly:

  •  first 4 digits of social security number

  •  zip code of mailing address (first 5 digits)

  •  birth year (4 digit)

  •  last 3 digits of social security number

  •  last 4 digits of social security number

We like the concept, but the implementation is weak. By simply refreshing the browser screen, the would-be thief can select which question to answer, one of which is zip code, which is trivial to ascertain. 

 

PayPal

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) AutoComplete not disabled on the password reset screen (it is disabled on the login page)
(2) Username (email address) known to others

Username structure: Email address

Password structure: 8 to 24 characters case sensitive; recommended, but not required that it include upper and lowercase and at least one number or special character

Second password/challenge: No

IE 6 AutoComplete disabled: Varies; yes, on main login screen, no on password reset screen

Online password change: Yes, with old password

Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail

Email confirmation of password change/reset: Yes

Account lockout with excessive login attempts: Yes, after 10 unsuccessful attempts; a lockout warning appears after the seventh attempt

Online username retrieval: Not necessary since username is equal to email address

PayPal is one of the few financial companies using cookies to automatically insert usernames at login. The company has used this approach since inception, so they must feel that the improved usability more than compensates for the decrease in security.

PayPal’s online password reset process requires the user to have access to the email account registered with the service. If not, users answer one of four authentication questions (top screen) and the password is mailed to one of the previously confirmed snail mail addresses (bottom screen).

PayPal explains after the seventh incorrect password attempt that you have 3 more tries before lockout. This is a far more reasonable approach than many banks’ three-strikes-and-you-are-out policy.

 

Schwab

 

Password Scorecard

Grade: Fair

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too quickly, after 3 login attempts, but can be reset relatively easily online

Username structure: Account number or social security number

Password structure: 6 to 8 characters including at least one number BETWEEN the first and last characters; cannot match or be a subset of username

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, in one of two ways;
(a) If logging in with account number, you must provide social security number, date of birth, home phone number, and correctly pick a security in your account from a list of 10 choices including “none of the above”
(b) If logging in with a social security number, you must only provide the answer to the secret question.

Can also reset via automated phone system.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 3 attempts; no warning prior to lockout

Online username retrieval: Not necessary (acct. # or soc. #)

Schwab’s unique password reset process requires the usual social security #, birth date, and telephone, plus users must correctly choose one of ten securities in the portfolio (including “none of the above”).

US Bank

 

Password Scorecard

Grade: Good

Weakness: No email confirmation of password change

Username structure: User defined, 8 to 24 characters

Password structure: 8 to 24 characters

Second password/challenge: No

IE AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with ATM card number and ATM PIN; new password displayed online

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 6 attempts; can reset online or wait 24 hours; no prior warning

Online username retrieval: No, must call

Password change screen. Note the prominent placement of what happens next.

 

Forgotten password can be reset online with ATM card number and PIN.

 

Wells Fargo

 

Password Scorecard

Grade: Good

Weaknesses:
(1) No email confirmation of password change
(2) Account lockout too soon, after 3rd login try

Username structure: Social security number

Password structure: 5 to 8 characters

Second password/challenge: No

IE 6 AutoComplete disabled: Yes

Online password change: Yes, with old password

Online password reset: Yes, with statement account number and ATM PIN; those without an ATM PIN are directed to call customer service.

Email confirmation of password change/reset: No

Account lockout with excessive login attempts: Yes, after 3 attempts; user redirected to online password reset page; no prior warning

Online username retrieval: Unnecessary (SSN)

Wells offers six options for where to go immediately after login.

After three unsuccessful login attempts users are directed to reset their password, which can be done online with account number and PIN.

The Major Vulnerability: Usernames & Passwords

By Jim Bruene on April 7, 2003 7:20 PM | 0 Comments

While often taken for granted, username/password procedures are one of the most fertile areas for improving perceived and actual security.

In general, we are underwhelmed with the U.S. banking industry’s approach to password protection. With so much on the line, both in consumer perceptions and in actual monetary losses, most financial institutions need more rigorous password protection, especially for new-user authentication, password resets, and large bill-pay requests. See the results of our tests at 14 financial institutions.

Part of the challenge is educating users about effective password strategies. You don’t want the same username/password combo used at the bank and at www.Sk8ter.com. But you can’t rely on education alone. Help users protect themselves with appropriate password requirements and fraud-monitoring tools. See the tables below for more ideas.

Banks also need to keep up with the tricks of each new browser release. Of the 14 financial institutions we tested, 5 neglected to disable Internet Explorer 6’s AutoComplete function on login forms, a moderate security flaw. AutoComplete allows the browser to remember usernames and/or passwords for each site (see note 1). Offering this choice is like giving customers the option of inscribing their PIN on their ATM card.

Security Flaw: Charter One failed to disable Internet Explorer’s AutoComplete function on its login page.

Note 1: Internet Explorer on your office PC may have been pre-configured with AutoComplete disabled for all forms, so you may have to use Internet Options to enable AutoComplete before testing your forms.
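An added check for the flaw just described, not from the Report or any bank's site: it parses a login page's HTML and reports each password field that is not covered by autocomplete="off" on the field itself or on its enclosing form (the attribute Internet Explorer honours). The two forms are constructed samples, and the rule that a field-level value overrides the form's is the audit's own assumption.

```python
"""Audit of <input type="password"> fields for a missing autocomplete="off"
(added illustrative code, not taken from any bank's site). Verdict rule, an
assumption of this audit: a field-level autocomplete value overrides the form's,
otherwise the form's value applies; absent everywhere means "exposed"."""

from html.parser import HTMLParser
from typing import List, Optional, Tuple


class AutoCompleteAudit(HTMLParser):
    """Collects (form, field, verdict) for every password input on the page."""

    def __init__(self) -> None:
        super().__init__()
        self._form_name: Optional[str] = None
        self._form_off: Optional[bool] = None   # None = attribute absent on the form
        self.findings: List[Tuple[str, str, str]] = []

    @staticmethod
    def _autocomplete_off(attrs: dict) -> Optional[bool]:
        value = attrs.get("autocomplete")
        return None if value is None else value.strip().lower() == "off"

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_name = a.get("name") or a.get("id") or a.get("action") or "<anonymous form>"
            self._form_off = self._autocomplete_off(a)
        elif tag == "input" and a.get("type", "text").lower() == "password":
            field_off = self._autocomplete_off(a)
            protected = field_off if field_off is not None else bool(self._form_off)
            self.findings.append((self._form_name or "<no form>", a.get("name", "?"),
                                  "protected" if protected else "exposed"))

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._form_name, self._form_off = None, None


def audit(html: str) -> List[Tuple[str, str, str]]:
    parser = AutoCompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def exposed_fields(html: str) -> List[Tuple[str, str]]:
    """Just the password fields the browser may offer to remember."""
    return [(form, name) for form, name, verdict in audit(html) if verdict == "exposed"]


# Constructed sample 1: the weak login page, nothing disables AutoComplete.
WEAK_LOGIN = """
<form name="signon" action="/signon" method="post">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Sign On">
</form>
"""

# Constructed sample 2: login form fixed at the form level, but the password
# reset form only covers one of its two fields (the PayPal pattern above).
MIXED_PAGE = """
<form name="signon" action="/signon" method="post" autocomplete="off">
  <input type="text" name="userid">
  <input type="password" name="password">
</form>
<form name="reset" action="/reset" method="post">
  <input type="password" name="newpw" autocomplete="off">
  <input type="password" name="confirmpw">
</form>
"""

if __name__ == "__main__":
    for page in (WEAK_LOGIN, MIXED_PAGE):
        for form, name, verdict in audit(page):
            print(f"{verdict:9s} {form}/{name}")
```

Current browsers largely ignore autocomplete="off" on password fields, so this reproduces the check the article ran against IE 6 rather than a present-day control.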


 

Table 1

Username/Password Vulnerabilities

Scam | Defenses*
Fake email requesting user to log in to their bank account | A, E, I
Professional identity theft (knows soc #, date of birth, address) | A, E, I
Non-professional identity theft (knows only what’s listed in phone book, Web, and/or paper check) | A, E, I
Insider identity theft (e.g., family member) | A, B, I
Unauthorized use of user’s machine (local or remote access) | A, B, E, I
Fraudulent password reset request | A, C, D, E, I
Trojan horse on user machine capturing keystrokes | A, E, F, I
Guessing by someone with knowledge of the user’s p/w from another Web site | A, D, G, H, I, J
Random guessing | A, E, G, H, I, J

Source: Online Banking Report, 4/03
*See defenses in Table 10 below

Table 2

Security Defenses

A. Require additional password or static challenge question to move money out of the account
B. Disable IE AutoComplete
C. Send new password via email or snail mail
D. Require ATM card number and PIN for reset
E. Geolocation screening (only works if thief is in a different geographic area than victim)
F. Rotating challenge questions to move money out of the bank
G. Require unusual characters to be used in username or password
H. Require the username or password contain bank-specific info or social security number; have bank assign username and/or password
I. Manually authorize all new bill pay merchants with a minimum 48-hour wait period for first payment; for new ACH accounts, require proof of ownership by sending two debits to the account, then having user report back with the amount of the debits
J. Lockout after 10 unsuccessful login attempts

Source: Online Banking Report, 3/03

Table 3

Making Passwords/Usernames Harder to Crack

  • Require at least one number and one alpha
  • Require a special character such as # or !
  • Require a number between the alphas
  • Use social security number as username*
  • Do not allow passwords to match or be a subset of usernames or other personal info such as soc number, date of birth, name, etc.
  • Recommend that passwords be unique and not used at other Web sites, especially less secure non-banking sites
  • Require passwords to be changed periodically
  • Do not allow one-step password resets either online or over the phone; insist that the new password be sent via email or snail mail (no exceptions!)
  • To foil a thief with physical or remote access to the user’s machine and/or email; when resetting, disguise the new password sent via email, e.g., your temp password is the last four digits of your soc number plus the two letters of your mother’s maiden name

Source: Online Banking Report, 3/03

*May be discouraged or not allowed by regulators
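The rules in Table 3, plus the sharper ones recorded above at Schwab (a number between the first and last characters), Bank of America (not the same character repeated) and Everbank (not the same reading backward and forward, not similar to the prior password), as an added password checker; this is illustrative code, not any bank's implementation. The length limits, the four-character overlap that counts as a "subset" of personal data, and the six-character overlap that counts as "similar" to the prior password are assumptions.

```python
"""Password-rule checker assembled from Table 3 and the institutions reviewed above
(added illustrative code, not any bank's implementation). Length limits and the
overlap lengths used for "subset of personal info" and "similar to prior
password" are assumptions."""

import re
from dataclasses import dataclass
from typing import List


@dataclass
class Profile:
    username: str
    name: str = ""
    ssn: str = ""             # digits only; constructed values are used in the checks below
    date_of_birth: str = ""   # YYYY-MM-DD
    prior_password: str = ""


@dataclass
class Policy:
    min_length: int = 8
    max_length: int = 24
    overlap: int = 4          # a run this long shared with personal data counts as a "subset"


def _shares_run(candidate: str, source: str, n: int) -> bool:
    """True if the candidate is contained in the source, or any n-character window of
    the candidate appears in the source (case-insensitive)."""
    c, s = candidate.lower(), source.lower()
    if not c or not s:
        return False
    if c in s:
        return True
    return any(c[i:i + n] in s for i in range(len(c) - n + 1))


def check_password(password: str, profile: Profile, policy: Policy = Policy()) -> List[str]:
    """Return the names of every rule the password violates (empty list = acceptable)."""
    pw = password
    violations: List[str] = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        violations.append("length")
    if not (re.search(r"\d", pw) and re.search(r"[A-Za-z]", pw)):
        violations.append("digit_and_alpha")   # Table 3: at least one number and one alpha
    if not re.search(r"[^A-Za-z0-9]", pw):
        violations.append("special")           # Table 3: a special character such as # or !
    if not any(ch.isdigit() for ch in pw[1:-1]):
        violations.append("inner_digit")       # Schwab: a number BETWEEN first and last characters
    if len(set(pw)) == 1:
        violations.append("repeated_char")     # BofA: cannot be the same character repeated
    if pw.lower() == pw.lower()[::-1]:
        violations.append("palindrome")        # Everbank: not the same reading backward and forward
    personal = [profile.username, profile.name, profile.ssn,
                profile.date_of_birth.replace("-", "")]
    if any(_shares_run(pw, item, policy.overlap) for item in personal):
        violations.append("personal_info")     # Table 3: not a subset of username, soc number, DOB, name
    if profile.prior_password and _shares_run(pw, profile.prior_password, policy.overlap + 2):
        violations.append("similar_to_prior")  # Everbank: not similar to the prior password
    return violations


# Constructed profile for trying the checker out.
SAMPLE_PROFILE = Profile(username="jsmith07", name="John Smith", ssn="123456789",
                         date_of_birth="1975-06-14", prior_password="Summer2002!")

if __name__ == "__main__":
    for candidate in ("Sk8ter!pass", "jsmith07", "pass6789!x", "Summer2003!", "aaaaaaaa"):
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_PROFILE) or 'acceptable'}")
```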

Extra protection for bill payments and electronic transfers out

Although the online banking industry has been lucky to have had relatively few online thefts, it’s only a matter of time before every financial institution experiences online banking fraud, probably a lot of it. Just this month, PayPal was again hit with a large-scale email fraud, the same type of attack experienced by Bank of America last year. No word on monetary losses, but unless the hackers were just showing off, they likely scored thousands of dollars. See the back page for more information.

To protect yourself, and make users feel more comfortable, we recommend an additional password or challenge question(s) to move money outside the bank, via bill payments, money orders, foreign exchange, wire transfers, and ACH transfers. To improve ease-of-use, dollar thresholds could be established, even controlled by users, so that the additional password was required only above certain dollar thresholds (e.g., $500 in a 24-hour period).

Another way to defeat fraudulent bill payments and transfers is to use authorization algorithms similar to credit cards. Unusual transactions would be challenged online or held pending authorization from the account holder. Following is a simple two-dimensional matrix to illustrate the concept:

Table 4

Bill Pay Transaction Authorization

Extra authentication for various transaction amounts: rows give the dollar amount requested in the last 24 hours, columns the increase over the 12-month moving average.

$ Request Last 24 Hours | 0 to 25% | 25 to 49% | 50 to 99% | >100%
$500 | none | none | none | extra p/w
$1,000 | none | none | extra p/w | extra p/w
$2,500 | none | extra p/w | extra p/w | extra p/w & challenge
$5,000 | extra p/w | extra p/w | extra p/w & challenge | extra p/w & challenge
$10,000 | extra p/w | extra p/w | extra p/w & challenge | extra p/w, challenge, & confirm

Source: Online Banking Report, 3/03

Legend:
none: no extra password required
extra p/w: requires extra monetary password or easy challenge question (soc num, birthdates, acct num, etc.)
challenge: requires correct answer to a secret challenge question (information not readily obtainable by crook)
confirm: payment held until it can be confirmed with user off-line
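The matrix above as a working authorization rule, added here as an illustration rather than the Report's own algorithm: it sums the customer's outbound requests over the last 24 hours, compares that total with a 12-month moving average, and looks up the authentication required. Assumptions: the moving average is the mean outbound payment amount over the trailing 12 months, each dollar row covers totals up to and including that amount, larger totals use the strictest row, and a customer with no history falls in the >100% column.

```python
"""Table 4 as code (added illustrative example, not any bank's algorithm).
Assumptions: moving average = mean payment amount over the trailing 12 months;
each dollar row covers 24-hour totals up to and including that amount; totals
above $10,000 use the top row; no history at all counts as a >100% increase."""

from datetime import datetime, timedelta
from enum import IntEnum
from typing import List, Tuple


class Auth(IntEnum):
    NONE = 0                        # legend: no extra password required
    EXTRA_PW = 1                    # extra monetary password or easy challenge question
    EXTRA_PW_CHALLENGE = 2          # plus a secret challenge question
    EXTRA_PW_CHALLENGE_CONFIRM = 3  # plus payment held until confirmed off-line


# Column boundaries in percent: 0-25%, 25-49%, 50-99%, >100% (treated as >= 100).
INCREASE_BANDS = (25, 50, 100)

# Rows are Table 4 verbatim, keyed by the 24-hour dollar total they cover.
MATRIX = {
    500:    (Auth.NONE,     Auth.NONE,     Auth.NONE,               Auth.EXTRA_PW),
    1_000:  (Auth.NONE,     Auth.NONE,     Auth.EXTRA_PW,           Auth.EXTRA_PW),
    2_500:  (Auth.NONE,     Auth.EXTRA_PW, Auth.EXTRA_PW,           Auth.EXTRA_PW_CHALLENGE),
    5_000:  (Auth.EXTRA_PW, Auth.EXTRA_PW, Auth.EXTRA_PW_CHALLENGE, Auth.EXTRA_PW_CHALLENGE),
    10_000: (Auth.EXTRA_PW, Auth.EXTRA_PW, Auth.EXTRA_PW_CHALLENGE, Auth.EXTRA_PW_CHALLENGE_CONFIRM),
}

Payment = Tuple[datetime, float]   # (when it was requested, amount in dollars)


def increase_column(increase_pct: float) -> int:
    """Column index for a percentage increase; a decrease lands in the 0-25% band."""
    for col, upper in enumerate(INCREASE_BANDS):
        if increase_pct < upper:
            return col
    return len(INCREASE_BANDS)


def amount_row(total_24h: float) -> int:
    """Smallest row threshold that covers the total; above $10,000 use the top row."""
    for threshold in sorted(MATRIX):
        if total_24h <= threshold:
            return threshold
    return max(MATRIX)


def required_auth(total_24h: float, increase_pct: float) -> Auth:
    return MATRIX[amount_row(total_24h)][increase_column(increase_pct)]


def moving_average(history: List[Payment], now: datetime) -> float:
    """Mean payment amount over the trailing 12 months (assumption, see lead-in)."""
    window = [amt for when, amt in history if now - timedelta(days=365) <= when < now]
    return sum(window) / len(window) if window else 0.0


def evaluate_request(history: List[Payment], amount: float, now: datetime) -> Tuple[Auth, float, float]:
    """Return (authentication required, 24-hour total, increase in percent) for a new request."""
    recent = sum(amt for when, amt in history if now - timedelta(hours=24) <= when < now)
    total_24h = recent + amount
    avg = moving_average(history, now)
    increase_pct = (total_24h - avg) / avg * 100 if avg else float("inf")
    return required_auth(total_24h, increase_pct), total_24h, increase_pct


# Constructed history: one $400 bill payment a month for the past year.
NOW = datetime(2003, 4, 7, 12, 0)
HISTORY: List[Payment] = [(NOW - timedelta(days=30 * k), 400.0) for k in range(1, 13)]

if __name__ == "__main__":
    for amount in (100, 900, 2_400, 11_000):
        auth, total, pct = evaluate_request(HISTORY, amount, NOW)
        print(f"${amount:>6,}: 24h total ${total:,.0f}, {pct:+.0f}% vs average -> {auth.name}")
```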

Defunct CompuBank (purchased by NetBank in 2001) was the first bank we’d seen with an additional password (dubbed Fed Wire PIN) in front of outbound monetary transfers including ACH, wire, and bill payment. Recently, we noticed Hibernia has adopted a similar process (screenshot below).

[Screenshot: Hibernia transaction password screen]

Even from within its password-protected Web banking area, Hibernia requires a “transaction password” to move money out of the bank.

Table 5

Beyond the Password

Additional authentication techniques for high value transactions, account changes, new payees, etc.

  • Extra password
  • Secret “challenge” question
  • Email/VRU confirmation
  • IP check: Additional authentication required if access attempted from out-of-area or unknown IP address
  • Previous access check: Additional authentication required if access attempted from a new machine (cookies track known locations)
  • Delayed access to online bill pay: New users must wait several days for access to online bill pay; during that time a letter would be sent to the customer confirming the request (Charter One uses this approach)

Source: Online Banking Report, 3/03

Maintaining Usability

The problem with more robust password schemes is that they inevitably make your Web banking program harder to use and can increase customer-support costs, especially at first. The challenge is striking the right balance, something each financial institution must determine based on its customer-service resources, its tolerance for fraud risk, and how tolerant or paranoid its customers are. Another possibility is requiring stronger security for accounts with higher balances. Table 14, right, provides a qualitative rating of various password schemes.

Regardless of how easy or difficult you make your password requirements, people will forget, often. PayPal provides some useful hints when an incorrect password is entered.

Table 6

Password Ease-of-Use Scorecard

| User-name | Password | Ease-of-Use Rating | Security Rating |
|---|---|---|---|
| email address | user select | Excellent – Only one field to memorize | Fair – Email addresses are widely available and the password could be easy to guess or find if used at other Web sites |
| social security number* | user select | Excellent – Only one field to memorize | Good – While Social Security numbers are relatively easy to obtain, at least it will be different than that used at non-banking Web sites |
| user select | ATM PIN | Excellent – Only one field to memorize | Good – While the ATM PIN is only 4 digits, it’s generally known and safeguarded by the user |
| social security number* | ATM PIN | Superb – Nothing to memorize | Good – Only vulnerability is guessing or discovering the PIN (1 in 365 if a calendar date is used) |
| user select | user select | Varies – Depends on what password rules are enforced | Fair – If the same username/password is used at other Web sites, employees or hackers from those sites could compromise bank accounts |
| account number | user select | Fair – Most customers will have to look up account number | Good – While account numbers are relatively easy to obtain, at least it will be different than that used at non-banking Web sites |
| user select | bank assigned | Fair – Most customers must write it down somewhere unless it’s built from user info, e.g., initials plus random 3 digits | Good – This approach eliminates the problem of users using the same password at other Web sites, but it increases the likelihood that they will write the p/w next to the computer |
| bank assigned | bank assigned | Poor – Nearly impossible to memorize, will be written down and looked up | Fair – Many users will write username and password next to the computer |

Source: Online Banking Report, 3/03

*May be discouraged or not allowed by regulators

Role of Automation

The main drawback of more rigorous password protection is the added cost, both in dollars and aggravation. This can be mitigated with automated online reset procedures that make it relatively painless for users to retrieve forgotten passwords. But reset security must rely on a shared secret, NOT the social security number. For banks, we like resets with ATM card number and PIN which are easy to use and secure.


Safeguarding Non-users

One online banking irony, luckily something we’ve not seen in the popular press, is the added vulnerability of the 60% to 80% of customers not using online banking. Consumers usually cite security concerns when explaining why they don’t bank online. What they don’t realize is that they are often more vulnerable to online theft by not using the system. Why? At many banks, identity thieves can sign up for online access by knowing the customer’s name, address, checking account number, and social security number (SSN). Except for the SSN, all this info is on most paper checks. And the SSN is readily available on the black market.

You should take every precaution against this type of attack. It’s a potential PR nightmare which could result in your conservative, high-deposit-balance customers questioning the safety and soundness of your entire operation. You can virtually eliminate this type of fraud by sending initial usernames through the mail or requiring ATM card number and PIN for initial authentication. To foil a determined thief who may be stealing snail mail, send a follow-up letter a few days later confirming the new online access.

Another technique is to allow non-users to “lock” their account against online access. Any application for online access would be denied pending contact with the customer to verify the request to “unlock” their account.

New accounts: Walking the fine line between account activation and security

As mentioned above, new accounts are your biggest authentication vulnerability. But these new users are also the least likely to understand why you’re torturing them with authentication procedures. But good security and ease of use don’t have to be mutually exclusive.

For example, Charter One uses a process similar to that outlined in Table 16 at right. New users get immediate read-only access to their data using their ATM card number and PIN. Those wishing to move money out of the bank via bill payment are required to pass a more exhaustive authentication and wait a few days for activation.


Table 7

Behind-the-Scenes Safeguards

  • Third-party technology/security audits of vendors
  • Good internal controls for authenticating new users and requests for password resets
  • Staff education on the perils of identity theft
  • Zero tolerance for insider fraud (you will go to jail!)
  • Damage-control plan for your first publicized online fraud occurrence (it WILL happen)
  • Bill-pay requests authorized like credit card charges based on size of transaction, time of day, IP location, size/type of transaction, type of merchant address (P.O. box or PMB number), recent changes in merchant address, recent change in consumer address, user history, etc.
  • Customers contacted regarding unusual activity
  • New payees verified, especially those receiving large payments
  • Monitor new accounts and those with recent address changes for suspicious activity
  • Rigorous authentication of change-of-address requests, even those received from someone claiming to be a bank employee
  • Scrutinize new or little-used bill-pay merchants suddenly receiving payments from multiple users (could be sign of internal theft)

Source: Online Banking Report, 3/03

Table 8

Secure Quick-Start Online Access

1. Existing ATM customers can look at their data online (read-only) immediately by logging in with account number and ATM PIN (personal identification number).
2. User has the option to change username and/or PIN.
3. Bank sends snail mail confirmation with a bank-generated password to access transactional functions, such as bill pay and funds transfer.
4. Upon receipt, users log in with username, PIN, and bank-generated password.
5. After the initial login, the extra password requirement could be eliminated or kept, with the user given the option of changing the bank-generated password to something easy to remember.
6. If users forget their username/password, they could revert back to read-only access by following steps 1 to 5.

Source: Online Banking Report, 3/03
