Two-Factor Too Scarce at Consumer Banks
A search for strong authentication in online banking comes up short.
Bank of America presents its $0 liability guarantee as an agreement, in which the bank will cover losses as long as customers keep their end of the bargain: namely, by reviewing their account statements regularly, protecting their online ID and pass code, and not leaving the computer unattended during an online banking session. While the liability protections are probably the same as at other banks, it's a friendlier and more straightforward way of presenting things. The consumer does and should have those responsibilities.
The website also has a lot of information about steps consumers can take to protect themselves from identity theft, including the use of antivirus software and personal firewalls. Bank of America also has partnered with EarthLink to provide a free toolbar that helps consumers identify phishing websites. While I got the feeling that Citibank's marketing people like to hang out with attorneys, the marketing folks at Bank of America may actually be on good terms with the security team. In my book, that can't be a bad thing.
Chase
Bank number three also presents its liability policy as a short and sweet guarantee: Chase will cover "100% of any unauthorized online use of your consumer deposit account if you tell us within two days of your discovery of the usage." The but: "Chase cannot cover the below items under the 100% guarantee, because they are beyond our control: Failing to completely exit the service when you're done with your session or away from your computer; Your negligent handling of your User ID and Password." Again, this is a fair policy, presented in a straightforward manner.
Otherwise, however, the information I found about security at Chase's website was thin at best. The Security Center was so difficult to navigate that I gave up. It made much of the fact that Chase uses "Secure Socket Layer (SSL) technology to encrypt your personal information," while revealing little else, not even the standard language about most online banking sites logging out users after a certain period of inactivity. The site also attempted to make a distinction between when e-mail to Chase is or is not encrypted, and when you would or wouldn't send Social Security numbers or account numbers via e-mail. I'd much rather hear that the bank is simply not going to ask for my Social Security number through e-mail, period.
Overall, I felt like I was being lectured by the kind of person who uses a lot of inscrutable words to intimidate others into thinking that they must be smart. Despite this, however, I couldn't find anything about strong authentication. I imagine Chase is doing a lot more than it lets on; it's just too bad it couldn't find a way to let customers know.
CIO