Two-Factor Too Scarce at Consumer Banks

A search for strong authentication in online banking comes up short.

Every time I turn around, there's a bank trying to sell me on online banking. They pitch online bill paying as a convenience, which I guess it would be, but let's face it—the real convenience is to the banks, because of the money they could save on processing fees and tellers. Thing is, some of us simply don't want it to be that easy to transfer funds out of our checking and savings accounts. We want it to be harder.

That's why for years I've been saying that I won't sign up for online banking until a bank offers me strong authentication. Keep your $50 new-customer incentive or the low-end iPod, I say. Instead, I want an RSA token that generates a security code that I punch into a website, in addition to my user name and password. Or a keyfob that I stick into the USB slot of my desktop computer whenever I move funds. Heck, I'd even proffer a fingerprint if the bank would send me the biometrics reader. And I know I'm not alone. Larry Freed, president of the research group ForeSee Results, says that security concerns are slowing the growth of online banking. "People that are not using online banking are very concerned with security," says Freed, a former banking CTO.
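The RSA token the column asks for generates its codes with RSA's own proprietary scheme; the open standard for the same idea, an event-based one-time code from a shared secret and a counter, is HOTP (RFC 4226). The block below is an added example, not code from the column or from any bank: it implements HOTP, a keyfob that advances its counter on every press, and the bank-side verifier that makes the code genuinely one-time (a small look-ahead window for unused presses, and a counter that moves past every accepted code so it cannot be replayed). The secret is the RFC's published test-vector secret and the username is hypothetical.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class HardwareToken:
    """The keyfob side: a shared secret and a counter that advances on every
    button press, whether or not the displayed code is ever used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenVerifier:
    """The bank side: one secret and one expected counter per user. A code is
    accepted if it matches any of the next `window` counters (a few unused
    presses must not lock the user out), and the stored counter then moves
    past the matched value, so the same code is never accepted twice."""

    def __init__(self, window: int = 5):
        self.window = window
        self.users: dict[str, dict] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        for candidate in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], candidate), code):
                rec["counter"] = candidate + 1   # consume this and every earlier counter
                return True
        return False


def demo() -> list[bool]:
    """Walk-through with the RFC 4226 reference secret (a test vector, not a
    real key). Returns the verifier's decisions in order: first use accepted,
    replay rejected, code after two unused presses accepted, stale code rejected."""
    secret = b"12345678901234567890"
    token = HardwareToken(secret)
    bank = TokenVerifier(window=5)
    bank.enroll("alice", secret)                    # "alice" is a hypothetical user
    first = token.press()
    results = [bank.verify("alice", first)]         # True: counter 0
    results.append(bank.verify("alice", first))     # False: replay of a used code
    token.press()
    token.press()                                   # two presses never submitted
    results.append(bank.verify("alice", token.press()))     # True: counter 3, inside window
    results.append(bank.verify("alice", hotp(secret, 2)))   # False: behind the stored counter
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```

The window is the usability trade-off a bank has to pick: too small and a fidgeted-with keyfob locks the customer out, too large and an attacker who captures one code has more room to guess ahead. Whatever the window, the password alone is never enough, which is the property the column is asking for.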

In October 2005, it looked like my wish might finally come true. The U.S. Federal Financial Institutions Examination Council, or FFIEC, issued a requirement that banks strengthen the way they authenticate online transactions. (See "Second Thoughts on Second Factors" for my colleague Scott Berinato's rich analysis of what the FFIEC called its "guidance.") The FFIEC move was widely interpreted as a mandate that would push more banks to two-factor authentication. Hip, hip, hurrah!

Now, just six months before the FFIEC's end-of-year deadline, seemed like a good moment to take stock of the current consumer offerings for online banking. I spent several hours looking at what Fortune 100 banks tell prospective online banking customers about security, liability and authentication. This wasn't a scientific study, mind you. I didn't set out to get an insider view of which banks are the most secure or have the best anti-fraud defenses, nor do I have any way of gauging how well banks actually keep the promises they make. I simply looked at what the websites and marketing materials say about each bank's online practices. Unfortunately, it appears that we still have a long way to go before most online banking sites are "hard" enough for me to use.

Citibank

According to the website for the country's largest bank, all someone needs to set up online banking and bill paying for the first time is a Citibank ATM card, the associated PIN used at the ATM and the number for one of the associated accounts. Anyone with a deposit account also automatically gets a free online fraud protection service called SafeWeb® (note the trademark), which entitles them to full coverage for certain types of unauthorized transactions but does "NOT cover losses arising directly or indirectly from the voluntary surrender of your password or Personal Identification Number (PIN)."

This would be fair enough, if only the language about what is and is not covered weren't so convoluted. What constitutes "voluntary surrender," for instance? And could someone please explain this sentence to me? "If you learn that your Password or PIN is lost or stolen and don't contact us within two business days, you could be responsible for up to $500 worth of unauthorized online transactions that occur beginning on the third business day and the time you actually notify us (if the transactions could have been prevented by your notifying us.)"

I also find it somewhat disconcerting that merely by having a Citibank account, which I do, all of this language seems to apply to me, even though I've never set up online banking.

The only mention of extra authentication I found was that, for "extra security," I could choose to be prompted for my ATM PIN whenever I logged on. That seems to me to make an ATM card less secure, not to make online banking more secure. In all, it's a disappointment, given that Citibank's brilliant ID theft ad campaign gave it such a head start in inspiring customer confidence.

Bank of America

Of the big three, Bank of America seems to have the most going on, security-wise. It's gotten a fair amount of attention for SiteKey, which is sort of a two-factor alternative. If Bank of America recognizes an online banking customer's computer, it displays a picture that helps the customer know he or she is at the right spot, not a spoofed site. If Bank of America doesn't recognize the computer (based on things like IP address), it asks an extra security question. SiteKey was announced a year ago, and the bank is still in the process of rolling it out. The site does a good job of describing how the technology works, although on my computer, an explanatory video wouldn't play through Firefox, only Internet Explorer.
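As an added illustration, and not Bank of America's code (the column describes SiteKey's behaviour, not its internals), the Python below models the flow just described: a device cookie stands in for the bank's computer-recognition signals, which the column says include things like IP address; an unrecognized device gets the extra security question; and the picture and phrase are only revealed once the device is recognized or the question is answered, after which the ordinary password check happens. The username, password, picture, phrase, question and answer are all constructed for the example.

```python
import hashlib
import hmac
import secrets

GENERIC_QUESTION = "What is the name of the street you grew up on?"


def _slow_hash(value: str, salt: bytes) -> bytes:
    """PBKDF2 for the password and the challenge answer alike, so a stolen
    user table contains neither in the clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def _normalize(answer: str) -> str:
    """Challenge answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.split()).lower()


class SiteKeyServer:
    """Bank side of a SiteKey-style login. Step one identifies the device and,
    only if it is recognized (or the user passes the challenge), reveals the
    enrolled picture and phrase. Step two is the ordinary password check, which
    the user should reach only after confirming the picture is the right one."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def enroll(self, user, password, image, phrase, question, answer) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt,
            "password": _slow_hash(password, salt),
            "image": image,
            "phrase": phrase,
            "question": question,
            "answer": _slow_hash(_normalize(answer), salt),
            "devices": set(),   # SHA-256 of every device cookie issued to this user
        }

    def start_login(self, user: str, device_cookie=None) -> dict:
        rec = self.users.get(user)
        if (rec is not None and device_cookie is not None
                and hashlib.sha256(device_cookie.encode()).digest() in rec["devices"]):
            return {"status": "recognized", "image": rec["image"], "phrase": rec["phrase"]}
        # Unknown device or unknown user: ask a question either way, so the
        # first response does not tell a prober which usernames exist.
        question = rec["question"] if rec is not None else GENERIC_QUESTION
        return {"status": "challenge", "question": question}

    def answer_challenge(self, user: str, answer: str) -> dict:
        rec = self.users.get(user)
        if rec is None:
            return {"status": "denied"}
        if not hmac.compare_digest(_slow_hash(_normalize(answer), rec["salt"]), rec["answer"]):
            return {"status": "denied"}
        cookie = secrets.token_urlsafe(32)          # fresh device-recognition cookie
        rec["devices"].add(hashlib.sha256(cookie.encode()).digest())
        return {"status": "recognized", "image": rec["image"],
                "phrase": rec["phrase"], "set_cookie": cookie}

    def finish_login(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(_slow_hash(password, rec["salt"]), rec["password"])


def walkthrough() -> list[str]:
    """Constructed scenario: first login from a new computer, a return visit
    with the cookie, a request with a bogus cookie, and a wrong answer."""
    bank = SiteKeyServer()
    bank.enroll("alice", "correct horse", "lighthouse.jpg", "sunny harbour",
                "What was your first pet's name?", "Rex")
    trail = []
    step = bank.start_login("alice")                            # new computer
    trail.append(step["status"])                                # challenge
    step = bank.answer_challenge("alice", "  rex ")             # sloppy spacing still matches
    trail.append(step["status"])                                # recognized
    cookie = step["set_cookie"]
    trail.append(bank.start_login("alice", cookie)["status"])          # recognized
    trail.append(bank.start_login("alice", "not-a-cookie")["status"])  # challenge
    trail.append(bank.answer_challenge("alice", "Fido")["status"])     # denied
    trail.append(str(bank.finish_login("alice", "correct horse")))     # True
    return trail


if __name__ == "__main__":
    print(walkthrough())
```

Two things the model makes visible. The picture is a secret the bank shares with the customer, and it is gated on something only the customer's own computer or memory holds, which is what lets it signal "you are at the right site". And the whole scheme still ends in a password: it is a mutual-recognition step bolted onto single-factor login, which is why the column calls it "sort of a two-factor alternative" rather than two-factor authentication.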

Bank of America presents its $0 liability guarantee as an agreement, in which the bank will cover losses as long as customers keep their end of the bargain, namely, by reviewing their account statements regularly, protecting their online ID and pass code, and not leaving the computer unattended during an online banking session. While the liability protections are probably the same as at other banks, it's a friendlier and more straightforward way of presenting things. The consumer does and should have those responsibilities.

The website also has a lot of information about steps consumers can take to protect themselves from identity theft, including the use of antivirus software and personal firewalls. Bank of America also has partnered with EarthLink to provide a free toolbar that helps consumers identify phishing websites. While I got the feeling that Citibank's marketing people like to hang out with attorneys, the marketing folks at Bank of America may actually be on good terms with the security team. In my book, that can't be a bad thing.

Chase

Bank number three also presents its liability policy as a short and sweet guarantee: Chase will cover "100% of any unauthorized online use of your consumer deposit account if you tell us within two days of your discovery of the usage." The but: "Chase cannot cover the below items under the 100% guarantee, because they are beyond our control: Failing to completely exit the service when you're done with your session or away from your computer; Your negligent handling of your User ID and Password." Again, this is a fair policy, presented in a straightforward manner.

Otherwise, however, the information I found about security at Chase's website was thin at best. The Security Center was so difficult to navigate that I gave up. It made much of the fact that Chase uses "Secure Socket Layer (SSL) technology to encrypt your personal information," while revealing little else, even the standard kind of language about the fact that most online banking sites log out users after a certain period of inactivity. The site also attempted to make a distinction between when e-mail to Chase is or is not encrypted, and when you would or wouldn't send Social Security numbers or account numbers via e-mail. I'd much rather hear that the bank is simply not going to ask for my Social Security number through e-mail, period.

Overall, I felt like I was being lectured by the kind of person who uses a lot of inscrutable words to intimidate others into thinking that they must be smart. Despite this, however, I couldn't find anything about strong authentication. I imagine Chase is doing a lot more than it lets on; it's just too bad it couldn't find a way to let customers know.

Still Waiting

I'd like to say that a search deeper into the Fortune 100 yielded more promising results, but it didn't. Neither Wells Fargo nor Wachovia, the fourth and fifth largest banks in the country, mentioned strong authentication on their websites, at least that I could find. It was just more of the same, with Wells Fargo even boasting that it "now allows you to select your own, personal username to sign on, instead of your Social Security number."

The fact is, there is, or could be, a compelling case that online banking is more secure than the old-fashioned kind. Keeping things like monthly statements out of snail mail has its advantages. E-mail alerts can help people spot problems with fraud early on. And having customers engaged with online banking sites creates brand affinity that the banks could profit from.

Unfortunately, at this point, it looks like banks are still focusing on convenience and free offers, not on making customers more confident that their accounts won't be misused. The supposed liability protections for fraudulent transactions seem to have been created not to increase customer protection, but to explicitly state that the financial burden for being duped by a phishing scam falls on the customer. Meanwhile, regardless of the looming FFIEC deadline, none of the banks I studied is offering true two-factor authentication to the masses.

It all adds up to a missed opportunity for banks. Sure, strengthening authentication costs money, but banks stand to make money by attracting new customers and increasing efficiency. Freed attributes the lack of progress to a follow-not-lead mentality on the part of the banking industry. Unfortunately, he says, right now, banks are following the wrong types of companies.

"I think they look very hard at the online retail industry to see what's going on there, but it's a very different transaction when you're dealing with your credit card than when you're talking about savings accounts, checking accounts and brokerage accounts. One bank is going to have to step out and take the lead, and it will probably be a smaller bank." So I guess we're still waiting. Honey, if you're reading, can you please pick up more stamps? I need to mail some bills.

Copyright © 2006 IDG Communications, Inc.