Join the Community

20,823

Expert opinions

43,682

Total members

385

New members (last 30 days)

165

New opinions (last 30 days)

28,189

Total comments

Join Sign in

Online banking security: an opportunity to stand out

30 September 2009 1 comment

Retired member

Some of Britain’s biggest banks appear to be leaving their customers’ online accounts vulnerable to fraud because of poor security, according to Which? Computing.

Research conducted by the consumer watchdog compares log-in procedures, visible security measures and money transfer procedures of banks including Abbey, First Direct, Halifax, HSBC, Barlclays, LloydsTSB, Alliance & Leicester, RBS and Natwest and gives some interesting results.

In terms of log-in procedures, Abbey and Halifax were both criticised for requiring 3 pieces of information to be entered in full at log-in, making the information vulnerable to a simple keylogger. Barclays on the other hand, were highlighted as an example of best practise for asking users to verify themselves using a card reader when logging in.

With flaws having been apparent at each stage of the research, Abbey and Halifax were judged as having "poor" consumer-facing security. Only Barclays was praised for its "excellent" measures, while First Direct, Lloyds TSB, Nationwide, NatWest and RBS all graded as "good" and HSBC and Alliance & Leicester described as "average".

This research really highlights the very real differences that exist between the security levels used by online banking providers and it is clear that some banks still have a lot of work to do in this area.

It is worth noting however, that compared to other forms of online money transaction, the progress made in online banking over recent years has been significant. The introduction of two-factor authentication has been a particularly effective measure and when Barclays rolled out this system last year, customers using it for online banking experienced no fraud whatsoever. This is reflected in the findings given here, with Barclays being praised for "excellent" measures.

In response to the research, a Halifax spokesman told Sky News that the vast majority of its online security is not visible to customers and that this is to make it as easy as possible to use its site. However, two-factor authentication, a procedure whereby customers must pass a second layer of identity verification by, for example, using a card reader, prevents keyloggers from phishing for details online. More than that, as a customer facing measure, users can see the security in place and thus have real confidence in their online account.

It is interesting to note that all three of the UK banks (Barclays, Nationwide and RBS/NatWest) who have introduced CAP 2-factor card reader authentication were rated as excellent or good. With consumer awareness of the importance of security growing and customer loyalty decreasing, introducing CAP card readers for logon and to verify transactions looks like an obvious way to improve visible security as part of a bank’s customer attraction and retention strategy.

This content has been created by the Finextra editorial team with inputs from subject matter experts at the funding sponsor.

5142

Report

Channels

/security

Comments: (4)

A Finextra member

30 September 2009

Steve I do agree there's an opportunity (a very big one) but I don't believe that anything you mentioned really achieves the objective.

In fact nothing out there that you may have seen yet does provide any real protection for customers. They are, as are the banks, literally behind the 8-ball in the security stakes.

See finextra

Report

Bo Harald Chairman/Founding member, board member at Transmeri, Demos, Real Time Economy Program,MyData

01 October 2009

Agree that 2-factor is a must - should have been from the beginning. Our launch in -82 at Union Bank of Finland (now Nordea Bank) was with 7-9 digit customer number and one-time code based on printed list mailed to customers. In late 80s the necessary promptdriven confirmation code at log-out after payment or trading was added. No security problems experienced.

Various card readers, calculators and mobile phone solutions for producing the one-time-code have been considered by banks in Finland - but so far the very marginal improvements have not been deemed sufficient in relation to the cost and inconvenience incurred. Phishing is not an issue any more as media made such a fuss about a very limited case that customers learned not to send OTCs in e-mail to anybody. Sometimes media can after all do good - even if it was not their intention.

Report

A Finextra member

02 October 2009

Steve, there are a growing number of financial institutions deploying solutions to protect the customer transaction such as Trusteer and TrustDefender in various parts of the globe. Each with a little difference on protecting the customer transaction. These solutions are designed to secure the customers computer before the customer begins typing in their ID, Password or OTP and importantly focus on always allowing the customer to log in securely regardless of the potential threat.

The real challenge is for security solutions to be added, not just authentication deployed at the customer desktop but to be able to alert a financial institution in real-time the security health of the customer computer before the customer begins typing their ID and passwords while ensuring the transaction is secure for the period. Further, if the financial institutions must be able to apply policies and rules based on the potential security threat, thus protecting the customer’s confidential details. In return the customer is informed their computer is safe or can simply click to fix but can always login securely.

However the real challenge is that we need to see visible security combining authentication, while integrating the customer with their financial institution to ensure we have strong countermeasures against the growing sophistication of today and future malware.

The financial institution marketing departments should also not be afraid to make their customers aware there is a potential threat if one is detected as consumers are only human and as most customers are not security experts they should be informed. This is if we are going to fix this problem. We all have a built in mechanism to protect ourselves from threats meaning the consumer will fix the problem if alerted. If not immediately, then on the second or third login. The outcome is the customer can see their financial institution is actively helping them protect themselves and thus the customer will gain a greater trust in their financial institution, online transactions and will be improving their online security practices.

It is about a mindset change to online banking and trading practices.

Report

A Finextra member

05 October 2009

The key here is that CAP or other two-factor approaches are about security, but are also about *visible* security. This is perhaps one reason why banks using CAP were rated highly in the recent Which? report. And there is an impact on fraud, as referenced in the original blog post concerning Barclays roll-out. As Bo Harald says, there are also alternative two-factor approaches to CAP, including arguably more convenient mobile phone based tokens, which have now been rolled out for real by some leading banks.

Two-factor is not the only security that should be deployed, but it is a measure that in a world where customers want to see that the bank they choose is secure, banks can clearly demonstrate to them that they are actively protecting their accounts.

Report