Saturday, October 17, 2009

Online Banking Requires Separate PC! (or a HomeATM)

Earlier, the American Bankers Association stated in a press release that a new ABA survey shows that "Consumers Prefer Online Banking."

But before the online banking community starts popping their champagne (online banking is more profitable), I thought now might be an opportune time to segue to the results of another study, conducted by ACI Worldwide:

49% of Consumers Worldwide Would Switch Banks if Victim of Card Fraud

"49% of consumers across eight countries would consider switching or definitely switch banks if they (or someone they knew) was hit by card fraud."

49 PERCENT! That's an extremely high number...yes? And it wouldn't even have to happen to them. Just to somebody they "knew of."

I'd surmise that banks might want to consider doing something to decrease the likelihood of that happening, such as eliminating the username/password and implementing a stronger authentication procedure. I have an idea. Maybe they could choose one that both they AND consumers ALREADY trust...one already required to dispense cash out of ATMs. They could protect their customers (and thus retain them) by telling them to 1. "swipe their bank issued card" and 2. "enter their bank issued PIN" 3. with their brand new "bank issued HomeATM."

Otherwise banks risk losing an awfully high percentage of customers. For example, Clampi (malware) steals bank details when people log into online banking sites and transfers money out of their accounts.

HomeATM's device can prevent online banking customers from being caught out by the Clampi Trojan horse. When you don't type in your bank details, you put the clamp on the threat. Otherwise... "The best strategy to defend against Clampi is to use separate machines for Web surfing and funds transfer" - Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks. "Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them." Editor's Advice: Our device is obviously a helluva lot cheaper than buying another PC for online banking... :-)

Of course, an online banking institution which provided stronger authentication would probably be much more likely to enjoy a higher number of customer acquisitions. (Would you agree that if a customer leaves Bank A because of poor authentication, it only makes sense that they would go to Bank B where the security is stronger?)

In the midst of a bad economy, I would think that "customer retention" and "customer acquisition" might be two factors deemed imperatively important. As it so happens, this provides another perfect segue, this one a September 21st study by eMarketer.

Customer Acquisition and Retention Top Priorities

Marketers' top priorities for 2010 will be customer acquisition and retention, followed by thought leadership, according to a survey by virtual events provider Unisfair.

Six in 10 marketers polled said Acquiring (A) new customers would be critical in 2010, while 48% would focus on Retaining (R) current customers, a particularly important effort in the recession. (Editor's Note: Let's do the math: 60% say Acquiring new customers and 48% say Retaining current customers is critical. Total R&A: 108%! So I would think banks would want to give 110% of their marketing efforts when it comes to putting together an R&A plan.)

So, let's review: Online banking is now preferred by consumers according to the ABA, but according to ACI Worldwide, 49% would blow that pop-stand if they or someone they knew were victims of fraud, yet according to eMarketer, 2010 is the year to focus on customer "R&A."

Now, for fun...let's see if we can combine all three of these variables and connect the dots to create a marketing plan for these banks. But first...there is one more important element in this equation.

Court Allows Suit Against Bank Based on Poor Online Banking Log-In

The plaintiffs claim that by only requiring user names and passwords to authenticate customers at log-in, Citizens failed to maintain state-of-the-art security standards.

"At the beginning of this month, a US District Judge refused to grant summary judgement in favour of the financial institution, clearing the way for the court case to take place, stating in her judgement:

"In light of Citizens' apparent delay in complying with FFIEC Security Standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."

An FFIEC report entitled Authentication in an Internet Banking Environment, dated 2005, states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

Okay, I connected all the dots and here's what I came up with...

The current system benefits ONLY the bad guys.

It's time for banks to ditch the obviously obsolete username/password/20-questions game...and time to start "genuinely" authenticating online banking sessions...by requiring users to swipe their card and enter their PIN. Identical to the way their customers access their cash at an ATM.

Banks cannot continue on their current path. Asking questions such as:

What's your mother's maiden name...
What's the make of your first car...
What town were you born in...
What is the First Letter of the Middle Initial of your Second dog...

All that kinda stuff is not secure...it is fluff! The answers to those questions are either accessible at social networking sites or available by simple keylogging schemes, and it puts both banks and their customers at risk for fraud, identity theft and...now...lawsuits.

Converting customers to Swiping vs. Typing, that's genuine authentication. That's the name of the game.

Especially considering 3DES DUKPT E2EE (see related articles below for an explanation of what that is) PCI 2.x Certified encryption of the cardholder data.

Financial institutions would enhance their image by providing their customers with an encryption-enabled online banking log-in, thus retaining the ones they have and acquiring the ones their competitors lose because they didn't switch to swiping over typing.

It's not a coincidence that Barclays bank was recently rated #1 for providing the most secure online banking application in the U.K. Why? Because they require their online banking customers to use their PINsentry device for two-factor authentication.
See: Online Banking Insecure...Only 1 Bank Rated Excellent

"Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session."

HomeATM is far more useful than the PINsentry device. It not only provides two-factor authenticated log-in, but it does it without generating a one-time password (OTP), which has recently been exposed as hackable. Once the PINsentry device authenticates the user, its usefulness is done until the next time the user logs in...whereas with HomeATM's device, logging in is only the beginning of what it enables the consumer to do...including:

1. Person to Person Funds Transfer (sending and receiving)
2. Account to Account Funds Transfer (checking to savings/savings to checking, one bank to another bank)
3. Person to Business Funds Transfer
4. Online Bill Payments in "Real Time"
5. Secure Online Credit Card Transactions
6. Secure Online Debit Card Transactions

So should banks convert to HomeATM's 2FA 3DES E2EE PCI 2.x Certified Device? In a word...YES!

Oh, in closing, remember that the HomeATM would also eliminate phishing entirely (what would the bad guys phish phor? Nothing is entered/typed). It would also eliminate the threats posed by DNS Hijacking, Cloned Bank Websites and malware such as the dreaded Clampi. (What information would the malware derive if typing was eliminated and your credit/debit numbers were never stored anywhere on your PC?)