Alarmed

What Banks Tell Customers About Their Online Security

Six months after the FFIEC's rules for strong authentication took effect, we test what the country's three biggest banks tell their customers about online security. It's not very encouraging.

By Sarah D. Scalet

Page 2

We had a language barrier, he and I. The call-center rep, in India, was not a native English speaker. The call went poorly, and I have no way of knowing whether this was because of our communications barrier or simply because Citibank hadn't instructed him how to answer questions about security. I repeated my question a couple times, and he finally said, "Let me look into that, ma'am." I waited on hold more than a minute, and when he came back, he told me I could go online and read all about online banking. "All the information is there, ma'am," he said politely.

I kept prodding. I asked if Citibank offered tokens or did device recognition of some sort, and he told me I could log on with a user name and password.

"At any computer where I punch in my user name and password, Ill have full access to my account?" I asked.

"Yes, ma'am, anyplace you have Internet access," he answered. He finally did say that in certain situations I would be asked extra security questions, but he wouldn't or couldn't explain when that happened or why. I asked if it was unusual for him to field calls about security, and he said yes. I finally ended the call in frustration.

pagebreak >

Chase

Next I called Chase. This time I got a woman in Michigan, who at least didn't try to shunt me off onto the Internetwell, at least right away. But she seemed to interpret my every question about security as one about how, precisely, I could sign up for online banking. In fact, the first thing she did was congratulate me on being interested in the service.

When I asked how I could be assured that my transactions would be secure and private, she said that when I signed up, I would select a user name and password. "Once you're enrolled, as long as you're not giving out your user ID and password, you should be safe," she said. At least she said should and not will.

Then I asked if Chase would do any authentication beyond user name and password, like identifying my computer or giving me a one-time password device. She seemed to think that I was worried about the log-on process being burdensome or confusingand proceeded to make the process even more burdensome and confusing, with a convoluted answer about speeding up the telephone verification process. At one point, she had me so utterly baffled that she asked, "Are you O.K.?"

online banking security

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors