Alarmed

What Banks Tell Customers About Their Online Security

Six months after the FFIEC's rules for strong authentication took effect, we test what the country's three biggest banks tell their customers about online security. It's not very encouraging.

By Sarah D. Scalet

One thing I did manage to glean (I think) is that there would be some kind of activation code involved if I tried to log on at a library or a friend's house. Her explanation: "It's called an activation code because it's like a reset," she said. "That is for security purposes." She said this code could be sent by e-mail or text message, or that I could call in to get it. But she wouldn't or couldn't explain its purpose.

It wasn't until 10 minutes into the call that she mentioned that I might have to answer extra security questions on occasion, and again, she couldn't or didn't explain what these questions were for, or even reassure me that the measures were there to protect me. When I asked what would happen if someone else transferred money out of my account, she said, "That's not going to happen, ma'am, unless you give that information out to somebody." Then she warned me to be careful about giving out my information (to merchants, of all places).

Credit her with being a diligent salesperson, though. Throughout the process, she kept trying to get me to establish an online account, right then and there, so that the first time I went onto Chase.com, all I'd need would be that precious user name and password.

Bank of America

My call with Bank of America also got off to a rocky start. I wanted to record all three phone calls. (Why not? The banks do it for "quality assurance purposes".) Both the Citibank and Chase representatives agreed to this without hesitation. The Bank of America rep, however, put me on hold for more than seven minutes, before coming back and saying I couldn't record the call: something something the bank only records calls for training purposes something something. Oh well. It didn't seem worth arguing.

Things got better after that. When I asked how I could be assured that my online transactions would be private and secure, the call center rep seemed to understand exactly what I was asking. First, she said that I should look for the lock at the bottom of my browser window, indicating a secure site, and noted that the encryption that Bank of America uses is "one of the highest." (Neither of these is a perfect indicator of security, of course, but it's a logical place to start the conversation.) Then, she told me that, usually, the only time my account wouldn't be secure is if I gave out my user name and password, or "answered a spam e-mail" where I clicked a link and entered my user name and password. This made her the only rep to actually warn about phishing attacks; she gets extra points for not using the silly term phishing.
