What Banks Tell Customers About Their Online Security

Six months after the FFIEC's rules for strong authentication took effect, we test what the country's three biggest banks tell their customers about online security. It's not very encouraging.

By Sarah D. Scalet

May 29, 2007 — CSO — By the end of 2006, U.S. banks were supposed to have implemented "strong authentication" for online bankingin other words, they needed to put something besides a user name and password in between any old Internet user and all the money in a customer's banking account.

The most obvious way to meet the guidance, issued by the U.S. Federal Financial Institutions Examination Council (FFIEC), would have been to issue one-time password devices or set up another form of two-factor authentication. But last summer, when I did a preliminary evaluation of security offerings at the country's largest banks, I was pretty unimpressed. (See Two-Factor Too Scarce at Consumer Banks.)

Since then, I've given up on getting a one-time-password device, and have accepted the fact that banks are instead moving toward what might diplomatically be called "creative" authentication. (See Strong Authentication: Success Factors.) Given that man-in-the-middle attacks can circumvent two-factor authentication, a combination of device authentication, additional security questions and extra fraud controls doesn't seem like a bad approach.

But, I wondered, almost six months past the FFIEC deadline, what are banks telling customers about online security? As the chief financial officer of Chateau Scaletand as a working mother about to have baby No. 2I wanted to know if any of them could offer me enough assurance that I would take the online banking plunge as a way to simplify my life. I decided it was time to update my research from last year.

I called the call centers at each of the top three banks, identified myself as a customer with a checking and savings account, and told them I was interested in online banking but concerned about security. The point, yes, was to see what type of security each bank had in place. More than that, however, I wanted to see how well each bank was able to communicate about security through its call center. After all, what good is good security if you can't explain it to your customers? Here's what I learned.

pagebreak >

Citibank

My first call was to Citibank. I started with my standard question: "How can I be assured that my online banking transactions are secure and private?" The call center rep said that Citibank uses 128-bit encryption, which "verifies that you have a maximum level of security." End of answer. Pause. I asked what kinds of protections Citibank had in place for making sure that it would really be me logging onto my account. "I'm sorry," he said, "but I dont understand your question."

We had a language barrier, he and I. The call-center rep, in India, was not a native English speaker. The call went poorly, and I have no way of knowing whether this was because of our communications barrier or simply because Citibank hadn't instructed him how to answer questions about security. I repeated my question a couple times, and he finally said, "Let me look into that, ma'am." I waited on hold more than a minute, and when he came back, he told me I could go online and read all about online banking. "All the information is there, ma'am," he said politely.

I kept prodding. I asked if Citibank offered tokens or did device recognition of some sort, and he told me I could log on with a user name and password.

"At any computer where I punch in my user name and password, Ill have full access to my account?" I asked.

"Yes, ma'am, anyplace you have Internet access," he answered. He finally did say that in certain situations I would be asked extra security questions, but he wouldn't or couldn't explain when that happened or why. I asked if it was unusual for him to field calls about security, and he said yes. I finally ended the call in frustration.

pagebreak >

Chase

• Print