Observations on the differences between US and European banks

I may be living in Europe now, but I still keep a practiced eye on the news coming out of the States. Last fall, between Britney’s divorce and the midterm elections, I couldn’t help but notice a little newsbyte that several American online trading companies had been hacked. Yikes! Luckily, when I logged on to my accounts held with U.S. financial institutions, I found that my balances had not mysteriously vanished down a cyberdrain, but the episode did give me pause.

The fact is, I’ve found stark differences in the practices at my American and European banks, and all evidence points to Europe being much more security-conscious.

I first noticed this with the different password requirements by American and British subsidiaries of the same bank. When I lived in the United States, this bank--which shall remain unnamed--allowed me to establish any eight-character password for online banking. If I wanted, I could use my cat’s nickname as my password. However, when I later did business with the bank’s subsidiary in the United Kingdom, the password was chosen for me and sent to my home address. This password was also eight characters long, but it was an incomprehensible amalgam of special characters, numbers and letters in both upper- and lowercase. The result, of course, is that I knew I would never remember it.

I tore out the password and tucked it inside my wallet. Yes, Mother, I know I’m not supposed to do that. But let’s be honest. If given the choice between doing this and forgetting the difficult password, calling the help desk, being put on hold for 30 minutes, and then requesting a new password only to be told that you’ll receive it in five working days, which would you choose? Besides, isn’t a strong password tucked in my wallet better than the password “kitty”?

Anyway, I happened to be friends with the global head of information security at this bank, so I rang him up to ask about the difference.

He explained that the bank’s American and British subsidiaries are run under the philosophy of “each tub on its own bottom.” They made and implemented their own security models for online banking based upon the “cultural and regulatory differences” in the regions. It seems the American subsidiary is more attuned to customer friendliness, while the U.K. subsidiary is more attuned to security.

Another big difference is in the use of stored-value cards. Here, I bank with an internationally known Dutch bank. When I first set up my account, I was given a smart card that functions the same as a debit card in the States but with added functionality: A chip on the smart card can be used to store electronic money. The idea is that you can transfer funds from your checking account to the chip, then use that money for small transactions such as paying for parking, purchasing train tickets and making incidental purchases at stores. The advantage from a security standpoint is that the parking meter, ticket machine or what have you doesn’t have to authenticate you back to the bank; it’s enough that you’re holding the card. The disadvantage is that if you lose the card, you also lose the stored money--but I solve that by not keeping more than 20 euros on the card.

As an added benefit, the smart card provides greater security for online banking. When I got the smart card, the bank also issued me a portable smart-card reader. Here’s how it works: When I log on, I enter the smart-card number into the bank’s website and am prompted to insert my card and type my PIN into the reader. The webpage provides me with a number that I input into the reader. The smart-card reader comes back with another number, which I then type into the webpage to be authenticated. It sounds complicated, but the entire process takes less than 30 seconds. The only drawback is that I need to be in possession of the smart-card reader (and the smart card) in order to perform online banking.

But then, so would a crook.

So why don’t American banks do this? It all boils down to economics, really. Smart cards are widely employed throughout Europe and thus the infrastructure for them already exists. Americans, by contrast, still rely primarily on magnetic stripe cards, and the infrastructure is geared toward this technology. Smart cards would be much more expensive to deploy than a magnetic stripe card. Once again, Americans tend to view any losses due to security as simply the price of doing business.

Paul Raines is CISO of a nonprofit group in The Hague, Netherlands.
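
The smart-card reader login described above, sketched as an added example; it is not the bank's implementation and not part of the original column. The column does not say how the reader computes its number, so the HMAC-SHA256 construction, the 8-digit codes, and the names `Reader`, `Bank` and `_code` are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed length of the numbers the user types back and forth

def _code(card_key: bytes, challenge: str) -> str:
    """Derive a short decimal response from the card key and the challenge."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Reader:
    """Hypothetical handheld reader with the smart card inserted."""
    def __init__(self, card_key: bytes, pin: str):
        self._key, self._pin = card_key, pin

    def respond(self, pin: str, challenge: str):
        # The PIN is checked locally; without it the card key is never used.
        if not hmac.compare_digest(pin, self._pin):
            return None
        return _code(self._key, challenge)

class Bank:
    """Hypothetical bank side: holds each card's key and open challenges."""
    def __init__(self, card_keys: dict):
        self._keys = card_keys
        self._pending = {}

    def start_login(self, card_no: str) -> str:
        # Fresh random number shown on the webpage for this login attempt.
        challenge = str(secrets.randbelow(10**DIGITS)).zfill(DIGITS)
        self._pending[card_no] = challenge
        return challenge

    def finish_login(self, card_no: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed against a later login.
        challenge = self._pending.pop(card_no, None)
        if challenge is None or card_no not in self._keys:
            return False
        expected = _code(self._keys[card_no], challenge)
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed sample card key
    bank = Bank({"1234567890": key})     # constructed sample card number
    reader = Reader(key, pin="4821")     # constructed sample PIN
    challenge = bank.start_login("1234567890")
    good = reader.respond("4821", challenge)
    return {"wrong_pin": reader.respond("0000", challenge),
            "login": bank.finish_login("1234567890", good),
            "replay": bank.finish_login("1234567890", good)}
```
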