Concern over identity theft and the safety of personal information is on the rise. A recent high-profile spate of online banking scams in Australia, followed by similar e-mail hoaxes at Wachovia and Bank of America, has done little to calm consumer fears about the security of Internet banking.
Apprehension surrounding Internet security is still the number-one roadblock to mass consumer adoption of online banking in the US. Although publicized breaches of online banking security are few and far between, any publicity serves to erode consumer confidence even further. While few banks will publicly disclose information or statistics regarding online banking security breaches, the banking industry must confront consumers' e-security concerns head-on if consumers are to continue their mass adoption of Internet banking.
During 2002, the Internet Fraud Complaint Center (IFCC) referred 48,252 complaints of fraud to law enforcement agencies on behalf of the filing individuals. This represents nearly a threefold increase over the 16,775 complaints referred in 2001. While online banking fraud is not directly tracked by the IFCC, the growth in Internet fraud certainly increases consumers' trepidation about conducting financial transactions via the Internet.
TowerGroup's primary market research has confirmed that a persistent inhibitor of consumer adoption of online banking is concern about security. Among consumers who have Internet access, the top three reasons for not using online banking revolve around security and a general lack of comfort with banking online.
TowerGroup research also indicates that 85 percent of all active Internet banking customers (defined as those who used Internet banking within one month of the survey) also used a branch in that same timeframe (compared to 92 percent of all customers). These statistics indicate an enduring bond and sense of security between consumers and physical branches/human contact. Breaking through these entrenched behaviors will be a formidable task for banks, especially in light of recently publicized security breaches.
The infamous bank robber Willie Sutton once explained that he robbed banks because "that's where the money is." Precisely for this reason, financial institutions will always be primary targets for thieves, be they cyber-robbers or branch note-passers. As such, financial institutions have generally been well ahead of other industries in understanding, developing, and implementing IT security enhancements to meet the growing threat of Internet security breaches.
There are several aspects to Internet security that are of concern to financial institutions. Protection against hackers, viruses, and network sabotage is accomplished through various means, including firewalls, intrusion detection systems, traffic analyzers and patch management programs. However, these types of fraudulent activity are generally not what concerns the average customer, as the fraud exists whether or not the customer banks online. Just as customers are not very concerned with bank branch robberies, they are not very concerned with cyber-robberies. Consumers view such crimes as attacks against the institution that do not directly affect their assets in the bank.
A banking customer's primary concern with Internet security is identity fraud. That is, the consumer believes that signing up for online banking may enable someone to gain access to his or her user name and password, and thereby gain access to the account, either by intercepting information during an online banking session or by simply hacking the username and password. Consumers believe that without an online account setup, they are not vulnerable to this type of fraud. They are unaware that thieves can use stolen identification information to establish an online banking account in their names.
One of the most recent online banking scams involved three Australian banks (Westpac, Commonwealth, and ANZ) over a period of four weeks between March and April of this year. The nature of the fraudulent activity was identical in all three incidents. Bank customers received an e-mail with directions to click on an embedded URL to be forwarded to the bank's Web site for one reason or another. The URL actually linked to an imitation site that was set up to capture the customer's log-in information, purportedly to be used by the perpetrators to access the customer's online account. The three banks reported that no fraudulent activity resulted from any compromised user names and passwords.
These incidents prompted the Australian Bankers' Association (ABA) to launch several projects in an effort to combat identity fraud, including developing new industry standards for security and fraud protection, examining whether documents used to validate identity need any extra security measures, and creating an education package on fraud prevention for customers of financial institutions. This proactive, cooperative approach is the exact response required to deal with the threat of Internet fraud.
Other recent and well-publicized online fraud cases that have caught the public's attention include the following instances:
* A fictitious IRS document (a nonexistent "Form W-9095") was sent in April 2003, claiming to be from the customer's bank in an attempt to gather personal information, including place of birth, account numbers, work history, PINs and passwords.
* In an e-mail scam aimed at PayPal clients in March 2003, the recipients were directed to provide their PayPal account information and bank account numbers using a form in the body of the e-mail message. Similar e-mail scams occurred at Wachovia and Bank of America in May of this year.
Most online banking sites strive to educate consumers about the technologies in place to bolster security, such as 128-bit Secure Sockets Layer (SSL) encryption and firewalls. However, this education is generally too technical and does not get to the heart of the matter: "What does it mean to me, the customer?" Consumers must know what security is in place to protect them (not the bank's network) and what happens -- to them -- if something goes wrong.
While banks continue working behind the scenes to enhance their e-security infrastructure, they must also take a public stand to assure consumers that online banking is a safe and secure channel. Consumer ignorance of e-security will persist and retard adoption of online banking unless banks proactively educate consumers on the realities of Internet security and the institutions' defenses in place against fraudulent activity.
A TowerGroup review of the top-10 Internet banking sites indicates a dismal attempt at customer education on the salient points of Internet security, preventive measures against fraud and bank policies regarding security breaches.
Banks should prominently display the following information, both online and offline, to educate consumers and convey an image of a trusted, secure institution in the consumer's mind:
1. Security measures in place to protect customer information and how the measures work. An ongoing challenge for financial institutions is articulating the e-security measures in place at a level that can be easily understood by the average consumer while not oversimplifying the explanation. For example, how are messages that are transmitted via the Internet protected by 128-bit SSL encryption, and what is the likelihood of someone actually intercepting and deciphering a message? How does the bank protect its customers' information from third-party partners and potential hackers?
2. The steps customers must take to protect their personal information. Clearly an area of vulnerability, and one that is less under the banks' control, is what customers do to protect their own personal information and how they respond to online scams. Banks must continually remind their customers of their communication policies and how to determine if an e-mail from the bank is authentic. For example, will the bank ever ask the customer to reset passwords or log into their account via an e-mail? What authentication processes are in place, and do any public key infrastructure (PKI) options exist? What should customers do to protect themselves from keyboard sniffers, Trojan horses, viruses, etc.?
3. The bank's indemnification policy for any unauthorized activity. One glaring omission of most online banking providers is a clearly articulated indemnification policy for fraudulent online activities. Federal regulation indicates that consumers may be liable for up to $50 if they notify the bank of a stolen password within two business days and up to $500 thereafter (if any fraudulent transactions could have been prevented by earlier notification). However, most banks do not share this information with consumers. Fewer yet take the bold step of completely indemnifying consumers against fraudulent activity. If the bank will not stand behind its online banking service, why should consumers trust it?
The most notable indemnification policy is Bank of America's "$0 Liability" guarantee, which is prominently and unabashedly highlighted on the company's Web site. While Wells Fargo and Citibank also commendably offer a 100 percent coverage guarantee, it is not as prominently displayed on their Web sites. All institutions should take Bank of America's lead and stick a $0 Liability policy in their prospects' faces and proclaim, "Online banking is safe and secure and we'll stand behind it 100 percent!"
Financial services companies are at the forefront of industry in both understanding and implementing e-security technologies and procedures. Many consumers, however, are still hesitant about using online banking, mainly due to their lack of understanding of e-security technologies and their banks' policies surrounding online fraud. Banks must take on the responsibility of educating consumers on e-security matters and indemnifying consumers against e-security breaches. Banks that take these steps and then boldly market their positions will outpace their competitors and be at the forefront of the next wave of online banking adoption.
George Tubin is senior analyst, retail banking, at TowerGroup, a Needham, Mass.-based research and advisory firm, www.towergroup.com.