http://www.zdnet.com.au/news/security/soa/Customers-vote-with-feet-over-security-survey/0,130061744,339281185,00.htm
By Brett Winterford
ZDNet Australia
15 August 2007
Users of online banking services are willing to change banks if
competitors offer better security options, according to a new
Datamonitor survey.
The survey, conducted across several Asia-Pacific markets by analyst
group Datamonitor and commissioned by security vendor RSA, found that
some 90 percent of Australian online banking users desire a stronger
authentication system to protect their transactions.
Between 70 and 80 percent of online banking users in the wider
Asia-Pacific region who were after stronger security options said they
would migrate to a new bank in order to get it.
The research paper concludes that there is a "direct link between the
level of trust customers have in their bank, the loyalty to the bank,
and the use of the bank's online services".
Even among those respondents who said they had high trust in their bank,
over half (57 percent) said they would stop using that institution in
the event of a single privacy breach.
Few Australian banks provide additional levels of protection to their
customers, said Geoff Noble, head of banking and finance at security
vendor RSA.
Most initiatives around providing multi-factor authentication in
Australia to date have been focused on the corporate sector. Only
Suncorp, Bendigo Bank and Bankwest, and to a lesser degree the CBA have
offered similar services to consumers, Noble said.
Suncorp, for example, offers its customers the option of buying
hardware-based tokens for AU$20.
"This research says strongly -- any message around security is good
marketing for the bank," said Noble. "The messages from banks so far
haven't been that overt -- you won't see them on blimps or on the back
of buses."
Noble said we should expect to see more financial institutions use their
investments in additional security measures as a means of
differentiating their online banking services from their competitors.
"The vast majority of the banks can't make a business case for
additional security measures around fraud losses alone," he said. "They
might need to supplement that investment with marketing around the
security of their services."
Noble said that the ANZ's television campaigns based around its
trademarked "Falcon" credit card transaction monitoring services are a
great example of a bank "using a security message as a marketing lead".
"The banking community was once averse to mentioning security, as it was
always assumed that they were secure in the first place," Noble said.
"They have had to re-evaluate."
Multi-factor options
Noble said there are several options available to banks to increase the
security of online banking.
One is One-Time-Password technology -- an ever-refreshing password
delivered to users via either a hardware token or SMS notification. It
not only secures the transaction, but gives the user one less password
to remember.
"Most businesses have moved that way in terms of their corporate
customers," Noble said.
The Datamonitor survey, however, found that many customers are reluctant
to carry a bulky token, for fear of losing or misplacing it.
Another option is to provide authentication not just at the point of
log-in but also at the point of transaction.
Rich Mogull, research vice president for analyst group Gartner's
security and risk advisory, describes this solution as an easy and
essential method for banks to prevent such online fraud as "backdoor
Trojans" or "man in the browser" attacks.
This occurs when a user logs in to online banking to make a transaction
while an attacker has remote access to their computer. While the session
is open, the attacker can make their own transactions using the user's
account, transparent to the user -- as only the log-in page was
encrypted.
"What if for transactions over a certain dollar volume, there was a
mechanism that closed that transaction -- like, I get a phone call if
it's over AU$10,000?" Mogull suggests. "Or I get an e-mail listing all
the transactions that I just performed? It is easy for the bank to do
that."
"You have to authenticate the transaction, not just the session," Mogull
said. "That alone would significantly reduce certain kinds of online
banking fraud. Yet many of the banks haven't invested in that."
Noble said that some banks are nervous about the instant gratification
expected by their consumer customers.
"[Transaction authentication] is absolutely a good idea, but the keying
in of an extra password is seen by some banks as enough to turn
customers away."
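
An added example, not part of the original article or any bank's code: one way to authenticate the transaction rather than only the session, as described above. The Bank class, the shared key and the token-computed code are assumptions made for illustration; the AU$10,000 threshold is the figure from the article.

```python
import hashlib
import hmac
import json
import secrets
from decimal import Decimal

STEP_UP_THRESHOLD = Decimal("10000")  # AU$10,000, the figure in Mogull's example

def transaction_code(key: bytes, payee: str, amount: Decimal, nonce: str) -> str:
    """Six-digit code bound to payee, amount and a single-use nonce."""
    message = json.dumps([payee, f"{amount:.2f}", nonce]).encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class Bank:
    """Hypothetical server side: a logged-in session alone never moves large sums."""
    def __init__(self, key: bytes):
        self.key = key              # secret shared with the customer's token (assumed)
        self.open_nonces = set()    # challenges issued and not yet used

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.open_nonces.add(nonce)
        return nonce

    def authorise(self, payee, amount, nonce=None, code=None) -> bool:
        if amount <= STEP_UP_THRESHOLD:
            return True             # at or below the threshold the session is enough
        if code is None or nonce not in self.open_nonces:
            return False            # no code, or an unknown or already used challenge
        expected = transaction_code(self.key, payee, amount, nonce)
        if not hmac.compare_digest(expected, code):
            return False            # code was computed for a different transfer
        self.open_nonces.discard(nonce)   # single use: blocks replay
        return True

def demo() -> dict:
    key = b"constructed-demo-key"   # constructed sample value
    bank, amount = Bank(key), Decimal("12000")
    nonce = bank.challenge()
    # The customer's token computes the code over what the customer typed in.
    code = transaction_code(key, "CUSTOMER-PAYEE", amount, nonce)
    return {
        "session_only": bank.authorise("ATTACKER-PAYEE", amount),
        "payee_swapped": bank.authorise("ATTACKER-PAYEE", amount, nonce, code),
        "genuine": bank.authorise("CUSTOMER-PAYEE", amount, nonce, code),
        "replayed": bank.authorise("CUSTOMER-PAYEE", amount, nonce, code),
        "small_transfer": bank.authorise("ANY-PAYEE", Decimal("50")),
    }
```

A production system would also limit failed attempts per challenge, since a six-digit code can otherwise be guessed.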
Received on Wed Aug 15 01:10:33 2007