Thursday, July 12, 2007

Online Financial Institutions & Security

Many of us, myself included, manage our financial lives online. I use Quicken as well as financial institutions' websites to conduct much of my financial affairs, from paying bills to managing our portfolio. An ever present trade-off in the world of online finance is the level of security provided to users vs. the hassle that is imposed on users to achieve that security.

Many financial institutions are now moving towards two factor identification of users. Previously, all you needed to log into your account was your trusty user name and password. These days many institutions require another element to ensure that you are who you say you are. Some financial outfits are able to provide this extra layer of security elegantly and gracefully, while others seem on a mission to make life as difficult as possible for their customers.

One institution that does a phenomenal job of increasing security without creating a hassle, is Bank of America. Bank of America uses what it calls a SiteKey to help you verify that the website you are visiting is indeed their corporate website. The idea is as simple as it is elegant. When you sign up for BoA's online account access, you are asked to select a personalized picture from a long list. When you get to the BoA log-in page you are asked to enter your user name. On the next page, there is a copy of the personalized picture you selected, as well as a place to enter your password. Since only BoA knows which picture you originally selected, if that picture is not displayed, you know that something fishy (or physhy... ) is going on. In addition, if you log into your bank account from your regular computer, you are only asked for your password. If you are using a computer that you did not previously designate as authorized, you are also asked a simple security question, to verify your identity.

In this way, security is improved dramatically without sacrificing ease of use. I don't say this often, but Bank of America deserves serious kudos for this approach.

On the flip side, there are those financial institutions that appear intent on annoying their customers. For example, I pulled the vast majority of our money from ING, because of their annoying security features. Log-in required me to provide my account number - a long list of digits - instead of an easy to memorize user name. In addition to my password, they also required me to enter a security code using an on-screen virtual key board. As if that was not enough, they kept shifting the location of letters on this keyboard, seemingly for the sole purpose of confusing me further. Why was all that necessary?

Ironically, I shifted our money from ING into HSBC, which adopted very similar and annoying security measures only a few months after I opened an account with them.

Interestingly most of our financial institutions have not changed their security and log-in procedures. Our credit card companies, online broker, 401k providers etc. all require a simple user name and password for log-in. Quite frankly, this simpler approach is perfectly fine with me. I feel just as secure with those basic measures as I do with those more elaborate and cumbersome ones.

Do you have similar examples? What's you opinion of the trend towards tighter and more cumbersome security measures?


beth said...

I'm not an expert, but the changing letters of the keyboard, if I understand correctly, is so there can be no spyware that tracks your keystrokes, thus finding your password.

I do wish I could use a username rather than my account number. I can't remember numbers. My math skills are pretty good, and I can estimate fairly well. I just can't remember a number. I have to write it down. (I also hate passwords that have rules. I have to write those down so I remember them. It was much more secure when they let me pick my own password, because I remembered it.)

Anonymous said...

Personally, I don't have a problem with ING. I don't find it troublesome at all, but that's just me I guess. It really troubles me that my account with Fidelity doesn't have more security with login though. I told the customer service there also that I would like the option of disabling online account transfers out of the account. I don't plan to take money out of my retirement account for years, so I'd prefer that they disable that ability from the account as a security measure. I don't care if someone is able to transfer money into the account, but I sure don't want anyone to be able to transfer money out of it online. It doesn't seem like they've listened to my suggestion though. Too bad.

SouthernBread said...

I work for a bank (in IT Security ironically). You are correct. The keyboard is looking for keyloggers, click-loggers. Some spyware can replicate log in and clicks.

The feature you are referring to with BoA is a nifty feature. If you notice, like the keyboard, your picture should be in a different location every time.

This is a new requirement of banks to provide some form of MFA (multifactor) so that someone giving their password to a pisher can't "give away the bank" so to speak.

Others have added "trust factors". They look at things such as your computer name, internet explorer version, ip address, geographic location, time of day, and other factors to create a trust value for you. If you use the same pc as usual from the same place, then you should get a trust of say 100%, but if you are in an internet cafe in Nigeria, you might get a 0%. In which case, you will be asked additional questions to validate you.

Still others are using RSA tokens and such. :)

Armchair Fiduciary said...

I think online security is very important, but I think that financial instututions should just hurry up and issue one of those dumb RSA security number generator tokens and have us log in with those.
I agree that the account number is totally stupid. Doesn't that mean you have to have it handy somewhere to log in which is a security risk in and of itself?