Customers vote with feet over security: survey

Users of online banking services are willing to change banks if competitors offer better security options, according to a new Datamonitor survey.

Users of online banking services are willing to change banks if competitors offer better security options, according to a new Datamonitor survey.

The survey, conducted across several Asia-Pacific markets by analyst group Datamonitor and commissioned by security vendor RSA, found that some 90 percent of Australian online banking users desire a stronger authentication system to protect their transactions.

Between 70 and 80 percent of online banking users in the wider Asia-Pacific region who were after stronger security options said they would migrate to a new bank in order to get it.

The research paper concludes that there is a "direct link between the level of trust customers have in their bank, the loyalty to the bank, and the use of the bank's online services".

Even among those respondents who said they had high trust in their bank, over half (57 percent) said they would stop using that institution in the event of a single privacy breach.

Few Australian banks provide additional levels of protection to their customers, sais Geoff Noble, head of banking and finance at security vendor RSA.

Most initiatives around providing multi-factor authentication in Australia to date have been focused on the corporate sector. Only Suncorp, Bendigo Bank and Bankwest, and to a lesser degree the CBA have offered similar services to consumers, Noble said.

Suncorp, for example, offers its customers the option of buying hardware-based tokens for AU$20.

"This research says strongly -- any message around security is good marketing for the bank," said Noble. "The messages from banks so far haven't been that overt -- you won't see them on blimps or on the back of buses."

Noble said we should expect to see more financial institutions use their investments in additional security measures as a means of differentiating their online banking services from their competitors.

"The vast majority of the banks can't make a business case for additional security measures around fraud losses alone," he said. "They might need to supplement that investment with marketing around the security of their services."

Noble said that the ANZ's television campaigns based around the trademarked "Falcon" credit card transaction monitoring services is a great example of a bank "using a security message as a marketing lead".

"The banking community was once averse to mentioning security, as it was always assumed that they were secure in the first place," Noble said. "They have had to re-evaluate."

Multi-factor options
Noble said there are several options available to banks to increase the security of online banking.

One is One-Time-Password technology -- an ever-refreshing password delivered to users via either a hardware token or SMS notification. It not only secures the transaction, but gives the user one less password to remember.

"Most businesses have moved that way in terms of their corporate customers," Noble said.

The Datamonitor survey however, found that many customers are reluctant to carry a bulky token, for fear of losing or misplacing it.

Another option is to provide authentication not just at the point of log-in but also at the point of transaction.

Rich Mogull, research vice president for analyst group Gartner's security and risk advisory describes this solution as an easy and essential method for banks to prevent such online fraud as "backdoor Trojans" or "man in the browser" attacks.

This occurs when a user logs-in to online banking to make a transaction while an attacker has remote access to their computer. While the session is open, the attacker can make their own transactions using the user's account, transparent to the user -- as only the log-in page was encrypted.

"What if for transactions over a certain dollar volume, there was a mechanism that closed that transaction -- like, I get a phone call if it's over AU$10,000?" Mogull suggests. "Or I get an e-mail listing all the transactions that I just performed? It is easy for the bank to do that."

"You have to authenticate the transaction, not just the session," Mogull said. "That alone would significantly reduce certain kinds of online banking fraud. Yet many of the banks haven't invested in that."

Noble said that some banks are nervous about the instant gratification expected by their consumer customers.

"[Transaction authentication] is absolutely a good idea, but the keying in of an extra password is seen by some banks as enough to turn customers away."