Online banking: What's security got to do with it?

It is more important for online banking to make customers feel secure than make those customers actually secure, according to the head of technology at Commonwealth Bank's New Zealand subsidiary, Auckland Savings Bank (ASB).
Written by Liam Tung, Contributing Writer

ASB recently ditched standard Secure Sockets Layer (SSL) certificates in favour of Verisign's extended validation (EV SSL) certificates, said Peter Muggleston, acting head of technology for the bank.

ASB pays "twice as much" for its EV SSL certificates compared to SSL certificates. The key benefit of the upgraded product is that the URL turns a green colour when the connection is safe and the browser will display details about the certificate's owner.

Muggleston said the "perceived security" makes the additional expenditure worthwhile because it will result in increased use of the bank's online services.

"A lot of online security today is about customers feeling safe. If customers don't feel safe, it doesn't matter how safe it is in reality, it just won't ring true [with them]. The reality is that if the customer feels safe they're going to use the product more, enjoy it more, have a better experience and do more on it," Muggleston told ZDNet.com.au.

SSL certificates are used to secure and authenticate communications between a browser and a server. Like standard SSL, EV SSL uses a lock symbol to indicate the session is encrypted, but it also colours the URL field green to show the site's authenticity. In addition, EV SSL highlights the Web site owner's name and the issuer of the SSL certificate in a separate panel.

"The single biggest thing is visibility for the customer," said Muggleston. "The idea that the customer looks for a green bar is simple. It's easy to use to communicate a simple, clear and concise message to increase awareness about security," he said.

However, Chris Gatford, senior security consultant for penetration testing firm Pure Hacking, told ZDNet.com.au that convenience — and not the feeling of security — has a greater influence over consumers' use of technology.

"Customers will use products regardless if they feel secure because at the end of the day, convenience wins out. The onus is always on banks to really prevent fraud," said Gatford.

Gatford also highlighted recent changes in the NZ banking code, which seem to put the responsibility for staying secure on the customer.

"There have been recent changes to New Zealand's banking code of practice to put some onus back onto the customer. That may be a contributing factor to users only doing things where they 'feel comfortable'," said Gatford.

ASB's Muggleston said the new banking code of practice hasn't changed anything for the consumer. Media reports at the time of the change said banks would hold customers liable for online fraud, but Muggleston claims this is incorrect.

"The message got caught up in terms of 'Are [banks] going to pay people back if they are victims of fraud?' But the message was that customers should take precaution whenever they're on the Internet," he said.

"We've always maintained that [online banking] should be a shared responsibility and we expect [customers] to look after their piece. The reality is that we have always reimbursed customers but we need to ensure that there are enough controls so that when fraudsters do get in there, they can be gone after," said Muggleston.

More effort has gone into chasing down money mules who claim they are victims of crime, according to Muggleston.

"One thing that always comes through is mules claiming they are innocent victims. The single biggest thing we can do, for a vast majority of fraud, is to get the message through that people that claim they are taking a job to forward money to Estonia for 10 percent of the transaction value is a criminal.

"People are choosing to believe that it is above board but if you stop and think about it, even for a second, it's obviously dodgy... The reality is we will prosecute mules," he said.

New Zealand: a phish-free, tech-hungry nation
Although SSL certificates help protect customers from submitting information to spoofed Web sites, phishing does not seem to be a big problem in New Zealand.

"It's fair to say phishing is nowhere near as much a problem as it is in Australia but I think that's because a lot of banks have moved faster in New Zealand to introduce additional tools like two-factor authentication," said Muggleston.

"There are plenty of phishing e-mails and spam around. Certainly we have had two attempted phishing attacks in the last month against ASB but we've lost nothing. Some banks are being hit more often but the reality is it's not a big problem here," he said.

In 2003, ASB was the first bank in New Zealand to roll out SMS two-factor authentication, which was years ahead of Australian deployments of the technology, according to Pure Hacking's Gatford.

Gatford, originally from New Zealand, said the country is "extremely keen" to adopt new technologies. Evidence of this is that New Zealand has the highest number of payment systems per capita in the world, he said.

New Zealand's banks are also ahead in mobile banking offerings. ANZ was the first Australian bank to release a mobile phone banking platform earlier this year; however, New Zealand's largest banks, which are all owned by Australia's largest banks, have offered it for years.

ASB's customers are able to use SMS to transfer funds within their own accounts, do Internet banking on PDAs or smartphones, and even send cash using pago to an e-mail account or another mobile phone.

Security isn't a problem for these new banking channels, said Muggleston: "If you introduce it for appropriate uses, there are very few threats."

"Rather than make everything 100 percent bullet-proof, you need to apply functions that are suitable to the platform. Rather than saying 'I can't make this safe', you say, 'It is only safe for these transactions'," he said.
