Wednesday, April 12, 2006
Financial Web Site Security. The Best Defense Is In the Details.
Larger corporations have been making strides in providing secure access beyond the primitive username/password combination. At the same time, smaller financial institutions have not. At least that seems to be the case with the financial institutions I use, although I will admit my credit card companies seem to be falling behind in that area as well. Bank of America seems to be the only one that has taken a few extra steps to protect me. I haven't seen anything from Chase, Citi, American Express, or MBNA yet. So I thought it would be interesting to take a look at a few of the systems in place.

ING (Security Page): Three-field security, using a customer number, a PIN, and a personal question. In my opinion this is the best security system. It's a good combination of convenience and security. I do wish they would increase the question pool, though.

HSBCDirect (Security Page): HSBC uses a two-tier system: the usual username/password combination, plus a second password for bank-to-bank transfers that can only be entered using your mouse. Convenient? No. Secure? Not bad. I like this system, but it's not really that secure. In essence the safe is locked tight, but the entrance to the bank is left wide open. Also, the buttons could be a little larger.

Bank of America (Security Page): BofA uses a typical username/password combination with a twist known as a "SiteKey." You enter your username, and then you are presented with your SiteKey. The SiteKey is an image that is displayed only if you are looking at the authentic BofA website. This image is one you choose. If you don't see your SiteKey, that means you shouldn't be entering your password. I like the concept. However, I don't like the implementation. It's a little too clunky, and I think its acceptance is going to be harder because of it.
Summary: Overall, I believe that if they combined BofA's SiteKey with ING's personal-question system using multiple questions (the larger the pool, the better), the system would be highly secure. A system like BofA's helps confirm to the user that you are at the right place, and then the personal question confirms your identity. The two-tier system is an improvement over plain username/password security, but criminals could still gain access to your preliminary information, which is not good, so I would not support it as the de facto standard. The worst security scheme I can think of? Logging in with your account number and a simple password. WRITE YOUR BANK NOW! Seriously, tell them to fix it or take your banking somewhere else.

Action to take: It's always a good idea to be aware of the sites where you are entering your personal information! Just take an extra second to glance at the bottom right corner for the little padlock and at the proper URL in the address box. These two steps alone can help prevent giving away valuable information. Also, don't enter personal information at public workstations, no matter how much you need to; anyone and everyone can use those systems, and you don't know what sort of spyware is running in the background. The attack could even be as primitive as someone standing over your shoulder! Finally, if your financial institution does not have anything but the username/password security system, WRITE them and let them know you want something more secure. It's way too easy to break in.

Do you have any other interesting security measures you've seen? Of course there are biometrics, but I'm not a big fan of those either. I like security systems that depend on information stored in my brain; it seems like the most secure location to keep security info. :)