[ISN] Customers vote with feet over security: survey

From: InfoSec News (alerts@private)
Date: Tue Aug 14 2007 - 23:10:33 PDT


http://www.zdnet.com.au/news/security/soa/Customers-vote-with-feet-over-security-survey/0,130061744,339281185,00.htm

By Brett Winterford
ZDNet Australia
15 August 2007

Users of online banking services are willing to change banks if 
competitors offer better security options, according to a new 
Datamonitor survey.

The survey, conducted across several Asia-Pacific markets by analyst 
group Datamonitor and commissioned by security vendor RSA, found that 
some 90 percent of Australian online banking users desire a stronger 
authentication system to protect their transactions.

Between 70 and 80 percent of online banking users in the wider 
Asia-Pacific region who were after stronger security options said they 
would migrate to a new bank in order to get it.

The research paper concludes that there is a "direct link between the 
level of trust customers have in their bank, the loyalty to the bank, 
and the use of the bank's online services".

Even among those respondents who said they had high trust in their bank, 
over half (57 percent) said they would stop using that institution in 
the event of a single privacy breach.

Few Australian banks provide additional levels of protection to their 
customers, says Geoff Noble, head of banking and finance at security 
vendor RSA.

Most initiatives around providing multi-factor authentication in 
Australia to date have been focused on the corporate sector. Only 
Suncorp, Bendigo Bank and Bankwest, and to a lesser degree the CBA have 
offered similar services to consumers, Noble said.

Suncorp, for example, offers its customers the option of buying 
hardware-based tokens for AU$20.

"This research says strongly -- any message around security is good 
marketing for the bank," said Noble. "The messages from banks so far 
haven't been that overt -- you won't see them on blimps or on the back 
of buses."

Noble said we should expect to see more financial institutions use their 
investments in additional security measures as a means of 
differentiating their online banking services from their competitors.

"The vast majority of the banks can't make a business case for 
additional security measures around fraud losses alone," he said. "They 
might need to supplement that investment with marketing around the 
security of their services."

Noble said that the ANZ's television campaigns based around its 
trademarked "Falcon" credit card transaction monitoring services is a 
great example of a bank "using a security message as a marketing lead".

"The banking community was once averse to mentioning security, as it was 
always assumed that they were secure in the first place," Noble said. 
"They have had to re-evaluate."


Multi-factor options

Noble said there are several options available to banks to increase the 
security of online banking.

One is One-Time-Password technology -- a short-lived code, delivered to 
the user via either a hardware token or an SMS message, that replaces or 
supplements the static password at log-in. It strengthens the log-in 
and gives the user one less static password to remember.

"Most businesses have moved that way in terms of their corporate 
customers," Noble said.

The Datamonitor survey however, found that many customers are reluctant 
to carry a bulky token, for fear of losing or misplacing it.

Another option is to provide authentication not just at the point of 
log-in but also at the point of transaction.

Rich Mogull, research vice president for analyst group Gartner's 
security and risk advisory describes this solution as an easy and 
essential method for banks to prevent such online fraud as "backdoor 
Trojans" or "man in the browser" attacks.

This occurs when a user logs in to online banking while an attacker 
controls their computer or browser. While the authenticated session is 
open, the attacker can submit or alter transactions from within it, 
invisibly to the user. Encrypting the connection does not help, because 
the attacker is operating on the user's own machine, on the user's side 
of the encryption.

"What if for transactions over a certain dollar volume, there was a 
mechanism that closed that transaction -- like, I get a phone call if 
it's over AU$10,000?" Mogull suggests. "Or I get an e-mail listing all 
the transactions that I just performed? It is easy for the bank to do 
that."

"You have to authenticate the transaction, not just the session," Mogull 
said. "That alone would significantly reduce certain kinds of online 
banking fraud. Yet many of the banks haven't invested in that."

Noble said that some banks are nervous about the instant gratification 
expected by their consumer customers.

"[Transaction authentication] is absolutely a good idea, but the keying 
in of an extra password is seen by some banks as enough to turn 
customers away."
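The distinction Mogull draws between authenticating the session and authenticating the transaction can be shown concretely. The following is an added illustration, not code from the article, from RSA or from any bank: a standard RFC 4226 HOTP (the kind of code a log-in token produces) beside a hypothetical transaction-bound code whose MAC also covers the payee and amount the customer is confirming. A simulated man-in-the-browser swaps the destination account after the customer has entered their code; the session-bound check still passes, the transaction-bound check fails. The shared secret, counter and account numbers are constructed test values.

```python
"""Session-bound vs transaction-bound one-time codes under a man-in-the-browser.

Added example; the transaction-bound scheme is hypothetical, not any vendor's product.
"""
import hashlib
import hmac
import struct

# Constructed shared secret (the RFC 4226 test-vector key); a real token is provisioned per customer.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.

    The code depends on nothing but the secret and the counter, so it proves possession
    of the token for the session and says nothing about any particular transfer.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def transaction_code(secret: bytes, counter: int, dest: str, amount_cents: int, digits: int = 8) -> str:
    """Hypothetical transaction-bound code: the MAC covers the payee and amount the customer sees.

    Any change to those details after the code was generated produces a different code.
    """
    msg = struct.pack(">Q", counter) + dest.encode("ascii") + b"|" + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def bank_accepts(secret: bytes, counter: int, dest: str, amount_cents: int,
                 code: str, bind_to_transaction: bool) -> bool:
    """Server-side verification over the transfer details the bank actually received.

    Session-bound: recompute HOTP from the counter alone.
    Transaction-bound: recompute the code over (counter, dest, amount) as received.
    """
    if bind_to_transaction:
        expected = transaction_code(secret, counter, dest, amount_cents)
    else:
        expected = hotp(secret, counter)
    return hmac.compare_digest(expected, code)


def simulate_mitb(bind_to_transaction: bool) -> bool:
    """Customer confirms a transfer; malware in the browser rewrites the payee in flight.

    Returns True if the bank accepts the tampered transfer, i.e. the fraud succeeds.
    """
    counter = 7                                   # constructed token counter
    intended_dest, amount = "062-000 1234 5678", 50_00   # constructed: AU$50.00 to the intended payee
    # The token computes its code from what the customer is looking at
    # (for the session-bound variant, from nothing but the counter).
    if bind_to_transaction:
        code = transaction_code(SECRET, counter, intended_dest, amount)
    else:
        code = hotp(SECRET, counter)
    # Man-in-the-browser: the destination is rewritten; the code travels unchanged.
    tampered_dest = "999-999 0000 0000"
    return bank_accepts(SECRET, counter, tampered_dest, amount, code, bind_to_transaction)


if __name__ == "__main__":
    print("session-bound OTP, payee swapped -> accepted:", simulate_mitb(bind_to_transaction=False))
    print("transaction-bound code, payee swapped -> accepted:", simulate_mitb(bind_to_transaction=True))
```

The point of the second scheme is that the customer's device has to show the payee and amount before producing the code, so the code is only useful to an attacker for the exact transfer the customer saw; this is the extra step Noble notes some banks fear will turn customers away.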


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Tue Aug 14 2007 - 23:29:15 PDT