Banks are waking up to the need to earn the trust of their online
customers. Nick Huber reports on their chequered history, and how
they are tackling issues of security.
In the late 1990s the high street banks woke up to the potential of
offering services online. Banking over the Web was the future,
customers were told, and the banks played down public fears about
the security of managing their finances online.
Banks emphasised their venerable credentials - hundreds of years of
experience in handling the public's finances, as opposed to
fly-by-night dotcoms. The basic message was, "Trust us - we are a
bank."
But in the first few years of online banking, as services were hit
by a series of high-profile security glitches, this trust appeared
to be misplaced. Flaws in software displayed customer account
details on Web sites to other visitors, exposing customers to the
risk of fraud. Industry experts accused the banking industry of
being complacent about Internet security and ignoring basic IT
safeguards, a claim strongly refuted by the banks.
Five years on, however, and almost all of the leading banks and
building societies offer their customers online financial services,
ranging from the basic account transaction displays to the more
sophisticated share dealing services. And despite the constant
threat of global computer viruses and increasingly resourceful
hackers, public demand for online financial services has remained
solid. The trust is still there.
So how have the banks managed to overcome early teething problems
of IT security and keep customers sweet? Have they really learned
their lessons and introduced new security procedures?
Simon Rouse, head of channel management for e-channels at Barclays,
is responsible for an online service with about three million
customers. He argues that the problems it had with its online
banking service in 2000 were not caused by a flaw in its security
measures. "It is important to draw a distinction between security
and our incident in the summer of 2000, which was caused by
software problems," he says. "It was the result of a fault in a
piece of software. It was not an external threat to our security
systems."
Barclays took firm action after it had rectified the online
security scare. It introduced an online banking fraud guarantee
which compensates customers who are victims of fraud through no
fault of their own when banking online with Barclays.
Alongside the usual security safeguards for Web banking services -
passwords, unique customer numbers - Barclays has also attempted to
educate its customers in online security issues. For a while it
even issued free antivirus software to customers.
"Every new member for online banking gets a pack with online
banking safety tips, for example making sure that you clean your
cache on your computer after every session and have up-to-date
anti-virus software," says Rouse.
Barclays also has the standard security infrastructure you would
expect from a large corporation - firewalls, intrusion detection
technology and consultants to probe the security with penetration
testing exercises.
Another pioneer of online banking, Internet bank Egg, has also been
left red-faced in the past after software glitches caused potential
security headaches for some of its services. It, too, has expanded
its online services and now has more than two million
customers.
Egg, like Barclays, offers customers an anti-fraud guarantee to
compensate them for monetary loss under certain circumstances.
Alongside heavy-duty encryption and layered security questions Egg
also stresses that it does not store any personal information on
its Web servers - keeping it instead on separate machines that
cannot be accessed directly by the public.
Peter Marsden, IT director at Egg, says the majority of customers
do all their transactions with Egg over the Web, while across the
UK consumers are getting used to organising their finances
online.
"Recent research conducted by Egg and polling organisation Mori
revealed that about 10 million UK adults - that is almost half of
all [UK] Internet users - have either bought or serviced a financial
product over the Internet," he says.
But are the banks justified in sounding so confident about the
security of their online services? They appear to have learnt from
previous software glitches and errors, says Graham Titterington,
senior analyst at Ovum.
He adds, however, that the security of online financial services is
particularly vulnerable when a number of concurrent processes come
together in order to execute a transaction - for instance
displaying a customer's account details.
New, stronger technology is emerging, however. Titterington points
to user authentication software from supplier RSA Security that
allows servers to issue one-time and one-minute only personal
identification numbers (Pins) that can be sent directly to the
customer's mobile phone, by their bank.
This type of technology could be particularly useful for paying
bills online and other relatively high-value payment
transfers.
Security standards to safeguard credit card payments are also
emerging.
Visa has launched an online payment authentication service, which
it hopes will be widely adopted by retailers and banks.
Meanwhile the banks and retailers are committed to rolling out a
multibillion pound smartcard initiative to combat rising levels of
debit and credit card fraud.
The UK chip-and-Pin initiative uses debit and credit cards with
embedded microchips. It aims to cut fraud losses by more than half.
It will require customers to prove their identities by entering a
four-digit Pin at a checkout terminal instead of signing a slip. It
is due to be launched nationwide by the end of 2004.
With banks offering customers the chance to conduct increasingly
complex and high-value transactions online, whether it's share
dealing or arranging a mortgage, the stakes are raised if security
breaches occur.
Banks are keen to reassure customers that they have learnt from
past mistakes, and their IT security record over the past few years
certainly appears to have improved. But that is what the IT and
business world expects from the banking sector.
As Titterington says, "The banks are generally accepted to be at
the forefront of IT security, with the exception of one or two
military organisations. So if you say that banks are making a pig's
ear of security it's pretty safe to say that the rest of the world
is."
Online banking industry gaffes
Egg, 1999
The newly-formed online bank is left red-faced after it sent a
customer a series of e-mails with her credit card number in the
subject line and in the text. After investigating the problem the
bank says that the confidential details in the e-mails were sent by
mistake. Egg insists that such an incident could not happen again
as all outbound messages to customers would be checked by
supervisors.
In a separate incident Egg fails to properly implement the log-off
function of its online credit card service, potentially exposing
customers' details. Egg repairs the log-off problem and insists that
no security breaches occurred.
Barclays, Summer 2000
The high street bank is forced to temporarily shut down its online
banking service after a handful of
customers found that they were able to view other customers'
account details on the Web site. Barclays blames the security
glitch on a software code error in the upgraded site.
Credit Suisse, 2000
Roger Moore, the actor who played British secret agent James Bond
in the 1970s and 1980s, has his
Swiss bank account details displayed on the Web after an error by
Credit Suisse. Moore and other customers have their Swiss bank
account numbers and residential addresses broadcast on the Web,
following money transfers. Credit Suisse shuts down the Web site
while investigating the problem, which is thought to lie with the
transfer by an agency of confidential data to test one of its IT
systems.