Security: Banking on trust

Banks are waking up to the need to earn the trust of their online customers. Nick Huber reports on their chequered history, and how they are tackling issues of security

In the late 1990s the high street banks woke up to the potential of offering services online. Banking over the Web was the future, customers were told, and the banks played down public fears about the security of managing their finances online.

Banks emphasised their venerable credentials - hundreds of years of experience in handling the public's finances, as opposed to fly-by-night dotcoms. The basic message was, "Trust us - we are a bank."

But in the first few years of online banking, as services were hit by a series of high-profile security glitches, this trust appeared to be misplaced. Flaws in software displayed customer account details on Web sites to other visitors, exposing customers to the risk of fraud. Industry experts accused the banking industry of being complacent about Internet security and ignoring basic IT safeguards, a claim strongly refuted by the banks.

Five years on, however, and almost all of the leading banks and building societies offer their customers online financial services, ranging from the basic account transaction displays to the more sophisticated share dealing services. And despite the constant threat of global computer viruses and increasingly resourceful hackers, public demand for online financial services has remained solid. The trust is still there.

So how have the banks managed to overcome early teething problems of IT security and keep customers sweet? Have they really learned their lessons and introduced new security procedures?

Simon Rouse, head of channel management for e-channels at Barclays, is responsible for an online service with about three million customers. He argues that the problems it had with its online banking service in 2000 were not caused by a flaw in its security measures. "It is important to draw a distinction between security and our incident in the summer of 2000, which was caused by software problems," he says. "It was the result of a fault in a piece of software. It was not an external threat to our security systems."

Barclays took firm action after it had rectified the online security scare. It introduced an online banking fraud guarantee which compensates customers who are victims of fraud through no fault of their own when banking online with Barclays.

Alongside the usual security safeguards for Web banking services - passwords, unique customer numbers - Barclays has also attempted to educate its customers in online security issues. For a while it even issued free antivirus software to customers.

"Every new member for online banking gets a pack with online banking safety tips, for example making sure that you clean your cache on your computer after every session and have up-to-date anti-virus software," says Rouse.

Barclays also has the standard security infrastructure you would expect from a large corporation - firewalls, intrusion detection technology and consultants to probe the security with penetration testing exercises.

Another pioneer of online banking, Internet bank Egg, has also been left red-faced in the past after software glitches caused potential security headaches for some of its services. It, too, has expanded its online services and now has more than two million customers.

Egg, like Barclays, offers customers an anti-fraud guarantee to compensate them for monetary loss under certain circumstances. Alongside heavy-duty encryption and layered security questions Egg also stresses that it does not store any personal information on its Web servers - keeping it instead on separate machines that cannot be accessed directly by the public.

Peter Marsden, IT director at Egg, says the majority of customers do all their transactions with Egg over the Web, while across the UK consumers are getting used to organising their finances online.

"Recent research conducted by Egg and polling organisation Mori revealed that about 10 million UK adults - that is almost half of all [UK] Internet users - have either bought or serviced a financial product over the Internet," he says.

But are the banks justified in sounding so confident about the security of their online services? They appear to have learnt from previous software glitches and errors, says Graham Titterington, senior analyst at Ovum.

He adds, however, that the security of online financial services is particularly vulnerable when a number of concurrent processes come together in order to execute a transaction - for instance displaying a customer's account details.

New, stronger technology is emerging, however. Titterington points to user authentication software from supplier RSA Security that allows servers to issue one-time personal identification numbers (Pins), valid for one minute only, which the bank can send directly to the customer's mobile phone.

This type of technology could be particularly useful for paying bills online and other relatively high-value payment transfers.

Security standards to safeguard credit card payments are also emerging.

Visa has launched an online payment authentication service, which it hopes will be widely adopted by retailers and banks.

Meanwhile the banks and retailers are committed to rolling out a multibillion pound smartcard initiative to combat rising levels of debit and credit card fraud.

The UK chip-and-Pin initiative uses debit and credit cards with embedded microchips. It aims to cut fraud losses by more than half. It will require customers to prove their identities by entering a four-digit Pin at a checkout terminal instead of signing a slip. It is due to be launched nationwide by the end of 2004.

With banks offering customers the chance to conduct increasingly complex and high-value transactions online, whether it's share dealing or arranging a mortgage, the stakes are raised if security breaches occur.

Banks are keen to reassure customers that they have learnt from past mistakes, and their IT security record over the past few years certainly appears to have improved. But that is what the IT and business world expects from the banking sector.

As Titterington says, "The banks are generally accepted to be at the forefront of IT security, with the exception of one or two military organisations. So if you say that banks are making a pig's ear of security it's pretty safe to say that the rest of the world is."

Online banking industry gaffes

Egg, 1999
The newly-formed online bank is left red-faced after it sent a customer a series of e-mails with her credit card number in the subject line and in the text. After investigating the problem the bank says that the confidential details in the e-mails were sent by mistake. Egg insists that such an incident could not happen again as all outbound messages to customers would be checked by supervisors.

In a separate incident Egg fails to properly implement the log-off function of its online credit card service, potentially exposing customers' details. Egg repairs the log-off problem and insists that no security breaches occurred.

Barclays, Summer 2000
The high street bank is forced to temporarily shut down its online banking service after a handful of customers found that they were able to view other customers' account details on the Web site. Barclays blames the security glitch on a software code error in the upgraded site.

Credit Suisse, 2000
Roger Moore, the actor who played British secret agent James Bond in the 1970s and 1980s, has his Swiss bank account details displayed on the Web after an error by Credit Suisse. Moore and other customers have their Swiss bank account numbers and residential addresses broadcast on the Web, following money transfers. Credit Suisse shut down the Web site while investigating the problem, which is thought to lie with the transfer by an agency of confidential data to test one of its IT systems.
