Online banking security – no easy answers
Two events prompted me this month to look again at online banking security: the first a survey by Which? magazine of UK banks’ security approaches; the second the arrival of my new HSBC Secure Key device – as seen on TV!
For many years I’ve been a champion of Remote Chip Authentication (RCA) as an online banking and payment security solution. This involves using an EMV chip and PIN payment card in a personal card reader to generate a one-time password (see May Bulletin) and has now been adopted by several UK banks including Barclays, RBS/NatWest, Nationwide and the Co-op. It was therefore gratifying to note that these same banks came top of the Which? survey’s league table.
The HSBC device is a simple hardware security token which uses cryptography within the device itself, rather than a card, to generate the one-time password. Personally, of course, I would have preferred to see full RCA. But the HSBC device uses the same RCA principles of strong, two-factor authentication, and is therefore highly secure, with powerful protection against phishing and malware attacks. I also found it easy to set up and use, and it’s free!
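As an added illustration of the one-time-password principle that both the card reader and the stand-alone token rely on (example code written for this article, not HSBC’s or any bank’s implementation): the secret never leaves the device, each press yields a fresh code, and a code captured by a phisher is worthless once it has been used. It substitutes the HMAC-based OTP of RFC 4226 for the EMV application cryptogram a real card computes; the secret, class names and look-ahead window are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Simulated hardware token (or card in a reader): the secret stays inside it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        self._counter += 1          # every press advances the counter, used or not
        return hotp(self._secret, self._counter)


class BankServer:
    """Bank side: shares the secret, accepts only counters beyond the last one seen."""

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self._secret = secret
        self._last_counter = 0
        self._window = window       # tolerate a few presses that were never submitted

    def verify(self, otp: str) -> bool:
        start = self._last_counter + 1
        for candidate in range(start, start + self._window):
            if hmac.compare_digest(hotp(self._secret, candidate), otp):
                self._last_counter = candidate   # codes at or below this are now dead
                return True
        return False


def demo() -> tuple:
    """Constructed scenario: first login, phished-code replay, login after an unused press."""
    secret = b"constructed-demo-secret-not-a-real-key"
    token, bank = Token(secret), BankServer(secret)
    first = token.press()
    first_ok = bank.verify(first)       # genuine login succeeds
    replay_ok = bank.verify(first)      # same code captured and replayed: rejected
    token.press()                       # user pressed the button but never logged in
    second_ok = bank.verify(token.press())  # window absorbs the skipped counter
    return first_ok, replay_ok, second_ok
```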
So what’s not to like? Well plenty, according to HSBC customers, who have taken to blog sites across the web in an extraordinary outpouring of vitriol and loathing directed at HSBC and its device.
What to make of this? On the one hand it’s tempting to dismiss this as the ravings of a lunatic fringe. Certainly the level of ignorance and misunderstanding can be quite shocking. I have yet to see an acknowledgement that the level of UK online banking fraud of £60 million in 2009 is a serious social problem (think organised crime), nor that the efforts of the banks and the Payments Council in promoting RCA and other security measures led to a drop of over 20% in 2010. Tragically, many of the disaffected HSBC customers are threatening to switch their accounts to precisely those banks at the bottom of the Which? survey’s league table. If it’s any comfort to HSBC, although a very similar reaction greeted Barclays’ launch of its PIN Sentry RCA device a few years ago, it now seems that very few customers actually switched accounts, and the majority are now quite happy with the device.
On the other hand, it is clear that banks still have a lot more work to do, especially in terms of communicating with the public. Online banking inevitably involves a trade-off between security and convenience, and while good progress has been made on the security side of the equation, lack of convenience remains a major problem for large numbers of people. But there are no easy answers here, not least because convenience means different things to different people. For example, from the blogs, it would appear that whereas some people (like me) always do their online banking at home from the same PC, others value the freedom to also log on at the office, or indeed anywhere. HSBC have made an effort to address this requirement: the Secure Key is much smaller than a typical RCA reader, about the size of a credit card, and designed to be carried in a wallet or attached to a key ring. But this means that the keypad is too small for some users. Others complain that it is too easy to lose, whereupon access to online banking is denied (at least with RCA you have the option of using your card in someone else’s reader). And so on …
What this has brought home to me is that the online banking security story is far from over. This is a uniquely difficult area combining the technical complexity of information security with the vagaries of consumer behaviour. The banking and payments industry needs to do more to understand and address the needs of consumers and then communicate with them more effectively.
Banking Automation Bulletin Opinion Article, October 2011, by Nick Collin