What do we want and what do we get from security?

Inspired, in part, by a comment posted in response to my blog a few weeks ago, this month I want to explore some of the security solutions that are deployed for access control security. It's fair to say that if a consumer has multiple online accounts they will be faced with an array of security techniques. This isn't a criticism; it's simply how the services have been designed, built and implemented by different retail financial institutions, writes Mark Waghorne.

Yet, as I said a few weeks back, ease of use seems to trump most things. Even among security-savvy consumers who know that ‘security is a good thing’, there is a desire to avoid being encumbered with security tokens that have to be carried with PCs, laptops or mobile devices.

With this in mind, it is worth understanding what is out there now to aid security and what might be coming in the future.

Many Internet banking solutions currently use the fairly traditional ‘User ID and password’ approach to manage access to their systems. Some of these involve a first stage of entering personal identifiers before the institution responds with an image pre-selected by the customer. It’s a useful means for customers to verify to a certain level whether they are really connected to their bank. After all, if the image is wrong or missing the mantra they should automatically follow is ‘proceed with caution’. Of course, if the first level personal identifier has been entered incorrectly, customers are likely to end up with the same result so caution should also apply to the way data is entered.

Other services, to avoid relying on static text, provide their customers with PIN pads to generate passwords. Good security, maybe, but the ease of use angle comes in – if you don’t have your PIN pad then you might not be able to transact your business.

Another common security tweak is using a further level of access control if, for some reason, the banking service doesn’t recognise the PC being used. This typically means a one-off answer to another previously set security question. It’s a good approach, but does bring with it the need to remember, or store somewhere, even more information to be able to log on.

And with the continued growth of social media, questions are being asked about how far we are from banking by Facebook. With the multitude of access control mechanisms hinted at above, the answer must be: possibly some way off. However, some institutions are more innovative than others. A recent article in ‘American Banker’ gives some indication of where we may be heading. ING Direct is letting customers who opt in view account balances, history and pending transactions and receive real-time account alerts within Facebook, in read-only mode. The solution gives the customer the impression that they are still on Facebook when they are, in fact, entering the bank’s website.

To add another security layer to its mobile banking apps, ING is also piloting facial and voice recognition technology with a small number of employees and customers. This would complete the traditional security desire for access: something you have (the mobile device), something you know (a PIN), and something you are (your face or your voice). Perhaps somewhere you are — geolocation — may come later.

A closing word of caution: online financial services continue to be a major target for organised criminals, so consumers as well as their bank service providers need to exercise care. There is a quite sophisticated piece of malware used to target financial services, called ‘Shylock’, and whilst it isn’t new, it does have a few tricks up its sleeve. So it’s an old mantra, but consumers need to make sure their PCs and other devices they use for online banking have the latest malware protection installed. If your bank also provides a malware protection tool to download, it might just be worth seriously considering making use of it.