"Canadian online brokers are phished"


It appears the world of phishing and account takeover has reached online investing. It was only a matter of time, and this is the first instance I recall. “This week, a pair of Canadian brokerages, including BMO InvestorLine, discovered that someone had gained unauthorized access to a handful of client accounts, and then liquidated the portfolios. The money was used to place orders for securities listed on the OTC Bulletin Board and the Nasdaq pink sheets, apparently with the intention of manipulating these stock prices, according to the Investment Dealers Association of Canada.” Source: “Canadian Banks & Insurance – Mozilla Firefox” The story …

"Wells Fargo adopt Bharosa Authenticator for two factor authentication"


From this press release, Wells indicate they have adopted Bharosa, and this is taken from their site. “Tracker is a comprehensive anti-fraud software solution which works behind the scenes by verifying a host of factors used to confirm identity – from the computer/mobile device used to login, to a user’s location and behavioral profiles. Based on these factors, Tracker scores risk and alerts the organization in real time to potential fraud. Tracker can also trigger numerous follow-up actions, such as challenging the user. As a stand-alone solution, Tracker offers strong, multifactor authentication security that can be implemented without requiring …

Flushing financial plan new internet banking division to capture deposits


Thanks to David for this story, referenced here: Web Deposits: New Players, New Brands in American Banker. Flushing Financial Corporation Reports 2006 Second Quarter and First Half Results: Financial News – Yahoo! Finance … we are planning the introduction of an internet banking division to capitalize on the growing use of the internet. We anticipate that this initiative will allow us to further reduce our reliance on wholesale borrowings. From what I gather the American Banker story makes the point that many smaller FIs in the US are looking at this as a low cost approach to gather deposits. David …

PEW: Online banking historic data and current state – US


Nice review from PEW with good data from history.

Pew Research Center: Surfing to the Bank

Way back in 1994, when few Americans had even heard of the internet, most people still walked to their bank’s nearest branch to do whatever check cashing or bill paying they couldn’t do at the corner store or by mail. When a survey by the Pew Research Center for the People & the Press asked the principal bill-payer in each household, “Do you ever do ‘electronic banking’ from home – that is, use a computer or the telephone to pay bills or move money from one account to another?” fewer than one in ten (9%) among this group said yes, they had done such a transaction. By 1995, that figure had risen to 13% of bill-payers. In 1998, when the Pew Research Center switched to asking all internet users if they ever paid bills or banked online, 13% of this larger group, or about 10 million American adults, said yes.

By 2000 the numbers had approximately doubled.

By 2000, when the Pew Internet & American Life Project fielded our first survey, the proportion of internet users who said they ever did any banking online had risen to 17% or about 16 million Americans. Over the next few years, internet users ramped up a range of online financial and transactional activities, trusting more and more of their personal financial information to the Web. Among categories of activities, online banking and online auctions grew the most rapidly, especially among men, home broadband users, and internet users under the age of 50.

And been joined by bill payment ….

Other forms of financial housework joined banking as popular online activities. In January 2005, 38% of internet users reported paying bills online. In December of that year a study fielded by Harris Interactive found that 35% of bills were paid online, up from 25% the year before. By comparison, 37.5% of bills are paid by paper check and 27.5% are paid some other way, such as in cash or by debit card.

…. and general financial interest

Ever larger numbers of internet users also turn to the web to seek financial advice and information. While the proportion of internet users who say they go online to get financial information such as stock quotes or interest rates has stayed constant at 44% since we began polling in 2000, the internet population base has risen steadily. In addition, a group of online magazines and websites, such as Motley Fool, contribute content to the larger information providers both print and online.

By April 2006, according to comScore Media Metrix, four websites that combined money-management content with financial services ranked among the 20 most popular in the Business/Finance category: AOL Money & Finance, MSN Money, Yahoo! Finance, and CNN Money.

But growth has not maintained the same level as general internet growth, with even the broadband users trailing.

Our December 2005 poll confirmed that online banking is holding steady as a mainstream internet activity, growing along with internet use generally, though not accelerating as have some other forms of online activities. Fully 43% of internet users, or about 63 million American adults, bank online.

Home broadband users continue to lead the way, with 55% of these internet users banking online, compared with 35% of home dial-up users. Online banking is equally common among all age groups under the age of 65. Forty-two percent of internet users age 18-29, 47% of internet users age 30-49, and 42% of internet users age 50-64 bank online. However, only 27% of internet users age 65 and older use their internet hookups for online banking. Also, we now find that men and women are equally likely to bank online.

The reason: trust, in the forms of security and privacy.

One reason why online banking has not outpaced growth in internet use generally may be what industry analysts dub the “trust gap.” Trust is a big factor in choosing to bank online and then sticking with it despite news headlines about identity theft and phishing. Some industry analysts predict that online banking sites will have trouble attracting new customers because of the “trust gap” between internet users who are experienced with online financial transactions and those who are not. A 2005 report by Consumer WebWatch found that internet users who have used an e-commerce or financial management site are more trusting of online banking sites, automatic bill pay sites, credit history sites, and others. And internet users who have bought items online are more likely to say they have a lot of trust in online banking sites.


How Much Is Customer Trust Worth?


CIO Today asks the right question for today here. Intrusion – How Much Is Customer Trust Worth? Imagine how your customers, who value their personal information and privacy, would feel if they realized their data were being sold to the highest bidder and that your company does not have a foolproof data privacy and protection plan. Imagine the negative “word of mouth” that could instantly spread in a blog about your company. It goes on to say that a strategic shift is required in how firms think about information. What is the impact of data theft to your company, your …

FFIEC releases its FAQ finally, but still unclear


Now that it's here, this document is less than clear about two factor authentication. ffiec_frequently-asked-questions.pdf Finextra: analysis – Online banking security FAQs The Federal Financial Institutions Examination Council (FFIEC) has released a frequently asked questions document (FAQs) to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005. The authentication guidance, which applies to both retail and commercial customers, specifically addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services. The FAQs are designed to assist financial institutions and …

Citibank Hardware Tokens Defeated – but don’t blame the tokens


A well crafted and reasoned view on the ‘man in the middle attack’ on Citibank tokens, from Improving. This provides good balance to my earlier post. Improving New Account Opening: Citibank Hardware Tokens Defeated – but don’t blame the tokens – Solving complex business problems with financial services technology Physical tokens are not dead. But as the Citibank example has shown, without providing additional layers of protection to users to help them avoid phishing, a well crafted, realtime scam can defeat even this two factor authentication.

Citibank Hardware Tokens Defeated: The Beginning of the End


In a rather timely fashion, after yesterday's story on Barclays card readers for security, here are clearer details on the Citibank ‘man in the middle’ attack that defeated hardware tokens. Citibank Hardware Tokens Defeated: The Beginning of the End – AllPayNews: Payment and fraud news, blog, jobs and discussions A long-predicted vulnerability of hardware-token based multi-factor authentication has now been successfully exploited against Citibank, marking the beginning of the end for the small security devices.….. In a textbook example of a “man-in-the-middle” attack, Citibank business customers were lured to dozens of counterfeit websites located in Russia where they were prompted …

Researchers at Cardiff University have uncovered a flaw in HSBC’s online banking system


A rather unusually specific criticism of HSBC’s online banking system. Researchers claim that criminals can get in within 5 – 9 attempts. Most systems refuse you after 3 +/- attempts, so if true, this is a significant problem, but probably manageable by implementing some restrictions. Let's see how HSBC react. Finextra: Researchers warn of HSBC Web banking security flaw Researchers at Cardiff University have uncovered a flaw in HSBC’s online banking system that has left the accounts of 3.1 million UK customers exposed to hackers for at least two years. According to a report by UK newspaper The Guardian the …

Did Barclays err in going with card readers for two-factor security?


In a follow up to the earlier announcement from Barclays, David on ZDNet questions if consumers will accept the solution. I agree with that assessment. Did Barclays err in going with card readers for two-factor security? | Between the Lines | ZDNet.com Are you supposed to bring a bulky card reader with you everywhere you go? In contrast, RSA makes versions of its securID solution that fit on your keychain. Think I’m crazy about the sort of mobility that people want out of their online banking? As I earlier noted: Relevance to Bankwatch: While this will buy some time, it …