An article relating to this blog post on Finextra:

Bank of the West app lets users check balances without login

Bank of the West has revamped its mobile app to let customers check their balances with just the slide of a finger, without logging into their accounts.


See article

Balance Check without login - do we need such innovation?

The news that Bank of the West has introduced a feature that lets customers check their account balance without logging in left me a bit amused and a bit scared. The first thought that comes to mind is: are banks encouraging risky behaviour among their customers in the name of innovation?

We have seen a spate of security incidents involving bank accounts in the recent past. Banks have found themselves on the wrong side of many legal battles and are trying to implement more robust authentication mechanisms. They are doing what they can (forced in some cases by the regulators) to reduce the risk of exposing critical data. Security professionals keep stressing the importance of educating customers about security, whether password security or the security of the devices used for multi-factor authentication. Courts are trying to figure out who is at fault when a security breach happens.

Against this background, how prudent is it for a bank to offer its customers a feature that requires them to check a “remember me” box, in the name of a big innovation? To be fair, the bank says on its website (in small print, of course): “IMPORTANT NOTE: When the Quick Balance feature is active (on), anyone who has access to your device can view the balances displayed in the Quick Balance feature”. So they have done their bit, disclosing to their customers the risk of enabling this feature.

What next? Will someone offer fund transfers with a swipe of a finger, and warn their customers (in small print, again) that anyone who has access to their device can potentially empty their accounts?

We need innovation in banking, yes. The question is, do we really need such risky features? What if the box gets checked thanks to fat fingers? Will the disclosures be sufficient to protect the bank if the customer goes to court?

Such options may make the customers happy in the short run and get more finger swipes in their mobile banking application. That would make the banks happy too. However, considering the risks involved in such options, do we really need such innovation?


Comments: (11)

Daniel Smith
Daniel Smith - CHOICE Financial Solutions - New York 05 April, 2013, 07:52

I couldn't agree more.

Banks, particularly in the US, often cite the incredibly high amount of fraud and losses they suffer with cards and online transactions.

Yet, having worked with a number of US banks I continue to be amazed at how few have any sort of simple two factor authentication on transaction execution - even a simple coordinates card etc.

Many new payment and channel features are being driven by the argument that customers want "convenience", particularly younger generation segments.

This then becomes a guiding rule in design. If it's not quick and easy and convenient, it's not good.

Which of course means - small print... and often little or no basic security or protection.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 05 April, 2013, 20:05

We absolutely require more innovation of this nature. Like I'd commented on the article, "May this open the floodgates for other password-less features on mobile banking such as forex rates, last 3 transactions, credit card due amount, etc." Banks invest a lot of time and money in developing and marketing mobile banking apps and they're perfectly justified in expecting high adoption rates for them. If a few innocuous things like displaying account balances without password increases convenience and results in higher adoption rates - which it will, I'm sure - why should banks hold back on doing them?  

Data doesn't support many of this article's assertions:

  • According to this article and my comment therein, banks are faring quite well on all these lawsuits, with the tally reading 3:2 in favor of banks. Interestingly, in the latest lawsuit, the court found in favor of the bank because the bank offered 2FA and 2PA on Internet Banking and the corporate declined it.  
  • According to this article, fraud as a percentage of transaction value is actually going down.
  • Emptying bank accounts from a mobile app is simply not possible as my comments here explain.

When startups like Mint and BillGuard, to name a few, lure customers to hand over their Internet Banking credentials lock-stock-and-barrel to them, we laud them for their innovativeness and claim that they'd disintermediate banks from financial services. On the other hand, when banks wake up and finally do something about reducing friction from their online / mobile transactions, we chastise them. Down with this double standard!

Chandrashekar Gopalarao
Chandrashekar Gopalarao - Infosys Technologies Ltd - Bangalore 11 April, 2013, 06:12

Ketharaman,

We certainly need innovation but not at the cost of basic security. How many people really appreciate the risk involved in being "always logged in" to their bank accounts?

A system that does not provide the feature of automatic logoff will never get through system security audit. All major banks recommend that their customers logoff once they are through with what they want to do in their mobile banking application. They also log you out automatically if you don’t use the application for more than a few minutes.

It is not just what the security professionals recommend. Let me quote two specific regulations.

The FFIEC guidelines clearly say that “. . . an institution’s layered security program will contain the following two elements at a minimum (emphasis mine) . . . . Initial login and authentication of customers requesting access to the institution’s electronic banking system and initiation of electronic transactions involving transfer of funds to other parties”

Information Security Guidelines of RBI says “An online session would need to be automatically terminated after a fixed period of time unless the customer is re-authenticated for the existing session to be maintained”

HIPAA, ISACA, Sarbanes Oxley all recommend automatic logoff as an essential security policy.

If you think all this is overreaction by regulators and security professionals, I would merely say that you are entitled to your views. But when something is regulatory, one's views don’t really count in the courtroom.

And you make a curious comment on “innocuous information”. Volumes have been written about what a social engineer can do with seemingly trivial information and so I don’t want to say much here. But I recommend that you read The art of deception by Kevin Mitnick, an excellent book on the ways of social engineers. There is even a chapter titled When Innocuous Information Isn’t.

A better innovation in my view is to make login much easier and safer than typing one’s password rather than ask people to be logged in all the time.

I would rather spend a few seconds to open the lock rather than keep the front door open all the time and allow a stranger to walk in and take a look, even if there is nothing much that he can steal. Ditto for my bank account.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 11 April, 2013, 10:30

@ChandrashekarG:

Knowing how slowly banks introduce new features, I'm sure this bank has thought about the audit angle before introducing this feature but, even if it hasn't, (a) as a customer, I'm only interested in the feature I get; (b) when I trust my bank with my money, I'll easily trust that, if the said feature failed audit, my bank would withdraw it.

Interesting that you mention FFIEC. This body mandated 2FA for Internet Banking transactions for US banks in 2005, issued a revised guideline last year, but there are still so many banks in USA that have not yet implemented 2FA as is evident from Mint, BillGuard and other startups being able to access over 10M people's bank accounts using only a username and password. Eight years later, I'm not aware of a single bank being taken to court over this (The 3:2 tally of courtroom verdicts I'd referred to in my previous comment was for lawsuits arising from fraudulent fund transfers, not non-conformance with FFIEC). So, let's forget about regulation and courtrooms - all this regulatory bogey is coming from third-party security pundits. In any case, I'm sure that banks know how to deal with regulation.

Convenience versus friction is a matter of personal choice. I'd rather not go thru' the hassle of entering a password while on a smartphone if I simply wanted to access my account balance - or forex rates or last few transactions or credit card outstanding amount. Since the smartphone is in my possession, the analogy of open door is flawed. If my smartphone falls into the wrong hands, someone getting to see my bank balance will be the least of my worries and, I can imagine, lowest on that someone's to-do list either. I don't need to read any article or book to know this. As a bank customer, I'll always opt for convenience and only deal with entities who I trust know enough about how to provide it without compromising security.

Daniel Smith
Daniel Smith - CHOICE Financial Solutions - New York 11 April, 2013, 10:51

The comments about baseline regulatory and fundamental security considerations to me make total sense.

Customers presumably should sign / confirm some form of basic disclaimer accepting the risks of using this type of feature with no timeout etc. - I'd like to see what type of disclaimer is being used, because there theoretically should be a very clear and transparent notification of all potential risks if the bank wishes to protect itself.

This idea of disclaimers and potential litigation in the US reminds me of the pharmaceutical advertisements in the US - which are culturally so different to say European countries. In the US, the advertisement will often spend 15 seconds talking about the product, and another 20 seconds about all of the possible side effects - enough to scare you to death about the product...!

As for Two Factor Authentication - it is absolutely true and mind boggling that US banks still have close to zero adoption of this simple concept that can be very easily implemented through multiple mechanisms and alternatives - despite regulatory insistence around the same.

However, the examples of MINT and others as people who benefit from the lack of 2FA are I believe flawed. These service providers do not need - and to my mind should not need - 2FA to pull simple inquiry type data for their analytics. A user ID and password should be sufficient, and assumes their custodianship of this information is supposed to be bullet proof.

2FA instead is something that should be used to confirm a financial transaction, or change of account / customer details etc.


Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 11 April, 2013, 11:23

@DanielS:

Just as I'd insist on 2FA for carrying out high-risk transactions like the ones mentioned by you, I'd be comfortable with 0FA or 1FA for account balances and the few other transactions I've mentioned earlier. 

Many people - including me - hardly bother to read EULAs and TOCs appearing on our PC or smartphone screens before we click / tap the "I Agree" button while installing an app. Banks shouldn't have any problem in burying any amount of CYA fine print while activating such features.

While on this subject, I just did a quick test: I fired up my Mobile Banking app on my smartphone, supplied my login credentials and surfed the app. While I was still logged on, I tried accessing the same bank's Internet Banking website. Once I submitted my credentials and clicked the Submit button, I was blocked from going further with a message saying that another session was already on and I couldn't get into Internet Banking until the other session was closed. Therefore, while the mobile app "remembers me", it's possible to ensure that no one else - not even me - can access my account from anywhere else. This validates my previous point about the risk of access being limited to my smartphone in my possession.

Daniel Smith
Daniel Smith - CHOICE Financial Solutions - New York 11 April, 2013, 11:47

I agree about CYA fine print that we don't read.

Your experiment with multiple sessions is interesting.

I wonder if Bank of the West customers who also use services like Mint, or Yodlee, etc. for their PFM and data aggregation services are suddenly going to find that their service starts to fail because it cannot connect... since their phone is permanently connected.

:-)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 11 April, 2013, 12:58

While I can't talk of the specific app from Bank of the West, "Remember me" doesn't necessarily mean "permanently connected" in the context of a generic mobile app. I know from mobile apps developed by my company that it's possible to use mobile OS-specific technology (absent on PCs) to move information like account balance only "on demand" i.e. without the need for the frontend and the backend to be connected with each other all the time. Therefore, if done right, Mint / BillGuard / Yodlee will continue to work fine even if this feature is activated.

Zite is a popular mobile app that seems to use such technology because it's able to serve news articles customized for each user on demand. In fact, it doesn't even need registration, let alone temporary or permanent logon.

In a larger context, this harkens back to my oft-expressed view that mobile banking shouldn't be seen as an extension of Internet Banking and that it will achieve mainstream adoption only if it's designed to support features that use GPS, camera, accelerometer and other features found on smartphones but not on PCs.

A Finextra member
A Finextra member 12 April, 2013, 09:20

I have used for several years a text service from my bank, where it sends my balance to my mobile phone as a text message without any logon credentials.

It works in a way where I register my mobile phone in online banking and the bank sends me a confirmation code to accept that the number belongs to me. After that I only send a text message to the bank and in response it sends me my balance.

But what if that were an app? Without logging in with two-factor challenge card info, but simply with a static password/fingerprint, it would let me know my balances.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 12 April, 2013, 11:05

Good point @AnttiL. As I'd highlighted in my 3-part blog post How Banks Can Differentiate By Going The Extra Mile, banks in India have been providing SMS alerts for checking account balance and card transactions for several years. As long as this feature is implemented correctly using currently available mobile OS technologies, using a mobile app to display account balance - even without a password for each request - is arguably more secure than sending it in clear text via SMS and certainly more convenient since it provides the info on demand instead of SMS alerts that are only sent once a week.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 29 April, 2013, 14:04

A midsize private sector bank in India has recently launched a mobile banking app that can display account balance - and forex rates and a few other pieces of information - without logon. It has left the decision on whether balance should be displayed with or without password to the customer. Very smart move, IMO. Interestingly, although the bank's core banking vendor has a mobile banking solution, the bank chose to go with a pure-play mobile banking vendor. Apparently, the bank's decision was influenced largely by the latter's greater sensitivity to customer preferences and its ability to come up with a suitable architecture that achieved the required tradeoff between convenience and security.