Blog article
See all stories ยป

Extra security reduces trust in Web banking, study shows

A study by researchers at New Zealand's Massey University has found that customers lose faith in the security of online banking systems as the number of authentication checks they have to go through increases. 

Researchers Hokyoung Ryu and Kansi Zhang found that although enhanced security measures for Web banking may make the process "technically safer", the more identity-checking steps that are required by a customer, the less "trusting" they feel.

The study involved customers using four mock registration pages similar to those used for online banking transactions. The first required participants to complete two identity-checking steps, while the others required four, six and eight separate steps.

The researchers say that although most New Zealand banks currently require two security steps, banks in China, Japan and Korea commonly require customers to go through as many as eight security checks before accessing accounts.

They cite one participant in the study who had to complete six steps to access a Chinese online banking system, compared with the two steps commonly required for New Zealand banks. The extra steps required for the Chinese system made him more suspicious that the bank was susceptible to security risks, the researchers say.

Ryu says people also resent the time that the extra security takes and also struggle to recall the numerous pin numbers, passwords and answers to security questions.

The results of the study suggest that there is a danger that too many cumbersome seucirty measures will put customers off using online services.

Like New Zealand, most banks in the UK require customers to complete two authentication steps, although this is changing with the roll out by some banks - such as Royal Bank of Scotland and Nationwide - of handheld card readers that generate a one-time-password for Web banking.

My own bank requires me to answer a security question and enter selected numbers from my PIN code before accessing accounts. But I have been locked out of the service on a number of occassions because I have forgotten the answer I gave to security question.

The situation was made worse when, after finding a virus on a machine I used, I had to call the bank and change the answers to all of the security questions. Now, when asked about the last school I went to, my favourite colour etc, I can never remember the answer required, because I had to change the correct one. The addition of more security - such as a card reader - is likely to make the whole process even more troublesome and take even longer.

UK bank HSBC has opted out of providing two-factor authentication devices to customers because it says existing monitoring procedures and customer education initiatives are already effective in detecting and preventing fraud.

HSBC spokesman Tim Pie told Finextra last year that transaction monitoring, anti-fraud education programmes and the availablilty of discounted security software for customers had resulted in HSBC recording lower incidents of Internet fraud.

Pie did say however that the bank may consider supplying devices to retail customers "if they are shown to be effective or if customers want them".

Do customers want them?

The Massey University study implies that customers are already fazed by passwords and PIN codes etc and are suspicious of banks that require more and more security checks. However, a US study released by US by Javelin Strategy & Research last year found that Internet users are more concerned with getting identity safeguards for online banking than being reimbursed for losses.


Comments: (4)

A Finextra member
A Finextra member 31 January, 2008, 17:10Be the first to give this comment the thumbs up 0 likes Some of the security questions can be problematic. My own bank asks for the name of your first and last school. Last time I was in a branch (2006 I think) I encountered an elderly customer struggling with this as she had only ever attended one school. "Make one up" was the helpful suggestion.
A Finextra member
A Finextra member 01 February, 2008, 10:01Be the first to give this comment the thumbs up 0 likes

I agree that the number of PINs, passwords & security questions is getting out of hand.  Eight seems quite overboard when a screen scrape or key log attack will compromise them all.  It also points to a more basic problem with the application of multiple PINs & Pa55w0rds within the authentication process.  The human factor in authentication requires a strong yet simple means of confirming ID.  The best I have yet seen is GrIDsure. 

I believe the way out of this intricate & unappealing series of fixed responses is to be more inventive and to (dare I say it) spend some money on security.  We have technologies which can create OTP & protect from Man in the Middle, like the CAP reader for example.  There are two problems with them, however: the hardware and the user experience.  I'm sure we have all read Chris Skinner's blogs about both Chip & PIN and CAP readers, so I'll not repeat them.  The main article also indicates that users will not find them to be assuring, rather the opposite.  Therefore we require something simple, strong & appealing.

Each of the problems with CAP & OTP tokens can be solved.  We don't need to use a token to create OTP.  A new kind of shared secret can allow the user to easily create OTP, without the additional hardware.  It's simple enough for children, but is also capable of digital signature.  Take a look at

I suggest that we all look hard at the real benefits of the security provided by PIN & passwords.  They are no longer a real defence to an organised attack.



A Finextra member
A Finextra member 08 February, 2008, 12:19Be the first to give this comment the thumbs up 0 likes

Hear, Hear, Michael!

I have seen customers driven to tears in shops because they cannot remember the PIN on their card. Not a sight that retailers want to see.

Merchants had EMV forced on them a couple of years ago, and now the stringent audits for PCI Compliance. However, retailers have a long and winding path to follow before we can get the banks to accept that once a transaction has been authorised,  we do not necessarily want to hold the card details any more, not for settlement, for which a one-time authorisation code would be a better substitute, nor for transaction dispute, where the merchant and transaction IDs would be sufficient.

In terms of problems with PIN entry devices and man-in-the-middle attacks, I fail to understand why more use is not made of the device that most people carry (even my 77 year old mother) viz a Mobile Phone. These already have programmable chips, tend to remain in peoples' possession, and could not only provide safer, private, storage for biometric algorithms but also a secondary confirmation for random security checks (simply ring the number and ask one of the security questions, where the question list is set by the user not forced by the bank).

Oh, and Gridsure? When it first came out I sent a copy to my mother ; always a good usability test! Her reaction was along the lines of "they tested it on a bunch of 18 year old students with good eyesight and non-arthritic fingers, didn't they!"

From a personal perspective, I have already given up on one early  internet based credit card when I got into a catch 22 situation with a forgotten password. "You have to change it via the website" "but I've forgotten the password, can I cancel the account?" ... you can guess the letter in response...

Peter Gullberg
Peter Gullberg - Todos AB - a Gemalto company - GOTHENBURG 28 April, 2008, 20:38Be the first to give this comment the thumbs up 0 likes

Research can show many thing, I don't think the number of questions asked is the real issue, instead, it's the relation between the number of questions asked and the customer perception of the risk in the transaction...

I have asked many people (bankers/non-bankers), in all areas I have been travelling, if they would feel comfortable transferring a large amount of money abroad to an unknown account without any questions asked, and most people said that they would feel uncomfortable if there was no/too few...

The solution should be somewhere in the middle, number of questions should be based on customer perception (=risk).

Now hiring