A study by researchers at New Zealand's
Massey University has found that customers lose faith in the security of online banking systems as the number of authentication checks they have to go through increases.
Researchers Hokyoung Ryu and Kansi Zhang found that although enhanced security measures for Web banking may make the process "technically safer", the more identity-checking steps that are required by a customer, the less "trusting" they feel.
The study involved customers using four mock registration pages similar to those used for online banking transactions. The first required participants to complete two identity-checking steps, while the others required four, six and eight separate steps.
The researchers say that although most New Zealand banks currently require two security steps, banks in China, Japan and Korea commonly require customers to go through as many as eight security checks before accessing accounts.
They cite one participant in the study who had to complete six steps to access a Chinese online banking system, compared with the two steps commonly required for New Zealand banks. The extra steps required for the Chinese system made him more suspicious
that the bank was susceptible to security risks, the researchers say.
Ryu says people also resent the time that the extra security takes and also struggle to recall the numerous pin numbers, passwords and answers to security questions.
The results of the study suggest that there is a danger that too many cumbersome seucirty measures will put customers off using online services.
Like New Zealand, most banks in the UK require customers to complete two authentication steps, although this is changing with the roll out by some banks - such as
Royal Bank of Scotland and
Nationwide - of handheld card readers that generate a one-time-password for Web banking.
My own bank requires me to answer a security question and enter selected numbers from my PIN code before accessing accounts. But I have been locked out of the service on a number of occassions because I have forgotten the answer I gave to security question.
The situation was made worse when, after finding a virus on a machine I used, I had to call the bank and change the answers to all of the security questions. Now, when asked about the last school I went to, my favourite colour etc, I can never remember the
answer required, because I had to change the correct one. The addition of more security - such as a card reader - is likely to make the whole process even more troublesome and take even longer.
UK bank HSBC has opted out of providing two-factor authentication devices to customers because it says existing monitoring procedures and customer education initiatives are already effective in detecting and preventing
fraud.
HSBC spokesman Tim Pie told Finextra last year that transaction monitoring, anti-fraud education programmes and the availablilty of discounted security software for customers had resulted in HSBC recording lower incidents of Internet fraud.
Pie did say however that the bank may consider supplying devices to retail customers "if they are shown to be effective or if customers want them".
Do customers want them?
The Massey University study implies that customers are already fazed by passwords and PIN codes etc and are suspicious of banks that require more and more security checks. However, a US study released by US by Javelin Strategy & Research last year found
that Internet users are more concerned with getting identity safeguards for online banking than being reimbursed for losses.