Is it me, or does there seem to be a lack of convergence on the subject of security in internet banking these days? From a user perspective I have accounts with ING, Nationwide and Barclays, to name but three. I also work with many banks in their back offices trying to make operations both more secure and more efficient (a tough job to do both at once). When I look at the different methodologies being tried to improve security I see two disturbing things. First, a lack of convergence, i.e. agreement as to what constitutes good security, and second, a rather overwhelming failure to connect the methodology with the psychology of its use. After all, you can implement a really excellent security system, but if it's a real pain to use, you'll lose customers who can't be bothered to go through all the faff. The challenge for the industry is NOT to come up with an unbreakable security system, it's to come up with one that works AND that is usable in its environment.
The competitive instinct in the financial services world seems to be doing more harm than good at the moment, in an industry whose satisfaction and trust rating with customers is only slightly higher than estate agents' (realtors, for our US friends). So, I took a quick look at some of the more bizarre ideas out there to try and exemplify my point. The issue here is not just what each idea is but how different it is from the others. So...
Please keep another piece of technology in your pocket...
Recently I got a letter from Barclays telling me that they were implementing PINSentry and giving me a grace period (undisclosed to me at the time) during which I'd be able to access their web site normally, but that once I got the card reader in the post I'd only be able to access the account by using the piece of kit to create an "on the fly" 8-digit access code. Apart from the usual nightmare of customer services (I was in New York when the grace period ran out, had to get it extended, then pay for a second card reader because the first one didn't turn up - another blog?), what struck me as odd was that the security methodology I am seeing in the wholesale banking industry is going the other direction. There are over 8,000 banks that are members of SWIFT and who use SWIFT to make billions of secure transactions between client accounts every year. They have been using card readers to authenticate users for years... and they're on track to replace the card readers with software-based authentication systems! So why is one part of our industry getting rid of card readers while another is just adopting them? They can't both be right (and only one has the experience with them to know the answers).
Please tell us the name of your third daughter's boyfriend...
Recent press covered one on-line provider asking for the answers to 25 questions as part of its identification/verification methodology. The problem reported at the time, from consumers, was that for many the questions asked are completely irrelevant, so they have to make up answers. Psychologically, of course, there is now no link between the question and the answer that helps the user remember what the answer is... so they have to write it down. Duh!
Please copy these letters...
I've also seen the little box with a squiggly image of letters or numbers that I'm supposed to decipher and re-enter into a system in order to gain access. These are great EXCEPT that the way in which the data is presented is, of necessity, not always easy to read, so I get it wrong, and I presume older, less able people get it wrong even more often, or at best find it extremely frustrating to use.
It seems to me that we've now had some reasonable time to figure out what works and what doesn't. It's certainly a dichotomy. The reality is that "whatever science can invent, science can circumvent", so we'll always be trying to stay one step ahead. But we seem, as an industry, to be doing this in a very haphazard way. What seems to be missing is any research that benchmarks the relative strengths of the various security methodologies used and, importantly, measures these against the downside, usually psychological, issues which they give us.
Trust the government!
The recent debacle with government departments "losing" our information highlights one of the most serious flaws in what we're doing at the moment - one-dimensional thinking. It's one thing to have a super-sophisticated system which verifies your identity, but what's the point if, behind the scenes, the same degree of control is not exercised over safekeeping? The two are not separate issues, they are the same issue. There's a lack of a holistic view here. We spend billions a year coming up with ever more frustrating ways to slow down our use of technology in order to balance it with security... so that some oik in the mail room can... lose all our records in transit... sell all our data on a street corner in Mumbai... get the data wrong so we all end up with bad credit scores... use it to go on a spending spree... go live in Panama for five years... or, God forbid, sell it to a telesales company.
I think there needs to be a re-balancing of strategy, but what's missing is research that compares the different methodologies based on their ease of use and impact on customers, as well as scientific benchmarks of the performance of each method in terms of its absolute and relative "strength".
At least that way, I might end up with just one way to access my accounts and have comfort that the method doesn't make it so difficult to use that I lose the benefit of the internet, and that the company that has my data has spent a proportionate amount throughout its business protecting what I've given it.