Author: Steven Hope, CEO of Winfrasoft

Whenever there is talk about security in retail banking, it is often argued that there needs to be a trade-off between the level of protection that is offered and the user experience. Earlier this week the consumer group Which? published a report looking at the security of the top online banks and ranked HSBC in third place. However, when it launched its secure keyii back in August 2011 customers were not happy about the added layer of complexity.

Customers want to be assured that they are safe when banking online, but lock systems down too tightly and the risk of driving them away to a welcoming competitor increases. However, there really is no need for compromise between protection and convenience. It is possible to have very high levels of security running alongside a convenient customer-centric experience.

There are a plethora of transactions which can be done via Internet (and increasingly mobile) banking, some are high risk like adding a payee and others are low risk like checking a balance. Each of these things are also used with different frequency, e.g. adding a payee may only be done once a month, whereas checking a balance could be every other day. Banks need to take these real world scenarios into account and not tar everything with the same cumbersome brush, blaming the inconvenience on security.

Some banks such as NatWest and RBS do offer varying levels of login which is a good thing; although isn’t quite enough. Meanwhile, other banks (HSBC and others) need a hardware tokens just to check a balance which is just crazy. I personally switched banks to get away from using a hardware token just so I could check my balance; I’m sure I’m not the first and will not be last to do it (especially given the new account switching services introduced earlier this month). I do have accounts with various banks and I can attest to some being very easy to use from a layout and usability point of view, and others are terrible. Much comes down to personal preference I suspect, so each is entitled to their own opinion on this one.

The current “token” technology used by banks to prove who you are and securely log in has proven to fail time and time again – Operation High Roller, Euro Grabber, the list goes on… What’s worse is that they still rely on a password or PIN underneath the token which is a very low security bar and a high pain point for users too.

Banks need to use a simple system for people to prove who they are. It mustn’t rely on customers being expected to carry around some plastic lump issued by the bank and it mustn’t rely on me having a mobile phone signal. It must provide an adequate level of security for the task at hand to make it convenient and easy to get things done. Yes – systems that do all this are available today!