
Analysis Papers

Addressing consumers' concerns about online security: A conceptual and empirical analysis of banks' actions

Received: 25th November, 2005

Dan Sarel*
is an associate professor of Marketing at the University of Miami (Florida) specialising in marketing strategy and implementation in the financial services industry. Dr Sarel has over 25 years of consulting experience in the services marketing field, branding and trademark research. As a prolific researcher, his publications have appeared in a range of journals including the Journal of Marketing, Journal of the Academy of Marketing Science and California Management Review.

Howard Marmorstein
is an associate professor of Marketing at the University of Miami (Florida). His research focuses on consumers' response to marketing communications. He has received two National Awards for his research on consumer behaviour and has worked as a consultant in the areas of eminent domain, trademark infringement and deceptive advertising. His publications have appeared in a range of journals including the Journal of Marketing Research, Journal of Consumer Research and the Journal of Business and Psychology.

Abstract

Online security is a major problem for financial institutions worldwide. Account hijacking and online fraud are on the rise. Financial losses in the banking industry due to attacks have been estimated in 2003 to be about US $1.2 billion in the US alone. Studies also indicate that security concerns are a major issue for an increasing number of consumers. The rapid growth in phishing attacks threatens the future of online banking. In the absence of an adequate response, banks are likely to incur even greater costs and experience a significant decline in consumer trust. Thus, the fight against these serious problems entails the management of perceived, as well as actual, security. This paper examines how banks are responding to these challenges. First, assessments of the actual and consumer perceived threats along with the available technical solutions are provided. Second, a conceptual approach to dealing with the issues is proposed. Essential among the recommendations is the need to involve the consumer in managing security concerns. Third, an empirical study examines the actual response of the 200 largest US banks. The findings indicate that many banks are not meeting these challenges and that significant opportunities for improvement exist. Smaller banks, in particular, are failing to take the necessary actions. Specific recommendations to help improve actual security and increase consumer trust in the system are proposed.

Journal of Financial Services Marketing (2006) 11, 99–115. doi:10.1057/palgrave.fsm.4760025

Keywords: consumer security perceptions, online banking security, online fraud, online banking

*Correspondence: School of Business Administration, University of Miami, Coral Gables, FL, USA. e-mail: sarel@miami.edu

Journal of Financial Services Marketing, Vol. 11, 2, 99–115. © 2006 Palgrave Macmillan Ltd 1363-0539 $30.00. www.palgrave-journals.com/fsm

INTRODUCTION

The security of online banking is a major issue for an increasing number of consumers. A 2004 Gartner survey shows that online consumers in the US are growing frustrated with the apparent lack of sufficient security provided by banks.1 In the UK, a 2005 study concluded that UK banks are failing to offer their customers secure online facilities, despite the ongoing threat of cybercrime.2 Media reports from around the world about identity theft, phishing attacks, and other fraudulent activities have been steadily growing.3–5 Financial losses in the banking industry due to these attacks have been estimated in 2003 to be about US $1.2 billion in the US alone.6 It's quite clear that online security is a major issue for banks. It involves actual security as well as consumer perceptions about the system's security. The future of online banking requires financial institutions to ensure that the system is secure and that consumers are convinced of that. Consumer trust is the foundation of any future growth for online banking.

How can banks accomplish these goals? The challenge calls for technical solutions as well as consumer perception and behaviour management. Interestingly, a review of the technical solutions available reveals that many solutions require consumer involvement in detecting and avoiding fraud as well as a willingness to modify behaviour. Thus, development and adoption of a consumer perspective to managing online security is essential. How well are banks meeting these challenges?

The purpose of this paper is to begin exploring these issues. First, we provide a brief review of the threats that banks are facing (both actual and consumer perceived). Second, we examine the technical solutions that have been proposed, highlighting the relevance of consumer involvement in making the technical solutions work. Third, we discuss the management of consumer perception and behaviour issues. Fourth, a new empirical study assessing US banks' efforts to date is reported. Finally, specific recommendations for improvement are provided.

ONLINE BANKING SECURITY THREATS

Consumer perceived threats

Consumer security concerns about online banking are well documented in the literature.7–19 From the introductory stage onward, studies have shown that security and privacy issues were major barriers to adoption. Many non-adopters have long indicated that the risks involved in accessing their accounts online were perceived to be too high.18 Non-adopters revealed that the benefits that could be derived from online banking were not worth taking the risks associated with adoption. Online bill payments and transfers, in particular, were viewed by many as very risky activities. Continuous negative publicity about identity theft, unauthorised access to accounts, phishing attacks, and other fraudulent activities has heightened consumer awareness of the potential risks. Increased consumer concerns could dramatically retard the rate of consumer adoption.

These concerns may affect not only non-adopters but also current users. Many registered consumers can be viewed as light users.18 They are primarily using online access for informational rather than transactional activities. These activities are undertaken infrequently and are less likely to change consumer behaviour and less likely to create a real commitment to the online channel. Studies have shown that the greater the use, the greater the satisfaction and the greater the long-term commitment to the online channel.18 Banks have always hoped that the online channel will reduce the pressure on traditional channels (branches, phone, ATMs) and will translate into an overall lower cost. The reality for most banks, however, has been just the opposite. Most banks are currently spending more on all channels.19 To achieve any future savings, banks need to persuade more consumers to use online more actively and more frequently. Online usage also presents banks with great opportunities to increase revenues as well as to reduce costs.19,20 The opportunities from experimenting with relationship building activities, promotional campaigns, and cross-selling efforts are very promising.
Banks, however, are unlikely to achieve much of this potential if consumers remain highly concerned about security and privacy issues. It's quite clear that the potential negative impact on banks could be very significant if this trend continues. Thus, improving actual security in online banking and managing consumer perceptions ought to become very high priorities for banks.

Actual threats

A recent FDIC study indicates that identity theft leading to account hijacking is one of the fastest growing types of consumer fraud in the US.21 The Federal Trade Commission (FTC) has estimated that during 2003 almost ten million Americans discovered they were victims of identity theft, with a total cost to business and consumers approaching US $50 billion. Account hijacking that involves unauthorised access to checking accounts is the fastest growing form of identity theft. The FTC has estimated that almost 2 million US adult internet users experienced this fraud during the 12-month period ending April 2004.21 Of those, 70 per cent were banking or paying bills online. Over half of those consumers believed they received a phishing email (see discussion below). Losses due to phishing attacks have been estimated last year at about US $1.2 billion.5

Expansion of electronic payment systems plays an important part in account hijacking. An increasing number of consumers now have access to electronic banking and bill-pay services, making the potential for fraud much greater. The increasing number of access points, coupled with the potential for anonymity, facilitates electronic banking fraud. The FDIC study concludes that while the actual number of account hijackings is still relatively small, it is a serious issue for consumers and financial institutions.21 The study reports that many experts believe that account hijacking will have the effect of slowing the growth of online banking and e-commerce. Similar concerns have been voiced in many countries, indicating that this is a global issue. Some of the countries where phishing attacks against banks have been reported in 2004 include Australia, Germany, Malaysia, New Zealand, the UK, and the US.3 A report by British police estimated phishing scams cost UK banks an estimated US $110 million in 2004.4 Another recent study concluded that UK banks have low standards in online security and are failing the security challenge.2 The study recommended that the FSA (Financial Services Authority) should use its regulatory power to mandate improved authentication mechanisms.

Identity theft in banking: The role of phishing

The Identity Theft and Assumption Act of 1998 (US) defined for the first time the nature of the Identity Theft crime and made it a stand-alone crime.21 According to the act it is a crime to: "Knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal Law, or that constitutes a felony under any applicable State or local law." In the financial services industry, this definition can be applied to credit card and non-credit card asset accounts, as well as to accessing existing accounts or opening new accounts under fraudulent information. The primary problem facing online banking, however, involves the unauthorised access and misuse of existing asset accounts. The primary mechanism for illegally obtaining the ID information is through phishing (pronounced "fishing"). We discuss this phenomenon next.

Phishing is defined as the act of harvesting personal, bank and credit information by way of forged emails and fake websites. Consumers are lured by fraudulent emails to provide relevant personal information. In some cases, phishing is accomplished by directing consumers to a fraudulent website that appears to be a legitimate site. The site includes instructions that allow the scammer to obtain bank account information, addresses, and Social Security numbers. The Anti-Phishing Working Group (APWG) estimates that the volume of phishing emails is growing at a rate of over 30 per cent a month. In a response to the FDIC study, the APWG acknowledged that phishing is a major and growing problem.22 The APWG estimates that some 75 to 150 million phishing emails are sent every day on the internet. Attacks are becoming more sophisticated. Attackers leverage vulnerabilities in client software (mail user agents and browsers), design vulnerabilities in targeted websites' applications, and consumer ignorance. According to the APWG, in addition to emails, perpetrators are increasingly using other tools such as Instant Messaging, exploited websites, P2P networks, and search engines.

The threat of online fraud is a major issue for financial institutions. The financial costs of this fraud include direct losses that financial institutions must absorb, as well as indirect costs. Gartner Research estimated the direct costs to be about US $1.2 billion in 2003.3 Additional indirect costs include higher customer service and support costs that can increase dramatically as a result of the flood of service centre calls received from concerned customers. Those customers include those whose accounts have been compromised as well as customers who are trying to verify the legitimacy of emails they have received. The cost estimates should also consider the potential erosion in banks' long-term brand equity resulting from negative publicity. In sum, it's clear that banks need to vigorously respond to these challenges by improving actual security as well as perceived security. In the next sections we examine these issues.

IMPROVING ONLINE BANKING SECURITY

Improving online banking security may involve multiple approaches. The following discussion provides a framework to examine the options available. Our emphasis is upon the general approaches rather than the technical details. The technical aspects of the discussion are based on a recent FDIC report that provides a comprehensive review of the literature and makes specific recommendations for the banking industry.21

Internal bank security: Creating barriers

The first line of defense is prevention. It involves technical efforts behind the scenes that are invisible to consumers. Most banks have realised the severity of the potential problem and have increased their IT investments to improve security. More sophisticated encryption programs, firewalls, and detection software have been introduced. Most of these technical efforts are focused inwardly to protect against unauthorised intruders who might be trying to illegally penetrate banks' internal systems. These efforts, however, don't protect against intruders who were able to deceive customers (via phishing attacks, for example) and obtain real ID information to access bank accounts. As long as only simple authentication methods are deployed, they could be stolen and used by fraudsters to illegally access these accounts. Thus, if consumers are deceived, current IT investments in behind-the-scenes security systems are not likely to fully solve the problem. It seems that tools that don't involve the consumer can only be part of the solution.

Presumptive forensics: Early threat identification

Banks can become more proactively involved in early detection of upcoming problems and alerting consumers to specific threats. Specialised scanning software programs have been developed to search for potential threats.21 The software continuously scans the internet for occurrences of the institution's name, brands, trademarks, and slogans. The software also surveys internet domain name servers for like names that match specific alert patterns. The FDIC report rates the effectiveness of such software as moderate. It indicates that the scanning software is helpful but isn't foolproof. Even if fraudulent sites are found, banks still need to alert their customers to the potential threat.21 This is a delicate issue because many banks are reluctant to actively engage the customer. These issues are discussed later in the management of consumer perception section.

In addition to internet scanning, banks can deploy Server Log Analysis software. The main idea is to analyse on a daily basis the activities of the bank's computer network. This might help the bank detect suspicious activity that may reveal a phishing attack. The FDIC report rates this software as highly effective in fighting phishing and reducing, although not preventing, the damage.

Industry cooperation: Sharing information

Successful frauds tend to be replicated until they are no longer effective. Cooperative initiatives by financial institutions can contribute to an early identification of specific attacks. The key idea is the sharing of early warning information and alerting the industry and consumers to existing threats. Currently, in the US, several efforts have been put into place to accomplish the sharing of information. These efforts are sponsored by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Anti-Phishing Working Group (APWG), the Identity Theft Assistance Corporation (ITAC), and by the FBI's Infragard program. According to the FDIC report, these efforts by the financial services industry are a helpful step in reducing identity theft and mitigating its consequences.21 These efforts, however, are taking place after an attack takes place and thus contribute mainly to reducing its rapid spread, rather than to preventing it from taking place.
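As an added illustration of the two detection ideas under "Presumptive forensics" above (example code written for this page, not from the paper or from the FDIC report), the following Python flags domain names that resemble a bank's brand, and reads web-server access-log lines to spot outside sites that send visitors to the bank's login page or hotlink its logo, a pattern a cloned site produces. The bank name, its domains, the homoglyph table and the log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Hypothetical bank used for the demo; a real deployment would load its own
# domains and brand strings.
BRAND = "examplebank"
BANK_DOMAINS = {"examplebank.com", "www.examplebank.com", "online.examplebank.com"}

# Resources a cloned site typically links to or hotlinks from the real bank.
SENSITIVE_PATHS = ("/login", "/images/logo")

# Small, assumed table of look-alike character substitutions.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label):
    """Map common look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain, brand=BRAND):
    """Return why `domain` resembles the bank's brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in BANK_DOMAINS:
        return None
    labels = domain.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    if brand in domain:                       # examplebank.com.evil.net, examplebank-secure.com
        return "brand-embedded"
    if normalise(registrable) == brand:       # examp1ebank.com
        return "homoglyph"
    if levenshtein(registrable, brand) <= 2:  # exampelbank.com
        return "typo"
    return None


# Apache/NCSA combined log format: ip ident user [time] "req" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def analyse_log(lines):
    """Flag hits on sensitive resources whose Referer is outside the bank's own domains.

    Each alert is (referring host, requested path, reason). A cloned login page that
    hotlinks the real logo, or forwards victims to the real login, shows up here.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip, do not crash the daily run
        referer = m.group("referer")
        if referer in ("", "-"):
            continue                      # direct visit or browser sending no Referer
        host = (urlsplit(referer).hostname or "").lower()
        if host in BANK_DOMAINS or not m.group("path").startswith(SENSITIVE_PATHS):
            continue
        alerts.append((host, m.group("path"), lookalike_reason(host) or "external-referer"))
    return alerts


# Constructed sample log lines for the demo (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2005:08:01:02 -0500] "GET /login HTTP/1.1" 200 5120 "https://www.examplebank.com/" "Mozilla/4.0"
203.0.113.9 - - [12/Mar/2005:08:02:15 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://examp1ebank.com/verify.php" "Mozilla/4.0"
203.0.113.11 - - [12/Mar/2005:08:03:40 -0500] "GET /login HTTP/1.1" 200 5120 "http://examplebank.com.account-update.net/" "Mozilla/4.0"
203.0.113.12 - - [12/Mar/2005:08:04:01 -0500] "GET /about HTTP/1.1" 200 800 "http://news.example.org/banks" "Mozilla/4.0"
203.0.113.13 - - [12/Mar/2005:08:05:22 -0500] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""


def daily_report(log_text=SAMPLE_LOG):
    """Run the analysis over one day's log and return the alerts."""
    return analyse_log(log_text.splitlines())


if __name__ == "__main__":
    for host, path, reason in daily_report():
        print(f"ALERT {reason:16} referer={host} path={path}")
```

Hits that reach the bank from a flagged host are the leads the paper says a bank must still follow up by warning its customers; the analysis only surfaces them.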

User authentication: The two-factor solutions

Authentication is defined as the means of verifying the identity of a person or an entity. The most commonly used authentication in online banking relies on a single password (used in conjunction with a user ID). Reliance on single-factor authentication is viewed by experts as quite weak. The main problem is that passwords are often easy to guess, steal, or crack. Once a password is compromised, the account is unprotected and it may take some time for the legitimate owner to even recognise the break-in. The FDIC views single-factor authentication as a major problem for financial institutions and strongly recommends upgrading to a two-factor authentication system.21 Two-factor authentication is currently used by most ATMs. The authentication requires an ATM card (something a person has) and a password or PIN (something a person knows). Having or knowing only one of the two factors is insufficient. The experts at the FDIC believe that two-factor authentication can significantly reduce account hijacking.21 Currently, the available two-factor authentication systems rely on one of the following methods:

Shared Secrets. Unique questions are asked during the authentication process, the answers to which a fraudster would be unlikely to know. Alternatively, the user and the bank agree on a secret (eg a photo) that the bank needs to display when the user accesses the site. If the secret isn't displayed, the user will know that the site is fake. Generally a good approach, though over time hackers are more likely to obtain or guess answers or shared secrets.

USB Token. A device that plugs directly into a computer's USB port and doesn't require installation. It contains a microprocessor to encrypt the transmitted data. To obtain access to the account, the USB device needs to be plugged in and a password is used. It is believed to be very effective, but a user needs to have the USB token to be able to access the account. This makes it more difficult to use on multiple computers at different locations.

Password-Generating Token. A device that produces a one-time password each time it is used. The token eliminates the need to remember the password. It's highly effective and secure due to the creation of new random passwords that are unlikely to be guessed. Users need to carry the token and the system may be difficult to administer (for financial institutions).

Biometrics. A technology that authenticates a person based on physiological or physical attributes. Biometrics may include recognition of fingerprints, faces, voices, or keystrokes. These systems are complex and expensive to implement. The systems aren't error free and may produce false results (allowing an illegitimate person access or denying it to a legitimate person). While systems are likely to improve over time, in their current form they are probably more appropriate for other security applications (rather than for online banking).

The FDIC recognises that no system is perfect and each approach has its strengths and weaknesses.21 In spite of these imperfections, the FDIC strongly recommends that financial institutions adopt a two-factor authentication method. Similar recommendations have been made by other experts.2 The adoption of a two-factor authentication system requires consumer cooperation. Attempts to modify consumer practices always present challenges. Some of the systems recommended above are easier to implement, others require much greater effort and change in consumer behaviour. It is clear that the implementation of any change requires a real understanding of consumer perception and behaviour.
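As an added illustration of the password-generating token described above (example code written for this page, not from the paper or the FDIC report), the following Python implements one common realisation of such a token, the HMAC-based one-time password of RFC 4226, together with a bank-side verifier that accepts each password at most once and tolerates a few unused presses of the device. The shared secret is the RFC's published test value; the user name and the look-ahead window are assumed values.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """Consumer side: the device holds the secret and a counter that advances on every press."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def press(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Bank side: remembers the next expected counter per user so a password works once only."""

    def __init__(self, window=5):
        self.window = window      # unused presses tolerated before resync fails (assumed value)
        self.users = {}           # user_id -> {"secret": bytes, "counter": int}

    def enroll(self, user_id, secret):
        self.users[user_id] = {"secret": secret, "counter": 0}

    def verify(self, user_id, code):
        rec = self.users.get(user_id)
        if rec is None:
            return False
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1    # resync; this and every earlier password are now dead
                return True
        return False


def demo():
    """Enrolment, one login, a replayed password, a resync and a stale code; returns the outcomes."""
    secret = b"12345678901234567890"       # RFC 4226 test secret, used here as constructed input
    server = TokenServer()
    server.enroll("alice", secret)         # "alice" is an assumed user name
    token = HardwareToken(secret)

    first = token.press()
    accepted = server.verify("alice", first)          # fresh password: accepted
    replayed = server.verify("alice", first)          # same password presented again: rejected
    token.press()                                     # two presses without logging in,
    token.press()                                     # eg the user fumbled the entry
    resynced = server.verify("alice", token.press())  # still inside the look-ahead window
    stale = server.verify("alice", hotp(secret, 20))  # far beyond the window: rejected
    return first, accepted, replayed, resynced, stale


if __name__ == "__main__":
    print(demo())
```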

Involving consumers in fraud detection: The avoidance approach

The methods discussed above are not foolproof and are often complex, expensive, and difficult to implement. In general, they don't directly rely on consumer involvement. It's clear, however, that if consumers could be enlisted to play a greater role in detecting fraud, some of these phishing attacks might be prevented. We examine the two main alternatives that have been suggested to get consumers involved.

Education and Early Warnings. As discussed above, the large majority of phishing attacks are initiated by sending consumers deceptive emails. The emails often look as if they are from the consumer's financial institution, leading consumers to divulge confidential information. This deception is made possible because consumers believe that the emails and the corresponding websites are legitimate. A significant part of the problem can be avoided if consumers become more knowledgeable about the issue. This requires continuous educational efforts by financial institutions about the problem and about recognising and avoiding an attack. Additionally, it may require banks to inform consumers in a timely fashion of existing threats. Educating and alerting consumers may become a necessary tool in the fight against fraud. However, it's a difficult and a sensitive issue. We discuss some of these concerns in the section that deals with managing consumer perception and behaviour.

Sender Email Authentication. If a method could be devised to help consumers determine whether an email is real or false, it would simplify their detection task and reduce the likelihood of consumer deception. According to the FDIC report, the technology to authenticate emails is available.21 Implementing this solution, however, requires the cooperation of multiple entities including software vendors, ISPs, and the Internet Engineering Task Force (IETF). Initiatives are under way to move in that direction, but so far agreement has not been reached. Even when such systems are implemented, the industry still faces a massive educational effort to teach consumers to use them properly.

In sum, several different approaches and technologies are available. Most experts believe that no single option is sufficient. Most recommend a multi-method approach to reduce the potential risk. Many of the recommended approaches involve the consumer in some way. We address the area of consumer involvement and the management of consumer perception and behaviour next.

MANAGING CONSUMERS' SECURITY PERCEPTIONS AND BEHAVIOR

Consumer involvement

As indicated above, online security threats are a serious and a challenging issue for financial institutions. They pose both real and consumer perceived concerns. The review of the technical solutions above shows that systems that are completely invisible to the consumer are unlikely to be sufficient. Some consumer involvement is likely to be needed. If consumers could become more educated about potential threats, more knowledgeable about detection, and more proficient at avoiding some of the phishing attacks, security would be significantly better. If consumers could be persuaded to change their behaviour and adopt more complex but stronger authentication methods, security would be enhanced. It's clear that an informed, alert, and involved consumer can contribute to improved (actual) security.23

The issue that concerns many financial institutions is the potential negative effect of such educational efforts on consumer perceptions of security. Banks worry that visible efforts to involve the consumer may backfire. They will raise awareness of the potential problem and could contribute to increased risk perceptions. If consumers feel less secure, it could have negative effects on usage and on the future growth of online banking. While these concerns are understandable, it is proposed that banks don't really have a choice but to get consumers involved. Experience in negative publicity and crisis management clearly demonstrates the perils of avoiding discussion and the merits of dealing with threats and risks directly and openly.24 By avoiding the issue, banks are surrendering the agenda to the negative publicity syndrome. Consumers are more likely to learn about security from fraudulent attacks and negative publicity. Uncontrolled rumours are likely to dominate the news and the cumulative effect is likely to be negative. Moreover, as discussed above, efforts that are visible to the consumer are not sufficient to protect the system. The lack of consumer involvement can only contribute to a less secure environment.23 Thus, it's recommended that banks ought to involve consumers in the process. By controlling the agenda, banks could better manage the process and monitor consumer perceptions and behaviour. By carefully analysing consumer issues, banks can gradually get consumers more informed, more involved and even feeling more secure. Rather than avoiding the issue, banks ought to study it more carefully and experiment adaptively with communication efforts that are likely to contribute to the desired effects. We address some of the specific areas next.

Consumer education: Risks, detection, and avoidance

Uninformed consumers present a major problem but also an opportunity for banks.


Consumer concerns about security might be greatly exaggerated and are often based on rumours and incomplete information. Many of these consumers are not currently banking online because of these perceptions.18 Unless banks educate these non-users about security, they are unlikely to adopt online services. Similarly, current users might be affected by negative rumours. Stories about fraud, unauthorised access to banking accounts, and nancial losses could have a very negative effect on usage. This situation, however, also presents a great opportunity to turn things around and make consumers feel more secure.23 By focusing on user and non-user education, banks can turn a negative into a positive force. Consumers ought to be educated about the general high level of security that is provided. They ought to understand potential threats and learn how to avoid them. By teaching consumers to detect fraudulent emails, most consumers are likely to feel more empowered and more secure. Such efforts will help consumers realise that by being more informed and more knowledgeable, they are very unlikely to be negatively affected. Two-factor authentication: A consumer perspective The most important immediate recommendation in the FDIC report is the need to move from the current single-factor authentication system into a two-factor system. The FDIC report21 indicates that such a move is going to signicantly improve actual security. In analysing the different two-factor authentication systems available, the report classied all as being easy for consumer to use. The FDIC report doesnt address, however, the process of conversion and consumer education that might be needed. Previous studies on getting consumers to change banking behaviour show that the process may not be so straightforward.20 Depending on the specic system chosen, consumers may need to learn

new behaviour, recall more information, carry tokens when they want to access the account, or plug in special devices. These are all feasible modifications, although they require careful listening to consumer concerns.25 With the appropriate conversion strategy and controlled implementation, consumer acceptance is likely to be positive. Selecting a new system without careful attention to consumers could conceivably hinder adoption.

Assurance management: Building consumer trust

As stated in the introduction, trust is the foundation of banking relationships. Online banking isn't going to flourish without banks establishing and maintaining consumer trust. Assurance management involves the coordinated bank efforts to achieve these goals. Trust can be established over time by first developing as secure a system as possible. Second, it requires an integrated communication effort to assure consumers that they face no financial risk when using the system. While several communication tools could be deployed, the most direct and most meaningful tool is a clear and unconditional guarantee. If consumers believe that they cannot be held responsible for any unauthorised break-ins into their account, they are likely to feel more secure. The literature on Unconditional Guarantees has long demonstrated their power in developing and maintaining trust between consumers and service providers.26 The literature also indicates that for guarantees to be really effective they ought to be unconditional, easy to invoke, and treat consumers fairly.27

Federal regulations in the US currently limit consumers' financial exposure to unauthorised account hijacking. Consumers, however, are neither necessarily aware of this limited exposure risk nor knowledgeable about the specific stipulations and conditions involved. Consumers' increasing concerns about the potential financial risks involved in online banking demonstrate that current federal regulations are not well known or are perceived as insufficient. The federally mandated coverage certainly cannot be viewed as an unconditional guarantee. Therefore, from an assurance management perspective, current regulations are incomplete. This creates a great opportunity for banks to close the gap and reduce the perceived risk by offering a truly comprehensive and unconditional guarantee. Assuring consumers that they face no financial risk can be a major building block in the continuous efforts to build trust. A strong and unconditional guarantee should be the foundation of a comprehensive communication effort aimed at building consumer trust.

106 Journal of Financial Services Marketing Vol. 11, 2 99–115 2006 Palgrave Macmillan Ltd 1363-0539 $30.00 Addressing consumers' concerns about online security

ASSESSING BANKS' RESPONSE: AN EMPIRICAL STUDY

Study objectives

The conceptual review provided above indicates that internal efforts that are not visible to the consumer are not likely to fully solve the online security issues. To improve actual security, experts have also recommended steps that are visible to consumers and may require consumer cooperation. Most notably, experts recommend a move to a two-factor authentication system and a strong communication campaign to educate consumers and increase their ability to detect and avoid fraud. The discussion above also concluded that getting consumers engaged, informed, and involved is likely to make them feel more empowered and more secure. The provision of an unconditional guarantee was recommended as the strongest and most visible component of a comprehensive assurance management approach. The objective of the empirical study is to evaluate US banks' observable performance in meeting these recommendations. Specifically, the study examines the response of US banks in the following areas: authentication procedures, visibility of security information/discussion, consumer education on security issues and fraud detection, disclosure of responsibility for financial loss, and the offering of unconditional guarantees.

Study methodology

Approach

To answer the questions raised above, a Content Analysis of banks' websites was undertaken. While banks may engage in many communication and security activities, the study questions can be best observed online by analysing the information available to consumers on their websites. Authentication procedures, security discussions, fraud detection education, loss responsibility information, and the offering of an unconditional guarantee are all observable online. Therefore, in order to be able to compare multiple banks on the same dimensions, bank websites provided the best opportunity for analysis. To analyse banks' actions a Content Analysis methodology was employed. Content Analysis is a systematic, quantitative technique used to analyse the content of observable communication. Content Analysis attempts to categorise and quantify observable information into meaningful units using carefully applied rules.28 Content Analysis usually includes observations as well as analysis. The unit of analysis can be words, themes, issues, topics, characters, and the like. Content Analysis has been used extensively in marketing research. Studies on the content of advertising messages in print, TV, radio, and other media have been reported.28,29

Design and sample

The study design followed the approach and procedures recommended in the literature for Content Analysis studies.28 As suggested in the literature, the study focused on answering the specific questions articulated above. To ensure objectivity and reliability, a three-stage design
was employed. The first stage was exploratory and was aimed at developing the coding instruments. Researchers examined the information of 22 bank websites. The areas investigated were based on questions generated from the literature review and the framework reported above. The second stage was undertaken to pre-test the coding instruments and refine the training instructions. The pretests covered 32 bank websites. In the third and final stage, a larger sample of banks was employed. This stage included the 200 largest US banks. The banks were selected from the FDIC database of all US banks as of January 2005. Banks were selected on the basis of total assets held, ranging from US $3.3 billion to over US $800 billion. The wide asset range provides an opportunity to examine the relationship between size and banks' actions.

Instruments

To measure the content of banks' actions, observable online information had to be coded and analysed. Based on the literature review and the framework discussed above, the following observable areas were investigated: authentication procedures, security communication, fraud detection education, loss responsibility, and the unconditional guarantee. For the authentication area, the classification instrument distinguishes between a single-factor and a two-factor authentication process. For all other areas, a coverage and prominence classification was developed. This classification indicates: (a) whether a site provided (dealt with) a specific issue (eg loss responsibility); (b) whether the provided information received prominence on the website. Conceptually, this distinction reflects the difference between an active attempt to promote this information and simply making it available to those who are looking for it. The classification was operationalised using the following definitions:

Prominent: The specific issue/area is available and is posted on the front or the first relevant page. It includes both a complete discussion and/or a clear link to a discussion deeper in the site.

Not prominent: The specific issue/area is available but isn't prominently displayed. It includes all displays of the issue/area that could be found deeper in the site. All information areas that are available on the site but are excluded from the prominent classification are included here.

Mute: The specific issue/area is not discussed anywhere on the website.

The classification scheme discussed above was applied to four areas: security communication, fraud detection education, loss responsibility communication, and guarantees. For the area of guarantees, an additional classification was developed. The exploratory research (stage one) found that some banks provide an unconditional, no-strings-attached guarantee. Others provide a guarantee with various conditions. A third group simply did not discuss the issue at all. The fourth and final group went in the opposite direction and explicitly denied their responsibility. Since these were meaningful categories that were mutually exclusive and collectively exhaustive, they were included in the study. These four categories are labelled: unconditional guarantee, conditional guarantee, mute, and explicit denial. The discussion prior to Table 5 in the findings section provides more details on these classifications.

Data collection and analysis

As recommended in the literature, different researchers were used in the different stages of the study.28 Data for the first (exploratory) and second (pre-testing) stages were collected by a research assistant and by the principal investigators. The final data for the study were collected by two independent researchers. The researchers were trained by the principal investigators and employed clearly defined coding schemes. Each researcher worked independently. Their coded
data were compared and analysed for discrepancies.

Interjudge reliability

As recommended in the literature, a reliability index was developed.28 It measures the coefficient of agreement (the total number of agreements divided by the total number of coding decisions). The coefficient of agreement in this study was 0.971. It implies that in over 97 per cent of the cases the two researchers arrived at the same classifications. The remaining discrepancies were resolved by a third independent researcher. The final data were analysed by the principal investigators. The main findings of the study are reported next.

Findings

Authentication

The FDIC's strongest recommendation has been the need to improve the login authentication process. A two-factor approach was advocated. The empirical study examined whether US banks have moved in that direction. Table 1 reports the results for all banks (n = 200) and by size of banks. Small banks are defined as those having assets up to US $10 billion while large banks have assets over US $10 billion. The table clearly indicates that the vast majority of US banks are still using only a single-factor authentication system. Currently, in most banks, consumers need only one password to access their accounts. In only 4.5 per cent of the cases have banks moved to a more secure, two-factor authentication process. Most of these cases involve a shared secret, most notably an additional question to which only the legitimate user should know the answer. In terms of bank size, the study indicates a slightly higher propensity among larger banks to adopt a two-factor solution (7.3 vs 1.9 per cent). Yet, even among large banks, over 92 per cent are still using a single-factor authentication process.

Table 1 Authentication process

                  All banks        Small            Large
                  (n=200) (%)      (n=104) (%)      (n=96) (%)
Single factor     95.5             98.1             92.7
Two factor        4.5              1.9              7.3
Total             100              100              100
χ2 (p=0.067)
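The χ2 test behind the p-value printed under Table 1 (and under Tables 2 to 5 below) can be re-run from the percentages and group sizes the paper reports. The following Python is an added example, not part of the paper: it reconstructs the integer counts from the printed percentages (104 small banks, 96 large banks), checks that they reproduce the printed percentages, and computes Pearson's chi-square test of independence between bank size and category, using closed-form upper-tail probabilities for 1 to 3 degrees of freedom so that only the standard library is needed.

```python
import math

# Counts reconstructed from the percentages printed in Tables 1-5 (constructed
# here from the paper's figures: 104 small banks, 96 large banks).
# Each row is (category, small-bank count, large-bank count).
TABLES = {
    "Table 1": [("Single factor", 102, 89), ("Two factor", 2, 7)],
    "Table 2": [("Prominent", 49, 60), ("Not prominent", 50, 34), ("Mute", 5, 2)],
    "Table 3": [("Prominent", 36, 50), ("Not prominent", 48, 36), ("Mute", 20, 10)],
    "Table 4": [("Prominent", 0, 5), ("Not prominent", 84, 80), ("Mute", 20, 11)],
    "Table 5": [("Unconditional", 0, 4), ("Conditional", 79, 71),
                ("Mute", 20, 11), ("Explicit denial", 5, 10)],
}

# p-values as printed under each table in the paper
REPORTED_P = {"Table 1": 0.067, "Table 2": 0.077, "Table 3": 0.03,
              "Table 4": 0.025, "Table 5": 0.025}


def percentages(rows):
    """Column percentages (all banks, small, large) rounded to one decimal,
    i.e. the numbers a table in the paper prints for each category."""
    n_small = sum(s for _, s, _ in rows)
    n_large = sum(l for _, _, l in rows)
    n_all = n_small + n_large
    return {label: (round(100.0 * (s + l) / n_all, 1),
                    round(100.0 * s / n_small, 1),
                    round(100.0 * l / n_large, 1))
            for label, s, l in rows}


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) of a chi-square variable with df degrees
    of freedom, in closed form for df = 1, 2, 3 (the paper's tables have two
    size groups, so df = number of categories - 1)."""
    if df == 1:
        return math.erfc(math.sqrt(x / 2.0))
    if df == 2:
        return math.exp(-x / 2.0)
    if df == 3:
        return (math.erfc(math.sqrt(x / 2.0))
                + math.sqrt(2.0 * x / math.pi) * math.exp(-x / 2.0))
    raise ValueError("closed form implemented only for df in 1..3")


def chi2_independence(rows):
    """Pearson chi-square test of independence between bank size (small/large)
    and category. Returns (statistic, degrees of freedom, p-value)."""
    n_small = sum(s for _, s, _ in rows)
    n_large = sum(l for _, _, l in rows)
    n_all = n_small + n_large
    stat = 0.0
    for _, s, l in rows:
        col_total = s + l  # every column total is > 0, so no expected cell is 0
        expected_s = col_total * n_small / n_all
        expected_l = col_total * n_large / n_all
        stat += (s - expected_s) ** 2 / expected_s
        stat += (l - expected_l) ** 2 / expected_l
    df = len(rows) - 1
    return stat, df, chi2_sf(stat, df)


def check_tables(tables=TABLES, reported=REPORTED_P, tol=0.002):
    """Recompute every table's p-value and flag those whose reconstructed counts
    do not reproduce the printed value within tol. Tables 1-4 reproduce;
    Table 5 comes out near 0.04 rather than the printed 0.025."""
    out = {}
    for name, rows in tables.items():
        stat, df, p = chi2_independence(rows)
        out[name] = {"chi2": round(stat, 3), "df": df, "p": round(p, 4),
                     "matches_reported": abs(p - reported[name]) <= tol}
    return out


if __name__ == "__main__":
    for name, rows in TABLES.items():
        print(name, percentages(rows))
    for name, result in check_tables().items():
        print(name, result)
```

Because the percentages are printed to one decimal and the group sizes are known, the integer counts are determined exactly, so the check is a genuine reproduction rather than an approximation.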

Prominence of security communication

A fundamental question for all financial institutions revolves around the issue of how to communicate with consumers about security issues. Some banks may prefer a low-key approach, thereby avoiding the need to remind consumers about threats and minimising their exposure to the issue. Others could take the opposite approach and be more direct and upfront about security. The study examined the general approach that banks took on their website in communicating with consumers about security. As discussed in the methodology section, bank efforts were divided into: Prominent, Not Prominent, and Mute. Prominent is measured as posting a message about security on the front or the first relevant page. It includes both a complete discussion and/or a clear link to a discussion deeper in the site. Not Prominent implies that the information is available but it isn't prominently displayed. It includes all displays of security issues deeper in the site. In these cases, consumers have to search for the security information. The bank is deciding to make it available but not to display it prominently. Presumably, the idea is to try to satisfy those who are concerned (and thus looking for this information) without sensitising others who might not be thinking about this issue. Finally, the Mute category indicates that security is not discussed anywhere on the website.

The findings in Table 2 show that slightly over half of US banks (54.5 per cent) are recognising consumer anguish and are discussing security issues upfront. Large banks are more likely to pursue this approach (62.5 vs 47.1 per cent). While this commitment is encouraging, 42 per cent of the banks in this study still prefer a low-key approach to displaying and discussing security issues. These banks decided to make security information available only deeper in the site for consumers who are searching for this information. In some instances, the search was quite difficult and required a real determination on the part of the consumer to actually find this information. Smaller banks were more likely to follow the Not-Prominent approach (48.1 vs 35.4 per cent for large banks). A small minority of banks (3.5 per cent) were classified as Mute. They provided no information on their website on security issues. Again, the proportion is higher among smaller banks (4.8 vs 2.1 per cent).

Table 2 Prominence of security communication

                  All banks        Small            Large
                  (n=200) (%)      (n=104) (%)      (n=96) (%)
Prominent         54.5             47.1             62.5
Not prominent     42.0             48.1             35.4
Mute              3.5              4.8              2.1
Total             100              100              100
χ2 (p=0.077)

Consumer fraud prevention education

As discussed above, an educated, informed, and alert consumer could play an important role in improving online banking security. If consumers were able to detect and avoid fraud, phishing attacks would be much less likely to lead to account hijacking.23 The study examined bank efforts to educate consumers about fraud detection and prevention. The classification used here is similar to the one on security communication prominence employed in Table 2. The findings in Table 3 show that 43.0 per cent of the banks investigated are making a deliberate effort to educate the consumer about phishing attacks, how to recognise them, and how to avoid them. These banks deal with this issue explicitly and prominently. They discuss it on the site's front page or, at minimum, provide a clear link about fraud detection to a deeper page. As observed in the other parts of this study, more of the larger banks are committed to this approach (52.1 vs 34.6 per cent for smaller banks). At the same time, a significant number of banks (42.0 per cent) still prefer to avoid dealing with this fraud issue explicitly. These banks provided some educational information about fraud detection deeper in the site. These banks are clearly not taking a proactive approach to educating consumers about fraud detection. It's up to the consumer to search for this information. Again, this phenomenon is more prevalent among smaller banks (46.2 vs 37.5 per cent). The most disturbing finding in Table 3 is that 15 per cent of the banks are completely mute on this issue. They are not involved in any online education about fraud detection. This approach was observed among 19.2 per cent of the smaller banks and among 10.4 per cent of the larger banks.

Table 3 Prominence of fraud detection education

                  All banks        Small            Large
                  (n=200) (%)      (n=104) (%)      (n=96) (%)
Prominent         43.0             34.6             52.1
Not prominent     42.0             46.2             37.5
Mute              15.0             19.2             10.4
Total             100              100              100
χ2 (p=0.03)

Prominence of loss responsibility communication

Consumers' first and primary security concern is about financial losses. Many consumers are unaware of the extent of loss for which they might be held responsible if a fraudster accessed their account illegally. In this part of the analysis, we examine how banks chose to inform their customers about
this issue. Table 4 employs the same prominence classifications used in the earlier tables. Banks can deal with these issues upfront, explicitly, and prominently in an effort to alleviate consumer concerns (classified as Prominent). Others may decide to provide this information deeper in the site for those who are searching for it (Not Prominent). Yet another approach is to ignore this issue completely (Mute). Table 4 demonstrates that very few banks are committed to discussing the loss responsibility issue in a prominent way. Only 2.5 per cent of the banks in the study displayed information or a link to information about loss responsibility on the front (or first relevant) page. None of the smaller banks have done this and only 5.2 per cent of the larger banks displayed loss responsibility information prominently. The vast majority of all banks (82.0 per cent) provided loss responsibility information deep in the site. The available but not prominent approach is consistent with a strategy that attempts not to increase consumer sensitivity to, or awareness of, this issue. The most disturbing finding in this table is that 15.5 per cent of the banks don't provide any information to consumers about the loss responsibility issue. This approach is especially puzzling. The Mute behaviour was observed among 19.2 per cent of the smaller banks and among 11.5 per cent of the larger banks.

Table 4 Prominence of loss responsibility communication

                  All banks        Small            Large
                  (n=200) (%)      (n=104) (%)      (n=96) (%)
Prominent         2.5              0.0              5.2
Not prominent     82.0             80.8             83.3
Mute              15.5             19.2             11.5
Total             100              100              100
χ2 (p=0.025)

Unconditional loss guarantee

Consumers' concerns about the extent of loss they are responsible for were highlighted above. Current federal law provides limits to potential loss if specific conditions are met. To reduce consumer concerns about potential financial loss, the concept of an unconditional guarantee has been advocated. The study examined two issues: prominence of display and type of guarantee. The analysis indicated that the type of guarantee variable was much more meaningful and thus it is reported below. This measure examines what types of guarantees, if any, banks are offering to customers who bank online. In Table 5, current bank offerings are classified into: Unconditional Guarantee, Conditional Guarantee, Mute, and Explicit Denial. Unconditional Guarantee explicitly indicates that consumers are not responsible for any losses caused by unauthorised access. There are no conditions or loopholes. Consumers are assured complete peace of mind. Conditional Guarantee follows federal requirements. Consumer exposure is limited if specific conditions and reporting deadlines are met. Mute implies that the bank website is not addressing this issue at all. No information is provided about consumer protection. Finally, Explicit Denial implies that the website clearly stipulates that there are risks involved, the bank may not necessarily be responsible, and consumers might be exposed. It's important to note that while legally all banks have to adhere to federal regulations limiting consumer exposure under specific conditions, some banks don't discuss those issues at all (classified here as Mute). In more extreme cases, banks prefer to explicitly communicate the potential risks and consumer responsibility and omit the discussion of the federal requirements (this is classified as Explicit Denial). This approach is probably guided by legal advice trying to limit bank exposure in case of litigation. Explicit Denial is obviously more concerned with legal issues than with consumer perceptions and marketing considerations.

The findings in Table 5 indicate that only 2.0 per cent of all banks in this study offer an unconditional guarantee. None of the
small banks offer it and only 4.2 per cent of the larger banks provide it. It seems that the vast majority of US banks (75 per cent) believe that meeting the federal requirement is sufficient. The rest of the banks are not even pursuing this minimalist approach. The Mute category consisted of 15.5 per cent of all banks with a heavier concentration among smaller banks (19.2 vs 11.5 per cent for larger banks). These banks simply avoided any reference to the bank's responsibility. Finally, the most surprising result is that 7.5 per cent of all banks are classified as Explicit Denial. These banks preferred to highlight consumer risk and avoided any mention of the bank's responsibility. Interestingly, this was the only category in the study where the proportion of larger banks taking a conservative approach was higher (10.4 vs 4.8 per cent for smaller banks).

Table 5 Unconditional loss guarantee

                  All banks        Small            Large
                  (n=200) (%)      (n=104) (%)      (n=96) (%)
Unconditional     2.0              0.0              4.2
Conditional       75.0             76.0             74.0
Mute              15.5             19.2             11.5
Explicit denial   7.5              4.8              10.4
Total             100              100              100
χ2 (p=0.025)

SUMMARY AND RECOMMENDATIONS

Online security is a major issue for all financial institutions. It involves the management of consumers' perceived, as well as actual, security. Account hijacking and online fraud are on the rise. The rapid growth in phishing attacks threatens the future of online banking. Negative publicity damages consumer trust in the online service. Non-users are more reluctant to convert and users might reconsider their actions. Unless trust in the system can be maintained, the future of online banking could be at risk. This paper examined banks' response to these security issues both conceptually and empirically.

The review of security experts' opinions revealed that internal efforts that don't involve the consumer, while necessary, are not sufficient to fully resolve the problem. Current phishing attacks target unsuspecting consumers. When fraudsters succeed in tricking consumers into directly or indirectly revealing personal information, online systems are likely to be compromised. Thus, it is quite clear that security efforts must prevent fraudsters from obtaining customers' access information. All recommended solutions, however, require greater consumer involvement in the process. While banks might be reluctant to involve the consumer, they probably don't have any other viable option. Consumer involvement is needed to help secure the system. The management of consumer perception and behaviour is critical for the future success of the online service. It should help reduce fraud and contribute to building trust in the online system.

The empirical part of the paper examined banks' actual response to these challenges. The findings indicate that many banks are not meeting these challenges and that significant opportunities for improvement exist. Smaller banks, in particular, are failing to take the necessary actions. Fundamentally, many banks are reluctant to get consumers involved. These banks are taking a low-key approach. They tend to provide some information for those consumers who are actively searching and avoid proactive solutions to reach the remainder of consumers. This approach is deficient because it leaves the most unsuspecting consumers vulnerable to an attack. Moreover, when banks surrender the agenda to the negative publicity effects, they are not likely to succeed. Crisis management literature clearly demonstrates the need to be open, direct, and involve consumers in the process as early as possible. Prevention is always the best strategy and in this case it calls for greater consumer participation. The findings identified the major deficiencies that ought to be addressed. They include:

Improved authentication. Most experts recommend a move to a two-factor authentication process. The study found that only 4.5 per cent of banks have accepted this challenge and changed the authentication process. This is clearly a major concern that ought to be addressed by financial institutions. The simplest option available is the shared secrets approach. Users are asked additional questions during the authentication process. The questions keep changing, making it more difficult for fraudsters to guess. Experts believe this is a good first step, although not as secure as other alternatives. Bank of America has recently added a new type of shared secret. Consumers need to register their specific computers with Bank of America and assign a digital image, such as a photo of a dog, to their account.6 When the consumer signs in, the site will display the assigned photo. This will help consumers verify that the site is legitimate (since an illegitimate site won't have this photo). When a consumer is using a non-registered computer, the system will apply the list of verifying questions mentioned above. Password-generating tokens are believed to be a more secure alternative. They involve a device that produces a one-time password each time it is used. The token eliminates the need to remember the password. It's highly effective and secure due to the creation of new random passwords. The introduction of these tokens, however, is more complex and requires careful consumer analysis. Consumers will need to have this device with them whenever they are trying to access their accounts. Devices could be lost or malfunction, thereby creating difficulty and inconvenience for consumers. Several institutions have started to introduce these tokens. In the US, E*Trade Financial (banking and brokerage services) has just begun using this system and has been advertising it in their television commercials. E*Trade is offering this service free to their most active customers and charges others US $25. The extra cost might be viewed by some customers negatively. First National Bank of South Africa (FSBA) began offering a similar system in 2003. After two years, only 12 per cent of FSBA's online banking customers use tokens. Consumer complacency and costs (about US $30 for tokens) are cited as the culprits.30 The key to introducing any of these methods is to recognise the consumer aspects of the adoption process. Success requires careful attention to implementation issues.

Consumer communication and education. Almost half of the banks in the study have not made security communication a high-priority issue on their website. Many banks are displaying security information only deep within their website. These efforts aim to reach only a select group of consumers who actively search for security information. These banks are not proactive at reaching all consumers and communicating with them about any security issue. Less than half of the banks prominently displayed fraud education information on their sites. The failure to proactively educate all consumers defeats the whole purpose of prevention. If banks are able to educate more consumers about fraud detection, significant improvements in security will be obtained. Banks ought to experiment with various educational approaches. Incentives to comply could be considered. Educational efforts should aim to increase awareness and the ability to detect fraud. Experimentation could also help identify efforts that have a positive effect on establishing trust rather than alarming the consumer.

Unconditional loss guarantee. The study shows that most banks pursue a low-key approach to the issue of financial loss responsibility. Only 2.5 per cent of the banks are prominently displaying information on their websites about the loss responsibility. The large majority of banks provide some information about responsibility deep in the website. It's clear that this information is provided only for those who are actively searching for it. Banks are missing an
opportunity to reassure consumers and alleviate their concerns. The passive approach misses the opportunity to control the communication agenda. Significant improvements in this area are warranted. Many worried consumers are not even aware of the current federal regulations that limit the potential loss. More banks need to use this information to reduce consumer concerns. Currently, 15.5 per cent of the banks are not providing any information about this coverage and an additional 7.5 per cent explicitly denied the bank's responsibility and chose to highlight that consumers may have to bear the consequences. Informing consumers about current federal regulations should only be the first step. Much more important is to offer consumers an unconditional loss guarantee. The strong power of an unconditional guarantee is well documented in the marketing literature. Yet, as this study reveals, only 2.0 per cent of US banks are offering this guarantee. This finding is quite surprising because banks are already required to cover most of the loss by law. The incremental increase in exposure is small, while the marketing value is enormous. As discussed above, the guarantee ought to be comprehensive, with no strings attached. It should be easy to invoke and fair to consumers. Once such a guarantee is developed, it should be marketed aggressively in all communication and distribution channels. A good example of an unconditional guarantee is Citibank's SafeWeb Online Fraud Protection. Citibank not only offers this service to all account holders, but also was able to turn this service into a strong, meaningful competitive advantage.

Undertaking any of the actions recommended above involves costs. Banks ought to examine the cost effectiveness and efficiency of various actions in their particular situations. A detailed cost-benefit analysis is beyond the scope of this paper. However, relative to existing levels of expenditure on internal security systems, most of the recommended consumer-oriented actions are not very expensive. Given the multitude of options available, banks ought to experiment with different options that may fit their needs. Experimentation should focus on measuring consumer adoption and reactions. The goals are to get consumers more involved, more educated and less concerned about security risks.

In sum, security concerns are real and important. The future growth of online banking requires that banks improve consumer perceived as well as actual security. Consumer trust is essential for the future expansion of online banking. Significant opportunities to enhance current practices have been identified. Financial institutions need to realise that a proactive approach to engaging the consumer in the prevention process is their best strategy. An informed, alert, and involved consumer is a major asset in the fight against fraud. It will help secure the system and contribute to building trust in the online system.
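The password-generating tokens discussed under Improved authentication above are easiest to reason about with the bank-side verification written out. The Python below is an added example, not code from the paper or from any bank or vendor it names: it implements a counter-based one-time password (HOTP, RFC 4226) as both the customer's token and the bank's verifier, and walks through what the verifier must handle in practice, namely a code submitted twice, a few codes generated but never submitted (the device inconvenience the paper mentions), and a token that has drifted too far ahead to be accepted without resynchronisation. The secret is the RFC 4226 test-vector key, used here only as a constructed demo value.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The customer's device: it holds the shared secret and its own counter,
    and every button press advances the counter whether or not the code is used."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code


class Verifier:
    """The bank's side for one customer: the same secret plus the next counter
    value it expects. A code is accepted only if it matches one of the next
    look_ahead + 1 counters; on success the expected counter jumps past the
    match, so the same code can never be accepted twice, and a few unused
    presses on the device are tolerated without locking the customer out."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        window = range(self.next_counter, self.next_counter + self.look_ahead + 1)
        for candidate in window:
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.next_counter = candidate + 1
                return True
        return False


def demo(look_ahead: int = 5) -> dict:
    """Walk one token and its verifier through the cases a deployment must handle."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key; constructed demo value
    token, bank = Token(secret), Verifier(secret, look_ahead)
    results = {}
    first = token.press()                      # counter 0 -> "755224"
    results["first_use"] = bank.verify(first)  # accepted; bank now expects counter 1
    results["replay"] = bank.verify(first)     # same code submitted again: rejected
    for _ in range(2):                         # two codes generated but never submitted
        token.press()
    results["after_unused"] = bank.verify(token.press())  # counter 3, in window: accepted
    for _ in range(look_ahead * 2):            # the device drifts far ahead of the bank
        token.press()
    results["drifted"] = bank.verify(token.press())  # outside the window: rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The "drifted" case is the one that turns into a help-desk call: the bank cannot tell a drifted token from a wrong device, so a separate resynchronisation step (for example two consecutive codes) is needed before the window is moved.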

REFERENCES
1 Roberts, P. (2004) Gartner: Consumers dissatisfied with online security, Computerworld, December 6.
2 Ilett, D. (2005) UK banks failing the security challenge, ZDNet UK, April 15.
3 Brozo, J. (2004) Something's Phishy, Wall Street Journal, November 15, p. R8.
4 Warner, B. (2004) Internet banking fraudsters step up phishing scams, Computerworld, November 4.
5 Salmon, J. (2005) We need to beware of something Phishy online, The Scotsman, April 26.
6 Vara, V. (2005) Banks turn to photos, other tactics to boost online security, Wall Street Journal, May 31.
7 Black, N.J., Lockett, A., Winklhofer, H. and Ennew, C. (2001) The adoption of internet financial services: A qualitative study, International Journal of Retail and Distribution Management, Vol. 29, No. 8, pp. 390–398.
8 Daniel, E. (1998) On-line banking: Winning the majority, Journal of Financial Services Marketing, Vol. 2, No. 3, pp. 259–270.
9 Gerrard, P. and Cunningham, J.B. (2003) The diffusion of internet banking among Singapore consumers, International Journal of Bank Marketing, Vol. 21, No. 1, pp. 16–28.
10 Jayawardhena, C. and Foley, P. (2000) Changes in the banking sector: The case of internet banking in the UK, Internet Research: Electronic Networking Applications and Policy, Vol. 10, No. 1, pp. 19–30.
11 Joseph, M., McClure, C. and Joseph, B. (1999) Service quality in the banking sector: The impact of technology on service delivery, International Journal of Bank Marketing, Vol. 17, No. 4, pp. 182–191.
12 Jun, M. and Cai, S. (2001) The key determinants of internet banking service quality: A content analysis, International Journal of Bank Marketing, Vol. 19, No. 7, pp. 276–291.
13 Karjaluoto, H., Mattila, M. and Pento, T. (2002) Factors underlying attitude formation towards online banking in Finland, International Journal of Bank Marketing, Vol. 20, No. 6, pp. 261–272.
14 Karjaluoto, H., Mattila, M. and Pento, T. (2002) Electronic banking in Finland: consumer beliefs and reactions to a new delivery channel, Journal of Financial Services Marketing, Vol. 6, No. 4, pp. 346–361.
15 Polatoglu, V.N. and Ekin, S. (2001) An empirical investigation of the Turkish consumers' acceptance of internet banking services, International Journal of Bank Marketing, Vol. 19, No. 4, pp. 156–165.
16 Sathye, M. (1999) Adoption of internet banking by Australian consumers: An empirical investigation, International Journal of Bank Marketing, Vol. 17, No. 7, pp. 324–334.
17 White, H. and Nteli, F. (2004) Internet banking in the UK: Why are there not more customers? Journal of Financial Services Marketing, Vol. 9, No. 1, pp. 49–56.
18 Sarel, D. and Marmorstein, H. (2003) Marketing online banking services: The voice of the customer, Journal of Financial Services Marketing, Vol. 8, No. 2, pp. 106–118.
19 Foss, B. (2002) Editorial: CRM in investment banks, Journal of Financial Services Marketing, Vol. 6, No. 4, pp. 306–308.
20 Sarel, D. and Marmorstein, H. (2002) Migrating customers to new distribution channels: The role of communication, Journal of Financial Services Marketing, Vol. 6, No. 3, pp. 254–266.
21 FDIC. (2004) Putting an end to account-hijacking identity theft, Federal Deposit Insurance Corporation, Division of Supervision and Consumer Protection, December 14.
22 Anti-Phishing Working Group. (2005) APWG response to the FDIC, February. http://www.antiphishing.org/resources.html#articles.
23 Van Dyke, J. (2005) Deputizing the customer, BAI Banking Strategies, January/February.
24 Belch, G.E. and Belch, M.A. (2004) Advertising and Promotion: An Integrated Marketing Communications Approach (6th ed.), Chapter 17, Irwin McGraw-Hill, New York, NY.
25 Waite, K. and Harrison, T. (2002) Consumer expectations of online information provided by bank websites, Journal of Financial Services Marketing, Vol. 6, No. 4, pp. 309–322.
26 Sarel, D. and Marmorstein, H. (2001) Improving the effectiveness of banks' service guarantees: The role of implementation, Journal of Financial Services Marketing, Vol. 5, No. 3, pp. 215–226.
27 Hart, C. (1988) The power of unconditional guarantees, Harvard Business Review, July–August, pp. 64–73.
28 Kolbe, R. and Burnett, M. (1991) Content analysis research: An examination of applications with directives for improving research reliability and objectivity, Journal of Consumer Research, Vol. 18, No. 2, pp. 243–250.
29 Shimp, T., Urbany, J. and Camlin, S. The use of framing and characterization for magazine advertising of mass marketing products, Journal of Advertising, January, pp. 23–30.
30 Radcliff, D. (2005) Fighting back against phishing, Computerworld, April 21.
