In rolling out cutting-edge online banking services, Addison Avenue Federal Credit Union made strong authentication a key component of its online offerings.
The Palo Alto, Calif.-based credit union recently launched a suite of new tools designed to serve its technically savvy members. The institution has 160,000 members, including employees and family of companies such as Hewlett-Packard and Cisco Systems Inc. A core component of the suite, dubbed e2, is Security Key.
Offered in partnership with Mountain View, Calif.-based VeriSign, Security Key is a strong authentication tool that generates a randomly generated code for members to use when logging in to online banking. Addison Avenue offers the key as an application for smart phones or as a keychain token.
The credit union is targeting its initial Security Key launch to about 2,000 of its members who are highly mobile and conduct most of their banking online, said Addison Avenue CIO Blanca Guerrero. It's also launching a campaign to let other members know about the tool and its security benefits.
Addison Avenue already deployed VeriSign Identity Protection (VIP) Fraud Detection Service, which learns customers' behavior and requires additional authentication when suspicious activity is detected. The credit union also partnered with VeriSign to support sending a one-time password to the phone number the customer has on record or via SMS to the customer's cell phone.
The problem, Guerrero said, was that members who traveled outside the U.S. sometimes were in countries where SMS didn't work, or they didn't have access to the phone on record with the credit union. "We needed two-factor authentication that could work anyplace, anytime," she said.
"We want to provide them with the best security we can without them having to hassle with ensuring their cell phone is working in the area they're in," she said.
Security Key required some staff training to make sure they could properly describe it to members, and so far, the response from members using the security tool has been positive, Guerrero said. Addison Avenue also provides information about the tool on its website and in direct mail to select members. Security Key is free to install as an application; the price of a keychain token varies depending on the model a member chooses but is roughly $10. The credit union is offering the service to keep the Security Key activated with VeriSign free of charge through Dec. 31, after which it will charge members $10 per year.
Still, when it comes to online banking security, the credit union lets its members decide how much they want. Some members don't want the inconvenience of additional authentication, while some prefer very high security, Guerrero explained.
"We see this as a partnership between the members and us," she said. "We let them take some ownership. We allow them to tell us to only use challenge questions when doing high-risk transactions or anytime they access online banking."
The e2 suite also includes a mobile banking service, which allows members to conduct financial transactions on their cell phones and smart phones. Guerrero said Addison Avenue applies to same security functionality to its mobile banking service as it does to its other online banking tools.
Another core component of e2 is e-Deposit, a service that allows qualified members to deposit checks by scanning them with a scanner and uploading them via online banking.
Before rolling out the service to the entire membership, the credit union identified a group of low-risk members for an initial deployment, and developed rules for members to qualify for the service. Those rules include being a member for at least 99 days. In a risk analysis, Addison Avenue didn't find higher risk with remote deposit capture than with ATMs, Guerrero said.
e-Deposit has been a hit with customers, who are depositing $2 million to $3 million per month through the service, she said. "We're trying to provide the branch at your house."
According to a 2008 report by Gartner Inc., most banks have implemented stronger authentication for their online banking customers, largely due to the Federal Financial Institutions Examination Council's 2006 deadline for its Internet banking authentication guidance. But in a survey of 50 U.S. banks conducted by the research firm in March 2008, many banks were using stronger authentication measures – such as secret questions/answers and desktop cookies – that are already circumvented by phishing and malware attacks.
A separate survey by Gartner of more than 4,500 U.S. consumers two years ago showed that more than half considered extra security features extremely important when it comes to online banking.
Financial institutions should have even more motivation to implement strong authentication as online banking grows. A recent report by research firm TowerGroup predicted that online banking will become the primary customer touch point in the next years.
According to TowerGroup, there are almost 600 million online banking users worldwide with a project growth rate that far outpaces the other banking services of ATM, branch and contact centers. The number of online banking users globally is increasing at a compound annual rate of 20% through 2012, the firm said.