I like online banking and I'm the one that my relatives and friends call when they have problems with their web access to their bank's web pages. In general problems are related to security, using certificates, passwords etc. That gives me an opportunity to see how different bank's web applications work. My first concern is a security level that web application can offer. I do have to admit that just few of them are not as good as they could be and the truth is that they are improving their security.
Typical Situation:
Bank or other certificate provider issue a personal certificate that is used for online banking. Usually we do need to set up a password to access web application.
I always suggest to users that they should set up a password also for their certificate, so system would ask for it before certificate is used. In the next step we have to provide a password for web bank and we are in. (Assuming that we do store our passwords in a safe place and we do memorize them.) There are also other methods with "Smart cards", "Active Card One", "Secure Id" and many more.
This is something that should work. We have to know that the weakest link here are users.
How far should they go?
Here is a real situation. A well known and respected bank has, in my opinion, one of the best web based application, that was very well designed, user friendly and easy to use. They used authorized certificate and password access.
They obviously wonted to do a little bit more about security as their added value. As I said, security should be regularly updated and improved, it's good business decisions. Adding a virtual keyboard that user should type a password only by using a mouse and not a keyboard. That's a good idea.
Banks should always find a good balance between security and functionality of their web applications.
Adding new security levels - example of new functionality:
Adding a daily limit of transactions is also a good solution.
How does it work?
User have to set up a new password that is used only to set up a daily limit and it can be changed at any time. New daily limit does not apply to transaction between own personal accounts and some general billing accounts (bills for electricity, water,...) so far it all sounds good!
The main added value is that I have to have a password to change my daily limit so I could enter all my bills and after that I can lower my daily limit again.
That way I disable option that some other unauthorized person would want to make any kind of transaction on my account!
Conclusion:
Adding new security levels today is necessary and I think they are doing a good job.
I don't do 'online banking', -I could and probably should. It is very convenient, more than having to go in-person all the time. I don't even like using the 'deposit' kiosks... just have this fear of things not working right, -shredding the envelope, etc. I know... just paranoia on my part.
I do use those kiosks to check balances and stuff, so it's just a small jump to use online banking from there, eh? ;-)
-thestickman