Online banking is one of the most sensitive tasks performed by general Internet users. Most traditional banks now offer online banking services, and strongly encourage customers to do online banking with 'peace of mind.' Although banks heavily advertise an apparent '100% online security guarantee,' typically the fine print makes this conditional on users fulfilling certain security requirements. We examine some of these requirements as set by major Canadian banks, in terms of security and usability. We opened personal checking accounts at the five largest Canadian banks, and one online-only bank. We found that many security requirements are too difficult for regular users to follow, and believe that some marketing-related messages about safety and security actually mislead users. We are also interested in what kind of computer systems people really use for online banking, and whether users satisfy common online banking requirements. Our survey of 123 technically advanced users from a university environment strongly supports our view of an emerging gap between banks' expectations (or at least what their written customer policy agreements imply) and users' actions related to security requirements of online banking. Our participants, being more security-aware than the general population, arguably makes our results best-case regarding what can be expected from regular users. Yet most participants failed to satisfy common security requirements, implying most online banking customers do not (or cannot) follow banks' stated end-user security requirements and guidelines. The survey also sheds light on the security settings of systems used for sensitive online transactions. This work is intended to spur a discussion on real-world system security and user responsibilities, in a scenario where everyday users are heavily encouraged to perform critical tasks over the Internet, despite the continuing absence of appropriate tools to do so. Copyright 2007 ACM.

, ,
2007 Workshop on New Security Paradigms, NSPW 2007
School of Computer Science

Mannan, M. (Mohammad), & Van Oorschot, P. (2007). Security and usability: The gap in real-world online banking. Presented at the 2007 Workshop on New Security Paradigms, NSPW 2007. doi:10.1145/1600176.1600178