Last year, between Britney's divorce and the U.S. midterm elections, I couldn't help but notice a little newsbyte that several American online trading companies had been hacked. Yikes! Luckily, when I logged on to my accounts held with U.S. financial institutions, I found that my balances had not mysteriously vanished down a cyberdrain, but the episode did give me pause. The fact is, I've found stark differences in the practices at my American and European banks, and all evidence points to Europe being much more security-conscious.
I first noticed this with the different password requirements by American and British subsidiaries of the same bank. When I lived in the United States, this bank--which shall remain unnamed--allowed me to establish any eight-character password for online banking. If I wanted, I could use my cat's nickname as my password.
However, when I later did business with the bank's subsidiary in the United Kingdom, the password was chosen for me and sent to my home address. This password was also eight characters long, but it was an incomprehensible amalgam of special characters, numbers and letters in both upper- and lowercase. The result, of course, is that I knew I would never remember it. I tore out the password and tucked it inside my wallet. Yes, Mother, I know I'm not supposed to do that. But let's be honest. If given the choice between doing this and forgetting the difficult password, calling the help desk, being put on hold for 30 minutes, and then requesting a new password only to be told that you'll receive it in five working days, which would you choose? Besides, isn't a strong password tucked in my wallet better than the password "kitty"?
Anyway, I happened to be friends with the global head of information security at this bank, so I rang him up to ask about the difference. He explained that the bank's American and British subsidiaries are run under the philosophy of "each tub on its own bottom." They made and implemented their own security models for online banking based upon the "cultural and regulatory differences" in the regions. It seems the American subsidiary is more attuned to customer friendliness, while the U.K. subsidiary is more attuned to security.
Another big difference is in the use of stored-value cards. Here, I bank with an internationally known Dutch bank. When I first set up my account, I was given a smart card that functions the same as a debit card in the States but with added functionality: A chip on the smart card can be used to store electronic money. The idea is that you can transfer funds from your checking account to the chip, then use that money for small transactions such as paying for parking, purchasing train tickets and making incidental purchases at stores. The advantage from a security standpoint is that the parking meter, ticket machine or what have you doesn't have to authenticate you back to the bank; it's enough that you're holding the card. The disadvantage is that if you lose the card, you also lose the stored money--but I solve that by not keeping more than 20 euros on the card.
As an added benefit, the smart card provides greater security for online banking. When I got the smart card, the bank also issued me a portable smart-card reader. Here's how it works: When I log on, I enter the smart-card number into the bank's website and am prompted to insert my card and type my PIN into the reader. The webpage provides me with a number that I input into the reader. The smart-card reader comes back with another number, which I then type into the webpage to be authenticated. It sounds complicated, but the entire process takes less than 30 seconds. The only drawback is that I need to be in possession of the smart-card reader (and the smart card) in order to perform online banking. But then, so would a crook.
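The exchange just described, reduced to its two sides, as an added example (this is illustrative code written for this page, not the bank's scheme or the column's own): the website issues a one-time challenge, the card checks the PIN offline and returns a keyed MAC of the challenge as a short number, and the bank verifies it. The MAC construction, the 8-digit format, the three-try PIN lock and the 60-second challenge expiry are all assumptions.

```python
# Added example: challenge-response login modelled on the reader-based flow
# described above. Card secret, PIN handling, response format and bank-side
# checks are assumptions for illustration, not the Dutch bank's actual scheme.
import hmac, hashlib, secrets, time

RESPONSE_DIGITS = 8
CHALLENGE_TTL = 60  # seconds a displayed challenge stays valid (assumed)

def compute_response(card_key: bytes, challenge: str) -> str:
    """Reader/card side: keyed MAC over the challenge, truncated to digits."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    # Take 4 bytes as a big-endian int and keep the low RESPONSE_DIGITS digits.
    value = int.from_bytes(mac[:4], "big") % 10**RESPONSE_DIGITS
    return str(value).zfill(RESPONSE_DIGITS)

class SmartCard:
    """Holds the secret and verifies the PIN offline; locks after 3 bad PINs."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.tries_left = key, pin, 3
    def sign_challenge(self, pin: str, challenge: str):
        if self.tries_left == 0:          # card locked; reissue needed
            return None
        if not hmac.compare_digest(pin, self._pin):
            self.tries_left -= 1
            return None
        self.tries_left = 3               # good PIN resets the counter
        return compute_response(self._key, challenge)

class Bank:
    """Keeps the per-card key and issues one-time challenges with expiry."""
    def __init__(self):
        self._keys, self._pending = {}, {}
    def enrol(self, card_number: str) -> SmartCard:
        key = secrets.token_bytes(32)     # constructed; real keys live in card + HSM
        self._keys[card_number] = key
        return SmartCard(key, "1234")     # constructed PIN; would be mailed separately
    def issue_challenge(self, card_number: str) -> str:
        challenge = str(secrets.randbelow(10**8)).zfill(8)
        self._pending[card_number] = (challenge, time.time())
        return challenge
    def verify(self, card_number: str, response: str) -> bool:
        entry = self._pending.pop(card_number, None)   # single use: no replay
        if entry is None:
            return False
        challenge, issued = entry
        if time.time() - issued > CHALLENGE_TTL:
            return False
        expected = compute_response(self._keys[card_number], challenge)
        return hmac.compare_digest(expected, response)
```

Because the response is bound to a fresh challenge and the key never leaves the card, a phished password or a captured response is of no use on its own, which is the property the column's "so would a crook" remark relies on.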
So why don't American banks do this? It all boils down to economics, really. Smart cards are widely employed throughout Europe, so the infrastructure for them already exists. Americans, by contrast, still rely primarily on magnetic stripe cards, and the infrastructure is geared toward that technology. Smart cards would be much more expensive to deploy than magnetic stripe cards. Once again, Americans tend to view any losses due to security failures as simply the price of doing business.
Paul Raines is CISO of a nonprofit group in The Hague, Netherlands.