RSA Annual Consumer Online Fraud Survey

Key results of the survey include:

• 91% of account-holders answered that they are willing to start using a new authentication method, beyond the standard 'username-and-password', if their banks decided to offer stronger security, 73% commented that they would like their financial institution to use risk-based authentication
• 69% of account-holders believe that financial institutions should replace username-and-password log-in with stronger authentication for online banking
• 58% of account-holders believe that financial institutions should deploy stronger authentication for telephone banking
• 82% of account-holders would like their banks to monitor online banking sessions and telephone banking sessions for signs of irregular activity or behavior -- similar to the way that credit card transactions are monitored today
• While many financial institutions have begun moves to deploy stronger authentication over the past year, only 39% of account-holders are aware of it
• Less than 70% of respondents in the UK (69%) and in Australia (65%) claimed to be familiar with the term "phishing" -- compared to 83% in the US

In addition, trust in the online channel continues to erode. 82% account- holders are less likely to respond to an e-mail from their bank due to scams including phishing -- up from 79% in 2005 and 70% in 2004 -- and more than half said that they would be less likely to sign-up for or use online banking as a result. In addition, 44% of account-holders reported that they have become increasingly concerned about other types of attacks (besides phishing), such as Trojans and keyloggers, over the past six months.

"2006 was an eventful year for financial institutions in terms of ramping up their online banking security. Our survey affirms that the market is moving in the right direction, with more than 90 percent of consumers now willing to use stronger security when it is deployed, and this is something that banks should take into consideration when looking to accelerate their business," said Christopher Young, vice president and general manager, Consumer Solutions at RSA. "We anticipate that 2007 will bring new steps forward in online banking security, albeit in the context of an evolving threat landscape that is driving the need for added protection in other remote channels -- with a focus on telephone banking."

When asked for their views on online banking authentication, 69% of respondents answered that they feel banks should use something stronger than basic and static usernames-and-passwords; more than half (58%) want banks to ramp up telephone banking authentication as well. Moreover, 91% of account- holders responded that they would be willing to start using a new authentication method, beyond the standard username-and-password, if their bank decided to offer stronger security: 43% said they would be "very willing and would proactively sign up for the service," and another 48% said they were "somewhat willing and would sign-up if they had the time and it was a simple process."

When presented with several authentication options, including hardware tokens, personalized images, and risk-based authentication, the majority of respondents (73%) commented that they would like their financial institution to use risk-based authentication. Risk-based authentication involves a behind- the-scenes assessment of the user's identity based on factors including log-on location, IP address and transaction behavior -- which can be supplemented with out-of-band phone calls or secret questions for transactions that are deemed high-risk. Risk-based authentication is designed to provide strong security with minimal impact on the user experience -- a concept that resonated extremely well with the survey respondents.

Globally, 40% responded that they would like to use a hardware token for authentication. Account-holders in European and Asia-Pacific countries such as Spain, Germany, Singapore and India were the strongest advocates for this technology, with between 46-50% responding that they would like to use tokens.

Approximately half of all respondents (49%) agreed that -- assuming their bank decided to use tokens for online authentication -- they would appreciate it if they could use the same token to log-in to other web sites, in addition to their online banking site.

56% responded that they would like to use a personalized image to authenticate the online banking site to the user; 53% felt that personalized images would provide them with an increased sense of security. A personalized image is selected by users and used to help verify that they are in fact on their bank's legitimate site and not a fraudulent one.

Most consumers unaware of additional security that may already be in place

Despite the fact that consumers want added security and are willing to use it, only 39% of account-holders answered that they were aware of their financial institution using some form of additional security (personalized images, risk-based authentication, one-time-password device). In fact, U.S. financial institutions faced a 2006 year-end deadline to start enhancing online security set by the Federal Financial Institutions Examination Council (FFIEC). According to a Gartner survey of 50 U.S. banks conducted in October and November 2006, two-thirds of U.S. banks are already compliant with the FFIEC's Guidance on Stronger Authentication in an Internet Banking Environment(4), in time to meet the 2006 year-end deadline. Moreover another 30% planned to achieve compliance in the six months after the survey was taken, or by May 2007(5).

Based on a survey conducted by the Aite Group, 92% of the top 10 retail brokerages and 12 of the top 50 U.S. banks have already selected vendors for user-authentication, fraud-detection and transaction-monitoring solutions, and approximately 50% of financial institutions are expected to have additional security measures in place by the end of 2007(6).

Young continued: "The consensus used to be that security is something that should be handled quietly -- and that consumers trust their financial institution to keep their information and assets safe. However, as awareness of identity theft and online fraud grows, people want to feel reassured that they are in fact protected. Our experience shows us what our survey results affirm: educating consumers about new security measures in place, even if they are invisible to the consumer, is advisable and would be regarded positively by the bank's customers. While most consumers don't want to be burdened with security, they still would like to know they are secure, and as we can see, they are willing to embrace the technology."

According to the survey, 82% of account-holders would like their banks to monitor online and telephone banking sessions for signs of irregular activity or behavior -- similar to the way that credit card transactions are monitored today; 51% feel that banks should contact them if any suspicious activity is detected online; 48% felt the same for telephone banking as well. British account-holders felt the strongest in this regard with 93% claiming they would like their online banking monitored, compared to a figure of 70% in France.

As financial institutions work to accelerate their businesses by driving additional people online and introducing new online features and functionality, the survey results indicate that security must be addressed in order to maintain trust in the Internet and boost consumer confidence online. Four out of five account-holders expressed that, as a direct result of scams such as phishing, they are less likely to respond to an e-mail from their bank. In addition, more than half of the survey respondents (52%) said that they would be less likely to sign-up for or use online banking at all as a result of these scams.