On-Line Banking Inadvertant Insecurity

I was in Canada for work. I needed to make an on-line payment for one of my credit cards. I found it odd that the bank’s web page, Citi Bank, showed a different landing page than I was used to. I went to another bank’s page, HSBC, and it was different, too.

I assumed the hotel I was in was compromised or I was. It wasn’t until I returned home and fired up a known good PC that I found the bank web pages were legitimate.

This is a problem the banks need to resolve. Often I find banks change their landing page or authentication methods without notice. It makes it really hard for customers to know when they have a compromised connection versus a cosmetic restyling of their site.

I think banks and financial institutions should make and keep their pages as simple as possible. They can implement methods to verify the page’s authenticity by displaying a custom user image, for example. Banks can reasonably verify users by implementing two-factor authentication

I like Google’s Authentication method for its balance of the transitory to the more permanent. Would I recommend banks implement Google’s solution? Maybe not. But I like the two-factor option for “normal” access and super complex random strings for financial tools like mint.com. If you add in custom reset questions and GeoIP restrictions, it could be effective in most cases.

What are your thoughts? How can banks in the US and other countries improve their security while making their sites more flexible?