The evolution of electronic banking (e-Banking) started with the use of automatic teller machines (ATMs) and has since included telephone banking, direct bill payment, electronic funds transfer and online banking. Some see the future direction of e-banking in the acceptance of mobile telephone (WAP-enabled) banking and interactive-TV banking. However, many forecast that online banking will continue to be the most popular method for electronic financial transactions.
What is e-banking?
Electronic funds transfer (EFT) refers to the computer-based systems used to perform financial transactions electronically. The term covers a number of different concepts, including electronic payments and cardholder-initiated transactions, where a cardholder makes use of a payment card such as a credit or debit card.
A number of transaction types may be performed:
- Withdrawal: the cardholder withdraws funds from their account, e.g. from an ATM
- Deposit: where a cardholder deposits funds to their own account (typically at an ATM)
- Inter-account transfer: transferring funds between linked accounts belonging to the same cardholder
- Inquiry: a transaction without financial impact, for instance balance inquiry, available funds inquiry or request for a statement of recent transactions on the account
- Administrative: this covers a variety of non-financial transactions including Personal Identification Number (PIN) change
EFT transactions require authorisation and a method to authenticate both the card and the cardholder. Whereas a merchant may manually verify the cardholder's signature, EFT transactions require the cardholder's PIN to be sent online in encrypted form (as a PIN block, see ISO 9564) for validation by the card issuer; the clear PIN is never transmitted. Other information may be included in the transaction, some of which is not visible to the cardholder (for instance magnetic stripe data), and some of which may be requested from the cardholder (for instance the cardholder's address or the CVV2 security value printed on the card).
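As an added illustration of what "sent in encrypted form" involves (this is example code written for this page, not taken from any of the standards or sources it lists): before encryption the PIN is bound to the card's PAN in an ISO 9564-1 format 0 PIN block, and it is that 8-byte block, never the bare PIN, that is encrypted under the PIN encryption key and sent to the issuer. The encryption step itself (TDES or AES under a shared key) is left out here; the PIN and PAN values are constructed test data, not real card data.

```python
# Added example: ISO 9564-1 format 0 PIN block construction and recovery.
# The PIN is XORed with the card's PAN before encryption, so the same PIN on
# two different cards produces two different blocks and a captured block
# cannot be matched against a dictionary of PIN blocks or replayed elsewhere.
# PIN/PAN values used in the demo are constructed, not real card data.


def _pin_field(pin: str) -> bytes:
    """Format 0 PIN field: nibble '0' (format), PIN length, PIN digits, 'F' padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def _pan_field(pan: str) -> bytes:
    """PAN field: four zero nibbles, then the 12 rightmost PAN digits excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block (8 bytes) = PIN field XOR PAN field; this is what gets encrypted."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Issuer side: undo the PAN XOR and check the block structure before trusting the PIN."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, padding = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or padding.strip("F"):
        raise ValueError("PIN block does not decode cleanly for this PAN")
    return pin


if __name__ == "__main__":
    pan_a, pan_b = "4000001234567899", "5555444433332222"   # constructed PANs
    block = format0_pin_block("1234", pan_a)
    print(block.hex().upper())                               # 041234FEDCBA9876
    print(recover_pin(block, pan_a))                         # 1234
    # Same PIN on another card gives a different block.
    print(format0_pin_block("1234", pan_b).hex().upper())
    try:
        recover_pin(block, pan_b)
    except ValueError as exc:
        print("decoding against the wrong PAN fails:", exc)
```

The padding check in `recover_pin` is the issuer's first integrity test: a block that was captured from one card and submitted with another PAN decodes to garbage padding and is rejected before any PIN comparison happens.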
EFT transactions are initiated through the various e-banking channels, which include:
- Telephone banking
- Online banking
- Short Message Service (SMS) banking
- Mobile banking
- Interactive-TV banking
Telephone banking is a service provided by a financial institution which allows its customers to perform financial transactions over the telephone.
Most telephone banking systems use an automated phone answering system with phone keypad response or voice recognition capability. Before any transaction is permitted, the customer must authenticate by entering a numeric password or speaking a verbal one, or by answering security questions put by a live representative. With the obvious exception of cash withdrawals and deposits, telephone banking offers virtually all the features of an ATM.
Usually, there is the possibility to speak to a live representative located in a call centre or a branch, although this feature is not guaranteed. In addition to the self-service transactions, telephone banking representatives are usually trained to do what was traditionally available only at the branch: loan applications, investment purchases and redemptions, chequebook orders, debit card replacements, change of address, etc.
Online banking (or Internet banking) allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society. Online banking offers features such as bank statements, electronic bill payment, funds transfer, loan applications and transactions, and account aggregation, which allows users to monitor all of their accounts in one place. Online banking is widely reported to provide more revenue per customer and to cost less per transaction than any other e-banking channel.
SMS banking is a technology-enabled service permitting banks to operate selected banking services over the customers' mobile phone using SMS messaging.
SMS banking services are operated using both Push and Pull messages. Push messages are those that the bank chooses to send out to a customer's mobile phone without the customer initiating a request for the information. Typically push messages are either mobile marketing messages or alerts about an event on the customer's bank account, such as a large withdrawal of funds from an ATM or a large payment using the customer's credit card. Another type of push message is the one-time password (OTP).
Pull messages are those that are initiated by the customer, using a mobile phone, for obtaining information or performing a transaction in the bank account. Examples of pull messages for information include an account balance enquiry, or requests for current information like currency exchange rates and deposit interest rates.
The bank's customer can select the list of activities (or alerts) about which he or she wishes to be informed. This selection can be made either through the Internet banking channel or through the bank's customer service call centre.
Mobile banking (also known as M-Banking, mbanking, etc.), or Wireless Application Protocol (WAP) enabled banking is a term used for performing balance checks, account transactions, payments etc. via a mobile device such as a mobile phone or Personal Digital Assistant (PDA). Mobile banking is most often performed via SMS or the Internet accessed through the mobile device, but can also use special programs downloaded to the mobile device.
Interactive television is a technique that allows viewers to interact with television content as they view it. It is sometimes called interactive TV, iTV or idTV.
Provided the customer subscribes to a satellite or cable television service, some banking facilities, such as checking balances, moving money between accounts, paying bills and setting up overdrafts, can be made available through the television set. A handful of major banks in the UK have experimented with digital banking services through cable and satellite TV companies.
- 50% of prospective customers registering for online banking give up before signing up
- 1 in 9 people who have tried online banking in the UK gave up due to poor usability or security concerns
- In 2001, one third of the top 20 European banks offered some form of interactive-TV banking
- In 2004, it was estimated that there were over 10 million users of interactive-TV based banking services in Europe
- In 2007, the estimated number of Europeans banking online is 130 million
- In 2007, 40% of US households banked online at least once a month
- 88% of e-banking users visit their bank's web site at least once a week
- It is estimated that 35% of online banking households will be using mobile banking by 2010
- By 2011, it is predicted that 80% of bank customers in the UK will use the internet to connect to their bank
- In 2000 there were over 2,500 banking websites across Western Europe
Problems encountered by disabled people and the ageing population using e-Banking
Blind and Partially Sighted
For blind persons, one problem may be selecting the right card from their wallet and inserting it in the correct orientation into an ATM.
When using online banking, the way a website is designed will determine how accessible it is to people with disabilities. In particular, blind people use browsers with speech or braille output which are text-based systems; therefore the site should be navigable independent of the graphics content. For people with low vision, the ability to vary the text size on their browser is essential. A further problem encountered by blind and partially sighted people is that many websites use graphics such that they are not meaningful when accessed by a text-based browser.
Using telephones for banking can present problems, as the decreasing size of handsets often means small keypads and small visual displays that people with visual disabilities find inaccessible. Some people are unable to distinguish between certain colour combinations used on mobile telephone screens and keypads.
Mailed notifications of PIN change that are not available in alternative formats are inaccessible to blind and partially sighted people.
Hearing Impaired
People with hearing impairments require a visual representation of any auditory information that a banking website provides. With the increasing use of multimedia on websites (e.g. podcasts, video streaming), it is important to ensure that information can be understood by those who have hearing impairments.
It is also important to appreciate that those using British Sign Language (BSL), use a different sentence structure and vocabulary compared to typical spoken English. Consideration should be given to using simple language and the inclusion of a glossary of banking terms.
For those who are hearing impaired, using a normal telephone for banking is difficult so a bank's services should be operable via a Textphone. Users of hearing aids experience disturbances due to electromagnetic interference (EMI), from digital mobile phones. The rapid pulsation of radio signals from digital mobile telephones can give rise to a buzzing, humming, squealing or squelch inside the hearing aid.
Hearing impaired users cannot locate or identify commands or controls that require hearing (e.g. a voice-based interactive mobile telephone that can be controlled only by listening to menu items and then pressing buttons).
Physically Impaired
Those with physical impairments who bank by mobile telephone may find it hard to hold the handset and press the buttons.
People with a physical disability may have difficulty controlling their hands and arms; therefore holding and using a mouse effectively on a banking website becomes a problem. Others find prolonged use of their arms or hands tiring.
Cognitive and Learning Impairments
Complex banking websites with too many steps or unhelpful messages may be difficult for people who are cognitively impaired. People with cognitive or learning impairments may have problems reading text or become confused by complex page layouts, tables or navigation structures. Moving and blinking text may also be distracting and impede understanding.
People with cognitive or learning impairments may experience problems with the operating systems of complicated mobile telephones.
Customers often have difficulty remembering too many PINs (particularly ones used infrequently), so they are prone to writing them down, which weakens the security of the system. People with dyslexia can have problems remembering the digits in the correct order.
Older People
While older people often experience changes in vision, hearing, dexterity and memory as they age, they might not consider themselves to have disabilities. Yet the accessibility provisions that make banking webpages accessible also benefit older people with diminishing abilities. For example, many people with age-related visual impairments may benefit from being able to alter text size. Elderly people may also experience mobility difficulties when using the mouse.
Elderly people can often experience a range of difficulties with mobile telephones, such as the screen being too small to see; incompatibility with a hearing aid and too many complicated specialised functions.
Other problems encountered using e-Banking
Protection through single password authentication is not considered secure enough for personal online banking applications in some countries. Online banking interfaces are served over HTTPS (TLS), so all traffic, including the password, is encrypted in transit; this prevents a third party from reading or modifying the information on the network, provided the customer is actually connected to the genuine site and not to a look-alike. Encryption in transit does nothing, however, against malware on a compromised home PC that captures the password as it is typed (keystroke logging), against password guessing or cracking, or against physical theft of passwords written down by users.
Security of financial transactions using mobile e-banking, which involves the transmission of financial information over the air, presents the most complicated challenges; these need to be addressed jointly by mobile application developers, wireless network service providers and the bank's IT department.
The following aspects need to be addressed to offer a secure infrastructure for financial transactions over a wireless network:
- Physical security of the hand-held device
- Security of the application running on the device: if the device is stolen, the thief must still be required to supply an ID and password to access the application
- Authentication of the device with the service provider before initiating a transaction, ensuring that unauthorised devices cannot connect to perform financial transactions
- User ID / password authentication of the bank's customer
- Encryption of the data being transmitted over the air
- Encryption of the data that is stored on the device for later / off-line viewing by the customer
Lack of encryption
The lack of encryption on SMS messages is an often-discussed concern: an SMS is protected, at best, on the radio link, is readable by the operators and any intermediary that carries it, and is delivered to whoever currently controls the phone number. Several banks that use the channel have accepted this by introducing compensating controls and limiting SMS banking to the services where it offers an advantage over other channels.
Suppliers of SMS banking software address the concern in much the same way. Typically, customers pre-register the mobile number and the services they may use over SMS, and a security token is required where the transaction risk is perceived to be high. Sometimes ATM-type PINs are also required, but entering a PIN by SMS makes the customer's task more cumbersome and leaves the PIN in the handset's sent messages.
Some customers avoid online banking as they perceive it as being too vulnerable to fraud. The security measures employed by most banks can never be completely safe but it becomes less secure if users are careless, gullible or computer illiterate. An increasingly popular criminal practice to gain access to a user's finances is phishing, whereby the user is in some way persuaded to hand over their password(s) to a fraudster.
There is a lack of common technology standards for mobile banking. A variety of protocols and data formats are in use: HTML pages, WAP, SOAP and other XML-based messaging. It would be wise for a vendor to develop a mobile banking application that can connect to multiple banks, which requires either that the application support multiple protocols or that a common, widely accepted set of protocols for data exchange be adopted.
There are a large number of different mobile phone devices and it is a big challenge for banks to offer mobile banking solutions on any type of device. Some of these devices support the Java 2 Micro Edition (J2ME) and others support WAP browsers or only SMS.
Online banking consists of three main parts: the marketing / information pages, the online application form and the transactional banking area. All of these can present the user with problems:
- Inconsistent navigation and page layouts
- On-site search engines that don't find information, even when it is available
- Bank orientated language that is not explained
- Poor feedback when using interactive tools and forms
- Inability to save an application and complete it at a later date
- Too many steps in transactions and no visibility of progress
- Unhelpful error messages
- Pages that are inaccessible to assistive technology
- Incorporate a notch in bankcards according to EN 1332-2
- Cards incorporate embossed symbols
- Provide a facility for storing the user's preferred interface on the card according to EN 1332-4
A summary of the main WAI recommendations:
- Use the alt attribute to describe the function of images and animations
- For image maps, use client-side maps and provide text for the hotspots
- Provide captioning and transcripts of audio, descriptions of video, and accessible versions in case inaccessible formats are used
- Ensure hyperlink text makes sense when read out of context
- For page organisation, use headings, lists and consistent structure
- Use cascading style sheets (CSS) for layout and style to provide a consistent design
- Summarise or use the longdesc attribute for graphs and charts
- For scripts, applets and plug-ins, provide alternative content in case active features are inaccessible or unsupported
- For tables, make line-by-line reading sensible. Avoid using tables for column layout
- Label all form elements
- Provide clear navigation mechanisms
- Use relative sizing instead of fixed (e.g. for fonts, tables)
- Ensure documents are clear and simple
- Ensure functionality is available through the keyboard as well as the mouse
- Limit the use of graphical text
- Ensure font size can be increased
- Use good contrasting colours
- Provide skip links (e.g. Skip to content, Back to top)
- Provide a site map
- Avoid using justified text
- Ensure animation can be paused or switched off
- Make use of white space
- Offer an easy read or text-only version
- Offer speech output (e.g. Browse Aloud)
- Make clickable areas a large size and easily distinguishable
- Avoid using moving targets
- Provide high contrast location signs
- Provide at least 200 lux illumination on the interactive areas of the terminal
- Ensure that wheelchair users can reach the terminal and have adequate space to turn in front of the terminal
- Ensure that labels and instructions are unobstructed and in an appropriate typeface
- Where possible, the interactive areas should be between 800mm and 1200mm above the floor so that they can be reached by most wheelchair users
- Adhere to standard numerical keypad layout
- Provide training in the use of the terminal for new users
- There should be consistent design of the user interface adhering to the relevant standards whenever possible
- There should be an audio and visual indication when the phone is switched on or off
- The user should be able to return to the previous state or return to the default status at any stage in the process
- Error messages should be comprehensible to the non-technical user
- All labels and instructions should be in short and simple phrases or sentences. Avoid the use of abbreviations where possible
- Basic functions should be usable without having to use the visual display
- It should be possible to use the phone one-handed
- Provide text versions of audio prompts that are synchronised with the audio so that the timing is the same
- Set the TV colour, brightness and contrast to midpoints / defaults
- Check images on a widescreen as well as a standard screen to check the effects of stretching
- Light text on a dark background is easier to read on a TV screen
- The text should be of good contrast on a plain background
- Use a suitable font (such as Tiresias Screenfont)
- Allow generous inter-line spacing to minimise problems of visual tracking
- Do not use narrow lines because they distort easily
- Do not use pure red or white colours. Use colours with a maximum of 85% saturation
- Avoid combinations of red and green
- Avoid strong patterned backgrounds
- Avoid abbreviations which may not be understood by non-technical or new users
- Keep the user informed if the system is "busy"
- Provide facilities for deleting last input, going back one screen, and returning to the home page
- Accessibility features should be able to be activated without going through a complex menu structure
- Ideally, provide a facility for the user to modify the text size and colour, and turn off scrolling or flashing text
- Use clear intuitive simple icons accompanied by concise text which correspond to the remote control
Passwords / User identification
Many online banking services impose a second layer of security on top of the initial password. Strategies vary, but a common method is the use of transaction numbers (TANs), which are essentially single-use passwords, typically issued to the customer in advance as a printed list with each number valid for one transaction.
Another strategy is the use of two passwords, of which only randomly selected characters are requested at the start of each online banking session, so that a single observed login does not reveal the whole password. This is, however, considered slightly less secure than the TAN alternative, since the underlying passwords are static, and it is more inconvenient for the user.
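The following added example (written for this page, not code from any bank or source it cites) models the partial-password scheme just described and shows why it ranks below TANs: the challenge selects a few positions of a static secret, and a passive observer who sees the prompted positions and the keystrokes (a keylogger or shoulder surfer, as in the section on other problems) needs only a handful of sessions to assemble the whole secret. The function names, parameters and sample secret are constructed for illustration.

```python
# Added example: partial-password challenge/response and a passive observer.
# Server side picks k positions of the customer's memorised secret per session;
# an attacker observing sessions accumulates (position, character) pairs until
# the static secret is fully known. Secret and parameters are constructed.
import hmac
import random
import secrets
from typing import Dict, Optional, Tuple

Positions = Tuple[int, ...]


def make_challenge(length: int, k: int, rng: Optional[random.Random] = None) -> Positions:
    """Server side: choose k distinct 1-based character positions for this session."""
    rng = rng or secrets.SystemRandom()   # CSPRNG in production; a seeded Random only for the demo
    return tuple(sorted(rng.sample(range(1, length + 1), k)))


def expected_response(secret: str, positions: Positions) -> str:
    return "".join(secret[p - 1] for p in positions)


def check_response(secret: str, positions: Positions, response: str) -> bool:
    """Constant-time comparison of the typed characters against the expected ones."""
    return hmac.compare_digest(expected_response(secret, positions).encode(), response.encode())


class PassiveObserver:
    """Attacker who sees the prompted positions and the typed characters, nothing else."""

    def __init__(self, length: int) -> None:
        self.length = length
        self.known: Dict[int, str] = {}

    def observe(self, positions: Positions, typed: str) -> None:
        self.known.update(zip(positions, typed))

    def recovered_fraction(self) -> float:
        return len(self.known) / self.length

    def can_answer(self, positions: Positions) -> bool:
        return all(p in self.known for p in positions)

    def answer(self, positions: Positions) -> str:
        return "".join(self.known[p] for p in positions)


def sessions_until_full_recovery(secret: str, k: int, seed: int) -> int:
    """Simulate legitimate logins until the observer holds every character of the secret."""
    rng = random.Random(seed)
    observer = PassiveObserver(len(secret))
    sessions = 0
    while observer.recovered_fraction() < 1.0:
        positions = make_challenge(len(secret), k, rng)
        typed = expected_response(secret, positions)        # the real customer answers correctly
        assert check_response(secret, positions, typed)
        observer.observe(positions, typed)
        sessions += 1
    return sessions


if __name__ == "__main__":
    secret = "w1nterB4nk"                                   # constructed 10-character secret
    n = sessions_until_full_recovery(secret, k=3, seed=7)
    print(f"whole secret recovered after {n} observed sessions (theoretical minimum 4)")
    # A TAN observed the same way is already spent: nothing reusable leaks.
```

With a 10-character secret and three positions per login the observer can never need fewer than four sessions, and in practice needs a few more because positions repeat; either way the scheme only delays, rather than prevents, recovery of a reusable credential.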
A third option is to provide customers with security token devices that generate single-use passwords unique to that customer's token; because the customer must present something they know (the password) and something they have (the token), this is called two-factor authentication (2FA).
Another option is the use of digital certificates, which digitally sign or authenticate transactions by linking them to a physical device (e.g. computer, mobile phone, etc.). Other banks have responded not with security tokens or digital certificates but with a combination of controls: recognising a customer's computer via a cookie, asking additional challenge questions for risky behaviour, and monitoring for fraudulent behaviour.
One-time passwords (OTPs) are a more recent tool used by financial and banking service providers in the fight against cyber fraud. Rather than relying on a memorised password alone, the customer requests an OTP each time they want to perform a transaction through the online or mobile banking interface. When the request is received, the password is sent to the customer's phone via SMS. The password expires once it has been used or once its validity period has elapsed, so a captured code is of little use to an attacker; note, however, that SMS delivery inherits the weaknesses of the SMS channel described above.
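To make both of the one-time-password mechanisms above concrete, here is an added example (written for this page; it is not any bank's or vendor's code). `hotp()` and `totp()` are the event- and time-based algorithms used by token devices (RFC 4226 and RFC 6238, checked against the test vectors those RFCs publish), and `SmsOtpService` is a constructed model of the bank-side lifecycle of an SMS code: issued on request, valid for a short window, accepted exactly once, and withdrawn after a few wrong guesses. Actually sending the SMS is out of scope and is stubbed by returning the code to the caller.

```python
# Added example: RFC 4226 HOTP / RFC 6238 TOTP as used by token devices, plus a
# server-side store enforcing the single-use, time-limited lifecycle of an
# SMS-delivered OTP. SmsOtpService and its parameters are constructed for
# illustration; the seed below is the RFC test secret, not a real key.
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, (unix_time - t0) // step, digits)


class SmsOtpService:
    """One live code per customer, stored hashed, single use, time-limited, guess-capped."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3) -> None:
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending: Dict[str, Tuple[bytes, int, int]] = {}   # user -> (hash, expiry, attempts)

    @staticmethod
    def _digest(user: str, code: str) -> bytes:
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str, now: int) -> str:
        """Generate a fresh 6-digit code; only its hash is kept, so a DB leak exposes no codes."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (self._digest(user, code), now + self.ttl, 0)
        return code    # in production this goes to the SMS gateway, not back to the caller

    def verify(self, user: str, code: str, now: int) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                                 # nothing outstanding, or already used
        digest, expiry, attempts = entry
        if now > expiry:
            del self._pending[user]                      # expired: customer must request a new one
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]                      # consumed: a replay of this code fails
            return True
        attempts += 1
        if attempts >= self.max_attempts:
            del self._pending[user]                      # too many guesses of a 6-digit code
        else:
            self._pending[user] = (digest, expiry, attempts)
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"                       # RFC 4226 / RFC 6238 test secret
    print(hotp(seed, 0), totp(seed, 59, digits=8))       # 755224 94287082
    svc = SmsOtpService()
    code = svc.issue("alice", now=1_000)
    print(svc.verify("alice", code, now=1_010))           # True
    print(svc.verify("alice", code, now=1_020))           # False: already used
```

The guess cap matters as much as the expiry: a six-digit code has only a million values, so a server that accepts unlimited attempts within the validity window turns the OTP into a brute-force target.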
- Password-generating devices should have large, clear print
- Password-generating devices should offer audio output
- Mailed notification of a password should be available in alternative formats
- Many banks are able to issue promotional leaflets, bank statements, letters and mortgage forms in braille, large print and on audio tape. Some can also provide plastic guides and templates to help fill in cheques, and credit books
- Guidance should be readily distinguishable from other displayed information
- Provide the user with specific information relative to the task context rather than a generic message
- Provide information on how to recover from errors
- Indicate permitted range of values or syntax for user response
- Ideally, multi-modal help should be provided
- Allow skilled users the option of switching off help prompts if they are not required
- Keep spoken messages short and simple
- Do not use abbreviations in audio messages
- Allow users to interrupt the help at any time and return to the task
- APACS 70: 2006 Card acceptor to acquirer interface standards
- APACS 71 Bankcard PIN mailer security
- CAN/CSA-B651.1-01 (2001) Barrier-free design for automated banking machines
- EN 1332-1 Identification card systems - Man-machine interface - Part 1: Design principles for the user interface
- EN 1332-2 Identification card systems - Man-machine interface - Part 2: Dimensions and location of a tactile identifier for ID-1 cards
- EN 1332-3 Identification card systems - Man-machine interface - Part 3: Keypads
- EN 1332-4 Identification card systems - Man-machine interface - Part 4: Coding of user requirements for people with special needs
- EN 1332-5 Identification card systems - Man-machine interface - Part 5: Symbols and icons
- ISO 7816-1: 1998 Identification cards - Integrated circuit(s) cards with contacts - Part 1: Physical characteristics
- ISO 8583: 2003 Financial transaction card originated messages - Interchange message specifications. Parts 1, 2 & 3
- ISO 9564: 2002 Banking - Personal Identification Number (PIN) management and security. Parts 1, 2, 3 & 4
- ISO/IEC 7810: 2003 Identification cards - Physical characteristics
- ISO/IEC 9995-4: 2002 Information Technology - Keyboard layouts for text and office systems - Part 4: Numeric section