ING Bank has upgraded the authentication software on its Web site, and in the process it replaced an automated security system in its call center with one that is handled by people.
The Wilmington, Del., unit of ING Group NV is known for touting its automated approach to banking, making the call center system replacement somewhat counterintuitive. But Rudy Wolfs, ING’s chief information officer, said in an interview last week that it must balance security with access, and that he wants to ensure that customers could easily reach the bank by phone.
His unit, which uses the brand ING Direct, recently installed RSA Security Inc.’s PassMark authentication software on its site, but Mr. Wolfs said the unit will not use the companion speech recognition system at its call centers. Instead, he has chosen to improve security there by having customers authenticate themselves to live customer service representatives.
ING Bank has long asked callers challenge questions with numerical answers, such as part of their Social Security numbers. Because the questions had numerical answers, the system could authenticate the information automatically.
Now customer service representatives ask questions that have non-numeric answers. Mr. Wolfs said ING had some concerns about RSA’s voice system. “We haven’t found it to work reliably enough yet to deliver a good experience for our customers.”
Because ING has no branches, it cannot take the chance that its systems would inadvertently lock out a legitimate customer, he said. “We’re a high-volume, high-value player in the market here. We can’t be on the edge.”
Customers enroll in the PassMark software by selecting an image, which the Web site then displays whenever they log in to verify that the page is authentic. The software also examines users’ computers to make sure they are using a known system; if they are not, banks can configure the software to ask challenge questions.
The call center representatives ask customers the same questions to verify customers’ identities.
George Tubin, a senior analyst at TowerGroup Inc., a Needham, Mass., unit of MasterCard International, said it was wise for ING to be careful when making changes to its call center and its Web site at the same time.
If there are any problems with the site, “your only other alternative is to call the call center,” Mr. Tubin said. “You can’t go to the branch and have somebody at the branch walk you through the process” if you have no branches.
The ING site will continue to use an image of a keypad to protect customers from keylogger viruses; instead of typing their PINs on a keyboard, customers click on the numbers on the screen.
The keypad, installed last year, protects only PINs, and though there are other parts of the Web site where it could be used, such as some fields in accounts application forms or the personal information fields for retrieving a forgotten username, ING has not done so.
“If you really want to go crazy, you can put PIN pads or online keyboards on every data entry field on the screen,” Mr. Wolfs said, but ING wanted to keep those screens simple while shoring up security where fraudsters were focusing their attention: the login screen for active accounts.
At the same time, ING stresses to its customers the importance of using anti-virus software and avoiding phishing scams, Mr. Wolfs said. “Today, customers are more aware of their responsibilities and what they can do to protect themselves,” he said.
ING sent e-mails to its customers last month asking them to enroll in the PassMark system, and more than 1 million did so within two weeks. The enrollment process put an unexpected burden on the network, he said; some people spend a lot of time selecting an image, and each one they view must be downloaded from the unit’s servers.
“It was a bit of a surprise to us, how much browsing our customers were doing to find the photo that fits them best,” Mr. Wolfs said.
To cover the surge in traffic, it used some of the systems in its emergency backup center, he said. “Fortunately, we’ve got a lot of bandwidth here, both in our primary site and in our business continuity site, we had more than enough capacity to deliver on our solution.”
The extra demand did not disrupt ING’s site, Mr. Wolfs said.
Technology Credit Union of San Jose was not so fortunate. In November it installed both PassMark’s software and a new username and password system. The credit union said the six-page enrollment process slowed traffic on the credit union’s Web site to a crawl, and frustrated members overwhelmed its call center.
Mr. Wolfs said future changes will be less visible to ING customers. In addition to evaluating their computers during the log-in process, the software can use the data to determine if certain transactions should be challenged.
ING began talking to PassMark Security Inc. about its technology in late 2004; RSA acquired PassMark in April.
“Internet-only banks are more likely to have something visible,” like PassMark, rather than rely solely on products that are invisible to the end user, like transaction monitoring, said Chris Young, a senior vice president and general manager for RSA’s consumer solutions division.
