Press Release

RSA Announces Findings of Annual Consumer Online Fraud Survey

Consumers say 'Username-&-Password' must go: 91% of account-holders are willing to use stronger authentication methods offered by financial institutions. Trust in the online channel continues to drop: 52% are "less likely" to sign-up for or use online banking; 82% are "less likely to respond" to banking-related e-mails

BEDFORD, Mass., Thursday, January 25, 2007 - 

RSA, The Security Division of EMC, (NYSE: EMC) today released the findings of its fourth annual Financial Institution Consumer Online Fraud Survey. Conducted in December 2006, the online survey asked 1,678 adults from eight countries around the world for their opinions on evolving fraud threats such as phishing, vishing and keylogging, and on the efforts of their financial institutions to strengthen remote channel banking authentication.

Key results of the survey include:

In addition, trust in the online channel continues to erode. 82% of account-holders are less likely to respond to an e-mail from their bank due to scams including phishing – up from 79% in 2005 and 70% in 2004 – and more than half said that they would be less likely to sign up for or use online banking as a result. In addition, 44% of account-holders reported that they have become increasingly concerned about other types of attacks (besides phishing), such as Trojans and keyloggers, over the past six months.

"2006 was an eventful year for financial institutions in terms of ramping up their online banking security. Our survey affirms that the market is moving in the right direction, with more than 90 percent of consumers now willing to use stronger security when it is deployed, and this is something that banks should take into consideration when looking to accelerate their business," said Christopher Young, vice president and general manager, Consumer Solutions at RSA. "We anticipate that 2007 will bring new steps forward in online banking security, albeit in the context of an evolving threat landscape that is driving the need for added protection in other remote channels – with a focus on telephone banking."

Account-holders want stronger authentication...

When asked for their views on online banking authentication, 69% of respondents answered that they feel banks should use something stronger than basic and static usernames-and-passwords; more than half (58%) want banks to ramp up telephone banking authentication as well. Moreover, 91% of account-holders responded that they would be willing to start using a new authentication method, beyond the standard username-and-password, if their bank decided to offer stronger security: 43% said they would be "very willing and would proactively sign up for the service," and another 48% said they were "somewhat willing and would sign-up if they had the time and it was a simple process."

... but opinions vary when it comes to the preferred method of authentication

When presented with several authentication options, including hardware tokens, personalized images, and risk-based authentication, the majority of respondents (73%) commented that they would like their financial institution to use risk-based authentication. Risk-based authentication involves a behind-the-scenes assessment of the user's identity based on factors including log-on location, IP address and transaction behavior – which can be supplemented with out-of-band phone calls or secret questions for transactions that are deemed high-risk. Risk-based authentication is designed to provide strong security with minimal impact on the user experience – a concept that resonated extremely well with the survey respondents.

Globally, 40% responded that they would like to use a hardware token for authentication. Account-holders in European and Asia-Pacific countries such as Spain, Germany, Singapore and India were the strongest advocates for this technology, with between 46-50% responding that they would like to use tokens.

56% responded that they would like to use a personalized image to authenticate the online banking site to the user; 53% felt that personalized images would provide them with an increased sense of security. A personalized image is selected by users and used to help verify that they are in fact on their bank's legitimate site and not a fraudulent one.

Most consumers unaware of additional security that may already be in place

Despite the fact that consumers want added security and are willing to use it, only 39% of account-holders answered that they were aware of their financial institution using some form of additional security (personalized images, risk-based authentication, one-time-password device). In fact, U.S. financial institutions faced a 2006 year-end deadline to start enhancing online security set by the Federal Financial Institutions Examination Council (FFIEC). According to a Gartner survey of 50 U.S. banks conducted in October and November 2006, two-thirds of U.S. banks are already compliant with the FFIEC's Guidance on Stronger Authentication in an Internet Banking Environment, in time to meet the 2006 year-end deadline. Moreover, another 30% planned to achieve compliance in the six months after the survey was taken, or by May 2007.

Based on a survey conducted by the Aite Group, 92% of the top 10 retail brokerages and 12 of the top 50 U.S. banks have already selected vendors for user-authentication, fraud-detection and transaction-monitoring solutions, and approximately 50% of financial institutions are expected to have additional security measures in place by the end of 2007.

Young continued: "The consensus used to be that security is something that should be handled quietly – and that consumers trust their financial institution to keep their information and assets safe. However, as awareness of identity theft and online fraud grows, people want to feel reassured that they are in fact protected. Our experience shows us what our survey results affirm: educating consumers about new security measures in place, even if they are invisible to the consumer, is advisable and would be regarded positively by the bank's customers. While most consumers don't want to be burdened with security, they still would like to know they are secure, and as we can see, they are willing to embrace the technology."

Account-holders expect their banks to monitor remote channel banking activity

About EMC

RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance.

RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com
