When it comes to protecting our identities, financial services firms have to perform a tough balancing act. Consumers demand protection but aren't willing or able to use sophisticated technology safeguards like two-factor authentication tokens.
As a result, financial services companies are forced into technology options that provide some level of protection without being in the consumer's face.
This is the exact profile of risk-based authentication. You may not know the term, but if you bank online, have ATM cards, or read the papers, you know the technology. Risk-based authentication creates a series of challenges in response to algorithms built into the technology. As an example, when the system detects anomalous behavior, like a random withdrawal of $10,000 from your bank account, a teller may ask you for your mother's maiden name, birthplace and pet's name before allowing this to happen.
In principle this makes sense, but it can get intrusive. Last week, I traveled through France with my family when all of a sudden both my credit and debit card were cut off. Since many U.S. cell phones don't work in Europe (another stupid problem), I had to scramble, find a phone, call my credit card company, and fix things on the fly.
Fortunately, this situation did not occur while I was paying for dinner at Altitude 95 in the Eiffel Tower, but I still had to interrupt my vacation and deal with this situation before spending any more dough. Ultimately, I spent about 30 to 45 minutes on the phone with customer service folks and voice-activated services at two firms. My financial service companies apologized for the inconvenience and informed me that I should call them the next time I leave the country.
So here's my quandary: I don't want my bank blocking access to my own money, and I sure as heck don't want to call them every time I travel. On the other hand, I expect them to protect me as part of their service.
It's time for financial services firms to offer tiered authentication and explain the risks and responsibilities more clearly. For example, I'm willing to let authentication technologies like an RSA token alleviate this problem for me. Other people who aren't willing to do so should understand the ramifications of this decision.
With all due respect to the financial services industry, Joe Consumer wants convenience, security and privacy. You need to figure out a better way to provide these services. Think of this as a competitive differentiator today and a requirement in the near future.