Banks do not get a very good press. It's not hard to see why. Put aside, for a moment, all the shenanigans over extortionate charges, poor service and antisocial opening hours. There is still a growing dissatisfaction over security. This is not helped by a matching paranoia over identity theft. John Ozimek reports.

Let's start with security. If you wish to use any number of banking services, then you need to put in place some security measures. Typically, these involve setting up an account name, recording a password and, to protect against the possibility that someone might try to impersonate you, providing some slightly more difficult information, such as your mother's maiden name, date of birth, or the name of your first pet.

Is this really about your security? Or does it have more to do with covering the banks' collective backs?

According to the Banking Code of Practice (2008), 'unless you have acted fraudulently or without reasonable care (...), you will not be liable for losses caused by someone else which take place through your online banking service'. Similar provisions apply to other services - such as cashpoints and card payments. The onus, in theory, is on banks to show a lack of care on your part.

But this is not the way it has worked in the past. When unauthorised cash point withdrawals were first reported, banks maintained for a very long time that these could only be the fault of the customer.

The transaction was taken as de facto evidence of customer negligence or fraud - and the response was correspondingly heavy-handed. Rather than receive sympathy, customers were treated with hostility and on more than one occasion reported to the police.

The position has since improved, though not nearly enough if the frequent coverage of this issue on consumer programmes such as BBC's Watchdog is anything to go by.

There are still major issues with how banks set up and police their security. Take passwords. Best practice is for individuals to use unique and difficult passwords on every single account they own. A difficult password would be a random combination of numbers and letters, with upper and lower casing a critical part of the equation.

For instance: Hy87Uik. Not only must it be unique to each account: it needs to change regularly - perhaps once a month. Furthermore, it should not be written down.

In the words of the immortal Andy Millman: 'they're having a laugh'.

For anyone with more than a few accounts, that requirement is pure nonsense. Meanwhile, the other security information that customers may be asked for is laughable. 'Just a few security questions: can you tell me your date of birth?'

Er, yes. As if any fraudster worth their salt has not got a crib sheet in front of them with all the basic information they will ever need (harvested in five minutes flat off the internet).

I have discussed these matters with data security staff at a number of banks. Their complacency - or is it arrogance? - is mind-boggling. I asked a representative for Lloyds whether the same level of security was right for accounts containing several hundred thousand pounds as for ordinary current accounts. They reckoned it was.

Over at the Halifax, a system that was even weaker than that used by Lloyds (single word password, entered in full on every occasion) was described as 'the only way to do it'.

The platitudes are endless.

There are signs, however, that customers are beginning to get fed up. Unfortunately, the banks' record of responding to customer fed-upness is not good. If one looks at the fuss over charges, ever so slowly wending its way through the UK courts, reaction to potentially major issues can be categorised as roughly:

Stage 1: ignore them;
Stage 2: put out soothing statements;
Stage 3: get cross and warn customers of dire consequences;
Stage 4: back down and end up paying out far more than if the problem had been addressed properly in the first place.

OK. Unfair. This would probably describe the response of most major organisations to criticism of how they do business. But banks seem very prone to it.

In the case of banking, I would guess we are at around stage two. The issue is in play. Customer groups are beginning to raise the temperature. In February/March 2008 one such group received a high profile interview on BBC Radio 2, highlighting just this issue.

So far, there is little sign that banks are taking note. Why should they?

Two reasons. First, it is generally not conducive to good business practice to be in a state of constant warfare with your customer base. It makes switching that much more likely - as well as resentment, and a basic attitude that if you are not going to play fair, why should we?

There is no justification for insurance fraud. But there is a generally held view in the population that since insurers do not play straight, 'getting your own back' through exaggerated claims is acceptable.

Second, it is not at all clear that banks are in the right on this issue. Many of the stipulations about keeping passwords safe are just terms of business. Contractual terms.

According to the Unfair Terms in Consumer Contracts Regulations 1999 (s5.1) a term is unfair if 'Contrary to the requirement of good faith it causes a significant imbalance in the parties' rights and obligations under the contract, to the detriment of consumers'.

To put it bluntly: an unfair term is not binding upon a consumer. We are still a long way from this sort of legal confrontation. But don't think it can never happen: that is possibly what in-house lawyers believed once upon a time in respect of charges.

So what are the alternatives? One obvious route forward is through biometrics. These are especially appealing for individuals who conduct a lot of business online. The falling cost of equipment such as fingerprint readers and iris scanners means that the days when every PC or laptop is fitted with one are - theoretically - not far off.

But is this really the way to go? Any ID system is only as strong as its weakest link (once biometric data is digitised, it can be stolen as easily as any other data). It is a culture change - requiring millions to purchase the equipment. Worse, it raises the ghoulish prospect of criminal gangs stealing not only account details - but the appropriate body part as well.

One possible solution is OpenID. Instead of individual organisations creating proprietary ID systems, there is growing buy-in to a single worldwide ID system.

OpenID comes in two parts. For the technologically savvy, it is the software and protocols that run the OpenID system. These are created as open source code - which means that no one organisation owns them, and every interested programmer in the world can contribute to their enhancement and development.

For those brought up in the corporate environment, this may sound exceedingly scary. But doesn't that mean hackers can access the source code too? Definitely. However, the strength of open source solutions tends to be that there are enough white hats, ethical hackers, around to make this a major strength of the software that results.

Instead of one or two analysts working on the software, there will be hundreds – thousands, maybe - worldwide, all testing it, reading the code, looking for exploits and feeding back improvements or fixing bugs. It is the ultimate in free market coding – and it works.

Once past that hurdle, you are on to the OpenID system itself. This allows web users to create a single online identity that they can use across many different sites.

An OpenID provider allows you to create your own digital identity in the provider’s OpenID system. It then serves to authenticate that identity for any site that supports OpenID. Any website may add support for OpenID authentication, eliminating the need to invent their own registration and login procedures.
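A constructed toy model, added here and not taken from the article, of the two halves just described: the positive assertion a provider hands back ("this user owns that identity") and the checks a relying site must make before believing it. Field names follow OpenID 2.0; discovery, the association exchange and the browser redirects are omitted and the shared MAC key is assumed to be already agreed.

```python
import hashlib, hmac, secrets, time

# Constructed toy model of an OpenID 2.0-style signed assertion. Discovery,
# the Diffie-Hellman association exchange and the browser redirects are left
# out; the shared MAC key is simply generated up front (an assumption).

def make_association():
    """RP and provider share a MAC key identified by an association handle."""
    return {"handle": secrets.token_hex(8), "mac_key": secrets.token_bytes(32)}

def _mac(mac_key, fields):
    # OpenID signs the "name:value\n" concatenation of the fields in openid.signed, in order.
    names = fields["openid.signed"].split(",")
    data = "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()
    return hmac.new(mac_key, data, hashlib.sha256).hexdigest()

def provider_sign(assoc, claimed_id, return_to):
    """Provider builds the positive assertion that the user owns claimed_id."""
    fields = {
        "openid.mode": "id_res",
        "openid.claimed_id": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
        "openid.assoc_handle": assoc["handle"],
        "openid.signed": "mode,claimed_id,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = _mac(assoc["mac_key"], fields)
    return fields

REQUIRED = ("claimed_id", "return_to", "response_nonce", "assoc_handle")

def rp_verify(assoc, fields, my_return_to, seen_nonces):
    """Relying party side: returns (True, claimed_id) or (False, reason)."""
    # The provider is the single point of trust: whoever holds the MAC key can mint a passing assertion.
    if fields.get("openid.assoc_handle") != assoc["handle"]:
        return False, "unknown association handle"
    names = fields.get("openid.signed", "").split(",")
    if any(r not in names for r in REQUIRED):
        return False, "required field not covered by signature"
    if any("openid." + n not in fields for n in names):
        return False, "signed field missing from response"
    if not hmac.compare_digest(_mac(assoc["mac_key"], fields), fields.get("openid.sig", "")):
        return False, "bad signature"
    if fields["openid.return_to"] != my_return_to:
        return False, "return_to mismatch: assertion was issued for another site"
    if fields["openid.response_nonce"] in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(fields["openid.response_nonce"])
    return True, fields["openid.claimed_id"]
```

The return_to and nonce checks are what stop an assertion captured for one site, or replayed later, from logging someone in; none of them helps if the provider itself is compromised, which is the "one basket" problem the article goes on to raise.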

But this is surely just geek stuff. What major organisation is going to entrust its security to something so different? The answer is: quite a few. AOL. Yahoo. Orange. Meanwhile, serious organisations such as Microsoft and, in the UK credit-checking sector, Experian, are in the process of incorporating OpenID into their solutions.

OpenID is becoming fashionable - and perhaps that is the only reason for pausing before you leap in. Because the bane of business life is a fashionable solution that seemed like a good idea at the time - and subsequently turns out to be flawed.

There are also some very cogent criticisms of OpenID and how it works. It is vulnerable to phishing and other attacks. It creates privacy problems for the user. It is not a trust system. It is not a system that is (yet) totally suited to the average technologically illiterate internet surfer.

At base, the OpenID solution is about putting all your security eggs in one basket - and thereafter being completely dependent on the weakest link. Would you entrust your life savings to such a proposition?

At best, the jury is out on OpenID. It is certainly one way to go in order to rationalise net security where the consequences of password loss are small. It can also reduce the overhead on companies setting up security.

Whether it is yet, or will ever be, powerful enough for high consequence activities - such as banking - is another matter.

Which brings us full circle. The way banks do security now is increasingly at odds with customer demands. A more user-friendly solution is urgently needed.

John Ozimek is a writer and consultant.