Safety fears for web banking

Many customers are still wary to bank through their computer

Hardly a month goes by without the launch of an internet bank. Some are new banks, others are the offspring of well-established High Street parents.

But despite cut-rate deals and saturation advertising, customers have just one question: How safe is online banking?

The new banks promise a lot. They are "built on advanced and secure technology so you can bank with total confidence" and promise "security you can trust".

Consumers, though, are wary.

With confidence already shaken by computer viruses and hack attacks, it does not help when even established banks get it wrong online and suffer security glitches.

Whom do you trust with your credit card?

The most-feared online problem, credit card fraud, is probably the rarest. As long as you shop on a web site that allows secure - encoded - transfer of your credit card details, you should be safe.

A hacker called Maxus managed to snatch thousands of credit card details from CD Universe

It's probably riskier to give your credit card to a waiter in a dimly lit restaurant.

Problems arise, though, when the companies you trust with your money get a bit sloppy with their security.

US online retailer CD Universe, for example, had a hacker nick the names and credit card numbers of 300,000 customers. The heist was made easy by a piece of widely used e-commerce software that stored card numbers in a plain text file.

In the UK, electricity and gas supplier Powergen parted with the financial details and addresses of thousands of customers without any hacking.

Customer John Chamberlain of Leicester found his credit card details and that of up to 5,000 other people during a search around the website.

Powergen has now advised thousands of customers to get new cards, and will pay them £50 for their pains.

Raiding the virtual bank

But what if the worst online nightmare comes true and somebody takes over your bank account or share portfolio?

So far, this has not happened.

But there have been numerous incidents that point to gaping security holes.

• When online bank Egg upgraded its website in May 1999, new security measures scrambled online session protocols and allowed users to see banking details of other customers.
• In November 1999, Halifax bank suspended its online share dealing service, after an attempt to fix a bug backfired. Again, account details were made available to other users.
• And Barclays, which claims to be the UK's largest online bank, had to take down its web site at the end of July, when customers were served the bank statements of other clients.

All incidents have one thing in common: The security loopholes opened up during a software upgrade.

And although nobody (but the banks involved) suffered any financial damage, customers will wonder what else can go wrong at web sites that fail to get the fundamentals right.

Test, test, test

This is the big problem for online operations: The reliability and security testing of complex e-commerce or e-banking systems is mostly done "in the wild", on a live web site.

As banks rush to get online, they can rarely test for worst case scenarios, with thousands of customers trying to log on at the same time, and numerous hackers and crackers testing the web site's defences.

There has been one honourable if costly exception. Intelligent Finance, the online banking arm of Halifax, postponed its July launch with one day to go.

The bank said it was worried whether its systems could cope with strong demand, although there have been rumours that its technical team discovered a security hole in the last minute.

Account raided - who pays?

Credit card fraud victims can at least rest assured that card companies will pick up most of the fraud bill.

But who pays when fraudsters empty your bank account?

Many banks originally relied on small print that told users they were responsible for their data and money until they alerted the bank to a problem.

For customers this was not good enough.

Most online banks have changed their tune. They now promise to stump up the money, unless a customer "acted fraudulently or ... grossly negligent" (Egg).

Abbey National's Cahoot warns users not to divulge their password and alert the bank when they think that someone else knows your security details, but promises to "accept liability for any loss you suffer as a result of any unauthorised access to the secure zone", if they follow the instructions.

Smile says it will "repay you any money that is taken from your account due to any error by our staff or our systems [or] a computer crime which is not identified and stopped by our security system", while laying out a strict code for customer behaviour.

Other online banks offer similar terms and conditions.

Access denied

But there is an online banking problem that is costing thousands of customers real money.

Too often, banking and share trading systems buckle under the pressure and crash.

Most times it takes just a few hours, some times it takes a few days to sort out the mess.

With every off-line minute ticking away, share deals are not done, bills are not paid, money is lost.

In the United States, the majority of complaints to the Security and Exchange Commission about online banking is not about security, but the difficulty of logging on.

Some people still keep their money under the mattress.

Others don't use credit cards or cash machines.

But with an abundance of technical problems , online banking continues to be a leap of faith.