2. Background
Although Internet banking is increasingly popular, with one survey reporting 47% of respondents used it in the previous month (Gartner, 2009), automated telephone banking continues to be an important service delivery channel for banking organisations around the world. The U.K. service on which the application in this research is based, for instance, has 4 million registered users, and receives 5.5 million calls per month. Its development is the subject of continued interest at the Bank.
The customer authentication process in the existing service is knowledge-based (“what you know”). Users must recall two digits selected at random from their Secret Number or ‘PIN’. The service is not alone in this method - the use of a PIN or alphanumeric password (or some combination of the two) is the current de facto standard for customer verification in U.K. telephone banking.
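The partial-PIN challenge described above can be written down as a small server-side routine. The following is an added illustration, not the Bank's code: the PIN length (six digits), the two-digit challenge and the three-strike lockout are assumptions for the example, and the customer record is constructed inline. It also makes a design point the text leaves implicit: because the server must compare individual digits at arbitrary positions, the PIN has to be stored in a form from which single digits can be read back, so it cannot be protected as one salted hash of the whole value the way an ordinary password can.

```python
import hmac
import secrets
from math import comb

# Assumed parameters for this example; the page does not state the Bank's values.
PIN_LENGTH = 6
CHALLENGE_DIGITS = 2
MAX_ATTEMPTS = 3


def make_challenge(pin_length=PIN_LENGTH, k=CHALLENGE_DIGITS):
    """Choose k distinct PIN positions (1-based, as they would be spoken to
    the caller) using a CSPRNG, so an attacker cannot predict which digits
    will be asked for on the next call."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(1, pin_length + 1), k))


def expected_response(pin, positions):
    """The digits the caller should answer with for the given positions.
    This requires the stored PIN to be readable digit by digit, which is why
    partial-secret schemes cannot store a single hash of the whole PIN."""
    return "".join(pin[p - 1] for p in positions)


def verify(pin, positions, response):
    """Compare the caller's digits with the stored PIN in constant time."""
    if len(response) != len(positions) or not response.isdigit():
        return False
    return hmac.compare_digest(expected_response(pin, positions), response)


def guess_success_probability(k=CHALLENGE_DIGITS):
    """Chance that a caller who does not know the PIN answers one challenge
    correctly by guessing: one in 10**k."""
    return 10 ** -k


def distinct_challenges(pin_length=PIN_LENGTH, k=CHALLENGE_DIGITS):
    """Number of different position pairs the service can ask for; with a
    6-digit PIN and 2 positions this is C(6,2) = 15."""
    return comb(pin_length, k)


class TelephonePinVerifier:
    """Minimal per-account state: issues a challenge, checks the answer and
    locks the account after MAX_ATTEMPTS consecutive failures so that the
    1% per-attempt guess probability cannot be exploited by repeated calls."""

    def __init__(self, pin, max_attempts=MAX_ATTEMPTS):
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be %d digits" % PIN_LENGTH)
        self._pin = pin            # stored readably; see expected_response()
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False
        self._pending = None

    def challenge(self):
        """Return the positions to ask for on this call."""
        if self.locked:
            raise PermissionError("account locked")
        self._pending = make_challenge()
        return list(self._pending)

    def answer(self, response):
        """Check the caller's digits against the outstanding challenge."""
        if self.locked or self._pending is None:
            return False
        ok = verify(self._pin, self._pending, response)
        self._pending = None
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample account for a stand-alone run.
    account = TelephonePinVerifier("482913")
    positions = account.challenge()
    print("Please enter digits", positions, "of your PIN")
    print("accepted:", account.answer(expected_response("482913", positions)))
    print("guess probability per attempt:", guess_success_probability())
    print("distinct challenges:", distinct_challenges())
```

The `TelephonePinVerifier` keeps the lockout counter per account rather than per call, which is the property that actually bounds an attacker: without it, the 1-in-100 chance of guessing two digits becomes a near certainty over a few hundred automated calls.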
When they are used correctly, such passwords and PINs play an important part in the security of automated services (O'Gorman, 2003). However, the ubiquity of their use across different applications means that users are typically required to have many, making it difficult to remember them all.
A common response to this problem is to write some of them down or to use the same one across a number of different services, both of which have inherent security risks (Adams & Sasse, 2005; Dhamija & Perrig, 2000; Gaw & Felten, 2006). In one study (Dhamija & Perrig, 2000), for example, participants reported between ten and fifty situations in which a password was required, but in practice reused only one to seven distinct passwords across them. Users have also been shown to choose passwords and PINs that are easy to remember, and are therefore easier for an attacker to guess (Adams & Sasse, 2005; Bishop, 2005; Yan, Blackwell, Anderson, & Grant, 2004).