Security Measures on the Part of Banks and Customers
However, the interviewed experts proved to be aware of the importance of information security and displayed a willingness to make the necessary investments. For example, the creation of a CISO position that addresses the topic holistically, rather than being restricted to the technical side, is called for, has in many cases already been implemented, or is in the planning stage.
While most of the efforts undertaken by banks to improve security run in the background and are “invisible” to customers, the methods used for logging on to the online banking system and for verifying transactions are highly relevant for security and are the focus of customers’ attention. The survey showed that a system using PIN and chip card found the widest approval, ahead of the conventional PIN/TAN method with a list of numbers, each used only once. It is interesting to note that the biometric methods, which are hotly disputed in the media, also score well in terms of popularity among the respondents. However, virtually no European bank has made use of these methods. The mTAN method, i.e., verification by means of a code sent to the user by text message, turned out to be less popular. But there was a difference among European consumers in this respect. When only the answers from Austrian respondents are considered, this method was right at the top of the popularity scale, possibly a consequence of the fact that this technology is in widespread use in Austria. Once in use, this verification method appears to convince customers of its value.
Banks are not alone in their obligation to make the offered Internet services as secure as possible; customers share responsibility for their actions as well. Consumers are obligated to exercise caution in using their passwords or to use the latest release of virus scanners. The extent to which a normal consumer can be expected to bear responsibility for security is the subject of heated discussions and has, in isolated cases, even become the subject of court proceedings (cf., for example, Karper (2006) and the decision of the Cologne Regional Court 9 S 195/07 of 05/12/2007 (“No contributory negligence of a phishing victim”)). According to the study, a majority, 74% of the European bank customers, regard the bank as being “primarily” or “more” responsible for ensuring that their own computers are set up so that the condition of this equipment poses no realistic risk. Significant regional differences were found with respect to customers’ willingness to accept responsibility. 42% of the Britons who participated in the survey answered that it was “more the bank” or even “primarily the bank” which was to be held responsible for the security of their own computers.
