Enhancing User Security in Online Banking Applications

The Problem

In the digital age, even with technological progress, schemes like phishing and identity theft exploit users' trust and security gaps, leading to cyber fraud. Despite efforts to fortify security protocols, these scams often capitalize on human error, lack of awareness, or lapses in cybersecurity practices, leaving individuals vulnerable to financial exploitation.

Many of these scams involve getting into bank accounts and draining funds through e-transfers, or tricking customers into moving money into other accounts.

The Solution

Real-time transaction notifications help keep accounts safe. When users receive immediate alerts on their phones or emails for any online activity, like payments or transfers, they can quickly spot unauthorized transactions. This helps them act fast—like freezing the account or reporting issues—to stop fraud in its tracks. Clear and constant communication like this boosts user awareness and builds a stronger shield against online scams, making online banking more secure.
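As an added illustration (not part of the original case study and not BMO's code), the following Python sketch shows what "an alert for every online activity" looks like on the server side: each sign-in, new payee and transfer produces an alert, a transfer to a payee added shortly beforehand is escalated, and alerts for an account that has not opted in are simply lost, which is the gap the rest of the case study describes. The 24-hour window, the event kinds, and the sample timeline are assumptions constructed for the example.

```python
"""Transaction alert rules for an online-banking back end (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed threshold for the example: a transfer to a payee added this recently
# is treated as high risk. It is not a real bank setting.
NEW_PAYEE_WINDOW = timedelta(hours=24)


@dataclass
class Account:
    alerts_enabled: bool          # user has opted into transaction alerts
    two_step_enabled: bool        # 2SV status, as shown on the settings page
    payees: dict = field(default_factory=dict)   # payee name -> datetime added


@dataclass
class Event:
    kind: str                     # "login", "payee_added" or "transfer"
    at: datetime
    payee: Optional[str] = None
    amount: float = 0.0
    new_device: bool = False


@dataclass
class Alert:
    severity: str                 # "info" or "high"
    message: str


def evaluate(account: Account, events: list) -> list:
    """Turn every online activity into an alert; escalate risky patterns."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.at):
        if ev.kind == "login":
            where = "a new device" if ev.new_device else "a known device"
            alerts.append(Alert("high" if ev.new_device else "info",
                                f"Sign-in from {where} at {ev.at:%H:%M}"))
        elif ev.kind == "payee_added":
            account.payees[ev.payee] = ev.at
            alerts.append(Alert("info", f"New payee added: {ev.payee}"))
        elif ev.kind == "transfer":
            added = account.payees.get(ev.payee)
            recent = added is not None and ev.at - added <= NEW_PAYEE_WINDOW
            note = " to a payee added in the last 24h" if recent else ""
            alerts.append(Alert("high" if recent else "info",
                                f"Transfer of ${ev.amount:,.2f} to {ev.payee}{note}"))
    return alerts


def deliver(account: Account, alerts: list) -> dict:
    """Split alerts into those the user receives and those lost because
    alerts are switched off."""
    if account.alerts_enabled:
        return {"delivered": alerts, "suppressed": []}
    return {"delivered": [], "suppressed": alerts}


def needs_2sv_prompt(account: Account) -> bool:
    """The proposed dashboard pop-up: shown whenever 2SV is still off."""
    return not account.two_step_enabled


def sample_timeline() -> list:
    """Constructed sample events: a new-device sign-in, a new payee, then a transfer."""
    t0 = datetime(2023, 6, 1, 9, 0)
    return [
        Event("login", t0, new_device=True),
        Event("payee_added", t0 + timedelta(minutes=5), payee="unknown-contact"),
        Event("transfer", t0 + timedelta(minutes=10), payee="unknown-contact", amount=550.0),
    ]


if __name__ == "__main__":
    acct = Account(alerts_enabled=False, two_step_enabled=False)
    result = deliver(acct, evaluate(acct, sample_timeline()))
    print(f"delivered={len(result['delivered'])} suppressed={len(result['suppressed'])}")
    for a in result["suppressed"]:
        print(f"  [{a.severity}] {a.message}")
    print("show 2SV prompt:", needs_2sv_prompt(acct))
```

Run stand-alone, the script shows all three alerts for the sample account being suppressed because alerts are off, and reports that the 2SV prompt should be displayed; flipping `alerts_enabled` to `True` delivers the same three alerts, the last one marked high because the payee was added only minutes earlier.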

Let’s look at what has occurred so far with this problem.

  • 82% of Canadians worry most about unauthorized access to their online accounts

  • 63% of younger Canadians (aged 18-34) were victims of a fraud or scam in 2023

  • 42% of Canadians say they receive email or text alerts for every transaction

  • $283 Million lost to fraud and scams in 2023

Understanding the affected - Based on true stories

Recently someone got into my partner’s bank account. The hackers made themselves a contact and then issued a $550 Interac transfer to themselves. After learning this, I immediately asked my partner if they had received any notification or alert of a suspicious login for their bank account by email or text message. Unfortunately, there was no such notification because my partner had not turned on 2SV.

To dig deeper, I immediately turned to Google to see if there were any similar cases, and I did find exactly similar cases that happened this year (2023). To my surprise, my partner’s bank and the other victims’ bank were the same: BMO, Bank of Montreal.

“Retired Teacher's Pension Check Leads to $3,918 Bank Account Hack: A Cautionary Tale”

“Bank Scam Nightmare: Toronto Man Loses Thousands, Accuses Bank of Insufficient Protection”

After seeing an emerging pattern, I decided to look into BMO’s 2-Step Verification process to see the gap that might eventually contribute to a scam.

BMO - Chosen financial institution

Hypothesis

Because there is no system message asking users to enable 2SV for their account, many users are unaware of, or don't pay attention to, the alerts that help keep their account secure. This neglect leaves the user's account vulnerable to scams and other online threats.

Looking into BMO’s current Sign-in journey

I logged in to my partner’s BMO bank account to turn on 2SV, hoping to see a prompt or a notification to turn it on, but I noticed its absence.

BMO Web Dashboard ( Current status: 2SV off )

  • Popup for 2SV absent.

  • No hotspots or labelling to access the security section.

BMO Profile & Settings Dashboard ( Current status: 2SV off )

  • There is no direct indicator that 2SV is off.

  • Multiple steps to turn on 2SV, and the copy fails to label it as 2SV; instead it is labelled as alerts.

What are the competitors doing

After doing some market analysis, I found that competing banks heavily emphasize urging their users to enable 2SV for added security. These requests often come as a pop-up, a notification, or an occasional email. This helps users see their 2SV alert status before they even start using any other service.

Proposed solution for BMO

BMO is a large institution and already contributes to the safety of its account holders. I believe emphasizing and encouraging users to enable 2SV on both the web and the BMO app could further enhance security.

What the applied solution looks like

I updated both the main dashboard and the account settings page to reflect the proposed solution.

BMO Web Dashboard ( Current status: 2SV off )

  • Immediate pop-up asking users who have 2SV off to turn it on.

  • The pop-up CTA acts as a direct hotspot to the alerts page.

BMO Profile & Settings Dashboard ( Current status: 2SV off )

  • Visible indicator of the status of the managed alerts.

  • If users spot the 'Currently off' label on alerts while on the page for another purpose, they're likely to take action and enable it, securing themselves in the process.

Emphasizing security

  • Adding a pop-up alert that reminds the user to turn on 2SV.

  • Reducing the user journey for managing the alerts.

  • Adding a quick-access link that takes the user directly to the alerts page.

Alerts Modal update

  • Adding an indicator for a quick glance at the status of the alerts

  • Updating the copy to communicate clearly what is expected.

Next steps

  • Updating the UI of the Profile & Settings page and creating an efficient user flow to access its services.

  • Implementing the same process in the BMO mobile app for both iOS and Android.

Addressing the heuristic violations

Upon evaluating the heuristics of the task flow for managing alerts, I found numerous violations that should be addressed in the next steps. To name a few:

  1. Visibility of system status: There was no instant feedback informing the user of the outcome of the interaction after managing alerts.

  2. Consistency and standards: The icons in the nav bar are not labelled.

  3. Aesthetic and minimalist design: There is room to include icons for each service so the users have a visual cue and feel confident in their decisions.