Banking from Your Terminal - A Look at PRONTO (July, 1985)
----------------------------------------------------------
By Orson Buggy

Electronic banking services via personal computer and modem are springing up as
various banks try to jump on the information age bandwagon. This month 2600
takes a look at one of the older and more varied services available in the New
York City area.

Chemical Bank's PRONTO provides a host of banking services all
available for dialing up with your personal computer and modem. After signing
on with your account you can make balance inquiries, transfer funds between
accounts, use the bank's computer to keep track of your checkbook and budget,
pay bills to selected merchants, and send electronic mail to other subscribers.
All this costs twelve bucks per month, and you get a checking account and cash
machine card thrown in, too.

Naturally, PRONTO includes numerous security features to make sure that only
those authorized to do so can play with the accounts. First of all, you can't
call up PRONTO with just any dumb terminal. You must be using their special
software. This means that you can t even subscribe unless your computer is one
of the popular series that they support (Apple II, Atari, Commodore 64, Compaq,
and IBM compatible). On top of that, there's your personal password that you
have to fork over each time you connect. This sounds good enough to keep the
average troublemaking hacker out of their hair, but is by no means bulletproof.
If someone eavesdropped on a PRONTO conversation he or she could easily pick up
the codes needed to get into that account, since they're probably the same ones
for each session (unless, of course, the eavesdroppee has changed the password
lately). Of course, this hypothetical intruder would need their own copy of
PRONTO software. But that would not be much of an impediment to many hackers.

One bank officer, when presented with this argument, countered with, "But 
there's really nothing an intruder could do with your account even if they di
d manage to sign on to it somehow. They could get their jollies transferring
money between your accounts, but they can't take any out for themselves." PRONTO
allows you to pay bills, but only to a selected list of merchants. This has
over 300 companies on it, including other banks where you might want to make
loan or credit card payments, all of the area utilities, insurance companies,
several clubs, newspapers, and other kinds of businesses that bill you every
month. If there's someone you want to pay that's not on the list, you can ask
for them to be included. Chemical claims this is a big security advantage over
other banks' home services, since you can only send money to someone on their
pre-approved lists. Just in case the unthinkable should happen, the customer is
liable for the first $50 of a fraudulent electronic banking transaction, just
like in the credit card and cash machine services. Except in that case, the
customer may be liable for the first $500 (the maximum) if he or she fails to
notify the bank within two days of losing the bank card or access code.

Chemical also provides another service called PRONTO Business Banker. Like
PRONTO, it has slick promotional material telling the prospective manager how
he can get complete control over his company's accounts. The selling style is a
little different, but it appears to be basically the same service except with a
few minor changes for business customers.

The way the money actually gets transferred when you pay your bills is also
interesting - as of March when Chemical received a PRONTO request for a payment
somewhere, some clerk in New Jersey would actually write a check out, shove it
in an envelope, and mail it off. I don't know whether they've modernized this
at all, but they were planning to. Chemical also speaks of future expansions to
PRONTO, such as news, home shopping, and stock quotes.

In the bad old days, most bank transactions needed a human being's signature to
be processed. Electronic banking services replace the handwritten signature
with a digital identification. The security is fairly good when it comes to a
handheld bank card, suitable for sticking into cash machines wherever you go,
which otherwise stays in your pocket where no one else should have any access.
But the home banking services take this one step further - the latest
"signature" is merely a computer identification code, which, like a
common-carrier access code or credit card number, is only secure while no one
else knows about it.

Citibank's recognition of your digital signature is rather disappointing. Their
first level of security is the individual copy of the software they give you,
which has an embedded identification in it. The next one is the number printed
on your bank machine card that they give you (shades of the ATT calling card
blunders). The last one is the same "personal identification code" (PIC), a
four- to six-digit password, that is magnetically encoded on your banking card
and must be typed in whenever you use their cash machines. This puts a lot of
strain on the PIC, since its disclosure would compromise both your cash machine
and home banking accounts. Citibank warns you in their literature to inform
them immediately if, among other things, your banking software is "lost or
stolen." Either they don't think copying of that software is a threat, or they
have (ha ha) copy protected it.

By the way, one of the other home banking services is called EXCEL from Manu -
facturers Hanover (aka Manny Hanny). The only one of merit that I know of is
PRONTO, and then only because of the electronic mail included in the monthly
fee. You would have to be the kind of person who writes a lot of monthly checks
or has a difficult time making it out to the nearest cash machine in order to
benefit from those services.

[Citibank's bank-by-phone system is called DIRECT ACCESS. We tried out this one
using a simulation disk, which we ordered for free through an 800 number. The
people there were very happy to send us a demo-floppy for an IBM compatible.
This system has several other services including Dow Jones.]