This story was printed from ZDNet Australia.
Bank's security questioned as it ushers customers online

By Andrew Colley
January 18, 2002
URL: http://www.zdnet.com.au/news/security/soa/Bank-s-security-questioned-as-it-ushers-customers-online/0,130061744,120263018,00.htm


St.George Bank may be sacrificing customer security in its aggressive campaign to promote the financial institution's Internet banking facility.

St.George customers who request a replacement card will receive an additional letter from the bank enticing them to use its phone and Internet banking services.

Contained in an envelope emblazoned with the phrase 'Phone and Internet banking' and the word 'confidential', the letter contains a four-digit security PIN (Personal Identification Number) and instructions on how to use it to access the bank's online service.

"This security number, together with your card/access number and Last Name, is your key to accessing all of your St.George accounts through Phone or Internet banking," it reads, then helpfully recommends that the user change the number and keep it confidential thereafter.

A St.George customer, who observed that after appropriating his security number a malicious individual would only require his card number to misuse his account, was unhappy with the security wisdom displayed by the bank's service representatives.

The bank told the irate customer, who contacted ZDNet Australia after detecting the security weakness when his PIN letter was accidentally misdirected to, and opened by, his 11 year-old neighbour, that it was not responsible for the problem because it's "illegal to open other people's mail".

The customer service sage then went on to discuss the finer points of criminal law as they relate to credit card theft and fraud, explaining that these too are "illegal" activities and also beyond the bank's control.

"The idea is that there's a lag between the receipt of the letter and the arrival of the card," said St.George Bank media relations manager Rebecca Taylor. "The card number never appears on statements or anything that we send to our customers."

Taylor acknowledged that the letter would provide family members and individuals sharing occupancy with St.George customers with enough details to defraud them, but said the chances of this occurring are "remote".

"We can't deny customers the convenience of using this service based on that one instance," said Taylor.

The Australian Banking Industry Ombudsman (ABIO) annual report last year identified a situation where a bank erroneously re-credited a mortgage account that its holder believed had been closed. The letter sent to the customer to notify her of the account's status was intercepted by her spouse without her knowledge. A gambling addict, he later used the anonymity of the Internet as a canopy to transfer AU$100,000 from the account to support his habit.

To mollify anxieties, St.George Bank's customer service centre is informing its customers that they will be compensated for any financial losses resulting from fraudulent misuse of the system.

Taking the customer service centre's statements at face value, the bank's online service could be open to abuse. An unscrupulous customer could, theoretically, access the online banking facility to transfer funds using the PIN. Later, they could claim ignorance of the security number, and that a third party misappropriated it and conducted the transaction without their knowledge.

Presumably, the onus to produce evidence that the security number reached the card owner would lie with the bank's investigators.

"We wouldn't know that we would be able to," said the bank's corporate relations manager, Adam Cook. "I don't know necessarily that we wouldn't either - that would be the subject of the bank's investigation."

Given the method that the bank uses to deliver the PIN, some suggest that it would be hard to think of circumstances where the bank would be able to do so.

St.George believes that its customers have an adequate understanding of the implications of allowing their online banking PIN to fall into the wrong hands.

"Yes I think they would understand the importance of the number," said Cook. "That's why we ask them to change it when they first use the service".

Asked whether he felt there was any inconsistency in the two statements, Cook replied, "we just need to remind them".

Cook said that the bank's policy of mailing PINs through conventional postal services is not new and is standard practice across the banking industry.

Cook is referring to St.George's ATM card PINs, which are often mailed to customers, the card itself arriving shortly after. Activating a standard St.George ATM card requires the customer to undergo a 50-point identification process and divulge their account password, either over the phone or in person at a branch.

The St.George Internet Banking PIN does not require additional customer verification, and the bank believes that applying the same security checks and balances it currently applies to card PINs would go against the interests of the bank's customers.

"Technically we could, but that's not what the customer wants," said Cook, explaining that customers would see visiting the bank as an inconvenience.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.