Wednesday, January 23, 2013

Improve Your Web Branch Security with the New VerifyU


The current VerifyU system has been in place since December 2005 and has been helping protect members' accounts by randomly challenging on logins and for higher risk transactions. The challenge questions were put in place primarily to protect against phishing where criminals were stealing usernames and passwords and then using them to gain access to accounts. The challenge questions did protect against phishing, but online security threats have expanded well beyond phishing over the last few years. Challenge questions are no longer enough.

That's why we are very proud to introduce the new VerifyU which features true out-of-band, multi-factor authentication to protect your account.We have been working on this new system for over a year in order to make it as secure as possible while still providing convenience to manage your accounts with us online.

At this time, enrollment in the new VerifyU is completely optional. However, over time we will begin to remind members of the benefits of improving their online security and encourage enrollment with the goal of making enrollment mandatory by the end of 2013. At first, the new system may seem a bit burdensome, but you'll quickly find it works much better than the challenge questions and significantly increases the security of your Web Branch account.

Found on the Profile & Services tab
To enroll, go to the Profile & Services tab on Web Branch and look for the Security Settings section and click on Enroll in the New VerifyU. The enrollment process will walk you through the required steps. If you have not yet verified your contact information with us or selected a username, those steps will be required prior to enrollment--but the process will guide you through all those steps.

VerifyU works by first having you log in normally using your username and password. Then, depending on a number of factors, the system decides if you need to be challenged. However, instead of asking a challenge question, we will be delivering a one-time code to you. This one-time code is not known by anyone prior to it being needed. Because of this, it is much more secure than a challenge question. Future logins from that same computer or device should not require challenges on log in. The system will always challenge you on a "high risk" transaction due to the sensitivity of those transactions.

In order to accommodate the many different computers, tablets and smart phones members use to log into Web Branch as well as the many different places you might be when you are logging in, we offer many different ways to have the one-time code delivered to you. When a one-time code is required, you'll be able to choose from any of the options you are enrolled in to have the code delivered to you.
  1. Phone Call--get the one time code delivered to your home, work or mobile phone via a voice call. When you answer, an automated message will play providing you with the code. You, of course, will need to be in one of those locations or have cellular coverage to receive the code. We also recommend putting in a "backup" number like one of a trusted family member or friend who could tell you the code if other options aren't available or working for you. By involving them in the process, the backup person would not know your username, password or member number or have access to any of your information.
  2. Text Message--get the one time code delivered to your mobile phone via text message. You will need to have your phone and have cellular coverage to receive the code.
  3. Email--have the one-time code emailed to you. We are offering email as a temporary way to receive the code as members get used to the new VerifyU one-time codes. If you have a good understanding for how the new VerifyU works, we highly recommend you don't enable this as the code delivery is not out-of-band. We plan to phase out the email option once members are used to the new VerifyU.
  4. VerifyU Key--a printable key (or you can take a picture of it) that allows you to decode the cypher we present. Think of this as a "secret decoder ring" for Web Branch. The best part of this is it works with no cell phone coverage or when you aren't near one of your phones.
  5. Smart Phone App--this option delivers the one-time code to you via an installable app on your smart phone. Like the VerifyU Key, it does not require cell phone coverage, but you must, of course, have access to your phone.
In order to change any of your preferences or phone numbers, you'll need to enter a one-time code. So make sure to have a variety of delivery options available to you.

Code delivery options
The one-time code delivery also serves another purpose. If you ever receive a one-time code and know you weren't logging in, then you know someone else is trying to access your account.

We are very excited to bring the new VerifyU to our members and feel strongly that we need to continue to look for ways to improve security to protect your accounts and sensitive information. We welcome your feedback as you begin to use the new VerifyU.

Monday, January 14, 2013

Choose a Username for Web Branch

You can now login to Web Branch using a username instead of your member number. If you haven't already, you'll be offered the opportunity to choose a username when you login to Web Branch. If you'd like to choose one before we prompt you, you can do so by going to the Profile & Services tab and clicking Choose a Username. In the near future, we will require all members to choose a username, but you can skip this step for now.

Upon picking a username, you'll no longer use your member number to login to Web Branch. We are making this change as part of our continued efforts to improve the security of Web Branch.

At any time, you can change your username by visiting the Profile & Services tab and clicking on the Change Username link under the Security Settings section.

Thursday, August 30, 2012

Web Branch Passwords Now Up to 32 Characters

The first defense in protecting your online accounts is choosing a good password. Beyond including numbers, symbols and capital letters, password length also plays a role.

In our ongoing effort to improve the security of Web Branch, we now allow you to choose a password of up to 32 characters. By allowing more characters, you can now use a "passphrase" rather than just a single word password. A favorite saying or song lyric is usually easy to remember and makes your password virtually uncrackable.

From Wikipedia:
Typical advice about choosing a passphrase includes suggestions that it should be:
  • Long enough to be hard to guess
  • Not a famous quotation from literature, holy books, et cetera
  • Hard to guess by intuition—even by someone who knows the user well
  • Easy to remember and type accurately
  • For better security, any easily memorable encoding at your own level can be applied.
  • Not reused between sites, applications and other different sources.

Since online security is only as strong as its weakest link, we also recommend having a unique password only for use on Web Branch. Other sites may have significant security issues in how they store and manage passwords. If your password is stolen from another site, and you aren't using it for more sensitive sites--like online banking--you won't have to worry about your account being compromised.

For more information on choosing a good password and our online security, please see our main website:

http://www.uwcu.org/OnlineBanking/OnlineSecurity/Passwords.aspx

http://www.uwcu.org/OnlineBanking/OnlineSecurity/Default.aspx

Monday, July 2, 2012

New Look to the Web Branch Login

As part of our ongoing efforts to improve the security of Web Branch, you'll notice a few cosmetic changes to the login box. Over the coming months, we'll be implementing a new multi-factor authentication system and this small change is the first. While the new look doesn't change functionality, it sets the wheels in motion for future enhancements.

Much more information on the new VerifyU system will be available as the time to implement that system draws closer.

In addition to the login box, you'll notice a new Security Settings section in the Profile & Services tab. Currently, the only option is to change your password, but additional functionality will be added here as it becomes available.

Tuesday, August 30, 2011

Our New Text Banking Number UWCU9 (89289)

To make text banking even easier and to make our number more memorable, we've implemented a short code for our Text Banking service. Now, you can send your text commands to UWCU9 (89289) to access Text Banking.

The 10 digit number 608-205-8910 will still work, but our replies will come from the short code.

In addition, all our SMS text alerts from Web Branch will come from the short code as well.

To avoid confusion, please begin using the short code for all future Text Banking needs and add 89289 to your phone's contact for UW Credit Union.

September 15, 2011 update:  Due to issues with some carriers, the 10 digit number will be used for alerts until you register for text banking. At that time, the short code will be sending any future alerts (as well as responses to text banking commands). We suggest you add both the short code and 10 digit number to your UW Credit Union contact on your mobile phone.