The current VerifyU system has been in place since December 2005 and has been helping protect members' accounts by randomly challenging on logins and for higher risk transactions. The challenge questions were put in place primarily to protect against phishing where criminals were stealing usernames and passwords and then using them to gain access to accounts. The challenge questions did protect against phishing, but online security threats have expanded well beyond phishing over the last few years. Challenge questions are no longer enough.
That's why we are very proud to introduce the new VerifyU, which features true out-of-band, multi-factor authentication to protect your account. We have been working on this new system for over a year in order to make it as secure as possible while still providing convenience to manage your accounts with us online.
At this time, enrollment in the new VerifyU is completely optional. However, over time we will begin to remind members of the benefits of improving their online security and encourage enrollment with the goal of making enrollment mandatory by the end of 2013. At first, the new system may seem a bit burdensome, but you'll quickly find it works much better than the challenge questions and significantly increases the security of your Web Branch account.
[Image: Found on the Profile & Services tab]
VerifyU works by first having you log in normally using your username and password. Then, depending on a number of factors, the system decides if you need to be challenged. However, instead of asking a challenge question, we will be delivering a one-time code to you. This one-time code is not known by anyone prior to it being needed. Because of this, it is much more secure than a challenge question. Future logins from that same computer or device should not require challenges on log in. The system will always challenge you on a "high risk" transaction due to the sensitivity of those transactions.
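A minimal sketch of the flow described above, added here as an illustration and not UW Credit Union's own code. The action names, the six-digit format, the five-minute lifetime and the one-guess-per-code rule are assumptions, and the "number of factors" is reduced to whether the device has been seen before.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the page does not state one
HIGH_RISK = {"add_payee", "external_transfer"}  # hypothetical action names


class StepUpAuth:
    def __init__(self):
        self.trusted_devices = {}  # username -> set of recognised device ids
        self.pending = {}          # username -> (sha256 of code, expiry time)

    def needs_challenge(self, user, device_id, action="login"):
        """High-risk actions always challenge; logins only from unknown devices."""
        if action in HIGH_RISK:
            return True
        return device_id not in self.trusted_devices.get(user, set())

    def issue_code(self, user, now=None):
        """Generate the code only when it is needed; store just its hash."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[user] = (digest, now + CODE_TTL_SECONDS)
        return code  # handed to the delivery channel (call, text, app)

    def verify(self, user, device_id, submitted, now=None):
        """Single use: the pending code is consumed by any attempt, right or wrong."""
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        digest, expiry = entry
        candidate = hashlib.sha256(submitted.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, candidate):
            return False
        # A passed challenge marks this device as recognised for future logins.
        self.trusted_devices.setdefault(user, set()).add(device_id)
        return True
```

Because a wrong guess consumes the pending code, an attacker holding a stolen password gets one attempt per delivered code, and each new code alerts the member through the delivery channel.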
In order to accommodate the many different computers, tablets and smart phones members use to log into Web Branch as well as the many different places you might be when you are logging in, we offer many different ways to have the one-time code delivered to you. When a one-time code is required, you'll be able to choose from any of the options you are enrolled in to have the code delivered to you.
- Phone Call--get the one-time code delivered to your home, work or mobile phone via a voice call. When you answer, an automated message will play providing you with the code. You, of course, will need to be in one of those locations or have cellular coverage to receive the code. We also recommend putting in a "backup" number, such as that of a trusted family member or friend who could tell you the code if other options aren't available or working for you. Involving them in the process does not give the backup person your username, password or member number, or access to any of your information.
- Text Message--get the one-time code delivered to your mobile phone via text message. You will need to have your phone and have cellular coverage to receive the code.
- Email--have the one-time code emailed to you. We are offering email as a temporary way to receive the code as members get used to the new VerifyU one-time codes. If you have a good understanding of how the new VerifyU works, we highly recommend you don't enable this, as the code delivery is not out-of-band. We plan to phase out the email option once members are used to the new VerifyU.
- VerifyU Key--a printable key (or you can take a picture of it) that allows you to decode the cypher we present. Think of this as a "secret decoder ring" for Web Branch. The best part of this is it works with no cell phone coverage or when you aren't near one of your phones.
- Smart Phone App--this option delivers the one-time code to you via an installable app on your smart phone. Like the VerifyU Key, it does not require cell phone coverage, but you must, of course, have access to your phone.
[Image: Code delivery options]
We are very excited to bring the new VerifyU to our members and feel strongly that we need to continue to look for ways to improve security to protect your accounts and sensitive information. We welcome your feedback as you begin to use the new VerifyU.



Will enabling this break 3rd party aggregation services? If so, is there a plan to address this issue?
The short answer is yes, it will likely break most aggregation services (however, Mint will continue to work).
Because of how the aggregation services work, they are the ones who will have to address this. Aggregation services work by asking their customers for their login information for their online banking accounts. Then they act as the member using "screen scraping" to log in and pull out the relevant balance and history information. They do all this without informing us, without any arrangements to coordinate changes and without our explicit permission. Aggregators have gotten away with this for a long time and most financial institutions (UW Credit Union included) have basically looked the other way.
While UW Credit Union may be among the first to implement out-of-band, multi-factor authentication, most financial institutions will be following suit throughout 2013 and 2014. By that time, aggregators will have had to address this by getting formal support from the banks and credit unions they are getting data from. We are open to working with aggregators to allow them to get our data in a fully supported way that is acceptable to us. Mint reached out to us a year or so ago and we established a supported way for their system to continue to work.
One thing to keep in mind with all this is that you are giving out your online banking password to a third party. Would you give up your email password or Facebook password to a third party? If the answer is no, then why do you need to keep your Facebook account more private than your account balances and other private personal and banking data? If there was fraud on your account and it turned out it was due to a data breach at an aggregator, who would be liable for the losses?
We have had many discussions about our stance when it comes to aggregation services. The reality is that something is going to have to change for those services to continue. And the changes have to start with how they conduct themselves. It is our responsibility at UW Credit Union to protect our members' accounts and comply with the latest security standards, laws and regulations. Aggregators do not have the same standards as we do.
In the future, please explain terms such as "aggregators," so that the uninformed may know what you are talking about.
Yes, sorry. Aggregators are services that pull in data from multiple financial institutions to show all your relationships on one site. There are many currently available with Mint being the most popular.
Thank you for implementing multi-factor authentication.
It works great! Looking forward to others following your lead!