Wednesday, January 23, 2013

Improve Your Web Branch Security with the New VerifyU


The current VerifyU system has been in place since December 2005 and has been helping protect members' accounts by randomly challenging on logins and for higher risk transactions. The challenge questions were put in place primarily to protect against phishing where criminals were stealing usernames and passwords and then using them to gain access to accounts. The challenge questions did protect against phishing, but online security threats have expanded well beyond phishing over the last few years. Challenge questions are no longer enough.

That's why we are very proud to introduce the new VerifyU, which features true out-of-band, multi-factor authentication to protect your account. We have been working on this new system for over a year in order to make it as secure as possible while still providing convenience to manage your accounts with us online.

At this time, enrollment in the new VerifyU is completely optional. However, over time we will begin to remind members of the benefits of improving their online security and encourage enrollment with the goal of making enrollment mandatory by the end of 2013. At first, the new system may seem a bit burdensome, but you'll quickly find it works much better than the challenge questions and significantly increases the security of your Web Branch account.

Found on the Profile & Services tab
To enroll, go to the Profile & Services tab on Web Branch and look for the Security Settings section and click on Enroll in the New VerifyU. The enrollment process will walk you through the required steps. If you have not yet verified your contact information with us or selected a username, those steps will be required prior to enrollment--but the process will guide you through all those steps.

VerifyU works by first having you log in normally using your username and password. Then, depending on a number of factors, the system decides if you need to be challenged. However, instead of asking a challenge question, we will deliver a one-time code to you. This one-time code is not known by anyone before it is needed, which makes it much more secure than a challenge question. Future logins from that same computer or device should not require a challenge at login. The system will always challenge you on a "high risk" transaction due to the sensitivity of those transactions.

In order to accommodate the many different computers, tablets and smart phones members use to log into Web Branch as well as the many different places you might be when you are logging in, we offer many different ways to have the one-time code delivered to you. When a one-time code is required, you'll be able to choose from any of the options you are enrolled in to have the code delivered to you.
  1. Phone Call--get the one-time code delivered to your home, work or mobile phone via a voice call. When you answer, an automated message will play providing you with the code. You, of course, will need to be in one of those locations or have cellular coverage to receive the code. We also recommend putting in a "backup" number, such as that of a trusted family member or friend who could tell you the code if other options aren't available or working for you. Involving them in the process does not give the backup person your username, password or member number, or access to any of your information.
  2. Text Message--get the one-time code delivered to your mobile phone via text message. You will need to have your phone and have cellular coverage to receive the code.
  3. Email--have the one-time code emailed to you. We are offering email as a temporary way to receive the code as members get used to the new VerifyU one-time codes. If you have a good understanding for how the new VerifyU works, we highly recommend you don't enable this as the code delivery is not out-of-band. We plan to phase out the email option once members are used to the new VerifyU.
  4. VerifyU Key--a printable key (or you can take a picture of it) that allows you to decode the cipher we present. Think of this as a "secret decoder ring" for Web Branch. The best part of this is it works with no cell phone coverage or when you aren't near one of your phones.
  5. Smart Phone App--this option delivers the one-time code to you via an installable app on your smart phone. Like the VerifyU Key, it does not require cell phone coverage, but you must, of course, have access to your phone.
In order to change any of your preferences or phone numbers, you'll need to enter a one-time code. So make sure to have a variety of delivery options available to you.
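To make the flow described above concrete, here is an added example in Python (not UW Credit Union's code) of a risk-based challenge with an out-of-band one-time code: unknown devices and high-risk transactions trigger a challenge, the code is single-use and expires, and a passed challenge marks the browser as trusted through a cookie token. The code lifetime, attempt limit, channel names and transaction list are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 3        # assumed number of wrong entries before a code is voided
# Transactions that are always challenged; the exact list is an assumption.
HIGH_RISK = {"external_transfer", "add_payee", "change_contact_info"}


class Member:
    def __init__(self, username, channels):
        self.username = username
        self.channels = channels          # enrolled delivery options, e.g. {"sms": "+1-555-0100"}
        self.trusted_devices = set()      # SHA-256 of device tokens issued to this member's browsers
        self.pending = None               # the one outstanding code, if any


def new_device_token():
    """Random value placed in a first-party cookie after a successful challenge."""
    return secrets.token_urlsafe(32)


def _fingerprint(device_token):
    # Store only a hash so a copy of the server database does not yield usable cookies.
    return hashlib.sha256(device_token.encode()).hexdigest()


def needs_challenge(member, device_token, transaction=None):
    """Risk decision: high-risk transactions are always challenged, unknown devices at login."""
    if transaction in HIGH_RISK:
        return True
    return _fingerprint(device_token) not in member.trusted_devices


def issue_code(member, channel, now=None):
    """Generate a fresh six-digit code and hand it to the chosen out-of-band channel."""
    if channel not in member.channels:
        raise ValueError("member is not enrolled in this delivery option")
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    member.pending = {"code": code, "issued": now, "attempts": MAX_ATTEMPTS}
    # Stand-in for the voice/SMS/app gateway. The code is returned here only so the
    # simulation can read it; a real web tier passes it to the gateway and never logs it.
    return {"channel": channel, "to": member.channels[channel], "code": code}


def verify_code(member, submitted, device_token, now=None, remember_device=True):
    """Single-use, expiring, attempt-limited check with a constant-time comparison."""
    now = time.time() if now is None else now
    p = member.pending
    if p is None or now - p["issued"] > OTP_TTL_SECONDS:
        member.pending = None
        return False
    if hmac.compare_digest(p["code"], submitted):
        member.pending = None             # a code is accepted at most once
        if remember_device:
            member.trusted_devices.add(_fingerprint(device_token))
        return True
    p["attempts"] -= 1
    if p["attempts"] <= 0:
        member.pending = None             # too many wrong entries: member must request a new code
    return False
```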

Code delivery options
The one-time code delivery also serves another purpose. If you ever receive a one-time code and know you weren't logging in, then you know someone else is trying to access your account.

We are very excited to bring the new VerifyU to our members and feel strongly that we need to continue to look for ways to improve security to protect your accounts and sensitive information. We welcome your feedback as you begin to use the new VerifyU.

47 comments:

  1. Will enabling this break 3rd party aggregation services? If so, is there a plan to address this issue?

    Replies
    1. The short answer is yes, it will likely break most aggregation services (however, Mint will continue to work).

      Because of how the aggregation services work, they are the ones who will have to address this. Aggregation services work by asking their customers for their login information for their online banking accounts. Then they act as the member using "screen scraping" to log in and pull out the relevant balance and history information. They do all this without informing us, without any arrangements to coordinate changes and without our explicit permission. Aggregators have gotten away with this for a long time and most financial institutions (UW Credit Union included) have basically looked the other way.

      While UW Credit Union may be among the first to implement out-of-band, multi-factor authentication, most financial institutions will be following suit throughout 2013 and 2014. By that time, aggregators will have had to address this by getting formal support from the banks and credit unions they are getting data from. We are open to working with aggregators to allow them to get our data in a fully supported way that is acceptable to us. Mint reached out to us a year or so ago and we established a supported way for their system to continue to work.

      One thing to keep in mind with all this is that you are giving out your online banking password to a third party. Would you give up your email password or Facebook password to a third party? If the answer is no, then why do you need to keep your Facebook account more private than your account balances and other private personal and banking data? If there was fraud on your account and it turned out it was due to a data breach at an aggregator, who would be liable for the losses?

      We have had many discussions about our stance when it comes to aggregation services. The reality is that something is going to have to change for those services to continue. And the changes have to start with how they conduct themselves. It is our responsibility at UW Credit Union to protect our members' accounts and comply with the latest security standards, laws and regulations. Aggregators do not have the same standards as we do.

  2. In the future, please explain terms such as "aggregators," so that the uninformed may know what you are talking about.

    Replies
    1. Yes, sorry. Aggregators are services that pull in data from multiple financial institutions to show all your relationships on one site. There are many currently available with Mint being the most popular.

  3. Thank you for implementing multi-factor authentication.

  4. It works great! Looking forward to others following your lead!

  5. Will Quicken Update be able to access my account(s) with this new system?

    Replies
    1. Yes, direct downloads to Quicken will continue to work since they bypass the multi-factor authentication system. We do this since direct download is a "read-only" service and does not create as much risk.

  6. What a pain. I've verified 3 times since yesterday. This is almost too burdensome.

    Replies
    1. If you are verifying on the same device just for login over and over, then please contact us. There is likely something with your browser settings causing this and we can help.

      You should find that with normal behavior, you won't be challenged on login nearly as much as with the old VerifyU system (and there's nothing to remember).

  7. Please explain the VerifyU key. If anyone can print it out and decode it, how does it increase security?

    Replies
    1. Each member has their own unique VerifyU Key. Because it is 10 digits combined with 10 of the 26 letters each in its own unique order, there are billions of possible combinations.

      When you log in to Web Branch and choose to be challenged via the VerifyU Key, we generate a six digit number in random order that corresponds to the letters printed on your unique VerifyU Key card. Only your card can "decode" the digits to the correct set of letters.

      To generate a VerifyU Key or to retrieve one, you must log in to Web Branch and be challenged via one of the other options.

      Even though a printed card seems very low tech on the surface, the math behind the scenes makes it a very secure way to be challenged on Web Branch.

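As an added illustration of the decoder-card mechanism described in the reply above (example code, not the credit union's implementation), here is a Python model of a VerifyU-style key: ten distinct letters assigned to the digits 0-9, a random six-digit challenge, the member's hand-decoded response, and the server-side check. That challenge digits may repeat is an assumption.

```python
import hmac
import secrets
import string

CARD_SIZE = 10       # one letter for each digit 0-9
CHALLENGE_LEN = 6    # the six-digit challenge described in the reply


def generate_key_card():
    """Choose 10 distinct letters from A-Z and assign them to the digits 0-9 in random order."""
    pool = list(string.ascii_uppercase)
    chosen = [pool.pop(secrets.randbelow(len(pool))) for _ in range(CARD_SIZE)]
    return {str(digit): letter for digit, letter in enumerate(chosen)}


def is_valid_card(card):
    """Exactly the ten digit keys, mapped to ten distinct uppercase letters."""
    return (sorted(card) == [str(d) for d in range(CARD_SIZE)]
            and len(set(card.values())) == CARD_SIZE
            and all(v in string.ascii_uppercase for v in card.values()))


def key_space():
    """Number of distinct cards: ordered choices of 10 letters from 26, i.e. 26!/16!."""
    n = 1
    for i in range(26, 26 - CARD_SIZE, -1):
        n *= i
    return n


def make_challenge():
    """Six random digits (repeats allowed here; an assumption about the real system)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(CHALLENGE_LEN))


def decode(card, challenge):
    """What the member does by hand: read the letter printed under each challenge digit."""
    return "".join(card[d] for d in challenge)


def verify_response(card, challenge, response):
    """Server-side check. The card is a stored shared secret, so compare in constant time;
    as with any one-time challenge, accept each challenge once and rate-limit attempts."""
    expected = decode(card, challenge)
    return hmac.compare_digest(expected, response.strip().upper())


def render_card(card):
    """Text form of the printable card: digits on the top row, letters beneath."""
    return " ".join(card) + "\n" + " ".join(card[d] for d in card)
```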
  8. I am happy that UWCU is moving to multi-factor verification. I've been using two-step verification with gmail for some time and have found it to be very easy to use. It allows me to rest a little easier when I access my account either through public computers (university or hotel). Even if there is some rogue software recording key strokes or eavesdropping WiFi connections, the multi-factor authentication makes it much more difficult for the would be thieves.

    Thanks for trying to stay at the forefront of security technologies.

    Replies
    1. You are right, this makes it much more difficult for most of the typical threats to compromise your account. Help us spread the word to others that this is the best thing to do for all your important online accounts. Thanks!

  9. How can we delete the VerifyU out of our preferences?

    Replies
    1. VerifyU is required to use Web Branch. You can change your preferences like adding or changing phone numbers, or adding the VerifyU Key or authenticator app. That is done in the Profile & Services tab under Security Settings.

  10. Is there any option to go back to the old system? It was much less of a pain. Is there any way to turn off VerifyU?

    Replies
    1. No, the new system is a requirement to continue to use Web Branch and the old one will be retired. We are making this change both to improve security (sending a VerifyU code at the time of login is much more secure than security questions) and because of new regulations requiring better security for online banking systems.

      If you are getting challenged every time you log in, that is definitely not the proper experience. Please contact us and we can help you. Once you've authenticated on a particular computer or device, you should not be getting challenged very often at sign-on.

    2. Some people don't use the same computer or web browser. If I have 8 web browsers installed, I need to authenticate 8 times per computer. Two factor authentication is enough to get me to close my account. If I wanted additional security I would have enabled it.

      Please allow us to disable this feature.

    3. Given two factor authentication is a requirement for online banking systems, disabling it is not an option. We continue to improve the system so frequent challenges are not a problem. Your example of using eight different computers seems a bit extreme. Once you have successfully authenticated on a particular device/browser, you should not be challenged again while logging in. The old system challenged at least every 30 days. The new VerifyU is not only much, much more secure, but you should be challenged less over time.

    4. It's required for you to offer it. I have no problem with it being turned on by default. Is it also required for you to prevent the user from disabling it?

      I hit the old challenge every time I logged in. Luckily they were all the same answer so it didn't matter, I could just type in my "second password."

      It's sort of insulting to be considered extreme. I don't always use the same computer, and if my phone is dead it's a pain in the ass to use a mobile device to a) log into the bank b) open a new tab, log into mobile email c) go back and authenticate. Especially on low battery. At 2% battery it's not fun trying to log into an account that only I have the password to.

      I don't need more security. I don't reuse the password, and it's long enough. I don't share it with other people. I want multiple factor authentication turned off on my account.

  11. The pursuit of security is good, but I'm disturbed at how it is being accomplished. Why do I have to allow so many Google scripts in order to use Web Branch? How much of my UWCU information is being shared with third parties? The way the VerifyU program allows you easy access is by putting a cookie on your computer. If you don't allow the cookie, it's a pain to have to verify each time. In addition, if you want to use another bank's website, the UWCU's information won't refresh itself because of the VerifyU.

    I suspect this started with good intentions towards security, but the implementation has turned into a power play by companies that want to data mine and companies who want you to have to use the UWCU Web Branch instead of other banks' sites... I believe the VerifyU needs to be reevaluated. If it is not, I might just take my business elsewhere...

    Replies
    1. We appreciate the feedback on VerifyU. This kind of security will be the norm within a couple of years. It is actually required by regulation now, so we are quite surprised others aren't implementing it faster. The vast majority of members are finding the new VerifyU to be much more convenient than the old challenge question based version--not to mention it being much more secure. Implementation of this kind of security does not come without some need to adjust both personal and technical practices.

      The Google script you mention is Google Analytics. This analytics package is very commonly used. We do not share any private information with them and only use the data to understand the browsers and platforms our members use to access Web Branch. By knowing the most commonly used platforms, we can make sure the Web Branch experience is the best it can be for those systems. You are welcome to block Google Analytics if you choose--it will not affect the functionality of Web Branch.

      No UW Credit Union private member data is shared with third parties via Web Branch. We outline how we use member data in our privacy policy.

      You are correct on two of your points. One, if you don't accept our cookie, you will be challenged every time. If you do accept the cookie, you will be challenged much less frequently than the old system which challenged at least every 30 days. We have additional device fingerprinting in place, but mobile devices like iPhones all look the same so it isn't quite enough. There is nothing inherently evil with first-party cookies. Cookies in general have gotten a bad rap because of how they are used with third-party advertising. First-party cookies (those set by the site itself) are a core functionality of most websites and provide a ton of convenience. Not accepting them or deleting them after every session isn't really making your web browsing much more secure--just less convenient.

      You are also right about another bank's site aggregating our data breaking when implementing the new VerifyU. One exception is Mint.com--we worked with them to provide a trusted, read-only feed of your account information. Others might use our OFX server (which is also read-only) and will continue to work. Other account aggregation systems are technically a violation of our policies (since they are accessing our site without our permission). We have really just turned a blind eye to them for years.

      What surprises me most about these questions about VerifyU is that you are concerned with our use of cookies or Google Analytics, but not with sharing your Web Branch username, password and all your security question answers with a third party. Clearly the risks of doing that are greater.

  12. This seems like a pain. We are not all connected to our phones by umbilical cord at all times when we might want to access our bank account. I realize it is not your fault that it is an evil world out there and I know you are trying to help keep us safe. Perhaps it will not be as burdensome as it now seems. The security questions worked very easily and if the questions could be simply changed more often would it not be adequate?

    Replies
    1. Please do give it a chance. We have been using it internally for over a year and at first you will get challenged often, but eventually, it will only be if you are doing a "high risk" transaction. If it seems like you are being challenged constantly, please contact us. We can look into why and assist you.

      Security questions don't meet the requirements as they just amount to another password. While it seems really low tech, I suggest you check out the VerifyU Key as another option. It is very secure and can easily be printed and kept in a wallet.

  13. What happens if I am traveling outside the United States, do not have an international cell phone, need to access my UWCU account via web branch from a remote computer (not my own) to transfer money into checking so that I can withdraw cash from a foreign ATM, and VerifyU challenges me? If I don't already have a copy of the VerifyU key with me, am I out of luck? How does one obtain the key?

    Replies
    1. In the scenario you describe, it would be best to plan ahead and have your printed VerifyU Key with you. To get one, log in to Web Branch and go to Profile & Services. Then click on VerifyU Settings. You must pass a challenge to make changes to your settings. After that, you can enroll in the Printed VerifyU Key. We can also help you get your key at any branch.

      We do think most members these days would be traveling with a device they already own and use regularly. Being in a foreign country with a device you own will not necessitate a challenge in most cases. Keep in mind that it is somewhat dangerous to use an untrusted device to login to your Web Branch account. The new VerifyU system is in place to protect that exact scenario.

    2. Okay. Thanks, Eric.

  14. Absolute rubbish. The paranoia in this country is amazing! Improve your encryption, leave customers alone! For each account, bank, telephone, email account, etc, we need to remember so many passwords and security questions that we need to write them down somewhere, making them unsafe! Plus, once those secret answers are online, a good hacker can have them. Stop the paranoia!

    Replies
    1. The VerifyU code is generated as needed. Therefore it does not need to be remembered and there is no secret to be exposed by a hacker and posted online because it is different each time. Please give it a chance. It really is better than the current challenge question-based system.

  15. How do I turn this off? I don't want it.
    If guys flood my inbox I'm moving to a different bank.

    Replies
    1. Turning off the new VerifyU system is not possible. We are required to protect online accounts with more than just a username and password. Please give it a chance. It is much more secure and convenient after a bit of a learning curve.

  16. I got a little confused:

    Earlier above you say that Quicken downloads are safe (and continue to be supported) because they are read-only. But aren't aggregators (like Yodlee and Mint) also read-only? And how is one aggregator (Mint) able to interoperate with UWCU while another (say Yodlee) is not?

    BTW, I use Google's two factor authentication and like it a lot. So I agree that UWCU is moving in the right direction.

    Replies
    1. The difference between Quicken downloads and online aggregators is that you aren't sharing your password with a third party to use Quicken (the password is stored on your computer and submitted to UW Credit Union when you sync). To use Yodlee or Mint, you are giving them your password and it is stored in their databases. Because they are not financial institutions, they are not required to protect that information to the level we are. If that data is compromised under the old VerifyU system, the thief would have all the information they need to log in as you and begin committing fraud.

      Mint worked with us to implement their aggregation services in a supported and authorized way. If the data you have at Mint were compromised, the thief would still have to be able to receive your VerifyU code to login. We have yet to hear from other aggregators asking for permission to access accounts on our system. This may sound like splitting hairs, but we only authorize members to use Web Branch, not third-party computer systems.

    2. Thanks for the endorsement of Google Authenticator. We support that as an option and it does work really well with Web Branch.

  17. Above, it says that joining is optional, but I have already been enrolled without being given the option. This is not good.

    Replies
    1. Enrollment in the new VerifyU was optional starting in January 2013 when this article was originally published. Our plan all along was to eventually discontinue the old system and move members to the new one.

  18. Maybe I'm not very savvy, but I don't see how using the authenticator to generate a code on my smart phone is more secure...actually, it seems to be less secure now. All I have to do on the authenticator is open it and a code is automatically generated for UWCU. This means that if I lose my iPhone, someone could log in (assuming they have my UWCU bank login and password), and then use the authenticator to get the code. In the past, they at least had to know the answers to my security questions. That layer is missing using the authenticator on my iPhone. I can't seem to password protect the authenticator to prevent this, so how secure is using the Google app? I don't get it...maybe I'm missing something?

    Replies
    1. The likelihood of your losing your phone and it being found by someone who knows your Web Branch username and password is very low to near zero. It is much more likely for your username, password and challenge answers to be compromised by a key logger or other malware. We develop our security to protect against the most likely threats.

      We also recommend you do the following for your smartphone (on the iPhone this is very easy):

      --Create a lock code so no one can get into your phone if they happen to find it. This really should not be optional any more.
      --Use a remote wipe service so if you lose your phone, you can delete the data on it remotely (Find My iPhone does this on iOS, there are Android apps for this also).
      --In iOS 7, Apple updated Find My iPhone to render your iPhone unusable to a thief by locking your phone to your iTunes account. If a thief wipes your phone, the first thing it needs to be usable again is your iTunes password. So that feature should be enabled as well. Other carriers and devices hopefully will follow suit on this.

  19. My user name and password pop up automatically on my new iPhone. I like how quick and convenient this is but wonder about the day I lose the phone and someone else can access my UW accounts instantly.

    Replies
    1. It is a best practice to have a security code on your mobile device. This prevents someone finding your phone from accessing its contents. Also, with iPhones specifically, it provides additional safeguards (see my above comment).

      I will also mention that the next version of Web Branch mobile (and the desktop version for that matter) will not allow you to save your password. It is something auditors/regulators are asking to be disabled. We hope to address this by making it easier to login to the mobile Web Branch. More to come on that early next year.

  20. I got a text from Citibank earlier this week that someone was trying to charge hotel rooms to my account. The text stated that I should call if it was not me making the charges; I called and they stopped the transaction. I am all for more security...the harder the better I feel about my account's protection.
    Great job UWCU for the heightened security!!!

  21. Apologies if this has been covered already, but is it possible to activate this system if resident abroad?

    Replies
    1. Absolutely. We support international phone numbers. Google Authenticator and the VerifyU Key are also excellent options.

  22. I absolutely hate hate hate this system. It makes me feel like your security is lacking and this feels like a very poorly thought out patch. The options to hack this type of system are endless. I hate it enough to move my accounts to a bank with a competent security system.

  23. How do I set up Google Authenticator if I have a new phone?

    Replies
    1. In the Profile & Settings tab there is a Security Settings section. Click on the VerifyU settings link. You will have to pass a challenge using a different method (like text message).

      Once you have entered the code successfully, scroll down to the smart phone app section and click more information. There you can generate a new code.

      This process is much more straightforward in the new Web Branch which will be available in a couple of months!


We welcome your comments as a way to contribute to the discussion and provide feedback to UW Credit Union. We will not post discussion that contains personal attacks, racial slurs, profanity or other inappropriate material. We moderate comments so please be patient if you don't see yours appear right way.

If you have immediate service needs or require follow up, please contact us.