Wednesday, January 23, 2013

Improve Your Web Branch Security with the New VerifyU


The current VerifyU system has been in place since December 2005 and has been helping protect members' accounts by randomly challenging on logins and for higher risk transactions. The challenge questions were put in place primarily to protect against phishing where criminals were stealing usernames and passwords and then using them to gain access to accounts. The challenge questions did protect against phishing, but online security threats have expanded well beyond phishing over the last few years. Challenge questions are no longer enough.

That's why we are very proud to introduce the new VerifyU which features true out-of-band, multi-factor authentication to protect your account.We have been working on this new system for over a year in order to make it as secure as possible while still providing convenience to manage your accounts with us online.

At this time, enrollment in the new VerifyU is completely optional. However, over time we will begin to remind members of the benefits of improving their online security and encourage enrollment with the goal of making enrollment mandatory by the end of 2013. At first, the new system may seem a bit burdensome, but you'll quickly find it works much better than the challenge questions and significantly increases the security of your Web Branch account.

Found on the Profile & Services tab
To enroll, go to the Profile & Services tab on Web Branch and look for the Security Settings section and click on Enroll in the New VerifyU. The enrollment process will walk you through the required steps. If you have not yet verified your contact information with us or selected a username, those steps will be required prior to enrollment--but the process will guide you through all those steps.

VerifyU works by first having you log in normally using your username and password. Then, depending on a number of factors, the system decides if you need to be challenged. However, instead of asking a challenge question, we will be delivering a one-time code to you. This one-time code is not known by anyone prior to it being needed. Because of this, it is much more secure than a challenge question. Future logins from that same computer or device should not require challenges on log in. The system will always challenge you on a "high risk" transaction due to the sensitivity of those transactions.

In order to accommodate the many different computers, tablets and smart phones members use to log into Web Branch as well as the many different places you might be when you are logging in, we offer many different ways to have the one-time code delivered to you. When a one-time code is required, you'll be able to choose from any of the options you are enrolled in to have the code delivered to you.
  1. Phone Call--get the one time code delivered to your home, work or mobile phone via a voice call. When you answer, an automated message will play providing you with the code. You, of course, will need to be in one of those locations or have cellular coverage to receive the code. We also recommend putting in a "backup" number like one of a trusted family member or friend who could tell you the code if other options aren't available or working for you. By involving them in the process, the backup person would not know your username, password or member number or have access to any of your information.
  2. Text Message--get the one time code delivered to your mobile phone via text message. You will need to have your phone and have cellular coverage to receive the code.
  3. Email--have the one-time code emailed to you. We are offering email as a temporary way to receive the code as members get used to the new VerifyU one-time codes. If you have a good understanding for how the new VerifyU works, we highly recommend you don't enable this as the code delivery is not out-of-band. We plan to phase out the email option once members are used to the new VerifyU.
  4. VerifyU Key--a printable key (or you can take a picture of it) that allows you to decode the cypher we present. Think of this as a "secret decoder ring" for Web Branch. The best part of this is it works with no cell phone coverage or when you aren't near one of your phones.
  5. Smart Phone App--this option delivers the one-time code to you via an installable app on your smart phone. Like the VerifyU Key, it does not require cell phone coverage, but you must, of course, have access to your phone.
In order to change any of your preferences or phone numbers, you'll need to enter a one-time code. So make sure to have a variety of delivery options available to you.

Code delivery options
The one-time code delivery also serves another purpose. If you ever receive a one-time code and know you weren't logging in, then you know someone else is trying to access your account.

We are very excited to bring the new VerifyU to our members and feel strongly that we need to continue to look for ways to improve security to protect your accounts and sensitive information. We welcome your feedback as you begin to use the new VerifyU.

Monday, January 14, 2013

Choose a Username for Web Branch

You can now login to Web Branch using a username instead of your member number. If you haven't already, you'll be offered the opportunity to choose a username when you login to Web Branch. If you'd like to choose one before we prompt you, you can do so by going to the Profile & Services tab and clicking Choose a Username. In the near future, we will require all members to choose a username, but you can skip this step for now.

Upon picking a username, you'll no longer use your member number to login to Web Branch. We are making this change as part of our continued efforts to improve the security of Web Branch.

At any time, you can change your username by visiting the Profile & Services tab and clicking on the Change Username link under the Security Settings section.