FAQs on the Latest Security Practices for Online Banking

Dec 10, 2015

Or, why do I need to enter verification codes and come up with answers to strange life history questions just to login to online banking?

Security is one of Washington Federal’s top concerns, and cyber security of your online account information is a focus, particularly as we upgraded our online banking platform.  You likely noticed that the sign-in process for online banking now uses something called “out-of-band authentication.” These security strategies are also known as two-factor or multi-factor authentication.

Q:  Let’s back up. What is out-of-band authentication anyway? 

A: Out-of-band authentication is a two-step sign-on process. Along with requiring the traditional username and password, the system asks you to provide a second type of verification through an entirely separate channel. For example, say you’re signing into your online banking profile for the first time from a computer. You’d start by entering your username and password, then the system would send a code to the phone number we have in our records.  This code can be sent via an SMS text message or automated phone call. Once you receive the code, you enter it onto your computer screen to continue signing in. Because your phone is a separate “channel” from your computer, it’s considered “out-of-band.”

Q: How does this keep my information more secure?

A: Out-of-band authentication is being used increasingly by financial institutions and other organizations that have high security needs. Requiring out-of-band authentication makes hacking an account more difficult because the hacker would need access to two separate and unconnected channels (both your phone and your computer) to gain access to your account. If we stick to the example above, then the hacker would need to have access to the account owner’s username, password and phone in order to sign in to the account.  Simply put, the out-of-band authentication step provides an extra double check to ensure that the individual signing into the account is authorized.

Q: So does it work?

A: Nothing’s absolute, but out-of-band authentication provides an extra precaution to help protect your account against hacker attacks. According to a recent Verizon Data Breach Investigation Report, “95 percent of breaches involve the exploitation of stolen credentials.” By using out-of-band authentication, simply exploiting credentials won’t be enough to access someone’s account.

Q: How else does the upgrade help keep my information safe?

A: Our new system also requires more secure passwords. All passwords must be at least eight characters in length and consist of at least one uppercase letter, one lowercase letter, one number and one special character. (Phew!) While this may seem overly picky, additional password requirements are critical to keeping your information safe.

Want proof? Take a look at this example from the tech blog, MakeUseOf.com.

We’ll compare 5-character passwords with 5-point patterns. Passwords can contain any character on your keyboard, including a-z, A-Z, 0-9, and all special characters, such as !, @, #, $, and so on. In total, that’s about 90 different possibilities with a US English keyboard. Each character can use all possible entries, so each character can be any of those 90 possibilities. In mathematical permutations, we have to multiply them together.

So for a 90 character password, that amounts to 90x90x90x90x90 = 5,904,900,000. That’s almost 6 million different passwords you can make with 5 characters. No one will manually try to type in 6 million different passwords in order to guess the right one. Of course, for each additional character in your password, you multiply that number by 90. So upgrading to just a 6 character password gives you over 531 million possibilities.  You can see that a minimum of 8 characters is much harder to guess, even with the help of a malicious computer program!

Q:  It seems like I’m constantly entering codes and answering security questions.  Why?

A:  The Intelligent Authentication platform that online banking uses will slowly learn which devices belong to you.  But in the meantime, when you switch between your work and home computer, or between your phone and desktop browser, it will ask you to either enter a verification code or answer security questions, or both.  We also use out-of-band authentication to verify it’s really you before allowing an external transfer from your account with us to another account outside of the bank.  That helps protect the funds in your account from disappearing via an external transfer based solely on a stolen username and password.
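For readers who want to see the logic, here is a minimal sketch of the step-up flow described above: a code is sent to the phone on record when a sign-in comes from an unrecognized device, and always before an external transfer. It is an added illustration, not Washington Federal's implementation; the class and function names, the 6-digit code, the 5-minute expiry and the 3-attempt limit are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # assumption: a code expires after 5 minutes
MAX_ATTEMPTS = 3    # assumption: a challenge allows 3 wrong guesses

class StepUpAuth:
    """Decides when a second channel is needed and checks the code sent over it."""

    def __init__(self, send_code, clock=time.time):
        self.send_code = send_code   # hypothetical SMS/voice gateway callback
        self.clock = clock
        self.known_devices = {}      # user -> device ids already verified
        self.pending = {}            # user -> [code, expires_at, attempts_left]

    def needs_challenge(self, user, device_id, action="login"):
        # External transfers are always challenged; logins only from new devices.
        if action == "external_transfer":
            return True
        return device_id not in self.known_devices.get(user, set())

    def start_challenge(self, user, phone_on_file):
        # The code goes to the number already on record, never one supplied now.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        self.send_code(phone_on_file, code)

    def verify(self, user, device_id, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[user]   # expired or guessed too often
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[2] -= 1
            return False
        del self.pending[user]       # single use: the same code cannot be replayed
        self.known_devices.setdefault(user, set()).add(device_id)
        return True
```

A stolen username and password alone never reach `verify` with the right code, because the code travels only to the phone on file.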

Q:  Where can I learn more?

A:  For more information about how you can help keep your account safe, check out our other articles, Optimize Your Online Security or 5 Easy Ways to Protect Your Identity.
