Guardians of the galaxy (or at least of Internet Banking)

Ever wish you had a superhero on your side? Someone who would sweep you off the tracks just before the train rushes by? Someone looking out for you, ready to rescue you from danger? That’s sort of like the security OCCU provides its members. OCCU strives to keep up with the latest security innovations. Now, they’re implementing new member protections with a security packet from the Federal Financial Institutions Examination Council (FFIEC), an interagency body that prescribes principles and standards for financial institutions.

Aaron Trickett, Virtual Services Project Coordinator, says the additional security for Internet Banking and MyOCCU Mobile will use new identity validation methods for any transaction considered “risky.”

When members first set up their OCCU accounts, they probably picked some traditional security questions and answered them ahead of time. For instance, “What was your first pet’s name?” or “What street did you grow up on?” You may have been prompted to answer those questions at some point if something happened to tickle the system’s spidey sense; in other words, if it had some reason to doubt you are who you say you are. A change in your typical browsing habits, such as using a new device or browser or clearing your cache, will also trigger the system’s spidey sense.

The FFIEC package includes additional identity validation methods, Knowledge Based Authentication and Out-of-Band Authentication, to ensure a fraudster isn’t trying to impersonate you. “When FFIEC has determined a member is attempting to process a transaction that is considered ‘risky,’ it will prompt the member with these validation methods that must be completed before the transaction will process,” says Trickett.

The new Knowledge Based Authentication questions are different in that they are not picked from a list and answered ahead of time. Rather, the questions are sourced from public databases you have used in the past. Using LexisNexis to source the questions, Trickett says the system may ask you something like, “In 1997 you owned a house at which address?” The program will then present you with four or five choices, with one being the correct answer. If you are who you say you are, it should be easy for you to answer. Someone trying to hack your account won’t have a clue where you lived in 1997. Shazam!      

Out-of-Band Authentication is where the user will receive a unique code they’ll need to enter into Internet Banking or the MyOCCU Mobile Banking app before the transaction will process. You will receive the code either by phone call or through SMS (text message). For this method, it’s important that OCCU has your current contact information. If you’re asked to answer an Out-of-Band Authentication challenge and OCCU doesn’t have your current number on file, you’ll need to contact them to make sure the code can be sent to your current number.

While it’s good to know you have someone looking out for you, sometimes being asked to stop and answer questions or enter special codes can seem like added stress in an already busy day. It’s important to remember that OCCU is adding these security measures to help protect members. All OCCU members will gain the benefits of extra security, but very few will have to do anything differently than they do right now.

OCCU has been quietly building security profiles and collecting transactional behavior patterns in the background for all Internet Banking and MyOCCU Mobile Banking app users. This data will be used to determine which transactions fall outside the normal range of behavior for an individual user. A high-end estimate predicts that between 3% and 5% of all Internet Banking and MyOCCU Mobile Banking app users may be asked to answer an additional question or provide a code.

“These new security measures are designed to be almost invisible to legitimate Internet Banking and MyOCCU Mobile Banking app users, but a roadblock for fraudsters,” says Trickett. “The new validation methods should be easy for the true owner of an account and are there only for added protection — not for the sake of inconvenience.”           

Now that’s what I call a hero.