Lately, even if all cookies have been deleted, my online banking site
doesn’t bother to ask me my security questions but goes straight to the
password entry screen. If I log on from a different machine, however, it does
ask the security questions. This also seems to happen with the site of my
credit card company. What could possibly be causing this?
SiteKey is a technique used by many financial institutions to strengthen the
check that you are who you say you are when you log in. As Bank of America
deploys it, the scheme has two parts: a picture and phrase you chose, shown to
you before you type your password so you can check you are on the real site,
and a set of challenge questions the bank asks when it does not recognize the
computer you are using. Your question is about the second part. The banks
claim it is stronger security; some security experts disagree with that
assessment.
Stronger or not, it’s there. How it works, and in particular how it decides
when to ask the additional questions, is not well documented.
To start with, your question implies an assumption – an assumption that may
not be true.
You’re assuming your bank is using cookies.
Here’s Bank of America’s description of what they do:
When you sign in, we attempt to recognize your computer as one
you’ve used before to access Online Banking. You’ll find the choice to remember
the computer when you enroll, or when you sign in from a computer we don’t
recognize. We use a variety of methods to recognize the computers that you use
to ensure your safety and protection.
Note the phrase “We use a variety of methods…”. Wonderfully vague, no?
Other banking institutions use similarly vague descriptions.
Cookies might certainly be used in a situation like this. Personally I’d be
a little concerned if they were: a cookie is a convenience, not by itself a
security tool, and how hard it is to spoof depends entirely on what it holds.
A cookie that merely flags “this computer is remembered”, or one with a
predictable value, would not be difficult for someone targeting your bank to
forge and so get past that portion of the authentication scheme. Only a long,
random value that the bank has stored against your account is as hard to forge
as a session ID, and even that can be copied along with the rest of your
cookies by anything that steals from your browser.
My guess (and I must stress it’s only an educated guess) is that
cookies are not being used. Additional information, perhaps the type of browser
you’re using and/or your IP address, might be recorded at the bank
rather than on your computer, and associated with your account. The next
time you log in to your account using the same IP address and the same
browser, the bank might assume it’s from the same place and not need to ask
you the additional questions. That would also explain why clearing your
cookies changes nothing: the record isn’t on your computer to clear.
An important point: the additional information does not by itself identify
you. All it does is provide the bank with data that increases the probability
that you are accessing it from the same computer you were using before, a
computer you told the bank to remember.
The goal of this part of SiteKey is simply to require something beyond your
user name and password. If the bank can reasonably assume that you’re probably
coming from a computer you previously said to trust, then the password alone
might be enough. If not, asking you the additional security questions provides
that extra level of security.
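As an added illustration (this is not code from Ask Leo! or from any bank), here is a toy server-side version of the scheme guessed at above: the bank keeps a keyed hash of the browser string plus IP address against the account and skips the questions only when a login matches a remembered entry. The secret, the account structure, the browser strings and the addresses are all made up for the example. The walk-through also covers a laptop that moves between a home and a work network, which shows why a change of network can trigger the questions even on a machine you asked the bank to remember.

```python
"""Toy server-side device recognition for a bank login (illustrative only)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Assumption: a server-side secret, so a stored fingerprint cannot be
# recomputed by someone who merely knows a customer's browser and address.
SERVER_SECRET = b"replace-with-a-real-secret"


def device_fingerprint(user_agent: str, client_ip: str) -> str:
    """Derive a recognition token from data the server already sees.

    Nothing here identifies a person; it only says "same browser string
    from the same address as last time".  Matching on a coarser key
    (e.g. the /24 network) would tolerate small address changes but
    would also weaken the signal.  Invalid addresses raise ValueError.
    """
    ip = ipaddress.ip_address(client_ip.strip())  # canonical form
    material = f"{user_agent.strip()}|{ip.compressed}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


@dataclass
class Account:
    """Constructed account record: only the remembered devices matter here."""
    username: str
    remembered_devices: set = field(default_factory=set)


def needs_extra_questions(account: Account, user_agent: str, client_ip: str) -> bool:
    """True when the request matches none of the devices stored at the bank."""
    return device_fingerprint(user_agent, client_ip) not in account.remembered_devices


def remember_device(account: Account, user_agent: str, client_ip: str) -> None:
    """Called once the customer answers the questions and ticks 'remember'."""
    account.remembered_devices.add(device_fingerprint(user_agent, client_ip))


def login(account: Account, user_agent: str, client_ip: str,
          remember_after_challenge: bool = True) -> str:
    """Return 'password-only' or 'challenged'.

    In the challenged case the customer is assumed to answer correctly;
    if they ticked "remember this computer", the device is recorded.
    """
    if needs_extra_questions(account, user_agent, client_ip):
        if remember_after_challenge:
            remember_device(account, user_agent, client_ip)
        return "challenged"
    return "password-only"


def scenario() -> list:
    """Constructed walk-through of the situations described on the page."""
    acct = Account("alice")
    home_ip, work_ip = "203.0.113.10", "198.51.100.7"  # documentation ranges
    laptop = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"
    other_pc = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"
    return [
        login(acct, laptop, home_ip),    # first visit: challenged, then remembered
        login(acct, laptop, home_ip),    # same browser + address: password only
        login(acct, laptop, work_ip),    # same laptop, new network: challenged again
        login(acct, other_pc, home_ip),  # different machine, same network: challenged
        login(acct, laptop, work_ip),    # work network now remembered as well
    ]


if __name__ == "__main__":
    print(scenario())
```

Note that deleting cookies on the customer's machine changes nothing in this model, because the record lives in the bank's account data; a real deployment would also use more signals than these two, and would expire or cap the remembered entries.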
For a definitive answer on why your computer is, or isn’t, being asked the
additional questions you’ll need to ask your bank, since the implementation is
up to them.
My bank uses something called a “SiteKey” as well, but it’s for exactly the opposite reason. It’s not for the bank to double-check your identity, but rather for you to verify the bank’s identity. (That is, it’s not a phishing site.)
The login page asks only for your user name, and not for the password. After clicking “log in”, you are then given a second page, which shows the “SiteKey” you chose when signing up for online access. It consists of a picture (which you chose from a list) and a phrase (which you typed in), and asks for your password. A phishing site would have no way of knowing what picture and phrase are associated with your username on that bank. (Well, not unless they had some spyware on your system which discovered them when you logged in. But if they had that much access to your computer, they could simply capture your username and password and wouldn’t need the phishing site.)
I think there is something else there too, in addition to IP address and browser.
My computer travels back and forth between work and my home network. The banks never seem to recognize me when I switch networks, even though I check the “remember this computer” box.
Why wouldn’t the bank assume I’m using two different computers (different IPs, same browser though) and remember both as trusted machines? Something else that is triggering it (same machine, different network, better ask again) is at work.