Lately, even if all cookies have been deleted, my online banking site
doesn’t bother to ask me my security questions but goes straight to the
password entry screen. If I log on from a different machine, however, it does
ask the security questions. This also seems to happen with the site of my
credit card company. What could possibly be causing this?
SiteKey is a technique used by many financial institutions to more securely
confirm that you are who you say you are when you log in. They
claim that it’s stronger security; however, some security experts disagree with that.
Stronger or not, it’s there. How it works and how it decides to ask you your
additional questions are all kind of mysterious.
To start with, your question implies an assumption – an assumption that may
not be true.
You’re assuming your bank is using cookies.
Here’s Bank of America’s description of what they do:
When you sign in, we attempt to recognize your computer as one
you’ve used before to access Online Banking. You’ll find the choice to remember
the computer when you enroll, or when you sign in from a computer we don’t
recognize. We use a variety of methods to recognize the computers that you use
to ensure your safety and protection.
Note the phrase “We use a variety of methods…”. Wonderfully vague, no?
Other banking institutions use similarly vague descriptions.
Certainly cookies might be used in a situation like this. Personally I’d be
a little concerned if they were, since cookies are a convenience but certainly
not necessarily a security tool. For example, I don’t think it’d be too
difficult for someone targeting your bank to spoof the cookies needed to get
past that portion of the authentication scheme.
My guess (and I must stress it’s only an educated guess) is that
cookies are not being used. Additional information, perhaps the type of browser
you’re using and/or your IP address, might be recorded at the bank
rather than on your computer. That information might be associated with your
account. Then, the next time you log in to your account using the same IP and
same browser the bank might assume it’s from the same place and not need to ask
you the additional questions.
An important point is that this additional information does not by
itself identify you. All it does is provide the bank with data that increases
the probability that you are accessing it from the same computer you were
before – a computer you told the bank to remember.
The ultimate goal of SiteKey is simply to require additional authentication
beyond your user name and password. If the bank can reasonably assume that
you’re probably coming from a computer you previously said to trust, then that
might be enough. If not, then asking you additional security questions provides
that extra level of security.
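The server-side recognition guessed at above, sketched as an added example (not code from any bank or from this article). It assumes the bank keeps a keyed hash of the browser string and IP network for each account; the class and function names, the /24 and /64 grouping, the key and the sample values are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo secret; a real service would load this from a key store.
SERVER_KEY = b"constructed-demo-key"

def fingerprint(user_agent: str, ip: str) -> str:
    """Keyed hash of the two signals the article guesses at: browser and IP."""
    addr = ipaddress.ip_address(ip)
    # Assumption: compare on the network rather than the exact address, so a
    # new DHCP lease inside the same block still counts as the same place.
    prefix = 24 if addr.version == 4 else 64
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    material = f"{user_agent.strip().lower()}|{network}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()

class DeviceRegistry:
    """Remembered fingerprints per account, held at the bank, not in a cookie."""

    def __init__(self):
        self._remembered = {}  # account id -> set of fingerprints

    def remember(self, account: str, user_agent: str, ip: str) -> None:
        """Called when the customer chooses to have this computer remembered."""
        self._remembered.setdefault(account, set()).add(fingerprint(user_agent, ip))

    def next_step(self, account: str, user_agent: str, ip: str) -> str:
        """'password' if the device looks familiar, else 'security_questions'."""
        candidate = fingerprint(user_agent, ip)
        known = self._remembered.get(account, set())
        if any(hmac.compare_digest(candidate, fp) for fp in known):
            # A match only raises the odds that it is the same computer; the
            # password is still required, and anyone with the same browser on
            # the same network would also match.
            return "password"
        return "security_questions"

if __name__ == "__main__":
    reg = DeviceRegistry()
    ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"  # constructed sample
    print(reg.next_step("alice", ua, "203.0.113.10"))    # first visit
    reg.remember("alice", ua, "203.0.113.10")
    print(reg.next_step("alice", ua, "203.0.113.10"))    # after cookies deleted
    print(reg.next_step("alice", ua, "198.51.100.5"))    # different machine
```

Because nothing is stored in the browser, deleting cookies does not change the outcome, which matches the behaviour described in the question.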
For a definitive answer on why you are, or are not, being asked the
additional questions, you’ll need to ask your bank, since the implementation is
up to them.