
With the number of identity authentication measures and security features offered today, it’s unnerving to realize how easy it could have been for someone to hijack six of SIGNiX’s corporate bank accounts just a few days ago.

Our bank was recently acquired, so I went through the process to transfer accounts to the new bank. Like most financial processes today, accounts can be viewed and managed online. So to make the accounts impossible to access except for those with authorization, the bank sent me a hardware security token for each account we were transferring. 

This is a premier example of two-factor authentication—one of the most certain ways to ensure the right people have access to digital information. Each time I would sign into the accounts, the token would provide a unique code for me to use in addition to a username and password. But for two-factor authentication to work, it must be used correctly. In the words of the late Paul Harvey, here’s “the rest of the story.”

When the bank mailed these tokens to me, they left two major vulnerabilities unchecked.

Vulnerability #1: Each security token was packaged with a document that provided step-by-step information on how to set up the accounts. The documents all contained my customer number, user name and password for the setup. That meant that all the tools and information anyone would have needed to access these six accounts were there for the taking—both steps in the two-factor authentication—in one convenient package.

Vulnerability #2: The package containing the security tokens and documents was intended to be shipped to our SIGNiX headquarters, but the package reached our previous location first. When the package reached our actual location our receptionist was allowed to sign for it. Should that have been opened at the wrong address or given to someone who had another motive, this could have resulted in fraud of major proportions. (Thankfully, the package was forwarded and our receptionist—like all of SIGNiX’s employees—is a rock star of the highest integrity.) 

These giant security risks could have been avoided entirely with a secure digital process—and it would be far cheaper and easier.

Consider another high-stakes process: signing a $250,000 loan. With e-signatures, you can do this anywhere and anytime with an Internet connection. But instead of mailing a security token with other ID information, as in the case above, the process remains fully digital with highly secure authentication processes—like knowledge-based authentication (KBA) or two-factor authentication. 

Digital two-factor authentication is one of the strongest ways to make certain only the right people have access to information. Instead of mailing tokens and login information, which could be intercepted by anyone, a one-time PIN code can be sent to your mobile phone via a text message. This is used in addition to a username and password.

In a worst-case scenario, let’s say someone stole your phone and now has access to that PIN code—he still does not know your username and password. There are two distinct levels of verification one must meet.

With KBA, another secure authentication method, not only is a signer required to supply a Social Security number and a date of birth, she’s required to answer a series of questions pulled from information found in public databases. Questions may revolve around information from up to 30 years ago, and it would be extremely difficult for anyone other than you to know the answers or find them in your wallet or phone.

Not only is this safer, it’s cost-effective—there’s no paper or ink involved and no shipping. (Imagine buying and mailing six security tokens to every client the bank has. That’s not cheap.)

For now, I’m counting my blessings knowing this is a cautionary tale only. And in the future, my guard will go up fast to anything but secure digital processes like our own here at SIGNiX.
