#782616 - 07/25/07 05:30 PM Separate Internet Banking ID and PIN Mailers
A.B. Offline
100 Club
A.B.
Joined: Nov 2005
Posts: 165
KY
Upon assignment of the internet banking ID and PIN, a bank that I am auditing is putting both on the same letter sent to the customer. Understanding security concerns and best practices with having both evident on the letter, is there any FDIC and/or OCC regulation prohibiting this action?

Thanks in advance.
_________________________
Opinions/comments are mine and not my employers.

eBanking / Technology
#782968 - 07/25/07 08:41 PM Re: Separate Internet Banking ID and PIN Mailers A.B.
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
A reg outright prohibiting this? Not to my knowledge, but there are some questions to ask here.

My first question would be, what is the multi-factor authentication method used in conjunction with the user ID and password? If it's dealt with separately, and is robust, it might not be as big of an issue.

Secondly, I wonder what sort of written risk assessment there is on the subject. That may offer some clues to why they are doubling up on the user ID and PIN. If there is no formal risk assessment, then that's a significant finding right there. You can refer to a number of things for that one.
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.

#783453 - 07/26/07 02:45 PM Re: Separate Internet Banking ID and PIN Mailers Czargazer
A.B. Offline
100 Club
A.B.
Joined: Nov 2005
Posts: 165
KY
Originally Posted By: Czargazer
My first question would be, what is the multi-factor authentication method used in conjunction with the user ID and password? If it's dealt with separately, and is robust, it might not be as big of an issue.


Yes, they are using Cyota for their MFA. Behavior based.

Originally Posted By: Czargazer
Secondly, I wonder what sort of written risk assessment there is on the subject. That may offer some clues to why they are doubling up on the user ID and PIN. If there is no formal risk assessment, then that's a significant finding right there. You can refer to a number of things for that one.


Therein lies another problem: no RA for internet banking. So, there are several concerns.

Thanks.
_________________________
Opinions/comments are mine and not my employers.

#783625 - 07/26/07 04:32 PM Re: Separate Internet Banking ID and PIN Mailers A.B.
califgirl Offline
Diamond Poster
califgirl
Joined: Mar 2002
Posts: 2,355
The O.C., California
Use of MFA will not mitigate the risk here for a first-time log in on internet banking. User name and PIN should be sent out separately.
_________________________
I can explain it to you. I can't understand it for you.

#784015 - 07/26/07 10:19 PM Re: Separate Internet Banking ID and PIN Mailers califgirl
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
Given that they don't have a risk assessment, I'd focus mostly on that, but specifically mention that the practice of sending the username and PIN out together exposes new users to a great deal of risk and needs to be reconsidered while they build a risk assessment.
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.

#790959 - 08/08/07 11:24 AM Re: Separate Internet Banking ID and PIN Mailers Czargazer
Baseball2013 Offline
Member
Baseball2013
Joined: Sep 2006
Posts: 70
Our Online Banking users choose their own password at application/registration for Online Banking. We mail them their user ID, which must be changed at initial sign on. I would never be comfortable sending both credentials in the same envelope, or even on the same day.

For business online banking, we have a more sophisticated system, which requires two IDs and two passwords, which we send out in *three* separate mailings over three business days.

#791003 - 08/08/07 01:31 PM Re: Separate Internet Banking ID and PIN Mailers Baseball2013
A_G Offline
10K Club
Joined: Jul 2004
Posts: 18,958
Two different envelopes, two different days, by two different people.
_________________________
With the lights out, it's less dangerous.

#791224 - 08/08/07 05:18 PM Re: Separate Internet Banking ID and PIN Mailers A_G
Titanic Offline
Gold Star
Titanic
Joined: Feb 2005
Posts: 300
My Workplace
We send two separate emails to the customer. One with general instructions, agreements and User ID. Another one with the temporary password. Such password is valid only for 72 hours.

Once the customer signs up and updates his/her online information, a customer service rep contacts the customer to ensure that the customer indeed updated such info (here is where we offer other products and services as well).
_________________________
"Common sense is not so common." ~Voltaire
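The two practices described in this thread, a temporary password that is only valid for 72 hours (Titanic's post) and a credential that must be changed at the initial sign-on (Baseball2013's post), delivered in two separate mailers, sketched as an added example. This is not code from the original thread or from any bank's system; the `EnrollmentStore` class, the `TEMP_PASSWORD_TTL` constant, the mailer field names and the sample customer ID are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed validity window, matching the 72-hour figure given in the thread.
TEMP_PASSWORD_TTL = timedelta(hours=72)
MIN_PERMANENT_PASSWORD_LEN = 12  # assumed policy value


@dataclass
class Enrollment:
    user_id: str
    salt: bytes
    temp_hash: bytes                     # hash of the temporary password only
    issued_at: datetime
    consumed: bool = False               # True once the first sign-on succeeded
    permanent_hash: Optional[bytes] = None


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the store never holds a recoverable temporary password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EnrollmentStore:
    """Issues split credential mailers and enforces first sign-on rules."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Enrollment] = {}

    def issue(self, user_id: str, now: datetime) -> Tuple[dict, dict]:
        """Return two separate mailers: one with the ID, one with the temp password."""
        temp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._by_user[user_id] = Enrollment(user_id, salt, _hash(temp, salt), now)
        id_mailer = {
            "channel": "mailer-1",
            "user_id": user_id,
            "instructions": "Sign on and set a new password within 72 hours.",
        }
        password_mailer = {
            "channel": "mailer-2",
            "temporary_password": temp,
            "expires_at": now + TEMP_PASSWORD_TTL,
        }
        # Neither mailer carries both pieces; they are sent separately.
        return id_mailer, password_mailer

    def first_login(self, user_id: str, temp_password: str,
                    new_password: str, now: datetime) -> str:
        """Validate the temporary credential and force an immediate change."""
        enr = self._by_user.get(user_id)
        if enr is None or enr.consumed:
            return "rejected"            # unknown ID or temp password already used
        if now - enr.issued_at > TEMP_PASSWORD_TTL:
            return "expired"             # outside the 72-hour window
        if not hmac.compare_digest(_hash(temp_password, enr.salt), enr.temp_hash):
            return "rejected"
        if new_password == temp_password or len(new_password) < MIN_PERMANENT_PASSWORD_LEN:
            return "weak_new_password"   # the mailed value may not be kept
        enr.permanent_hash = _hash(new_password, enr.salt)
        enr.consumed = True              # temp password is single-use
        return "ok"


if __name__ == "__main__":
    # Constructed sample run; "cust-001" is a made-up customer ID.
    store = EnrollmentStore()
    issued = datetime(2007, 8, 8, tzinfo=timezone.utc)
    id_mailer, pw_mailer = store.issue("cust-001", issued)
    print(store.first_login("cust-001", pw_mailer["temporary_password"],
                            "a-long-permanent-password", issued + timedelta(hours=1)))
```

The expiry check runs before the hash comparison so a stale mailer is refused even if the value in it is right, and the temporary password is marked consumed on success so a second use of the same mailer fails.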

#791603 - 08/08/07 11:13 PM Re: Separate Internet Banking ID and PIN Mailers Titanic
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 78,958
Galveston, TX
By e-mail? Encrypted e-mail or secure site-to-site, I hope?
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#793675 - 08/13/07 07:03 PM Re: Separate Internet Banking ID and PIN Mailers A.B.
AnnL Offline
Gold Star
AnnL
Joined: Jan 2003
Posts: 334
Western PA
Our system allows the user to choose a username and password during the auto enrollment. They must verify the amount of their last deposit or their telephone banking PIN.

We follow the enrollment up with a welcome letter that contains a form for them to complete and return requesting they choose a security question/answer. This is sent to the address on our core system.
_________________________
"The light at the end of the tunnel has been turned off due to budget cuts."
