Announcing Online Banking Enhanced Login Security

You can be confident that when you access your account information online, your personal information is protected. As more and more customers choose to use our free Online Home Banking services, our commitment to fight against Internet fraud grows stronger.


Aroostook Savings & Loan’s online security system now includes Advanced Login Authentication (ALA). This system is in compliance with the Federal Financial Institutions Examination Council (FFIEC) guidelines for protecting your financial information online.

You will enter your valid user ID. If the device used for login is typical of past successful logins, the Password page will appear. If the device is not typical, an extra layer of security is needed to complete the login process. The Advanced Login Authentication system will require you to enter a One-Time Security Code that you will choose to receive via phone or text message. Once the One-Time Security Code is entered, you will then be asked to enter your Password to gain access to your Online Home Banking service. Lockout will only occur if you enter an invalid password beyond the allowed retries.

As we work together, we can protect your identity and preserve your good name. Please rest assured that we are here to serve you, and we will work hard to keep your personal information confidential so that you may continue to enjoy the convenience of our free Online Home Banking services. 

Frequently Asked Questions about Advanced Login Authentication

Do you have a question about the new Advanced Login Authentication? We have compiled the following answers to some of the most commonly asked questions. If you are unable to find your answer here, feel free to call us locally at (207) 498-8726, (207) 764-6591, toll free in-state (800) 696-8726 or email us.

What is Advanced Login Authentication?

Advanced Login Authentication (ALA) is a new feature for Aroostook Savings & Loan’s Online Home Banking users that gives you and your accounts an additional layer of protection from fraud by using more than one method to confirm your identity. Advanced Login Authentication uses the phone channel to obtain a one-time security code to confirm authentication. The solution offers both SMS Text and Voice Interaction. To start the process, you are presented with a list of the phone numbers on record. Up to six telephone numbers are supported and can include domestic, international and extensions. If you do not have a phone number, you will be prompted to add a phone number(s). The first few screens will look like this:
[Screenshots: SignOn2, ReachYou2]
You may choose any number listed to receive the voice interaction. Voice interaction works well on Mobile Devices as well as Land Lines. There are no restrictions in the Voice Phone network that would prevent a call from going to any device. When you select to get an SMS Text, you enter the phone number where you want the SMS message to go as a way to give us permission to send the SMS Text (Mobile Carrier Requirement). We will verify that the number matches one of the numbers already listed for you. If it does, we will send the SMS Text to the number you entered.

Why is Advanced Login Authentication necessary?

The Federal Financial Institutions Examination Council (FFIEC) has determined that the security provided by a single password may be defeated with new technology being employed by high-tech hackers of today. In response, our regulators have mandated that enhanced security precautions be implemented to increase online safety and make accounts more secure while preventing spoofing attempts by look-alike websites.

How does it work?

You are no longer required to formally register your computer; the new Enhanced Security login system has technology to recognize whether your computer has been used before to access the system. We are implementing a more secure, behind-the-scenes process to validate your device (PC, laptop, tablet, mobile phone), username and password.

We are also adding additional layers of security in the event you log in from a device that has not been used in the past. You may be asked to validate your identity through a one-time security code via a phone call or SMS message. These enhanced security features provide increased security for every login.


What are the features of Advanced Login Authentication?

Features include:

  • The new security enhancements will validate the computer that you routinely use to access Aroostook Savings & Loan’s Online Home Banking service.
  • You will have the ability to log on from non-validated computers using a provided one-time security code.
  • You will have the option to receive the one-time security code via a phone call or text message.

How many computers may be validated?

More than one computer may be validated; however, we recommend that you use only trusted computers over which you have control, such as your home computer. We do not recommend that you access Online Home Banking on computers accessible by others not authorized to access your accounts (e.g., at your local library or at work).

Why do I need to enter a password as well as a security code?
Your PASSWORD is used to access the Aroostook Savings & Loan Online Home Banking while a one-time security code is used during the login process if logging in from a non-validated computer.

What happens if I enter an incorrect Password?

If you attempt to log in with the wrong password, an error message will be displayed. You will be prompted to try again. You can attempt to enter your correct password three times before your Aroostook Savings & Loan online account is frozen. If your account is frozen, you will need to contact the Aroostook Savings & Loan Call Center to reconfirm your identity and have your account unfrozen. An Aroostook Savings & Loan representative is available at (207) 498-8726 or toll free in-state at (800) 696-8726, Monday through Friday from 8 a.m. until 5 p.m.

Additional Frequently Asked Questions about Enhanced Security

Q: What if I am traveling for an extended period of time? Say, for example, I am traveling in Europe while on vacation and we have our laptop with us. If we normally log in from that device but now log in with that device while in Europe, will the step-up be needed?
A: Step-up is triggered based on Device profiling which doesn’t trigger differently if you are logging in from outside of the US. The device ID is analyzed the same way within the US or outside of the US. Also, there are no restrictions in making Advanced Login Authentication calls internationally. If you have already defined your cell phone in the system and it is enabled for international service, it will work fine.

Q: If we don’t pass Advanced Login Authentication, or the second authentication step, what happens? Is my account locked/frozen? What steps do I have to follow to get it unlocked? Or does it auto unlock after a set time?

A: The User ID is not locked or frozen if you do not pass Advanced Login Authentication. You are open to try again.

Q: How much time do I have to complete the step-up process?

A: Once Device ID indicates that you need to be stepped-up and you are redirected to the Advanced Login Authentication page, you will have 5 min to complete. If you don’t validate the one-time passcode within the 5 min and are still logged in, the system will redirect you automatically to the login page. The 5 min countdown starts after you enter your user ID and we validate it.

Q: Why did I have to go through the additional authentication process? (Why did I get stepped up?)

A: The most common reason is that this is a new device profile identified for you, or there has not been enough consistent use of the Device to confirm the correlation. Because the Device Profiling looks at many factors together, as well as a system cookie and a Flash Object from a prior session, there are some instances where changes to a combination of factors would trigger a risk score that requires additional authentication. These situations are difficult to pinpoint and difficult to explain but essential to appropriate assessment of risk. Examples include:

  • Clearing Cookies + a Browser Setting Change
  • Many devices used by a single user in a short period of time
  • Multiple people using the same device can trigger a risk profile
  • A Browser Update, Cleared Flash Object, Dates Out-of-Synch

 
Q: If I login from a Public PC and the Device fingerprint is recorded or “registered” doesn’t this put me at risk?
A: Suggested education includes the fact that you should keep your PC firewalls and virus detection up-to-date. This recommendation extends to using computers outside of your control: you should not log in to online banking from a PC if you do not know whether virus protection and firewalls are in place. The FFIEC has publicly recommended: Consumers should not log in to Online Banking from Public Computers or using Public Wi-Fi access. When you log in to Online Banking from a PC where you do not have control over the Security Controls, such as firewalls and virus protection, you are at risk. Public PCs can have malware that records any information you enter. For this reason we strongly recommend you do not use Public PCs for online banking.

Q: If I enter an SMS number that is not listed, what message or screen will I see?

A: The screen and the message look like this:
[Screenshot: EnterMobile]

Q: If none of the phone numbers listed are current, I am able to click on “My phone number is not listed”. What does this do?
A: The screen looks like this:
[Screenshot: PhoneNotListed]

Q: On the One-Time Security Code Screen, there is a link at the bottom of the page – “I didn’t receive a text message”.

A: The standard message suggests you wait a little longer or try again with another phone number. It looks like this:
[Screenshot: TextNotRecvd]

Q: If there is no phone number listed for me at all, what will I see? Is it just blank with the radio buttons or will any message be presented?

A: The screen looks like this:

[Screenshot: NoPhoneOnRecord]

Q: Do I have the option of getting the One-Time-Passcode in email?
A: Email is not used in Advanced Login Authentication. Because email is received on the PC and accessed through the browser on the PC it is not another channel and can be compromised by malware.

Q: What if I select SMS Text and do not receive the Text Message with the One-Time-Passcode?

A: Since the SMS message carrier network is not as well developed as the voice phone network, there may be gaps in service caused by smaller carriers that do not participate in the full network. There can also be delays in message delivery across any area of the network.  If you select SMS text and the message is not received, you are directed to try the Voice Phone Call or use another number.

Q: I do not have a land line and use a service like Go Phones, Trac Phones, or other pay per use phones. I do not receive the voice or text message.
A: We researched these services and noticed that in some cases these programs do restrict SMS messages to person-to-person messages or require you to buy a specific level of service to get access to program type SMS messages. We do not know of any issues that would prevent pay per use phones from receiving a phone call and going through the Voice Advanced Login Authentication process.

Helpful Hints for repeated step-up

If you continue to get stepped up over and over, we have found that sometimes users’ browsers don’t encrypt the Device ID correctly, so the device cannot be recognized as a previously used Device. Here are some hints we have found helpful in resolving client-side issues that prevent a device from properly registering and result in users being stepped up on every login:

  • Clear cookies; do not check “Preserve Favorite Sites” - Internet Explorer only.
  • Delete any flash cookies for our website. This can be done at "http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html": scroll through the list to find our website, highlight it and click ‘Delete Website’ - All browsers.

The Voice Interaction workflow goes like this:

[Screenshot: ReachYou2]
Select a phone number and click continue. The phone rings and the automated voice identifies the call as coming from us and asks you to key or speak the number on the screen into the phone. The screen looks like this:

[Screenshot: PhoneCallComplete]
After the number is entered or spoken correctly, you need to click “phone call completed” and are put back on the password page.

The SMS Text Message Interaction looks like this:
[Screenshot: ReachYou2]
Select “send a text message” and click continue. You key in your Mobile Phone Number on this screen. You have to key in the number to “opt-in” to receive the text message. We check the number against the numbers on file. If your entered number does NOT match a number on file, we will not send the message.

[Screenshot: EnterMobileTerms]
When you click “send text message” AND the numbers match, we send the message with the code.

This screen appears for the code entry:
[Screenshot: EnterSecCode]
Once the code is entered, submitted and checked against the code sent, you will proceed to the password page.
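
The step-up rules described on this page, modeled as an added example (this is not Aroostook Savings & Loan's or its vendor's code): a recognized device goes straight to the password page, a text message is sent only when the number you type matches one on file, a wrong code lets you retry without a lockout, and the 5 minute window runs from the moment the user ID is validated. The class and function names, the six-digit code length and the digits-only phone comparison are assumptions made for illustration.

```python
import hmac
import secrets

OTP_WINDOW_SECONDS = 5 * 60   # page: 5 min, counted from user ID validation
MAX_PHONES = 6                # page: up to six numbers on record


def digits(number):
    """Reduce a phone number to its digits so formatting does not matter."""
    return "".join(ch for ch in number if ch.isdigit())


class StepUpSession:
    """One login attempt, created once the user ID has been validated."""

    def __init__(self, phones_on_file, device_recognized, started_at):
        self.phones = {digits(p) for p in phones_on_file[:MAX_PHONES]}
        self.started_at = started_at
        self.verified = device_recognized   # recognized device skips step-up
        self._code = None

    def next_page(self):
        return "password" if self.verified else "step_up"

    def send_sms(self, entered_number):
        """Opt-in check: send only if the typed number matches one on file."""
        if digits(entered_number) not in self.phones:
            return None                     # no message is sent
        # Assumption: six-digit code; the page does not state the length.
        self._code = f"{secrets.randbelow(10**6):06d}"
        return self._code                   # stands in for the SMS gateway call

    def submit_code(self, submitted, now):
        if now - self.started_at > OTP_WINDOW_SECONDS:
            self._code = None
            return "login"                  # window expired: back to login page
        if self._code and hmac.compare_digest(submitted.encode(),
                                              self._code.encode()):
            self.verified, self._code = True, None   # code is single-use
            return "password"
        return "step_up"                    # wrong code: retry, no lockout
```

The three-attempt password lockout is a separate counter on the password page and is not part of this sketch.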