All the worries stirred up by the Heartbleed security flaw highlight why it makes good sense to take precautions with personal data. But sometimes companies erect security barriers so high that they shut out even their own clients.
I recently went online to our Schwab account and requested a wire transfer. After a delay and a second request, followed by verification by telephone, several days passed without any money transfer.
Schwab then said: “In order to complete your request please go to one of our branches and bring a picture ID with you.” In a follow-up call, an agent explained that the company grew suspicious based on a computer IP address — the identifying number given to a computing device — that did not match the location they expected.
I had logged in from home, but I was using a secure browser called Authentic8 Silo which masked my location (I’ve recently written about secure browsers here). I turned to experts to learn more about what had happened.
“I am surprised that mainstream companies are relying on that as a security measure, because I think the mechanism is incredibly brittle,” said Scott Petry, Authentic8’s co-founder and CEO. “If you go and travel around, it’s standard operating procedure for you to be picking up different IPs in different regions.”
Yet Schwab is far from alone in its practices. Security experts say companies routinely scope out your IP address whenever you visit their websites.
“Using IP address to prevent fraud and risky web activity is a widespread practice and you can expect almost everybody from online stores to social networks to banks are doing it,” said TJ Mather, president of MaxMind, which offers companies IP intelligence and online fraud prevention tools.
In the last five to eight years, companies have increasingly employed “confidence ranking” filters in which IP address and other data help them set fraud alerts, said Mark Bregman, chief technology officer at Neustar, which helps firms with IT security.
“Companies use a variety of methods for fraud detection, including browser header information, confirming account registration data matches, cookies, device fingerprinting, and for mobile users, device location,” he said. “This multi-tiered approach is appropriate because each method has its weakness. For repeat customers, companies will look for consistent behavior and information.”
Added Mather: “Session analysis is also used to do things like looking at the web pages a user navigated through before logging in or looking at the time users take to perform certain actions to identify anomalous behavior.”
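The multi-tiered scoring that Bregman and Mather describe can be sketched as a small risk-scoring function. The code below is an added illustration, not code from the article or from any of the companies it quotes; the signal weights, thresholds, and the two login scenarios are constructed for the example. It contrasts an IP-only check with a score that also weighs device fingerprint, session cookie, login hour and the pages visited before login, so that a repeat customer on an unfamiliar IP is not flagged on that signal alone.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CustomerProfile:
    """What a site has learned about a repeat customer (constructed sample data)."""
    usual_countries: set
    known_device_ids: set
    usual_hours: range          # local hour-of-day window in which logins normally occur


@dataclass
class LoginAttempt:
    ip_country: str             # from an IP geolocation lookup
    ip_is_anonymizer: bool      # IP belongs to a VPN, proxy or hosted-browser egress range
    device_id: Optional[str]    # hash of a browser/device fingerprint, None if unavailable
    has_session_cookie: bool    # cookie set on an earlier successful login from this browser
    login_hour: int             # local hour of day of this attempt
    pages_before_login: int     # session analysis: 0 means a direct hit on the login form


def score_ip_only(profile: CustomerProfile, attempt: LoginAttempt) -> int:
    """The brittle approach: location derived from the IP is the only signal."""
    score = 0
    if attempt.ip_country not in profile.usual_countries:
        score += 30
    if attempt.ip_is_anonymizer:
        score += 10
    return score


def score_multi_signal(profile: CustomerProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Combine several weak signals; corroborating evidence lowers the score.

    Weights are illustrative (assumption), not values from any vendor."""
    score = 0
    reasons: List[str] = []
    if attempt.ip_country not in profile.usual_countries:
        score += 30
        reasons.append("ip_country_mismatch")
    if attempt.ip_is_anonymizer:
        score += 10
        reasons.append("anonymizing_ip")
    if attempt.device_id is None:
        score += 10
        reasons.append("no_device_fingerprint")
    elif attempt.device_id in profile.known_device_ids:
        score -= 25                     # same device as previous logins: strong corroboration
    else:
        score += 20
        reasons.append("unknown_device")
    if attempt.has_session_cookie:
        score -= 15                     # browser previously completed a login
    else:
        score += 5
        reasons.append("no_session_cookie")
    if attempt.login_hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual_hour")
    if attempt.pages_before_login == 0:
        score += 10
        reasons.append("direct_to_login")
    return max(0, min(100, score)), reasons


def decide(score: int) -> str:
    """Map a score to an action; thresholds are an assumption for the example."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"            # ask for a second factor rather than freeze the account
    return "allow"


# Constructed scenarios.
PROFILE = CustomerProfile(usual_countries={"US"}, known_device_ids={"dev-a1b2"},
                          usual_hours=range(7, 23))

# A customer abroad on a VPN, using the laptop and browser they always use.
TRAVELLER = LoginAttempt("DE", True, "dev-a1b2", True, 9, 3)

# Stolen credentials replayed at 3 a.m. from a device the site has never seen.
SUSPICIOUS = LoginAttempt("DE", True, "dev-zz99", False, 3, 0)

if __name__ == "__main__":
    for name, attempt in (("traveller", TRAVELLER), ("suspicious", SUSPICIOUS)):
        multi, why = score_multi_signal(PROFILE, attempt)
        print(name, "ip-only:", decide(score_ip_only(PROFILE, attempt)),
              "multi-signal:", decide(multi), why)
```

With only the IP as evidence both attempts look the same (a 40-point score, step-up in both cases); with the extra tiers the travelling customer scores 0 and is allowed while the replayed credentials score 85 and are denied.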
Despite several phone calls and days of delay, Schwab remained suspicious and kept the account frozen. A traditional signed letter sent by mail did not assuage those fears. Only a visit to a Schwab office, even if one does not live in a town with a Schwab office, would resolve the issue, they said.
“We sincerely regret that certain circumstances that require a client to provide verification within a branch office may cause some inconvenience, but it’s a measure we sometimes have to take for the client’s own protection,” said Sarah Bulgatz, a Schwab spokeswoman.
Of course, companies must take security precautions to prevent fraud. Yet in the future I expect that more people will turn to VPNs and secure browsers that provide websites less information, as users take more control over the flow of their own data. So IP address checks may become ever less accurate.
As for Schwab, it took several hours to travel to and from its office to prove that their warning flags had misfired. Because other banks and brokers rely on similar techniques, it is possible the same set of circumstances could have happened with them. Yet the episode had soured the relationship. Perhaps somewhat impetuously, on Friday, we liquidated the account.
Alienating clients is not inevitable, especially if companies adopt better fraud detection methods. Chip Witt, director of product management, enterprise & OEM at security company Webroot, suggests two-factor authentication is ultimately the best approach for Internet security.
“Client certificates are a more efficient way to identify individual users than an IP address, as the certificate gets installed on the device, and does not change as the location and IP address do,” he said. “Neither certificates nor IP-based user identification address the other concern in a mobile world: a lost or stolen device. An increasingly popular way to positively affirm identity is to use two-factor authentication.”
“This, as it turns out, is also one of the more flexible and mobile friendly approaches, as it relies on something the user knows, their username and password, and something the user has, a secure token generator (or a mobile device that can receive tokens via SMS or mobile app).”