Digital life | Adaptive authentication: have you heard of it?

Even if you make certain errors, your financial institution may still let you access your data.


You want to access your bank account. You enter your password, then move on to the security question. You get the answer wrong. The site lets you in anyway. Strange? In any case, it is a practice adopted by, among others, Desjardins' AccèsD service.

Members of the Desjardins Group have indeed been able to access their bank account even without giving exactly the right answer to the security question required for two-factor authentication, which one might think should be applied strictly.

“A slight tolerance is allowed in the answers to security questions in order to offer a more fluid experience, without compromising security,” said Jean-Benoît Turcotti, spokesperson for Desjardins.

This slight tolerance is part of a practice known in computer security as adaptive authentication.

“It makes it possible to recognize a typing error, for example a forgotten accent,” continues the Desjardins spokesperson, who specifies that this tolerance “does not apply to the AccèsD password, but only in very specific contexts”, a way of striking the right balance for its users between quick access and properly protected access.

“At all times, several security layers remain in place to ensure the protection of information and prevent unauthorized access to members’ accounts,” adds Mr. Turcotti, who does not disclose the nature of these layers, though they could be a combination of technical factors, such as an already known Internet address, a computer device that has been approved in the past, or others.

Desjardins adds that this authentication method is on its way out of its digital services, since security questions will soon be removed from its online identification methods.

Desjardins is not the only financial institution in Canada to juggle several authentication methods. The Canadian Bankers Association (ABC) promotes multi-factor authentication and other fraud detection techniques to its twenty or so members, including biometrics, data analysis and real-time transaction monitoring.

Adaptive authentication

IT security is a cat-and-mouse game between constantly renewed data protection tools and the means of getting around them. This explains why some companies that manage sensitive data, such as banks, juggle authentication systems whose identification criteria vary depending on the context.

“In information security, user authentication is based on three elements,” explains security expert Luc Lefebvre, president of the cybersecurity organization Crypto-Québec. The first element is something the user knows, such as a password. The second is something the user has, for example a computer or a browser. The third element is something that identifies the user; this usually takes the form of a biometric fingerprint.

Security systems have evolved in recent years to take into account factors that the user does not have to memorize.

Behavioral analysis, improved by the use of artificial intelligence, and real-time contextual evaluation are therefore also taken into account. This allows secure systems to find the right balance between data protection and user experience.

Thus, a user of a secure web application who has the right password and the right answer to a security question, but who suddenly appears to be in a country other than the usual one, or who is using an unrecognized computer device, may not be immediately authorized to access their account.

On the other hand, a user who always consults their bank account from the same computer, from the same physical place and from the same Internet address could pass the security check even if they have forgotten an accented character or reversed two characters in the answer to the security question.
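To make the trade-off concrete, here is an added Python example of this kind of context-dependent tolerance. It is not Desjardins' or any bank's actual logic; the LoginContext fields, the one-edit tolerance and the allow/step_up/deny outcomes are assumptions chosen to illustrate the behaviour the article describes.

```python
import unicodedata
from dataclasses import dataclass


@dataclass
class LoginContext:
    """Contextual signals gathered at login time (hypothetical field names)."""
    known_device: bool    # device/browser previously approved for this account
    known_address: bool   # Internet address already seen for this account
    usual_country: bool   # geolocation matches the account's usual country


def normalize(answer: str) -> str:
    """Casefold, strip accents (NFKD, then drop combining marks) and collapse spaces."""
    decomposed = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(no_accents.casefold().split())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each cost one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def evaluate_security_answer(given: str, expected: str, ctx: LoginContext) -> str:
    """Return 'allow', 'step_up' or 'deny'.

    A near miss (missing accent, two adjacent characters swapped) is tolerated
    only when every contextual signal is familiar; an exact answer from an
    unfamiliar device or country still triggers additional verification.
    Caveat: approximate matching needs the stored answer in a comparable form
    rather than a one-way hash, which is part of the trade-off being made.
    """
    familiar = ctx.known_device and ctx.known_address and ctx.usual_country
    if given == expected:
        return "allow" if familiar else "step_up"
    if familiar and osa_distance(normalize(given), normalize(expected)) <= 1:
        return "allow"
    return "deny"
```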

The human factor

“It is not one-dimensional. If someone gets a letter wrong, it is not just the security question that is assessed to accept the connection. There is the Internet address, browser information, location, etc.,” says Luc Lefebvre.

[Photo: Luc Lefebvre, president of the cybersecurity organization Crypto-Québec. Photo Marco Campanozzi, Archives La Presse]

All this is designed to prevent the password from being the only security factor.

Luc Lefebvre, security expert

It has been proven over and over again that the password is not a foolproof protection measure.

Online scams, fake questionnaires on social networks, phishing emails… For people wishing to steal someone's identity, there are countless ways to try to get hold of the password and the answers to security questions.

And often it works. Especially if your password is “123456” and your favorite color is red …
