How We Protect You

Enhanced multi-factor authentication security technology enables you to authenticate your online banking transactions in real-time using your mobile device by means of a simple accept or reject response to an authentication request.

We will replace the current one-time password (OTP), also known as a Security Access Code (SAC). In the future, when you perform an elevated risk online banking transaction, you will receive an interactive pop-up message on your banking application on your mobile device providing the details of the transaction and requesting you to click either “Accept” or “Reject” the transaction. This is called a Push notification request. If a transaction is not legitimate, you can simply reject it by clicking the Reject button displayed in the authentication request and the transaction will not be processed, stopping the attempted fraud in its tracks. Please make sure your push notifications are enabled for your banking app. Push notifications are important because it gives you a full overview and control of all transactions on your account.

Biometric authentication is a security process that relies on the unique biological characteristics of individuals to verify that they are who they say they are. Biometric authentication systems compare physical traits to stored, confirmed, authentication data. If both samples of the biometric data match, authentication is confirmed. The advantages of biometric authentication are its convenience and security. Since biometric authentication uses unique characteristics for verification, they are difficult to replicate. Traditional methods, such as usernames and passwords, are not as secure because they can be stolen or guessed easily.

For this new way of authentication, enabling biometrics is not mandatory, but it is recommended for a better user experience.

Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel along with the typical ID and password. Out-of-band authentication is often used in financial institutions and other organizations with high security requirements. Out-of-band helps improve cybersecurity because it makes hacking an account more difficult due to two separate and unconnected authentication channels that would need to be simultaneously compromised for an attacker to gain access. This new authentication utilizes out-of-band authentication via a push notification to your banking app.

The new method provides a much more secure means of authentication because it allows you to accept or reject transactions directly via your mobile phone — you, as the account owner, remain firmly in control of every elevated risk transaction because you accept or reject each transaction on your phone before the transaction is processed.

Whenever an elevated risk online banking transaction is being performed, you will receive a pop-up message on your banking application on your mobile device (push notification authentication request). This message will contain the details of the transaction being attempted and will allow you to choose whether to continue with the transaction or stop it. Because your response to the authentication request is sent to the bank using a separate mutually encrypted connection directly between your mobile device and the bank, instead of an OTP/SAC code being entered on your computer (where phishing and other cyber-attacks may get a hold of it), phishing and other cyber-attacks are prevented.

One-time passwords (OTPs) / security access codes (SAC) can be intercepted by fraudsters employing cyber-attack techniques referred to as “phishing” or “man-in-the-middle” or “SIM swap” fraud. Fraudsters lure unsuspecting users into entering their online banking credentials (username and password) on a site that mimics the real banking site. The unsuspecting user, seeing the familiar visual layout of the banking site, enters his or her login information on this fraudulent site, effectively giving it to the fraudster. The fraudster relays the captured information to the legitimate banking site in real-time. This results in the user receiving an OTP/SAC on their mobile device. The fraudster then mimics the real bank by asking the user to enter the OTP/SAC on the fraudulent site. Since the unsuspecting user again enters this OTP/SAC on the fraudulent site, the fraudsters now have everything they need.

At this point the fraudster has the power to do what they want on the online banking site without any further user interaction. By the time the user realizes what has happened, the fraudster has already cleared out the bank account. Because we make use of the separate mutually encrypted connection directly between the bank and the user’s mobile device to send the Authentication Requests and responses to it, it does not require any information to be retyped on your computer, and thus the fraudulent site never gets all the information required to transact on behalf of the user, which means your account is safe.

• Funds Transfers (Internal and External)
• Zelle or other P2P payments
• ACH transactions (business)
• Wire transfers (business)

We will require two-factor or multi-factor authentication if you initiate one of these transactions.

The app is available for all devices running iOS (iPhones and iPads), Android, and Windows Phone operating systems. There is also a version of the application that runs on most feature phones. If your phone has a color screen, a browser, and can run common applications (e.g. Instagram or Facebook), it should be able to support the authentication.

Authentication is required only for elevated risk transactions. If you do not have your mobile device with you, you will still be able to perform transactions that are not considered to be elevated risk transactions.

When performing multiple or bundled payments, you will receive only one message for authenticating the bundled transaction. The message will contain a figure showing the total value of the bundled transactions and the number of transactions being performed. You then have the choice to either accept or reject the bundled payment.

The only costs associated with using are for the GPRS, EDGE, 3G, 4G, 5G or Wi-Fi data transmitted, if applicable. These costs will depend on what data package you have with your mobile operator or Internet service provider, but the authentication messages are small (roughly 1KB per message), which should be negligible in terms of data costs.

If you travel abroad, the authentication will work wherever you have Wi-Fi Internet connectivity. It will also work if you have roaming data connectivity (GPRS, EDGE, 3G, 4G, 5G etc.) but you may incur roaming data charges when authenticating in this case, even though it uses a very small amount of data.

If you have no Internet connectivity, we will fall back to requesting you to enter an OTP/SAC in order to transact. The application has the built-in functionality to generate an OTP/SAC on the device when it has no mobile communication.

Authentication request messages should appear on your mobile device within 5 to 10 seconds (on average) if the application is not open and has to be woken up. If the application is already open, the authentication request message should appear almost instantaneously. Traffic on the mobile network may affect the time that it takes for the message to appear on your mobile phone. The quality of coverage that your mobile operator provides in your location may also impact delivery times.

If messages do consistently take too long to reach your mobile phone, you should contact us at 800.273.3406 opt 4.

A timeout occurs when your response to the authentication request message takes longer than we allow. This might be due to the message taking too long to reach your mobile device, or if you take longer to respond to the message.

If a timeout happens, click the resend button on the online banking screen on your computer to send another message. If timeouts occur repeatedly, contact us at 800.273.3406 opt 4.

If you press the cancel (red) button to end a call while an authentication request message is displayed on your mobile device, the system will recognize that you cancelled the authentication request message. A message will appear on your online banking screen informing you that the transaction was cancelled via your mobile device. The online banking screen will then prompt you to click either the resend or cancel buttons on screen.

If you receive an authentication request message for an elevated risk transaction on your account that you did not initiate, you should click the reject button to reject the transaction. This will prevent the transaction from being processed.

With this new way of authenticating, devices can be added to your account and identified as a ‘trusted device’.  All authentication requests will then be routed to this trusted device to approve – this creates a trusted environment which increases safety and speeds up your authentication steps for future transactions.

To register a trusted device:

First time: automatic registration takes place which will give you the option to also enable your biometrics on your trusted device if the device has biometric capabilities.

Adding additional devices: go to settings > device list > add a new device > follow the easy prompts to identify and register another device to be linked to your account. If the device has the capabilities, you will again be able to activate the biometrics if you wish to.

You can call us at 800.273.3406 opt 4 where we will be able to manually remove the device in question from your trusted devices list to ensure no fraudulent activity can take place.