La Nouvelle Tribune

How Bank Apps Know You’re You

A lot goes on behind the scenes to keep you safe from hackers

By Matt Grossman, The Wall Street Journal. Featured article licensed from The Wall Street Journal.

If we’ve learned one thing from years of hacks and phishing, it’s this: A username and a password alone aren’t strong enough to protect our most precious accounts.

So why don’t our bank apps require us to pile on extra security settings?

Security experts (and our own columnists) have long urged people to turn on two-factor authentication or other tools to secure their apps. Banks, arguably the most sensitive apps on our smartphones, don’t often make you use any of that.

Instead, banks run a lot of software in the background to make sure you’re really you. Among several factors considered during logins are: the time of day, location, device IP address, mobile carrier, and if any links prompted users to open the app. If anything differs from your unique “fingerprint,” your bank might suspect a hacker or a phishing attempt, and prompt you to take more steps to verify your identity.

The four biggest U.S. consumer banks by deposits, Bank of America Corp., Citigroup Inc., JPMorgan Chase and Wells Fargo & Co., say they run multiple layers of authentication and monitoring tools from the moment users open the app until they log out.

“We have multiple and redundant controls that are not always visible to our end user,” said Tami Hudson, Wells Fargo’s executive vice president and cybersecurity client officer. “Those things really help us to proactively identify login attempts that we would define as risky or potentially risky.”

What the banks do

In the past, you might have been asked to answer security questions—“What was the name of your first pet?” Now, newer behind-the-scenes measures take precedence, say security experts and banking software providers. Some compare a user’s password-typing speed and cadence with that person’s prior attempts. Others analyze the pressure with which credentials are entered by checking how many pixels are covered when the user taps each key.

This mélange of authentication practices is found largely in banking apps because the stakes are higher. Banks know if customers have any concerns about the safety of their money, they’ll go elsewhere. On top of that, banks must abide by federal regulations to use secure data management practices, such as end-to-end encryption.

All of that weighs on a bank’s decision to approve a login or transaction, said John Buzzard, lead fraud and security analyst at Javelin Strategy & Research, which assesses risks in digital banking security.

“If there is a sudden about-face somewhere, there’s an opportunity for banks to stop it, pause it or request more information,” he added.

These tools aren’t failproof. If you have your login credentials stored on your smartphone, a phone thief who also knows your passcode may still be able to use autofill to log in. “But the secret sauce determines how far they go once they get through,” Mr. Buzzard said.

Even if these defenses are breached and money is stolen—more often through victim manipulation than actual hacking—the funds are generally protected in other ways, too.

What you can do

The four banks we spoke to say protecting users from fraudsters means not revealing every tool they have at their disposal. Still, each shared information about its techniques.

All four support Face ID and Touch ID for Apple devices, and fingerprint sign-on for Android phones. Biometrics can make signing in easy for you and harder for people who aren’t you, Mr. Buzzard said. The apps also automatically log you out after a short period of inactivity.

There might be other security layers, such as transaction alerts, two-factor (aka two-step) authentication and single-use passwords, that you choose to activate. Banks don’t turn everything on by default because they don’t want to create too much friction, Mr. Buzzard said.

DAN PAGE