Online Banking Out-of-Band Authentication Solution
As of May 5th, 2013, Summit State Bank will implement a new Out-of-Band login authentication process for Summit Online.
Our Out-of-Band solution is designed to reduce the risk of fraud by better confirming your identity when accessing Summit Online, using a user ID plus two additional components or factors. The solution allows you to authenticate through the use of a one-time security code. The interaction occurs outside the online channel, through either an automated voice call or a text message.
Frequently Asked Questions
How it works:
You log in to Summit Online normally, entering a valid user ID.
When you enter a valid user ID, the Device Profiling process determines if the device profile is typical for past successful logins with the device. If it is typical, the Password page appears. If it is not typical, then additional authentication will be required before you can proceed.
Note: The Password page will no longer include a picture and phrase, and preselected challenge questions are no longer used. These functions are replaced with the Out-of-Band Authentication, described below.
After you enter your user ID, your device and network path are also authenticated in order to detect indicators of fraudulent activity. Over 100 attributes are gathered and reviewed when authenticating your device. This evaluation occurs each time you log in to Summit Online, and it is transparent to you.
There are two possible outcomes when authenticating your device:
- Device Profile is Typical: There is nothing suspicious about the device profile. Step-up authentication is not necessary. You will be allowed to proceed to the next step in the login process and enter your password.
- Device Profile is Not Typical. There is something abnormal about your device profile, and step-up authentication is required (see Frequently Asked Questions below for possible reasons for this). You will be required to complete step-up authentication before proceeding to the next step in the login process.
Note: You will no longer be asked to register your device. This function is replaced with Device Profiling, which is performed with every login.
When step-up authentication is needed, Summit State Bank provides an Out-of-Band Authentication solution that uses a phone call or text message to confirm your identity.
- When you use a phone call to confirm your identity, you first must select a phone number from the numbers that are on record at Summit State Bank. You must have access to the phone in order to log in. After selecting the phone number, you will receive an automated phone call that instructs you to say or enter the one-time security code displayed on the Enter Security Code dialog into the phone.
- When you use a text message to confirm your identity, you need to enter your mobile phone number to give permission to send the text message. The number entered must match a number on record at Summit State Bank. In this case, the one-time security code is delivered to the mobile phone by text message, and you will enter the code on the Enter Security Code dialog.
To begin using Out-of-Band Authentication, you will click Continue with Security Code on the Step-Up Authentication page.
The Tell Us Where to Reach You dialog prompts you to select a phone number to use for Out-of-Band Authentication.
Note: For security reasons, all but the last five digits of your phone numbers are masked.
You cannot successfully complete the Out-of-Band Authentication process without at least one valid phone number recorded in Summit Online. If you do not have a valid phone number on record, then you must contact Summit State Bank before you will be able to log in. Click on the My Phone Number is Not Listed link for Summit State Bank contact information.
Phone Call Authentication
If you select a phone number on the Tell Us Where to Reach You dialog and then click Continue, the Enter the Security Code dialog is displayed. You will receive a phone call at the selected phone number.
When the phone call is received, you are asked to speak or enter the displayed one-time security code. You have three attempts to correctly enter or speak the security code.
After completing the phone call, you must click Phone Call Completed.
If you spoke or entered the correct security code, Out-of-Band Authentication is successful, and you will be allowed to proceed to the Password page (or the Password Reset page if you are updating your password).
If you click the I Didn't Receive a Phone Call link, further instructions are displayed on how to contact Summit State Bank.
Text Message Authentication
If you selected the text message option on the Tell Us Where to Reach You, the Enter Your Mobile Phone Number dialog is displayed. You are prompted to enter a mobile phone number where the text message can be sent.
Note: Based on your carrier contract, you may be charged standard text message rates.
After you enter your mobile phone number and click Send Text Message, the phone number is validated with numbers on record for you at Summit State Bank.
If the mobile phone number matches a number on record, a text message containing a one-time security code is sent to your phone, and the Enter the Security Code dialog is displayed.
On the Enter the Security Code dialog, you are asked to enter the one-time security code that was sent in the text message.
When you enter the code and click Submit, Summit Online verifies that the entered security code matches the security code sent by text message. You have three attempts to enter the security code correctly.
After the correct security code is successfully entered, Out-of-Band Authentication is successful, and you are allowed to proceed to the Password page (or the Reset Password page if you are updating your password).
If you click the I Didn't Receive a Text Message link, further instructions are displayed on the Text Message Not Received dialog.
Why did I have to go through the additional authentication process?
The most common reason would be that a new Device Profile has been identified or there has not been enough consistent use of the Device to confirm the correlation.
Because the Device Profiling looks at many factors together, as well as a system cookie and a Flash Object from a prior session, there are some instances where changes to a combination of factors would trigger a risk score that requires additional authentication. Examples include:
- Clearing Cookies or a Browser Setting Change
- Many devices used by a single user in a short period of time
- Multiple people using the same device can trigger a risk profile
- A Browser Update, Cleared Flash Object or Dates Out-of-Synch
Please follow the instructions to provide additional authentication so the system can learn that this profile is safe and you can access the system from this profile in the future.
If I log in from a Public PC and the Device fingerprint is recorded or "registered," doesn't this put me at risk?
When you log in to Summit Online from a PC where you do not have control over the Security Controls, such as firewalls and virus protection, you are at risk. Public PCs can have malware that records any information you enter. For this reason we strongly recommend you do not use Public PCs for Summit Online.
Why am I not asked to Register my Device? Or why are Devices Profiles always recorded?
Rather than registering your PC, we are reviewing each unique login for any security risk. This approach works behind the scenes to protect each Summit Online session. This provides increased security for every login.
Why am I getting stepped up all the time when accessing the system from an international location?
For security purposes, users logging to Summit Online from international locations (except USA and Canada) will always be stepped-up to Out-of-Band Authentication.
If you continue to get stepped up over and over, we have found that sometimes browsers don't encrypt the Device ID correctly and, therefore, cannot be recognized as a previously used Device. Here are some hints we have found helpful in resolving issues that prevent devices from properly registering and result in stepped up authentication on every login:
- Clear cookies; do not check "Preserve Favorite Sites" - Internet Explorer only
- Add https://summitonline.summitstatebank.com to your Trusted Sites - All browsers
- Delete any flash cookies for https://summitonline.summitstatebank.com – All browsers