What is the One-Time Security Code? I've also heard it called Advanced Authentication, "Step-up" or Out-of-Band Authentication?
These terms all mean the same thing; they are just different ways of describing the service. Using recommendations from the FDIC, a stronger, more secure login method was developed. This security protocol runs every login attempt through a series of tests meant to determine whether the attempt matches the pattern of past attempts. If too many things are different, it requires additional, more advanced means of authentication. "Out-of-Band" means that the authentication steps outside the network connection (the Internet band) and uses a totally different connection point to reach the customer. The process of reviewing each login is called Device Profiling.
What is “Device Profiling”?
Device Profiling reviews many different aspects of your login, such as information about your PC, the location from which you are logging in and the networks being used to make that connection, as well as a system cookie and a Flash Object from a prior session. This allows for a much more secure connection. Changes in the combination of these factors can trigger a risk score that requires additional authentication. If your laptop is stolen and the login information is known by the thief, chances are they will be “stepped-up” when they try to log in because the network connection will be different. Without the Out-of-Band calling one of your numbers to get the pass-code, the account is inaccessible.
Why can’t I just register my PC?
Registering the PC was a good method but it’s no longer the best method. If someone stole your laptop and knew your login information, they were not challenged in any way and could gain access. Criminals are consistently finding new ways to gain access to your personal and financial information, so we are continuing to find ways to stop them and protect your information. Rather than register the device, the new process registers each unique login and looks for abnormalities in that login configuration. This adds many more layers to the security process.
Why not still use the Challenge Questions/Image?
The new process replaced the Passmark or Challenge Questions and Image. They are no longer part of the login process.
The phone numbers listed are not correct / I need to add a phone number?
If the phone numbers listed are not correct or you need one added, you will need to call or visit M&S Bank and, after verifying your identity, we can help by updating your profile. The update is immediate and you will be able to retry the process.
Why am I getting the Advanced Security screen and being asked to do the "step-up" again?
While the initial implementation required the additional authentication for several customers, it probably won’t ask you again if all things stay the same. However, there are lots of things that change and can cause the system to ask you to “step-up” and go through the process.
- Traveling – This is probably the most common. As you travel and use different networks, even if you use a MyFi personal internet card, the connections may be different enough to prompt the system to want additional authentication.
- Multiple users on the same device. If you log in and out, then your spouse logs in, the system may trigger. However, over time, this should happen less and less as the system learns what is “normal” for that device.
- User logging in from different devices in a relatively short amount of time can trigger the prompt.
- Sometimes a user’s browser doesn’t encrypt the Device ID correctly, so the device cannot be recognized as one used previously. Here are some hints we have found helpful in resolving client-side issues that prevent a device from registering properly and result in users being stepped up on every login:
  - Internet Explorer only - Clear cookies; do not check “Preserve Favorite Sites”
  - All browsers - Add the institution’s website to trusted sites
  - All browsers - Delete any flash cookies for the institution’s website. (This can be done at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html by scrolling through the list to find the institution’s website, highlighting it and clicking ‘Delete Website’.)
- Automatic “clean-up” applications can cause the device to appear “new” to the Out-of-Band System.
- Updates to your browser, cleared flash objects and/or dates getting out of synch.
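The Device Profiling answer and the list of step-up triggers above can be made concrete with a small risk scorer. This is an added example, not M&S Bank's or its vendor's algorithm: the factor weights, the threshold, the class and function names and the sample logins are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed weights and threshold; the page does not give the real system's values.
WEIGHTS = {"device_cookie": 40, "flash_object": 15, "network": 30,
           "location": 25, "pc_fingerprint": 20}
STEP_UP_THRESHOLD = 30


@dataclass
class LoginProfile:
    """Factor values seen on this user's past fully authenticated logins."""
    seen: dict = field(default_factory=lambda: {k: set() for k in WEIGHTS})

    def risk_score(self, login: dict) -> int:
        # A factor adds its weight when its value is missing or never seen before.
        return sum(w for k, w in WEIGHTS.items()
                   if login.get(k) not in self.seen[k])

    def needs_step_up(self, login: dict) -> bool:
        return self.risk_score(login) >= STEP_UP_THRESHOLD

    def learn(self, login: dict) -> None:
        # Call only after the password and any out-of-band code were accepted.
        for k in WEIGHTS:
            if login.get(k) is not None:
                self.seen[k].add(login[k])


# Constructed sample logins (not real data).
HOME = {"device_cookie": "ck-1", "flash_object": "fl-1", "network": "isp-home",
        "location": "home-city", "pc_fingerprint": "laptop-browser-v1"}
STOLEN = {**HOME, "network": "isp-other", "location": "other-city"}
CLEANED = {**HOME, "device_cookie": None, "flash_object": None}
UPDATED = {**HOME, "pc_fingerprint": "laptop-browser-v2"}


def run_scenarios() -> dict:
    profile = LoginProfile()
    results = {"first_login": profile.needs_step_up(HOME)}
    profile.learn(HOME)  # user passed the out-of-band check
    for name, login in [("same_again", HOME), ("stolen_laptop", STOLEN),
                        ("cookies_cleaned", CLEANED), ("browser_update", UPDATED)]:
        results[name] = (profile.risk_score(login), profile.needs_step_up(login))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

With these assumed weights, a stolen laptop on a new network and a machine whose cookies were wiped both cross the threshold, while a single changed factor such as a browser update does not.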
I don’t have a landline or cellphone / I use dial-up / I’m on a military base / My line is answered by a live operator / My line is answered by an automated system – what can I do?
By the nature of this being an “out-of-band” process, it steps outside the Internet lines of communication. Therefore, the system does look for a phone number. If you do not have a phone, perhaps a close friend or family member can act as part of your “trusted circle.” This means you could have their number added to your profile and thus, when the system asks you to call, you can select that number. That person could be with you at the time you log in and when the system calls or texts, you can use that phone to receive/send authentication, or use Instant Messaging or chat. There are also times when a bank representative can aid in the process via email. It’s suggested that if you use this method you log out and back in a couple of times to ensure the connection has been made.
For an automated system:
Calls Answered by a Live Operator – With Extensions
To address scenarios where a live operator answers the main number, our Online Banking system begins calls to telephone numbers with extensions with the following message, which begins once a voice is detected on the line: Hello. Please transfer this call to extension . This message is followed by the DTMF tones for the extension entered in our system. Customers do not have to confirm the extension. The company’s operator would transfer the call at this point. Once the calling system detects a voice after the DTMF tones, the Advanced Login Authentication Sign On message begins to play.
Calls Answered by an Automated System
When an automated system, sometimes called an auto-attendant, answers the main number, the system should work. However, more time might be needed before the extension can be accepted by the phone system. In that instance, the Advanced Login Authentication may never reach the recipient.
I use a TRAC / GO Phone / SmartTalk / Intellos / Pay-per-use phone – I didn’t receive a call or text – why?
In some cases, small regional carriers may not participate in the full national network, so a text may not come through, or you may need to buy a specific level of service to receive program-type SMS messages. If you have text messaging service but did not receive your text, please let us know; adding these smaller carriers can be done, but on a case-by-case basis. However, there should be no issue that would cause a Voice Advanced Login Authentication process to fail. If this happens, please get in touch with us and provide specific information (date, time and phone number) about the event so we can investigate.
When I log in at the library, I always get “stepped up” – why?
Because this is not your “normal” PC and because so many others are using it, it will not be a “recognized” device and the system will see it as a red flag. The FDIC and FFIEC commission, as well as all financial institutions, will tell you that using public PCs to access your personal data is not recommended. There is no guarantee that the PC you are using has been kept up-to-date on security updates or virus protection, so your login information may be at risk if you use this device.
What does the text message look like?
The message is confined to 160 characters and includes text required by the carriers. The standard message says: M&S Bank Messages. The one-time code is [PIN]. Please enter and submit it online. Msg&Data rates may apply/STOP if unexpected/HELP for support.
What does the “STOP” on the text message mean? What happens if I type and send “STOP?”
The STOP messages go to the origin of the text message. It’s a complicated process, but generally the Mobile Carriers will only accept messages from a “Short Code” that is certified for the program, and they require that the Short Code support STOP messages. So for Advanced Login Authentication SMS Text messages, we have a single Short Code from the vendor that manages this aspect of the Authentication Solution. The response message is therefore generic to the Short Code and the Advanced Login Authentication Vendor, not M&S Bank. If STOP is typed in, it will not prevent any future calls. The Advanced Login Authentication SMS Text message program is essentially a one-time opt-in: when you enter your phone number to send the SMS Text message, you give the sender permission to send the message. This overrides any previous STOP message response.
I didn’t receive the text message – what now?
Since the SMS message carrier network is not as well developed as the voice phone network, there may be gaps in service caused by smaller carriers that do not participate in the full network. There can also be delays in message delivery across any area of the network. If you select SMS text and the message is not received, please try the Voice Phone Call or use another number.