Members' 'Do Not Track' Choice Raises Questions Over How To Respond
AUSTIN, Texas-As members begin to use powerful new "Do Not Track" privacy tools at Internet banking sites, not everyone is perfectly clear on how credit unions will verify member identity.
"We'll have to wait until operational versions of the browser privacy tools are released before we can develop an appropriate solution to honor the members' desires," said Kelly Dowell, COO for Jwaala here, which provides Internet banking and authentication technologies to credit unions.
Four other authentication providers and five credit unions contacted by Credit Union Journal were not able to comment on how Do Not Track privacy tools would affect ID authentication technologies, including multifactor authentication.
Members can stop third parties from gathering information about them at credit union websites using Microsoft's new version of InPrivate Filtering. The Internet Explorer tool allows people to block all third-party analysis and advertising platforms as they browse the web.
Mozilla and Google are considering similar features in their browsers, and the Federal Trade Commission recently encouraged developers to build Do Not Track features into browsers.
One solution might be to offer members an alternative verification process, said Dowell. "I am certain of one thing: the security systems will not become less probing."
UWCU in Madison, Wis., thinks that privacy tools might dilute some website navigation and trending features but will leave authentication processes intact, according to Eric Bangerter, director, Internet services, at the $1.2-billion CU. That's because UWCU third-party authentication software always acts like a "first-party" process, he said.
"Although we run third-party security software in-house, all the cookies and images are served locally by us, from our primary domain," said Bangerter. The third-party software essentially becomes tied to a first-party process, which is something that Microsoft's privacy tool isn't designed to block.
In fact, if a credit union is currently verifying member identity through a third-party without tight integration to or endorsement by the credit union's primary domain, then the process is most likely vulnerable, he continued. "Credit unions should not choose an Internet path where they are showing security processes delivered by a third party."
In any case, most people aren't savvy enough to turn on web privacy tools, Bangerter added. "Consumers don't know enough yet. The vast majority is going to skip InPrivate Filtering and other tools."
InPrivate Filtering won't interfere with authentication or risk analysis provided to credit unions by RSA, the Bedford, Mass.-based security division of EMC, according to Angel Grant, RSA senior manager, anti-fraud solutions.
"If a member implements browser privacy controls, it will not impact the effectiveness of RSA Adaptive Authentication and their Internet banking log-in session should work correctly," Grant said. "Nor do we anticipate a dramatic impact if Do Not Track legislation is passed."
At UWCU, visitors using browser privacy tools to block third-party images would prevent the credit union's web analytics partner from determining whether they had previously visited the site and which pages they had used, said Bangerter.