Banking’s ‘Valar Morghulis’ moment

I had the most unusual exchange with my bank recently.  I was paying a lawyer for some services and had just set up his account.  I paid him through an online wire transfer and didn’t think another moment about it.

But several hours later I received a call from my bank, BB&T.  They had put a hold on the transfer because it was new and because it had been set up that very day.  The bank representative called my phone and left a message, which I returned immediately afterwards.  Their caller ID verified that I was calling from the very number they had just left a message on.

But I still had to prove who I was.

They asked for information about my company and who is also allowed to authorize the release of funds from the account.  They asked me to confirm the lawyer had received the funds, but asked me to not use email.  When I inquired why he told me that since our initial set up had been via email, I should use some other vector to confirm delivery.

I assured him I would call the lawyer and he offered to confirm the authorized transfer of the money – how did I want it?  It could not be email, nor could it now be by cell phone since I was using my phone to discuss the matter with him.  I would need an entirely new vector for confirming the transfer.

We ended up using a messaging service.  It was still tied to my cell phone account, but that actually increases the security from the bank’s perspective.  I found the entire exercise more interesting than exhausting, as they were now confirming two factor authentication between the bank and the lawyer I was paying, as well as a second pair of authentication dimensions for validating me.

The most common factors for authentication are:

1. Someone you are, like a fingerprint
2. Something you know, such as a password
3. Something you have, a USB or keyfob

To ensure security, we provide two of these dimensions to authenticate ourselves, that we are who we claim to be and are authorized to access the account (in this case), secure door, or even safe deposit box we are trying to gain access to.

I’ve found that a lot of people have trouble grasping the difference between these differnet dimension, so I suggest a popular pop culture reference that displays it brilliantly: 

Game of Thrones

There’s a scene a few seasons back that demonstrates two-factor authentication in a very simple way, that I think resonates very well, particularly for young people (who are the most likely to be using online banking).

In the clip, the Braavos assassin Jaqen H’ghar (played by Tom Wlaschiha) bids farewell to his young protégé Arya Stark (Maisie Williams) who leaves to avenge her murdered family.

Assassins, by their very nature, need to remain out of the public’s eye, and Jaqen takes his anonymity seriously.  So, how can he provide his young apprentice a way to reach him if needed?  This is a brilliant, if unintended, two-factor authentication moment!

First there is the coin, something she has.  It provides the initial stage of legitimacy to whomever she approaches – someone she doesn’t know and has no reason to believe her.  Then she provides the oral bon fides, Valar Morghulis, the secret phrase that only an authorized agent would share with her.  For the banking world this would be the password or pin, something that she knows. Who knows?  Properly positioned, banks could spawn an entire Valar Morghulis subculture – t-shirts, tattoos, even beer.  Brand management taken to the extreme!

These assassins are not alone.  We’ll soon see two factor authentication integrating GPS systems, proving somewhere we are.  We’ll authenticate off corporate Wi-Fi, proving something we can access.  Or we’ll ping off store shelf beacons, authenticating something nearby. 

All of these increase security options – and the more we mix them up, the harder it is for thieves and spies to compromise them.