Two-part texting security
04/08/2008
By Trevor Baca, VP Software Engineering


Security best practices demand two-part identification. Credit card plus signature. Banking card plus PIN. Or, if we're in the UK, chip plus PIN. The principle is clear enough -- identity theft of a single piece of information happens too easily but theft of two loosely coupled pieces of personal information should be much more difficult.

Welcome to text messaging as one piece of the two-part security paradigm.

The people at Chase bank have been leaders in innovative uses of communications-enabled business processes (or CEBPs). Deposit more than a user-configurable number of dollars and Chase's automated prompting system can dial your cellphone and let you know. Withdraw more than a user-configurable number of dollars and Chase's automated IVR systems can dial your cellphone and leave a different message. Automated alerts are a cost effective customer experience extra with no additional overhead in call center costs.

So how are Chase working in text messaging as one part of the two-part security paradigm?

Log in to any Chase account online and click the link that says that you forgot your username or password. Nothing too exciting about username retrieval. But in Chase's new implementation, you can click a radio button to have an "activation code" sent to your phone by text message. The incoming message reads something like "Text from 242-733. Fr: Chase Online. Activation Code is XXXXXXXX. Enter is now online when prompted or in password field when logging on. Text Stop to STOP, Help for support."

It's a small detail and a great idea. We know that people look at text as the communications medium of intimacy and one-to-one contact. So it's a reasonable extension of the feelings most of us have about text to use the medium to convey small bits of personal information. And allowing "STOP" and "HELP" escape routes demonstrate extra concern for customer service in the process.