InCommon Federation Discussions About Online Student Services

["Rodney Petersen" <>]

I am struck by the extensive reliance on SSN's in all 3 scenarios,
including Bank B for which the member number and online userid IS the
SSN.  I understand the need for financial institutions to collect SSN's
for tax-reporting purposes, but I am amazed (as is the Federal Trade
Commission!) that they are still insisting on its use for identity
verification.

I expect there is a lot more detail behind the "Process for Applying for
an Online Account" than what is included in this chart.  For example,
when Bank A says "apply online" what does that mean?  I assume that
includes a series of security questions - similar to process for Online
Brokerage.  I know that when I recently applied online for a credit card
they asked a series of security questions (previous addresses, sequence
of place of residence, employers, etc.) that only I would know.  The
questions included multiple choice questions that were a little tricky,
too.  (BTW, I'm sure they asked for my SSN.)  At the end, I was
"instantly approved" and given an account number that I could use to
make an immediate purchase.  That was AMAZING to me - but I felt safe
and secure.  I think this approach and database of info (from the credit
monitoring services) is the type of technology that Axciom is using to
identify/authenticate remote distance ed students.

Finally, I noticed that Bank C and Online Brokerage send credentials via
postal mail.  I believe (not sure) that is a common practice in higher
ed and the December 2008 FERPA rules have confirmed that as an
acceptable practice.

The HEOA compliance question (verification of students participating in
higher ed course) is an interesting one because it is concerned about
the sharing of userid/password for course completion (and by extension
financial aid fraud and academic dishonesty).  However, I suspect there
is a lot of userid/password sharing in the online banking industry (do
any of you share your userid/password with your spouse?)  In fact, I've
pushed my financial institution on this a bit and the only way for my
wife and I to access each other's online retirement accounts, including
IRA's, is to share userid/password with each other (short of going
through the process of creating Powers of Attorneys, etc.)

Anyway, I think there are indeed lessons to be learned from the
financial sector and other e-commerce industries.

Thanks, Renee, for sharing.

-Rodney

--------------------------------------------------
Rodney J. Petersen
Government Relations Officer & 
Director of Cybersecurity Initiative
EDUCAUSE

1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200

EDUCAUSE Policy Analysis and Advocacy
www.educause.edu/policy
EDUCAUSE Cybersecurity Initiative
www.educause.edu/security
Identity and Access Management
www.educause.edu/iam
-------------------------------------------------- 

-----Original Message-----
From: Renee Shuey [] 
Sent: Friday, February 05, 2010 5:58 PM
To: InC-Student
Subject: [InC-Student] Banking Account Provisioning Processes

Hi All:

Attached is a document containing the account provisioning and password
reset processes for 3 banks and one online trading company.  I'm
interested in thoughts/insights you might gleam from this exercise.  
Can/should we determine which practices might be useful to us in HE and
which ones might not be compliant with FERPA, HEOA, etc?  Might be a
useful exercise prior to launching our remote process survey. 

Have a great weekend!  It's snowing in central PA.
Renee

P. S. if you find any info that clearly defines the bank, please please
let me know so I can remove it.  I think I have it clean. ;)