Episode 79 – Protecting your DRS account with online security

Thousands of DRS customers log in every day to manage their retirement, so keeping those accounts secure matters. We’re joined by Michael from our Contact Center to walk through recent online security updates including removing email as an MFA option and adding the ability to use authenticator apps. He shares simple steps you can take to help protect your identity online.

Episode transcript:

[music intro]

Jenny

Welcome back to Fund your Future with DRS. Well, there are thousands of DRS customers who sign in to their online DRS account every day. They can check their investment balance, run a scenario for future retirement, or update their beneficiaries, change their tax withholdings. There’s all kinds of things that you can do with your online account, and it’s super critical that these online accounts stay secure and that our customers and DRS does everything that we can to make sure that these accounts are safe.

There’s lots of personal information on there. So we’ve invited Michael from our contact center to talk with us about some recent updates that we’ve done to our online security. We’ve gotten lots of questions about this multi-factor authentication. And just to kind of talk about some tips that what customers can do to make sure they’re staying safe online. So welcome, Michael!

Michael

Thanks for having me. It’s a pleasure to be here today.

Seth

So, Jenny mentioned multi-factor authentication is one of the things customers can do to keep their accounts safe. Can you just give us a brief description of what multi-factor authentication is and what that means?

Michael

Yeah, multi-factor authentication can actually be a really drawn out description. So, thanks for the clarification on a brief description. So multi-factor authentication or we’ll commonly refer to it as MFA, it’s an additional security layer. Yes, it’s a separate method, but it really gives that secondary level of protection instead of just a username and password. Now with this it really does add that security because usernames and passwords are compromised every day.

Same thing with email addresses. So having that secondary piece of identification to really make us believe that you are you, not make us, but make the online accounts think that it’s you. And it’s really hard to replicate those secondary methods.

Jenny

And I think it’s important to say, too, that DRS isn’t the only one using MFA. It’s pretty much every banking website that I go to nowadays or things like. Mostly, I think I’ve noticed it on banking websites that I view. Financial websites are using these, so it’s becoming much more common now.

Seth

I think Amazon uses it now. I think my Strava account does. There are lots of… I think it’s become common practice for people to know, oh, I’m going to get a code on my phone. I’m going to have to enter that code in and now I can get into my account.

Jenny

Yeah, yeah.

Michael

Yeah, absolutely. And I mean, even my car insurance started using multi-factor authentication now.

Seth

Yeah. They don’t want somebody else to pay your bills for you.

Michael

That’d be nice.

Seth

Yeah. So, DRS recently made some changes for online account and multi-factor authentication. Could you just share with the audience what some of those new features are for people?

Michael

Absolutely. Well, I know for the people that do utilize their online account fairly regularly, we’re all familiar with that email code. Well, since email is sadly regularly compromised, we’ve added some additional methods and we’re actually getting rid of email, the authentication method. And we’ve added things like an authenticator app, as well as the ability for our members that don’t necessarily use a smartphone to get a phone call on a landline or a home phone. So, they can still utilize that multi-factor authentication.

Seth

Yeah, I know, I know, you were part of the team that’s been working on making these security updates, and it was really important to us as an organization to have a system that works for our entire customer base. And we have customers who are 95, and we have customers who are 25. And I think for folks who might still have a landline, we want to make sure that that is an option for them.

And as you said, almost any time we have seen a customer’s account be compromised, it has been because their own personal email was compromised and they didn’t have a secure password on there, somebody got access to that. And so and they were able to get that multi-factor authentication. So, we’re removing that as an option for people to use email and have to use some other.

And lots of our customers already are using their phone or authenticator app. I got a random email from a customer who found out that he could use his authenticator app, and he was so pleased. He sent me an email and said, this is the greatest, you know, change that DRS has made. He’s been critical of us in other areas, and so he was really excited about that. And I think this is us really trying to make sure customers’ accounts are as protected as possible.

Michael

Absolutely. And that plays into also separating that multifactor method, since we want people to be able to recover their passwords or user IDs, those are still going to be through email, but by removing that secondary method or that MFA method from that, if your identity is compromised from some other data breach somewhere, they can’t recover your username, they can’t recover your password, and they can’t sign in. All because it’s now been separated.

Seth

Yeah, that’s a good point.

Jenny

And then what are the new methods that we’ve put in place now to authenticate your login credentials?

Michael

Yeah. As Seth mentioned, you know, there was a customer that’s really excited and I’m really excited for it. I think our biggest one is an authenticator application. You can get these on tablets, smartphones, and you can get these right from your app store. Most of them are free and there’s dozens of them. So, it’s whatever one you are most comfortable using is going to be compatible with using an authenticator app on the DRS online account access, or OAA as you’ll just see it abbreviated.

Jenny

Yeah. So, like for example, I use the Google Authenticator app. So that’s one that I could set up with DRS.

Michael

Absolutely. And we’ve tested Microsoft Authenticator, the Google Authenticator. Personally I use the LastPass authenticator. And so, it’s really dealer’s choice on that one.

Jenny

Great. So, other than multi-factor authentication issues, what sort of tech troubleshooting issues do you see customers have with their DRS online accounts? Or do you have any specific examples or tidbits?

Michael

So, a big one is browsers — not to call out any specifically — but you have like these incognito browsers and some of them don’t play well with our cookies and things like that in the background to really they help our website identify if your computer’s legitimate. And so, when it doesn’t allow those, it can throw errors as well as password managers.

People will save passwords for, say, DOL or Commerce or Revenue and they’ll save it and it will get saved as like “Washington state.” And then when they try to sign in here, it will auto populate those other agencies’ passwords and say, that’s not right. If you do use a password manager, they’re great. Make sure that they’re separate entries for the different logins that you have.

Seth

And when you update your password, make sure you also update it in whatever manager… I know this is a common thing. A person resets their password, they think they’re good and then it auto fills in for them and it’s the wrong one. And I know, Michael, you help a lot of customers through tech issues and a lot of folks in our contact center.

That is a big part of what we’re trying to do. You know, we are not tech support, but it is really oftentimes a simple question we will ask customers, do you have another browser you can try that on, or do you have another device? I’m trying this on my tablet. Do you have a smartphone or a laptop that you can try it on… Is sometimes just the combination of those things isn’t working well for the user?

Michael

Yeah, absolutely. And that’s a great point. And if you are using a password manager and you’re having issues signing in, I always recommend one of my first things is, hey, can you manually type your password in? And that’s going to tell if it’s because it’s being auto filled incorrectly. And sometimes they just need to change their password. And we’re more than able and happy to do that right on the phone with them too.

Jenny

Which is always such a tricky line to walk too, because then sometimes if you manually type it in, you want something that you can remember. But then I like using the authenticator app because then it provides that like 16 string of numbers and letters.

Michael

Yeah, absolutely. And secure passwords are a great thing. You don’t want to reuse passwords for multiple sites, especially with the same username because, you know, one of them gets compromised. Now they’re all compromised. Yeah, absolutely. Definitely. Using unique passwords helps to secure I mean, all of your accounts, not just DRS.

Jenny

Yeah, I appreciate that my phone will tell me within my password manager app. It’ll say, you know, this password has been compromised or this password is easily guessed. It’ll have like a little red exclamation mark. And I’m like, “oh, I gotta change that.”

Seth

Yeah. Everybody’s working to try to help us stay more secure across the digital universe. So, Michael, are there other things that DRS customers can do to help keep their DRS account more broadly safe beyond multi-factor authentication or their online account that want to share with customers?

Michael

Yeah, some of my general tips that I use in my personal life are I kind of have a password update policy, if you will. So, you know, certain times of the year I will update certain passwords on a regular basis. If you have one password that you use and you haven’t changed it for five years, it’s more likely to become susceptible to compromise, especially with, you know, password requirements are constantly changing, they’re constantly needing to be more advanced.

So, you know, your password you had five years ago might have had six characters, but now you’re required to have ten.

Seth

I know one thing that comes up in our contact center pretty frequently is for our retiree community, especially where they’ve had some sort of identity theft happen or their bank account has been compromised. And one thing that we frequently talk with customers about is, do they even want to have their online account on anymore? We have the ability to turn that off for them.

So that can sometimes help provide an additional reassurance to people. It’s a way that it adds a little more friction to the system, and it slows it down. For somebody who might be trying to also get into their DRS account. So, I know that’s a frequent phone call when a person calls and says, hey, my bank account was compromised, I need to change my account number or something like that.

We’ll work with them on getting things updated, but there are other ways we can help prevent additional fraud, or for the fraud to cascade or domino for them.

Michael

Absolutely. So, if somebody does call us, you know, with one of those unfortunate scenarios. Yeah, we kind of make some recommendations for, hey, make sure to contact these other places. But in terms of securing DRS, yeah, you touched on a very important part. They might not want that online access. They might use it once every five years. We can absolutely disable that access.

And even if you’re not registered, we can disable that access before there’s a registration. And potentially before there’s a fraudulent registration.

Seth

Yeah.

Michael

And another thing that we offer is, you know, we’ve been talking about multi-factor authentication here is when you call the DRS, we have what we call a code word. But you can kind of think of it like a multi-factor authentication. When you call, we’re going to ask some verification questions. And then you need to provide us this code word or password or a multi-factor authentication on the phone to really validate that you are you, you know, this is going to be a unique word that you make up. So you could always put those on even if your identity hasn’t been compromised.

Seth

Yeah. We try to help customers keep their account as secure as possible.

Jenny

I wanted to put in an extra plug for just folks who may not have a DRS online account yet. That’s important to do, even if you’re years away from retirement. I actually worked for the state for, you know, 4 or 5 years before I changed jobs and then started working for DRS and then created my online account. But it’s very handy because you can go in there.

You obviously change your beneficiaries, access DCP, but also like running the benefit estimator. And we’ve talked about things like this before, but you can also go in and check your service credits to make sure that you’re not missing any service credit. So yeah, just wanted to put in a plug for those who create an online account if you don’t have one.

Seth

It’s such great advice because I think especially younger folks, retirement is so far away. It’s just thinking about like, why would I do this? But yeah, updating your beneficiary is a super easy thing to do online. And for folks who get married or get divorced or have a child like that, it’s perfect time to go in and create your account, get your beneficiary updated, and then you can run all sorts of scenarios of like, well, what if I did quit today?

Yeah. What would my pension be at 65? That can be sometimes inspiring, sometimes maybe less inspiring, or make you feel like you need to work a little bit longer. But yeah, there’s lots of great tools within the online account. And back to Michael’s point, another frequent area where we see customers’ accounts be compromised is because they never set up an account.

So, somebody else sets up the account for them. And we have mechanisms to try to prevent that from happening. But it is something that can compromise an account. So, it’s another good reason to set up an account as soon as you can. Thanks, Michael.

Michael

Absolutely. Thanks for having me.

Jenny

All right. Thank you so much.

Michael

Thank you.

[music outro]

Disclaimer

Thanks for listening. And now we’d love to hear from you. What topics would you like to hear about? What questions do you have for us? Send an email to drs.podcasts@drs.wa.gov that’s drs.podcasts@drs.wa.gov. The Department of Retirement Systems provides this podcast as a public service, but it’s neither a legal interpretation nor a statement of DRS policy.

References to any specific product or entity do not constitute an endorsement or recommendation. The views expressed by guests are their own, and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by DRS employees are those of the employees and do not necessarily reflect the view of DRS or any of its officials.