Inside Mercury

How we approach account security at Mercury

Written By

Jake Keuhlen, Head of Core Product Engineering

How we approach account security at Mercury
Copy Link
Share on Twitter
Share on LinkedIn
Share on Facebook
Linegraph tracking a Mercury account balance
Banking engineered for startupsExplore MercuryMercury is a financial technology company, not a bank. Banking services provided by Choice Financial Group, Column N.A., and Evolve Bank & Trust, Members FDIC.
Copy Link
Share on Twitter
Share on LinkedIn
Share on Facebook

With over 100K startups that trust Mercury for banking*, it’s our job to do whatever we can to ensure the security of your account and make it as easy as possible for you to do the rest. You work hard to grow your business, so we work hard to keep it safe.

In practice, this means adapting our account security strategy in lock-step with an ever-evolving financial landscape. Generally, the more layers of protection your account has, the less likely it is to be targeted and breached by a creative hacker or phishing agent.

Similarly to how we approach the rest of your Mercury experience, our approach to account security is meant to prioritize your safety without compromising user experience. The most recent addition to our security system, WebAuthn, is an important part of this approach. This powerful infrastructure allows each user to select their choice of authenticators to verify their identity — allowing them to keep their account secure on their own terms. It’s just one piece of the puzzle that is multi-factor authentication (MFA).

What is multi-factor authentication?

MFA is an identity verification procedure that requires a user to produce multiple types of information (i.e., "factors") in order to prove who they are. These factors fall into three attribute categories: "something you know," "something you have," and "something you are." At Mercury, we always require you to present two of these factors in order to be authenticated.

Read on to learn a bit more about each of these three factors.

Something you know

"Something you know" refers to a password, which serves as your first line of defense against an imposter.

Here are the measures we take to help ensure that your password is a strong one:

  1. We require a minimum password length of 10 characters. We’ve chosen a length just slightly above the National Institute of Standards and Technology (NIST)'s suggested minimum of eight characters to boost your basic level of protection without making it too much of a chore for you. In line with this philosophy, we don’t impose any specifications on how many special characters you need to include.
  2. We use Have I Been Pwned to check passwords you create against those found in data breaches. One indication of a password’s strength is whether it’s been leaked before. Preventing the reuse of breached passwords ensures that an attacker can't trace a leaked password you already use for your other accounts back to your Mercury account.
  3. We enforce a rate limit. After too many incorrect login attempts, our system will automatically lock your account. We take this action on the assumption that your account is under siege by a brute-force attack, but if you do find yourself shut out of your account after a few too many mistypes, you can always restore your access by following the “Forgot Password” flow.
  4. We do not require password rotation. Our MFA requirement fills the gap that old password rotation policies have attempted to alleviate. We’ve also found that forcing users to constantly reset their passwords can be counterproductive, generally leading to poorer quality passwords and more reuse across services.
  5. We never store or log passwords in plaintext. A plaintext password is one that is written in its pure, unadulterated form — completely devoid of any encryption to deflect machine or human eyes. Organizations that store their passwords in a spreadsheet, for example, would easily find their downfall in a database dump. After all, even passwords need passwords — which is why we hash all of ours with bcrypt, an algorithm that converts plaintext into a series of unintelligible characters.

The combination of these simple choices strikes a balance between establishing basic requirements and covering gaps where users could potentially weaken their own security. So how can you do your part? Use a password generator to create strong, unguessable passwords.

Something you have

"Something you have" refers to proving your identity with something in your possession.

Our approach to "something you have" may be slightly different than what you’ve seen from most financial institutions. To begin with, we require it as a baseline level of security, meaning it cannot be disabled. Secondly, we do not permit the use of text messages (SMS) as a confirmation apparatus.

SMS-based authentication is seen as the de facto standard of MFA by many organizations, lending to its convenience for the user to confirm their identity from a personal device that is associated with a pre-registered phone number. The problem is that it’s also convenient to bypass.

Here’s one technique used by hackers: Imagine someone walks into any phone carrier or SMS-as-a-service store in the U.S. and signs up for a new account. They tell an employee that they’d like to transfer their “old phone number” — in actuality, your current phone number — to this new account. Once they make the switch, you lose access to your number while the hacker receives the texts and calls with all of your MFA codes.

Another common maneuver is a full SIM swap. A crafty agent will start by collecting information about you that’s available online or in other data breaches. Armed with this information, they’ll assume your identity and approach a mobile carrier employee, claiming to have lost their phone. To seal the deal, they will convince the mobile carrier employee to activate your SIM card on their device. In this case, the imposter will also receive your MFA codes.

To avoid the risk of granting unauthorized third-party access to your funds, we utilize soft tokens, which are secret keys you can store on your phone (or sometimes in a password manager) that generate time-based one-time passwords (TOTP) every 60 seconds. Soft tokens are typically easy and free for users to download, and, when used correctly, they can provide a significant amount of added security. In case you lose the device where your key is stored, we also offer one-time-use backup codes that you can download and stow away in a safe location if needed. Each of these codes can be used once to log into your account.

This factor of authentication is also where WebAuthn comes in, serving as an even more secure form of "something you have." This is a protocol that can rely on a number of authenticator devices  — including Windows Hello, Google Authenticator, or even a physical YubiKey — to verify your identity.

Almost all modern laptops and cell phones ship with what is called a Hardware Security Module — essentially a physical component of the device that handles secure information on the user's behalf. Leveraging public key cryptography, we’re able to authenticate a user with even more certainty and security than with TOTP codes because the interaction between your device and the requesting server is scoped to a single allowable domain. This means a phishing attacker can't set up a look-alike website and trick you into providing your credentials. Your keys will simply refuse to authenticate on the fake domains.

Something you are

If you've used our iOS or Android apps before, you’re probably familiar with the third factor of authentication: “something you are." It almost always involves a biometric signature, which is a body characteristic unique to each person.

On your laptop, you’re given the option to set up Touch ID, and on your mobile device, you’re also given the option to set up Face ID. This method combines security with convenience — unlike a password that you could forget or a key you could lose, you always have your face or fingerprint conveniently on hand. With this functionality, your unique biometric data is able to encrypt a token stored locally on your device. The combination of your biometrics alongside your phone gives us far more certainty to unlock your account than just a password — and it allows us to present you with a more seamless login experience.


Offering best-in-class security to our customers is a never-ending work in progress, but it’s one important step towards offering best-in-class banking. With Mercury, you can get free checking and savings accounts, debit and credit cards, domestic and international (USD) wire transfers, as well as access to products like Treasury and Venture Debt — all with the confidence that your business is in good hands.

Not sure about Mercury? Give our demo a spin to see it in action.

*Mercury is a financial technology company, not a bank. Banking services provided by Choice Financial Group and Evolve Bank & Trust®; Members FDIC. The Mercury Debit Cards are issued by Choice Financial Group and Evolve Bank & Trust, Members FDIC, pursuant to licenses from Mastercard. The IO Card is issued by Patriot Bank, Member FDIC, pursuant to a license from Mastercard.

This communication does not constitute an offer to sell or the solicitation of any offer to purchase an interest in any of the Mercury Advisory, LLC investments or accounts described herein. Some of the data contained in this article was obtained from sources believed to be accurate but has not been independently verified. No representation is made that any investment will or is likely to achieve its objectives or that any investor will or is likely to achieve results comparable to those shown. Past performance is not indicative and is no guarantee of future results.

Notes
Written by

Jake Keuhlen, Head of Core Product Engineering

Share
Copy Link
Share on Twitter
Share on LinkedIn
Share on Facebook