9

It seems that every single banking & financial website that I have used logs me out after a certain period of time.

Are there legal requirements or technical reasons for financial sites to do this? Or is this just their form of "security" to prevent others from accessing your account should you forget to log off or secure your computer or device?

This is very poor user experience in my opinion. Google does not log me out after such a short period of time, and I feel that my Google account with 2-Step Verification and a legion of extremely intelligent engineers is far more secure than my banking accounts.

It seems I should be able to choose whether these sites log me out automatically, or if I may stay logged in for a reasonable period of time (30 - 90 days being common for other sites).

Edit:

I believe the selected answer is the most complete answer to the question, but none of the reasons seem to be good reasons for banks to end your session.

There are a couple of levels of risk associated with an attacker gaining access to your banking website session:

  1. viewing your private (financial) information
  2. modifying your account (this includes stealing money, locking you out, etc.)

This same situation exists on any website account, but for financial websites, and for most people, #2 is far more severe than for other types of sites.

I think a better solution than logging users out would be to:

  1. default the session timeout to a short duration
  2. allow the user to change the session timeout for his/her account
  3. require re-authentication for actions that modify the account or move money around
mkopala
  • If you choose to stay logged in for 90 days, and your life savings get stolen, are you going to accept the fault and be okay with not getting any of that money back? Or are you going to - regardless of the fact it was *your* misinformed choice that caused the issue - expect your bank to resolve the issue, give your money back, and take the huge PR hit involved with an account being compromised? – Anthony Grist Apr 03 '14 at 14:47
  • As I mentioned above, any changes that **modify** your account - such as moving money out of it - should (re)require your authentication. – mkopala Apr 03 '14 at 20:35
  • It would be nice if the user could adjust settings based on their threshold for risk. I'm seriously considering changing banks due to mine claiming a time out after just a few seconds. Calls to the financial institution in question are useless as they invariably claim I'm not using an up to date browser. However it doesn't seem to matter if I'm using the latest Google Chrome Version 50.0.2661.86 as of writing or the latest Firefox 45.0.2. I have no intention of staying logged in for 90 days or even 90 minutes. My account at the credit union doesn't suffer from this problem. – Elder Geek Apr 26 '16 at 16:59

7 Answers

14

It's for your security. This way people can't accidentally stay logged into their account, so anyone with access to your computer has full access to your bank account.

This way thieves don't have motivation to break into your house to steal your computer not just for the value of the computer, but potentially to get access to your life's savings and use it to purchase items, transfer funds out of the country, etc. (Yes, they could break in, install keyloggers, and potentially do the same attack.)

Power gmail users will check their email accounts hundreds of times a day; having to re-log in every time would be overly burdensome. Your bank account you only need to log in rarely; maybe for 10 minutes once a week or month.

The potential repercussions of a stolen bank account are typically more severe to the average user than the repercussions of having your email account stolen.

Not to say that losing your email account can't have severe repercussions as well (especially if you can use your email to reset passwords, use as part of 2-factor authentication, use for social engineering, etc.)

dr jimbob
9

If your bank issues credit cards, it must maintain PCI-DSS compliance.

PCI-DSS requirement 8.1.8 states:

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

Gqqnbig
John Wu
5

Session expiry is incorporated into applications to safeguard the user from session hijacking or cookie thefts.

Not all users are tech savvy and might not understand what session hijacking or cookie thefts are. So forcing the users to log in after every few minutes of inactivity is for safeguarding the user's information.

Banking applications use cookies and sessions to maintain the user state and security. Inactivating the cookies after a few minutes of idle time makes it impossible for the hacker who stole the cookie to log in too.

woliveirajr
akr
  • This doesn't address the question of why **banks & financial websites** specifically do this. – mkopala Apr 03 '14 at 20:40
  • @mkopala Nobody is going to come to Google asking them to give them back thousands of dollars. – Casey Sep 09 '14 at 19:02
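The policy the question proposes (a short default idle timeout, a per-account override, and re-authentication before anything that moves money), the 15-minute idle limit quoted from PCI DSS 8.1.8 above, and this answer's point that idle expiry makes a stolen cookie worthless are shown together in the following added example. It is illustrative code written for this page, not any bank's or framework's implementation; the cap on the user-chosen timeout, the absolute session lifetime, the step-up window and the action names are assumptions, and the FakeClock exists only so the walkthrough can fast-forward time.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Only the 15-minute idle limit below comes from the page (PCI DSS 8.1.8); the rest are assumptions.
DEFAULT_IDLE_TIMEOUT = 15 * 60   # inactivity before the session dies
MAX_IDLE_TIMEOUT = 60 * 60       # longest idle timeout a user may opt into (assumed cap)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard lifetime regardless of activity (assumed)
STEP_UP_WINDOW = 5 * 60          # max age of the last password check for money movement (assumed)
SENSITIVE_ACTIONS = {"transfer", "add_payee", "change_contact_details"}  # assumed action names

class SessionError(Exception): pass     # session unknown or expired: log in again
class ReauthRequired(Exception): pass   # session alive, but this action needs a fresh password check

class FakeClock:  # injectable clock so the walkthrough (and tests) can fast-forward time
    def __init__(self, start): self.now = start
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds

@dataclass
class Session:
    user: str
    created: float      # login time, for the absolute timeout
    last_seen: float    # last request, for the sliding idle timeout
    last_auth: float    # last password check, for step-up on sensitive actions
    idle_timeout: int   # per-user idle limit in seconds

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sha256(token) -> Session
        self._prefs = {}      # user -> chosen idle timeout in seconds

    @staticmethod
    def _key(token):
        # Keep only a hash of the bearer token: a dumped session table yields no usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def set_idle_timeout(self, user, seconds):
        # User-chosen timeout, clamped to [1 minute, MAX_IDLE_TIMEOUT]; returns the value in force.
        self._prefs[user] = max(60, min(int(seconds), MAX_IDLE_TIMEOUT))
        return self._prefs[user]

    def login(self, user):
        # The caller has already verified the password; mint an unguessable bearer token.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        timeout = self._prefs.get(user, DEFAULT_IDLE_TIMEOUT)
        self._sessions[self._key(token)] = Session(user, now, now, now, timeout)
        return token

    def _lookup(self, token):
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            raise SessionError("unknown session")
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > s.idle_timeout:
            del self._sessions[key]   # a stolen cookie replayed after this point is simply dead
            raise SessionError("session expired")
        s.last_seen = now             # sliding idle window
        return s

    def request(self, token, action):
        # Authorise one request: returns the user name, or raises.
        s = self._lookup(token)
        if action in SENSITIVE_ACTIONS and self._clock() - s.last_auth > STEP_UP_WINDOW:
            raise ReauthRequired(action)
        return s.user

    def reauthenticate(self, token, password_ok):
        # Step-up check; password_ok is the outcome of the caller's credential verification.
        s = self._lookup(token)
        if not password_ok:
            raise SessionError("bad credentials")
        s.last_auth = self._clock()

def outcome(store, token, action):
    # Map one request to a checkable result.
    try:
        return store.request(token, action)
    except ReauthRequired:
        return "reauth-required"
    except SessionError:
        return "expired"

def demo():
    # Replay the page's scenarios against the policy; returns the outcomes in order.
    clock, out = FakeClock(1_700_000_000.0), []
    store = SessionStore(clock)
    alice = store.login("alice")
    out.append(outcome(store, alice, "view_balance"))   # fresh login: allowed
    clock.advance(6 * 60)
    out.append(outcome(store, alice, "transfer"))       # money movement, last password check 6 min old
    store.reauthenticate(alice, password_ok=True)
    out.append(outcome(store, alice, "transfer"))       # allowed right after step-up
    clock.advance(16 * 60)
    out.append(outcome(store, alice, "view_balance"))   # idle past 15 min: cookie is dead, stolen or not
    store.set_idle_timeout("bob", 90 * 24 * 3600)       # asks for 90 days, gets the 60-minute cap
    bob = store.login("bob")
    clock.advance(45 * 60)
    out.append(outcome(store, bob, "view_balance"))     # inside the cap, though past the 15-min default
    clock.advance(61 * 60)
    out.append(outcome(store, bob, "view_balance"))     # beyond the cap
    return out
```

Calling `demo()` returns `["alice", "reauth-required", "alice", "expired", "bob", "expired"]`: viewing is allowed while the session is fresh, a transfer is refused until the password is checked again, an idle session is deleted server-side so a replayed cookie fails rather than resuming, and a user who asks for a 90-day timeout gets the capped value. The three timers are deliberately separate: the idle timer addresses the walked-away-from-the-desk case, the absolute lifetime bounds how long any stolen cookie can be useful even on an active session, and the step-up window limits what a hijacked but live session can do. In a real deployment the token would travel in an HttpOnly, Secure cookie and the password check behind `password_ok` would be the bank's own credential or MFA verification.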
5

As well as the above answers, it's also to prevent people hopping onto your computer if you're away from your machine.

For example, if Bob signs into his online banking in his workplace, then decides to grab a coffee without locking his workstation first; then anyone could walk past and jump straight into his bank account.

With the X minute expiration/log out, this problem is greatly reduced if Bob gets distracted with other tasks.

Ben Poulson
2

Most banking IT stacks are outdated and are houses of cards waiting to fall. Something as easy as implementing a configurable session timeout and asking for re-authentication on sensitive actions is easy on a sane stack, but it's a tremendous endeavour on 30-year-old mainframes with a strong COBOL smell.

Another point to consider is that given the current absence of competition (all banks are bad in terms of UX), there is no business incentive for them to justify "wasting" developer time on this.

André Borie
-1

The real answer is that websites run on shared devices like internet cafes. Mobile banking apps run on personal devices, typically don't log you out, and secure very sensitive areas with additional PINs or biometrics.

Frank
  • This is not the "real" answer at all. The PCI-DSS requirements, and all the other answers explaining the broad danger of someone accessing a computer when you are not there are the far, far better answers than the hyper-specific "shared devices". – schroeder Oct 06 '21 at 15:25
  • @schroeder the OP is talking about websites. Mobile banking apps don't log you out. They just require reauthentication. This is because they are personal devices and mobile banking apps are intended for a single user. The OP asks why websites log him out. As opposed to banking apps. Banking apps typically ask for YOUR PIN code to reauthenticate. The other answers don't address the OP's question. But I guess with your snooty tone you aren't open to being convinced – Frank Oct 07 '21 at 04:27
-2

These idle logout requirements are used in certain industries that deal with Personally Identifiable Information (PII). MFA is just one security measure; it has no effect once you're logged in. The leaking of a customer's PII can do a lot of damage to the customer as well as the company. If you are interested in what PII is all about see this training slide deck.

Example: a person is at a café and they log in to their bank, which shows the user's accounts, including their account numbers. They go to get some sugar for their coffee and forget to lock their screen. They get distracted by a conversation at the condiment area when someone sits down next to the table with the laptop. Now they just took a pic of the screen which has the account numbers and balances.

Fritz
  • The PCI-DSS answer provides a specific requirement. This answer does not make sense if applied to all the other web apps that maintain much longer timeouts, even though they also deal in more sensitive PII data categories. – schroeder Oct 06 '21 at 15:26
  • And the slide deck does not answer the question at all. – schroeder Oct 06 '21 at 15:29
  • It's a simple answer, and that is industries like banks have an obligation to protect their customers' PII. The slide deck tells you why that information must be protected. – Fritz Oct 06 '21 at 17:57
  • And that's not the question. And "PII" does not explain the timeout. This is a site of security professionals. PII is well-understood here. However, PII is not relevant in this context. – schroeder Oct 06 '21 at 19:50
  • Your added example is silly. Someone could take a picture from across the room while someone was sitting at the laptop... a timeout is not an effective control for that threat. – schroeder Oct 06 '21 at 20:06
  • Your example is a different situation, since if someone is working on their laptop in a crowded public place, they should use a screen protector. The idle logout is a last-ditch effort to protect the user's information. Like it or not, institutions like banks will always use this extra safeguard. – Fritz Oct 07 '21 at 14:17
  • You appear to have lost the plot. I know that they use this control. Because they are required to. but not for the reasons you have supplied. Your reasons do not make sense, especially in the light of the other answers that provide relevant details. Your claim that it is because of PII is simply incorrect. And your example threat is not relevant. – schroeder Oct 07 '21 at 15:01
  • My answer is exactly the same as the answer with the highest upvotes. If you don't know what PII is, study it more, because it covers pretty much every piece of data that you would NOT want someone to casually know about you. And PII is the only reason for the idle logout requirements, otherwise there would be no reason for it, since there would be no data to be stolen from you... – Fritz Oct 14 '21 at 17:19
  • Well, I lead whole teams of DPOs across an entire national sector working with Information Commissioner's Offices to adjust and affect interpretations of Data Protection regulations, so your wild, unsupported assumption that I must not know what PII is borne from the same logic that you've used to try to answer this question. You have no idea what you're talking about. – schroeder Oct 14 '21 at 17:58
  • If this is just the same as the other answer, then upvote that one. Don't provide a tangent to it without providing a unique perspective or adding something new and relevant to the Answers. – schroeder Oct 14 '21 at 17:59