SinglePoint Security: Authentication, Encryption and Commercial Fraud Controls

SinglePoint security is designed around the threat model American commercial banks actually face — business email compromise, wire fraud, credential stuffing, account takeover and supply-chain attacks on payment files. Every SinglePoint session is mediated through multi-factor authentication, TLS 1.3 transport encryption, AES-256 at-rest encryption, SOC 2 Type II audited controls, NIST 800-53 aligned configuration baselines and GLBA Safeguards-Rule-compliant administrative oversight.

This page documents the authentication stack, transport and storage encryption, fraud controls, audit trail, session management and regulatory footing behind SinglePoint. Oversight is provided by the OCC and Federal Reserve.

SinglePoint Authentication Stack

How SinglePoint establishes trust before a single payment field is touched.

SinglePoint authentication layers three factors. The first factor is the password — minimum 12 characters, mixed case, numeric and symbol, rotated on a Company-Administrator-configurable schedule, checked against a blocklist of breached credentials sourced from external threat intelligence. The second factor is the SinglePoint token — delivered through the U.S. Bank token app on iOS and Android for most users, or as a physical hardware token for users who cannot install the mobile app. The token generates a time-based one-time password (TOTP) bound to a device-unique cryptographic seed, and the seed never leaves the token. The third, optional factor is biometric — Face ID or fingerprint on the mobile device — which unlocks the token app and allows CFOs to approve wires from their phones without retyping the TOTP.

Every SinglePoint sign-in requires factor 1 + factor 2. High-risk transactions — a wire to a brand-new beneficiary, a payment above a configurable dollar threshold, a sign-in from a new IP address or a new device — re-challenge the token at the point of release, not just at the point of sign-in. This prevents an attacker who has harvested a password and a single TOTP from pushing funds to an attacker-controlled account after the session is established.
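The release-time re-challenge described above can be sketched as follows. This is an added example, not SinglePoint's code: the 30-second step, the single-use rule per time step, the `ctx`/`txn` field names and the threshold value are assumptions, and the seed is the public RFC 6238 test seed.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per time step: RFC 6238 default, assumed (the page gives none)

def totp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time-step counter (HOTP truncation, HMAC-SHA1)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Accepts each time step at most once, so a captured code cannot be replayed."""
    def __init__(self, seed: bytes):
        self.seed, self.last_used = seed, -1

    def verify(self, code: str, now: int, drift: int = 1) -> bool:
        current = now // STEP
        for c in range(current - drift, current + drift + 1):
            if c > self.last_used and hmac.compare_digest(totp(self.seed, c), code):
                self.last_used = c  # burn this step and every earlier one
                return True
        return False

def needs_step_up(txn: dict, ctx: dict, threshold: int) -> bool:
    """Triggers named on the page: new beneficiary, large amount, new IP or device."""
    return (txn["beneficiary"] not in ctx["known_beneficiaries"]
            or txn["amount"] > threshold
            or ctx["ip"] not in ctx["known_ips"]
            or ctx["device"] not in ctx["known_devices"])

def release(txn, ctx, verifier, threshold, code, now) -> str:
    """Re-challenge the token at release time when the transaction is high-risk."""
    if needs_step_up(txn, ctx, threshold) and not (code and verifier.verify(code, now)):
        return "held"
    return "released"

def demo():
    """Constructed scenario: sign-in code replayed at release, then a fresh code."""
    seed = b"12345678901234567890"  # RFC 6238 test seed, not a real token seed
    v = TokenVerifier(seed)
    ctx = {"ip": "198.51.100.7", "device": "laptop-1", "known_ips": {"198.51.100.7"},
           "known_devices": {"laptop-1"}, "known_beneficiaries": {"ACME-001"}}
    wire = {"beneficiary": "NEW-999", "amount": 5_000}
    signin_code = totp(seed, 1000 // STEP)
    signed_in = v.verify(signin_code, 1000)                    # sign-in consumes the code
    replay = release(wire, ctx, v, 10_000, signin_code, 1010)  # harvested code reused
    fresh = release(wire, ctx, v, 10_000, totp(seed, 1040 // STEP), 1040)
    return signed_in, replay, fresh
```

The wire to the new beneficiary is held when the sign-in code is presented again and released only with a code from a later time step.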

SinglePoint sign-in lockout triggers after five consecutive failed password attempts. Lockouts require Company Administrator unlock or phone verification through the SinglePoint Service Centre at 1-800-377-3404. IP allowlisting is available for customers who want to restrict SinglePoint access to corporate IP ranges, and sensitive roles can be configured to require sign-in only from allowlisted networks. Session inactivity timeout is 15 minutes; hard session cap is 8 hours.

SinglePoint Security Control Matrix

Layer-by-layer view of the SinglePoint security posture.

| Security Layer | Technology | Standard | SinglePoint Module |
|---|---|---|---|
| Authentication | MFA with TOTP token | NIST SP 800-63B AAL2 | Sign-in + release challenge |
| Transport encryption | TLS 1.3 with PFS | NIST SP 800-52 Rev. 2 | All HTTP + API traffic |
| At-rest encryption | AES-256 | FIPS 140-2 / 140-3 | Database, backups, archives |
| Access governance | RBAC + dual control | OCC Heightened Standards | User Management |
| Payment fraud | ML anomaly detection | NIST 800-53 SI-4 | Positive Pay, wire review |
| Audit logging | Immutable 7-year retention | SOC 2 Type II | Audit Trail report |
| Incident response | 24/7 SOC monitoring | NIST 800-61 Rev. 2 | Fraud Desk escalation |
| Privacy | Data minimization + purpose limitation | GLBA Safeguards Rule | Enterprise privacy program |

Encryption in Transit and at Rest

The cryptographic posture behind every SinglePoint byte.

SinglePoint enforces TLS 1.3 for every browser and API connection, with Perfect Forward Secrecy cipher suites only and HTTP Strict Transport Security (HSTS) preloaded. TLS 1.0 and 1.1 are disabled at the load balancer and have been for years in alignment with PCI-DSS and NIST 800-52 Rev. 2 guidance. Certificate pinning is applied on the U.S. Bank token app to prevent TLS interception on compromised Wi-Fi. Inside the data center, service-to-service traffic is mutually authenticated with short-lived workload certificates.

Data at rest inside SinglePoint (account balances, transaction records, user credentials, audit logs, BAI2 exports, document uploads) is encrypted with AES-256. Key management uses a FIPS 140-2/140-3 validated hardware security module (HSM); keys are rotated on a documented schedule and never exposed to application hosts. Database-level encryption is supplemented by column-level encryption for the most sensitive fields such as TIN and account number digest. Backups are encrypted with distinct keys and replicated across geographically separate U.S. regions for disaster recovery.

Commercial Fraud Controls

How SinglePoint stops attackers even after credentials are compromised.

Passwords leak. MFA can be phished. That is why SinglePoint layers transaction-level fraud controls on top of authentication. Dual control is the foundation — any payment above a Company-Administrator-configured threshold requires a second approver on a separate device. The attacker who compromises one user cannot release funds alone. Positive Pay validates every check presented for payment against an issue file uploaded by the customer; mismatches are held for exception decision before posting. ACH Positive Pay extends the same idea to electronic debits, letting Company Administrators whitelist originators and block all others.
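The check Positive Pay match described above, as an added example that is not SinglePoint's implementation. The issue-file columns, the matched fields (account, check number, amount, payee) and the exception reasons are assumptions, and all data is constructed.

```python
import csv, io
from decimal import Decimal

# Constructed issue file; the column layout is hypothetical, not SinglePoint's format.
ISSUE_FILE = """account,check_no,amount,payee
4471,1001,1250.00,Acme Supply
4471,1002,980.50,Northside Freight
4471,1003,15000.00,Delta Tooling
"""

def load_issues(text):
    """Index issued checks by (account, check number)."""
    issues = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues[(row["account"], row["check_no"])] = {
            "amount": Decimal(row["amount"]), "payee": row["payee"], "paid": False}
    return issues

def decide(issues, item):
    """Return ('pay', None) or ('hold', reason) for one presented check."""
    issued = issues.get((item["account"], item["check_no"]))
    if issued is None:
        return "hold", "not in issue file"
    if issued["paid"]:
        return "hold", "duplicate presentment"
    if Decimal(item["amount"]) != issued["amount"]:
        return "hold", "amount mismatch"
    if item["payee"].strip().casefold() != issued["payee"].casefold():
        return "hold", "payee mismatch"
    issued["paid"] = True  # only a clean match consumes the issued item
    return "pay", None

def run_presentment(issue_text, presented):
    """Decide every presented item in order against one issue file."""
    issues = load_issues(issue_text)
    return [decide(issues, item) for item in presented]

# Constructed presentment batch: one clean item and four exception cases.
PRESENTED = [
    {"account": "4471", "check_no": "1001", "amount": "1250.00", "payee": "Acme Supply"},
    {"account": "4471", "check_no": "1002", "amount": "9980.50", "payee": "Northside Freight"},
    {"account": "4471", "check_no": "1003", "amount": "15000.00", "payee": "D. Tooling LLC"},
    {"account": "4471", "check_no": "1001", "amount": "1250.00", "payee": "Acme Supply"},
    {"account": "4471", "check_no": "2077", "amount": "400.00", "payee": "Unknown"},
]
```

Items that come back as `hold` are the exceptions that wait for a customer decision before posting.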

SinglePoint runs machine-learning anomaly detection on every wire and ACH batch. Models score transactions on beneficiary novelty, amount deviation from historical norms, sign-in device and geolocation, time-of-day pattern and known fraud indicators. High-score transactions trigger Fraud Desk review before release; the customer gets a phone call from a representative at 1-800-377-3404, who confirms the wire out-of-band. This has intercepted millions of dollars of business email compromise (BEC) attempts on SinglePoint clients. Fraud and identity theft consumer education is published by the Federal Trade Commission.

Customers report suspicious SinglePoint-themed phishing to phishing@singlepointportal.at. The SinglePoint Fraud Desk ingests the reports, takes down phishing sites through registrar partnerships and updates mail-filter signatures to protect other customers. If a customer entered credentials on a phishing page, immediate phone escalation to 1-800-377-3404 triggers password rotation, token revocation and heightened fraud monitoring on affected accounts. CFPB publishes additional consumer-facing resources on protecting financial information.

Security Profile

  • Authentication: MFA mandatory, 5-attempt lockout, 15-minute idle timeout, step-up challenge on high-risk releases.
  • Encryption: TLS 1.3 in transit (HSTS preloaded), AES-256 at rest, FIPS 140-2/3 HSM key management.
  • Fraud controls: dual-control approvals, Positive Pay, ACH Positive Pay, ML wire scoring, Fraud Desk out-of-band confirmation.
  • Audit: immutable 7-year retention aligned with OCC record-keeping expectations.
  • Compliance: SOC 2 Type II, NIST 800-53, PCI-DSS, GLBA Safeguards, Reg E dispute rights, BSA/AML screening.
  • Incident response: 24/7 SOC, OCC-aligned 36-hour incident notification rule.

Regulatory and Compliance Footing

The federal framework that shapes SinglePoint controls.

SinglePoint operates under the supervisory jurisdiction of the Office of the Comptroller of the Currency (OCC), which charters, regulates and examines U.S. Bank National Association. OCC examination cycles assess the enterprise information security program, third-party risk management under OCC Bulletin 2013-29, incident response and governance. SinglePoint-specific controls are tested as part of the broader digital commercial banking examination scope.

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requires financial institutions to maintain a written information security program, designate a qualified individual to oversee it, perform risk assessments, and deploy access controls, encryption, MFA, continuous monitoring and vendor oversight. SinglePoint inherits the U.S. Bank enterprise program and overlays commercial-grade controls on top.

Additional frameworks shape the SinglePoint posture: NIST 800-53 control catalog alignment, SOC 2 Type II annual audit, PCI-DSS for card data handling, Regulation E dispute rights (with commercial carve-outs where applicable), Regulation CC for check funds availability, BSA/AML transaction monitoring and OFAC sanctions screening on every wire and ACH beneficiary. Material cyber incidents affecting the bank are reported to the OCC under the Computer-Security Incident Notification rule within 36 hours of determination. Securities law obligations for U.S. Bancorp as a public company flow through the U.S. Securities and Exchange Commission.

Customer-Side Security Responsibilities

SinglePoint security is a shared responsibility model.

No commercial banking platform can protect a customer from themselves. SinglePoint pairs enterprise-grade controls with customer-side practices the Company Administrator is expected to enforce. Use unique, strong passwords and rotate them on the configured schedule. Never share tokens or TOTP codes; the SinglePoint Service Centre will never ask for a TOTP over the phone. Reconcile accounts daily; Positive Pay exceptions decay to default-pay if not actioned before the cut-off. Maintain an up-to-date Company Administrator: an orphaned admin role is a sign-in recovery nightmare that can delay fraud response. Report suspected phishing immediately to phishing@singlepointportal.at. Keep browsers, mobile OS and the U.S. Bank token app patched to current releases.

People Also Ask About SinglePoint Security

How does SinglePoint MFA work?
SinglePoint MFA combines password + cryptographic token + optional biometric. The token is issued through the U.S. Bank token app or as a hardware token. High-risk transactions re-challenge the token at release.

What should I do if my SinglePoint token is lost?
Phone 1-800-377-3404 immediately. The Service Centre revokes the device in the entitlements engine and coordinates replacement with your Company Administrator.

How do I report phishing that impersonates SinglePoint?
Forward suspicious messages to phishing@singlepointportal.at with full headers. Do not click links. If you entered credentials, phone 1-800-377-3404 immediately for password rotation.

Is SinglePoint compliant with GLBA?
Yes. SinglePoint inherits U.S. Bank's GLBA Safeguards Rule program: written information security program, risk assessments, access controls, encryption, MFA, continuous monitoring and incident response.

What OCC cybersecurity requirements apply to SinglePoint?
SinglePoint falls under OCC Heightened Standards, third-party risk guidance in OCC Bulletin 2013-29 and the Computer-Security Incident Notification rule (36-hour reporting).
