Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.
Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.
Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.
> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.
This regularly blows my mind.
Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”
No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.
People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.
Well, I’m not doing business with a company that trusts any random phone carrier’s identity assertion more than me in determining what is and isn’t my phone number, so I guess it works out nicely.
And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.
Background check for a new employer resulted in me getting an email to my personal account:
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
My rule is simple: if you contact me, you are the one that had to authenticate. Otherwise you are probably a scammer.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
I don’t have a good way to authenticate someone is calling from the bank on my end.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
It is such a goddamned tragedy that we’ve come to this. And also an avoidable one: every E2E messaging app (WhatsApp, Android Messages, iMessage) should be able to properly authenticate the caller. But I presume services are asking too much money for this, and nobody wants to hand yet another vital service to Apple/Google/Meta. So instead we all suffer.
Be careful what you wish for. This problem is solved in China — you can contact many government agencies and major companies over WeChat and be sure that you're talking to the real entity, but the downside is that WeChat has a copy of your passport and knows everything about you.
I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.
Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.
It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.
If only there was tamper-proof, cryptographically secure chip in everyone's pockets, coupled with a handheld device that can wirelessly "read" that chip.
If it's in your pocket, then you might leave it in your other pants. Better to just have that chip embedded in your palm. You can even fashion it with LEDs that change color with your age. When you reach 30, you can then be told your Last Day has arrived and they are ready for Carrousel. I'm sure we can fold in plenty of other sci-fi tropes all at the same time too.
Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice, our birthdays are only two days apart.
I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.
No, it’s the lack of the banks setting up incentives that allow these agents to act in a better manner.
They have metrics and bosses. They do what they’re instructed to do by the banks, full stop. Or, more precisely, by the company that the bank contracted for the service.
It’s dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, incentivize their behavior. They’re only responding to the incentives of the system.
The passcode to call your bank for basic customer service probably shouldn’t be the same passcode that lets people spend money on your account. Even TOTP is better than this.
There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.
Is this another incarnation of Sofort? Fortunately nobody is forced to use the former nor the latter; you can either pay with card or just make your own SEPA transfer from any bank in Europe.
At least in Lithuania the "nobody is forced to use" is only partly true. Sometimes in the checkout flow you get links to the big-5 banks and that's it, even though technically the entire SEPA area should be ok.
It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.
Send people to the website to find your number, idiots.
My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.
Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.
My dad recently got a letter telling him that his bank account would be closed in 30 days if he didn't call the phone number listed on the letter.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
The complete lack of ANY kind of security, usability, and reference-ability in telephones and the continued use of them as the default communication method in business is absolutely fucking baffling to me. It's literally the worst communication method for anything: It requires verbal back and forth between two parties that's entirely dependent on your hearing the other person, with built in opportunities for mishearing. The immediate back and forth puts pressure on people to have everything they need ready lest they have to take time to respond while they figure something out. The entire conversation unless recorded is completely lost to the ether as soon as it ends, there's no way to reference back to any history, and transcriptions over crappy phone connections are less than useless. And to top it off, there is NO security AT ALL for these things, and any attempt to screen by contacts is constantly thwarted by every business that exists having between 4 and 4 billion fucking phone numbers because everything is done with phones and everyone working there needs one.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
I had a revelation this year. I have a new bank account and am not familiar with their procedure. For the first few calls they made to me, they asked some good questions; aside from my name they were negative, e.g. "did you do X thing in your app?", when we both knew that I did not. But then last time an operator called and asked me PII questions (birthday, address etc.). I got triggered and said "eh, sorry, won't tell you because unsafe". And she went "oh, no problem then - I will auth you in the app". Lo and behold, I immediately got a push from the bank app with her name, the phone number calling from and some details. So they do have a perfectly 1) safe, 2) repeatably reliable, 3) fast way to authenticate customers. They just mostly ignore it. I still simultaneously like them and am angry at them.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.
Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft who supply extensively to financial services, have updated their guidance about password policies.
At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.
I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords were not.
Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.
One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.
Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part.
This is fine for services you can easily access on a phone or computer.
My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.
I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.
My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.
I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.
Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".
So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.
The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.
Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.
Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.
There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.
I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabotaging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
8 years later, no one seems to care. Another thing NIST doesn't recommend is rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or that relate to the user name.
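An added example (not from the thread) of what a verifier following the quoted SP 800-63B guidance looks like in code: no periodic expiry, no composition rules, but a blocklist and a username check. The breach list is a constructed stand-in for a real breach corpus; the "previous password" comparison goes beyond the guidance to catch the Password1/Password2 rotation habit discussed in this thread.

```python
import unicodedata
from typing import Optional, Tuple

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers should accept at least 64 characters

# Constructed stand-in for a breach corpus / dictionary blocklist (lower case).
# A real deployment would query a breach dataset (e.g. a k-anonymity range API).
BREACHED = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome1", "iloveyou",
}
TRAILING = "0123456789!@#$%^&*.-_"


def normalize(password: str) -> str:
    """NFKC-normalize so the same visible password compares equal regardless
    of input method (800-63B recommends this before length/blocklist checks)."""
    return unicodedata.normalize("NFKC", password)


def core_of(password: str) -> str:
    """Lower-case the password and strip trailing digits/symbols, so
    'Summer2024!' and 'Summer2025!' collapse to the same core 'summer'."""
    return normalize(password).lower().rstrip(TRAILING)


def check_password(password: str, username: str,
                   previous: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rejects only what 800-63B says to reject: too short/long, present in the
    breach or dictionary list, or derived from the username. There are no
    composition rules ("must contain a symbol") and no expiry check here.
    The 'previous' comparison is an extension that rejects a password whose
    only change from the last one is the trailing digits/symbols.
    """
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    low = pw.lower()
    core = core_of(pw)
    if low in BREACHED or core in BREACHED:
        return False, "known weak or breached password"
    user = username.lower()
    if user and (user in low or (core and core in user)):
        return False, "derived from username"
    if len(set(low)) <= 2:
        return False, "repetitive characters"
    if previous is not None and core and core == core_of(previous):
        return False, "trivial variant of previous password"
    return True, "accepted"


def rotation_required(days_since_change: int, compromise_evidence: bool) -> bool:
    """800-63B: a change is forced only on evidence of compromise. The age of
    the secret is deliberately ignored, so days_since_change never matters."""
    return compromise_evidence
```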
And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.
Identity providing is a natural monopoly and should be provided by the state in same manner as a passport is provided.
We can discuss the implementation, but in Denmark and quite a few other countries the login problem in online government services and banking is solved by a single state-run identity provider (MitID), and hopefully the EU will be successful with its eIDAS initiative and provide a solution that works across country boundaries.
In the U.S., identity providing is not a role the government fills. Not everyone has to have a passport, for example. A passport is merely a purpose-specific tool for crossing borders, not general identity.
You have plenty of government id's in the US as well. Driver licenses, tax number, birth certificates ...
I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.
You can’t have privacy if everyone uses the government as an SSO.
People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.
> You can’t have privacy if everyone uses the government as an SSO.
Why not? Anonymous cryptographic attestation methods (e.g. of only the fact that you are over 18 years old, that you are a permanent resident etc.) exist.
But you can if you live in a well functioning democratic society - remember the alternative is not no id but privatized for profit identity providers like Google and Facebook.
A well functioning democratic society is an idea that the US explicitly rejects, because a democratic society can point a finger at you and that doesn't feel nice.
A well functioning democratic society is one of the valid states before an autocratic regime. The Nazi party was elected.
Apart from regime changes, being a functional democratic society doesn’t protect you from technical incompetence nor does it limit the ability for people with access to the DB from abusing it.
Android and iOS now support driving licenses for seven states. They’re working on an anonymous credential library to allow you to authenticate and verify to websites, and you can use tap-to-ID with TSA. You’re right that not everyone has a DMV-issued ID but other than that, we’re pretty close to having an optional national electronic ID.
In Norway our BankID system, which is similar to what the Danes have, is owned by the banks and is run by a private company.
While I personally think that in principle it should be run by the government,
it works well enough, and it is imo proof that it does not have to be run by the government.
Federal government or governments in general? As far as I can tell, driver licenses are doing in the US what id cards are doing in Europe, and they are issued by governments too.
While a driver's license does normally fill that role, it's not mandated and not everyone has a driver's license (or even a state issued ID).
Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.
Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).
This whole thread is going to motte & bailey between the various forms of US gov ID. Between the union of {SSN, birth cert, driver's license (or ID in lieu thereof)}, it seems to me there's the equivalent of a federal ID. Just, like everything else we do, a terrible incomprehensible mess to Europeans.
My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.
Well, what I was replying to is about who is providing the service. Whether or not the service is mandatory is a different question. I know places on the European continent where having an id and a registered address is mandatory, but the fine for noncompliance is about 1 EUR.
And the worst part is a federal ID would not enable tracking any more than your employers withholding wages for tax purposes and paying into Social Security does, but every time a federal ID has been proposed (which would be really useful as a way to keep SSNs from becoming something you have to disclose to everyone and their dog) it's been shut down by the "it's all a road to tyranny" crowd.
I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.
Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).
The government is already tracking things like your financial investments. Except now, they're doing it in a disconnected and sprawling way, centered around your SSN. Which is insecure.
I'm very paranoid about tracking and privacy, but the reality is that identity verification is just a necessary part of some services. Like opening a brokerage account, or riding a plane. So, if we HAVE to do it, we should have a more secure way of doing it. There's no reason we should be relying on easily-gathered 9 digit numbers.
Ironically, lax to nonexistent data privacy laws and the ubiquitous use of SSNs as globally unique identifiers are achieving exactly the outcome that the lack of government ID verification purportedly achieves.
I have developed for several banks in Europe and EIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still having alternate options smartcard with reader or smartcard based national app.
Most seem to favour using apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.
Italy has quite an interesting system[0] where multiple identity providers (authorized by the State) can be used to provide identification against the central database.
It'll probably be phased out at some point, but it's quite cool.
If it integrates with eIDAS, it doesn't necessarily have to be phased out. A very good pragmatic decision of eIDAS was recognizing that many member countries have different existing eID schemes, and federating them is easier than rolling out a new one from scratch.
Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity. Don’t be a privacy defeatist, the fight isn’t lost yet.
Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.
State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.
We have universal ID cards here in Belgium. They have a chip and along with a special card reader usb device you can log in to govt websites related to taxes, pension and basically everything else.
If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.
Where is the privacy problem if you use this system to consult your own civil data ? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.
> Resist every single effort to make it easier for merchants and private entities to strongly identify users
Maybe not having IDs is the reason why US doesn't have privacy protections and everybody can buy all the data anyway for 5 bucks from ad tech and telecoms.
The way identity providers are supposed to work is to not necessarily divulge your identity, but properties necessary for the respective service. For example, they can attest that you are an adult and a citizen of $country, but don’t need to disclose any further information. When using an identity provider with a third-party service, the attested attributes are displayed to the user to approve their disclosure. This is a bit like app permissions, where you can specify which app should be able to have which permission.
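An added example (not from the thread or from any real eID scheme) of the attribute-level disclosure this comment describes, modelled on SD-JWT: the issuer signs salted digests of each attribute, the holder presents only the attributes the service asked for, and the verifier checks those against the signature without ever seeing the others. The issuer's HMAC key stands in for a real signing key pair and is an assumption of the example; the attribute values are constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date
from typing import Dict, List, Tuple

# Assumption: a shared HMAC key stands in for the issuer's signature key.
# A real scheme would use an asymmetric signature so verifiers hold no secret.
ISSUER_KEY = b"constructed-issuer-key-for-example"


def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()


def is_over_18(birth_date: str, today: str) -> bool:
    """Issuer-side derivation: the relying party gets a yes/no, not the date."""
    dob, now = date.fromisoformat(birth_date), date.fromisoformat(today)
    try:
        eighteenth = dob.replace(year=dob.year + 18)
    except ValueError:  # born 29 Feb: the birthday falls on 1 March
        eighteenth = dob.replace(year=dob.year + 18, month=3, day=1)
    return now >= eighteenth


def issue(attributes: Dict[str, object], today: str) -> Tuple[dict, Dict[str, str]]:
    """Issuer side. Adds a derived 'age_over_18' attribute, commits to every
    attribute with a salted digest, and signs only the list of digests.
    Returns (credential, disclosures); the holder keeps both."""
    attrs = dict(attributes)
    attrs["age_over_18"] = is_over_18(attrs["birth_date"], today)
    disclosures = {}
    for name, value in attrs.items():
        salt = secrets.token_hex(16)          # fresh salt per attribute
        disclosures[name] = json.dumps([salt, name, value])
    digests = sorted(_digest(d) for d in disclosures.values())
    payload = json.dumps({"iss": "example-idp", "_sd": digests}, sort_keys=True)
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: Dict[str, str],
            requested: List[str]) -> dict:
    """Holder side: attach only the disclosures the relying party asked for.
    This is the step where the user sees and approves what will be shared."""
    return {"credential": credential,
            "disclosures": [disclosures[name] for name in requested]}


def verify(presentation: dict) -> Dict[str, object]:
    """Verifier side. Checks the issuer signature over the digest list, then
    checks that every disclosed attribute's digest is in that signed list.
    Returns the disclosed attributes; raises ValueError on any tampering."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise ValueError("bad issuer signature")
    signed = set(json.loads(cred["payload"])["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in signed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed
```

The random salts also stop a verifier from guessing undisclosed attributes by hashing candidate values against the signed digest list.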
But most sites will just require you to attest your full name. Additionally, they will require a unique ID that the govt might not bother changing between websites.
Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.
I've lived both in countries that have state-issued IDs and in the US, and I don't have much doubt about where I've felt better protected in terms of data privacy...
> Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity.
Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.
At one point I was researching using the Norwegian BankID system to ensure that accounts were real people.
The pricing model didn't make that look like a reasonable choice.
While I'm not surprised an eBay like service would be fine to pay to combat fraud. For a lot of offerings, paying the cost of using such services will not be worth it.
I'm so sick of retail clerks who insist on scanning the barcode of my driver's license. To verify I am 21 you don't need my height, weight, eye color, and home address. You can ascertain that by visually inspecting just the first two digits of my birth year.
Sounds like you may be aware, but no one should allow that to happen. When showing ID in retail situations I don't allow it to be removed from my hand.
My apartment wanted to use some 3rd party service to do ACH transfers for my rent. I just wanted to type in my bank's routing number and account number but this 3rd party service only worked if you gave it your bank username/password. I was like NOPE! And sent them a paper check. My guess is they had some permission from the bank to also suck down all your transaction history.
I'm too lazy to look up the service but it's a famous/popular service along the order of Plaid or something.
Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.
If someone does breach an account, it's incredibly difficult to pin on the bank.
If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.
I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.
There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.
You have to think of a Bank's threat model though.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate.
Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.)
And requiring a special app is quite difficult to automate.
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.
Offline backup codes, when printed, aren't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
Yes, but remember, the original scenario was a person leaving Canada and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access their account easily.
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
There are a lot of people who get confused using the SMS code they received, let alone setting up passkeys, or TOTP and backing up their codes, and so on. The systems are designed for those people, not you. Even offering passkeys or TOTP as an option is a customer support liability; that's another thing agents need to support when someone nontechnical inevitably enabled this by accident or has a family member set it up for them.
> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.
UBS Switzerland has a decent system. When I first opened the account 15 years ago we had a number pad of codes on paper we entered as the authentication. Then later we got a credit card sized electronic device where we enter a passcode and it gives us a one-time code to enter to login. And now we have an Access app - we go to the website, enter our contract number, point our phone at a QR code on the webpage and authenticate on the app, and the desktop browser logs us in. The access app also is used for logging in with the mobile banking app. It never relied on sms.
Super simple but probably costs some money to develop.
I think it's a Europe thing; we have the same solution in Denmark. Chip and PIN has been in Europe forever. I don't think the US has moved to this yet (although happy to be wrong), and I also believe they still like those bouncy checks that have sort of died elsewhere.
UK Banks like Barclays also had the small electronic credit card sized device from around 2011 or so (and now use the Mobile app for that), but other UK banks like Halifax are still doing passwords (they even have a limit of 18 chars) and just ask you for random characters of memorable words, so there's a big inconsistency even within a single country.
> TOTP Support: Let users use any standard authenticator
How many of them allow you to generate a code tied to a specific operation (providing context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
And I love that requirement. I do banking on my desktop and to confirm the transfers I get a push notification from a third-party application (ItsMe, so not a banking mobile app) with all the information I have entered.
I can confirm the transaction from a complete separate device while doing a second check if all details are correct.
The requirement per se is not the biggest problem. Implementation by different banks is. In my country I have several bank accounts.
One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).
Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.
Yet another bank allows me to have the mobile app on only one device. To activate it on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.
Although to be fair this EU requirement tends in practice to make things yet still more cumbersome - requiring multiple authentications in one online banking session.
This past weekend I was struggling to teach my 97-year old neighbor how to login to his RBC Bank account. It was an 11 step process!!! The state of technology in the Canadian banking system is abysmal.
Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]
Also to pay taxes, you have to type "CRA" into your bank's "Add Payee" searchbox and hope you pick the right result out of 5 different options that all have CRA in the title.
It's mind-boggling that this is the solution we've settled on.
As a European I again find it crazy what kinds of insecure stuff the banking industry in the US does. Chip+PIN arrived long after it did here, and SMS TAN is still a thing while the EU Payment Services Directive 2 (PSD2) forbade this in 2018, 7 years ago.
Many transactions are still authenticated via signatures on paper cheques, you can use your credit card without a second factor (also regulated by PSD2).
I just can't understand why they continue doing this, when I'd assume fixing this would cost less than what fraud must be costing them today.
In the case of credit card payments this is true, but for checks and other P2P payments, there is no merchant to pass on costs to.
For these, it's usually the banks absorbing the losses themselves (or their customers, if they aren't legally required to, but in many cases they are).
So an interesting trick I learned while suffering from the same issue is that roaming usually only applies to outbound data / SMS usage. So when I travel I disable data usage, and set my travel sim to be active and primary, but I can still receive SMS for free.
I work on the CMS side of banking, where promotions and current rates are posted regularly. All actual banking is done through a first-party link to external systems. The amount of scrutiny and regular application scanning for vulnerabilities that is done on the CMS software I've built drives me insane, considering the glaring holes in security that affect their systems that actually deal with money. I take security seriously, and it's one of the main selling points of the software I build, but knowing how poorly made these systems are that house what a malicious user actually wants makes me understand how much of society's systems play security theater.
In the US, I am seeing biometric authentication and/or 2FA on mobile apps for financial institutions. The issue is that these same institutions are still running their websites with the same security that was around in the early 2000s. You can take advantage of the mobile application and get better security, but you're still a target to someone that just accesses the website.
> I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.
When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.
People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.
Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).
We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.
Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?
I didn't understand it either, but on the "Security Now" podcast Steve said it's basically like using a FIDO2 key but virtualized in software. As I've used a yubikey and understand public/private keys (with ssh) I now have a vague idea.
As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!
I. don't. care. Because we have to cater to the absolute lowest denominator, I now can't use my credit card 90% of the time because I can't receive SMS when I'm traveling abroad? No, not everyone has a fking iPhone and iMessage. Nothing in your comment serves as a defense of most places only having SMS 2FA. Why can Capital One email me every critical account notification, but can't email me 2FA/OTP codes for confirming transactions when I'm on the other side of the world? Why?
It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.
You need to switch to a carrier that allows international roaming, preferably at no cost. A lot of the budget carriers like Mint don't. Those carriers are really really good, like truly 99% of the way there, but for very specific use-cases they have problems.
> No, not everyone has a fking iPhone and iMessage.
I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.
A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.
Only tangentially related, but I'm a Canadian who has been on a US cell provider (AT&T) for over a decade now because it's cheaper, especially when I used to spend a lot more time roaming in the US. The number of Canadian companies that fail silently when sending SMS to US numbers is too damn high.
My bank is one of those with Verified by Visa. Thankfully I've figured out that using the Voice option instead of Text will work but still that silent failure is really annoying.
> Even worse, these apps often become excuses, a reason to avoid implementing the open, interoperable standards that actually make a difference.
Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.
> The implementation of 3D Secure (3DS) primarily shifts the responsibility of transaction authentication to the customer. This approach is more about addressing legal and liability concerns than it is about enhancing security measures.
I remember my brother having a printed list of one-time-codes. I wonder why this is not mentioned? Not everyone wants to have their phone a single-point-of-failure. For me - breaking screen in my phone rendered my banking unavailable for me, which posed additional problem on how to pay for the screen replacement, not speaking about buying food etc.
I swear this is true: my old bank (Allianz) introduced a two factor authentication where they would show me a code upon login, then I HAD TO CALL THEM, go through a menu and punch in the code. I changed bank a couple months later.
Here in South Africa all the banks I know of moved away from SMS text messages for 2FA ages ago, and perform authentication in-app with biometrics instead. Having a banking app installed on your phone is pretty much mandatory, and criminals have no doubt grown wise to this fact. So what happens when someone holds a gun to your head and forces you to perform a large transfer of funds from your phone? I'm sure the banks will try to convince you that their fraud detection systems will come to your aid.
One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.
I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.
As far as I can tell, the reason why any given login is needlessly complex is that some product manager somewhere has outdated info in their head that says stuff like "passwords need 4 different character classes" and "everybody uses SMS for 2FA, we need to use that". Powerless devs then mindlessly implement what they're asked to implement.
Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.
Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
The problem with the suggestions here is that it puts all your eggs in the same basket. 1Password TOTP? If both your password and the TOTP are in your password manager, you arguably really just have a single factor, delegated to a third party (your password manager). PassKeys? Same problem. Storing your recovery keys in your password manager? You again just have 1 factor.
SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.
If you use a password manager, you might not be part of the target group that benefits most from a second factor.
A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.
The friction of changing bank accounts is high, and few people choose their bank accounts based on how easy the online authentication is. Unless a bank does this meaningfully much worse than their competitors (low bar) they have little incentive to fix it.
If you think TD is bad, try some European countries where there's only a handful of banks...
> If a system breaks in common scenarios, like international travel, it’s not a secure system. It’s a hostile one.
I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.
I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"
In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!
Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.
OP's problem sounds like failure to plan. If you are going to suspend your cell plan, you should probably check your authenticator works or have a backup option before you travel to another country.
I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.
A viable alternative is to offer multiple 2FA options, one of which should be RFC 6238 TOTP. The author would have probably planned ahead by selecting that rather than a proprietary app or SMS.
One thing I like about the Aegis authenticator app is the clear way it changes colors and even flashes to indicate a code is getting ready to change, so it is less common that you might start copying digits, glance away, and then finish copying digits from a different code.
But, I think it would still be a challenge for many elderly for other reasons.
Hardware tokens are a PITA. Sure, everyone has a house key, because they only have one house at a time. I have 3 bank accounts, a few brokerage accounts, and some pension logins on top of the regular stuff. I'm not going to carry 15 hardware tokens with me.
I know this was sarcasm, but bank card is not appropriate because you should have one hardware key for all services produced by an independent provider.
Your bank/credit/debit/etc. card is a “physical token with a crypto key that is protected by a password and tied to one's bank account”. FIDO and EMV even both use the same underlying ISO/IEC 7816 and 14443 protocols for communications.
Some of us don't want to have a dozen plus separate physical tokens (one for each of bank/credit card/tax, etc sites with sensitive financial information we have).
Still not sure about Passkeys. Or biometrics. But agree that their SMS based systems are way outdated. Which is odd because, at least at the Canadian banks, the mobile and web experiences are generally pretty modern and good.
It’s almost like the various departments that make these systems don’t talk to each other.
Pretty much the same thing with Chase. I had to access my account while overseas and had a somewhat similar story.
The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.
Really disturbing the banks still haven't secured this.
If you store them in a password manager it is pretty nice, but if not it can be pretty cumbersome, especially if using browsers with multiple profiles.
The reason it's a farce is because most banks are using some off the shelf system from one of the big vendors in the space OR legacy systems, or both. FIS is a good example.
They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.
You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.
> using some off the shelf system from one of the big vendors
This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.
If they created their own system, then they would be unable to offload the liability onto someone else.
> If they created their own system, then they would be unable to offload the liability onto someone else.
In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.
Banks are always facing a trade-off between security and regulatory accessibility requirements. A former employer offered ~10 different ways to perform step-up authentication for high risk activities to avoid getting slapped with fines.
Then again "regulatory accessibility" has little to do with usability. You can have an 11 step process which works with a screen reader and is still hell.
I think all the banks that I used for the last five years (from three different European countries) use the mobile app itself as a generator of security credentials. The app itself is pin protected.
Recovery paths vary -- from SMS and hardware code generators (a funny terminal to slot your bank card into) to government-managed PKI or ID cards.
I think only one of them is still using sms as a fallback for normal transaction confirmations.
They should all be shamed continually until they adopt the common sense ideas in the article.
Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.
Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”
We had SMS-auth in Norway until 15 years ago (?), then it was a special type of SMS popping all over your screen that was more secure. Now all that is gone and replaced with Apps for auth, with scanning of your Passport/NationalID using NFC + SMS the first time.
Wells Fargo offers RSA hardware tokens if you know how to ask for them:-)
Schwab offers a Symantec hardware token
Vanguard allows the use of a FIDO device (YubiKey)
Big corporations don’t fix anything unless it bleeds cash in an obvious way. Their siloed departments border on self-sabotage, and they only wake up when shareholders start shouting about lost profits—then they stall anyway.
I worked on a large platform (YC company, too!) previously on their 2FA implementation. While not ideal, it was decided to keep SMS 2FA because there are still people out there without smartphones or in general the ability to do TOTP. But they still have some means to access the site that wasn't a smartphone, I guess.
So, it's a bit of a compatibility issue. I guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details.
Anything that requires a cellphone bakes in BOTH a single point of failure and cumbersome extra steps. Terrible practice anyway - even though so many people here are in love with both single points of failure and extra steps.
ALLOWING methods X, Y or Z would be better reasoning.
How about one that accepts any length on create but truncates it in the DB so your password manager saves the long one you typed in when it’s actually cut off at 12 chars? Had that one recently.
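The truncation bug in the comment above is easy to reproduce. The following is an added example, not code posted by anyone in this thread: a password store that silently cuts the password to a 12-character column width before hashing (the failure mode described), next to a hardened store that hashes the full string and rejects, rather than truncates, input over a length cap that exists only to bound KDF cost. The column width, the byte cap and the PBKDF2 iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Assumption for the example; tune the KDF cost for your own hardware.
KDF_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over exactly the bytes we were given."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class TruncatingStore:
    """The bug: any length is accepted at registration, but a 12-char column
    (or the legacy code feeding it) cuts the password before hashing.  The
    user's password manager saved the long string; the bank only ever checks
    its first 12 characters, so every password sharing that prefix logs in."""

    COLUMN_WIDTH = 12  # assumed column width, as in the comment above

    def __init__(self):
        self._rows = {}  # user -> (salt, digest)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[user] = (salt, _derive(password[: self.COLUMN_WIDTH], salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self._rows[user]
        # The same truncation at login is what makes the prefix sufficient.
        return hmac.compare_digest(digest, _derive(password[: self.COLUMN_WIDTH], salt))


class Store:
    """Hardened form: hash the whole password.  A length limit is still useful
    (it caps the work an attacker can make the KDF do), but it is enforced by
    rejecting over-long input, never by quietly shortening it, so the stored
    secret is always derived from what the user actually submitted."""

    MAX_BYTES = 1024  # assumed cap, sized for DoS resistance rather than a column

    def __init__(self):
        self._rows = {}

    def register(self, user: str, password: str) -> None:
        if len(password.encode("utf-8")) > self.MAX_BYTES:
            raise ValueError("password longer than %d bytes" % self.MAX_BYTES)
        salt = os.urandom(16)
        self._rows[user] = (salt, _derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        if len(password.encode("utf-8")) > self.MAX_BYTES:
            return False
        salt, digest = self._rows[user]
        return hmac.compare_digest(digest, _derive(password, salt))


if __name__ == "__main__":
    long_pw = "correct horse battery staple"  # constructed sample password
    buggy, fixed = TruncatingStore(), Store()
    buggy.register("alice", long_pw)
    fixed.register("alice", long_pw)
    prefix = long_pw[:12]
    print("buggy store accepts 12-char prefix:", buggy.login("alice", prefix))
    print("fixed store accepts 12-char prefix:", fixed.login("alice", prefix))
```

The tell-tale symptom from the outside is exactly what the commenter hit: the password manager's stored value still works, but so does any string that starts with the same 12 characters. Testing a login with the first N characters of a known password is a cheap check to run against any site you suspect of doing this.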
Some banks do it properly. For example, my local credit union does Google Authenticator (actually TOTP, but they call it Google Authenticator). I use it with Authy on F-Droid.
Best thing that ever happened in this bleak security world is Google Authenticator. I haven’t used that app itself in years, preferring others, but the existence of it and it being non-proprietary, has done a lot to bring over the moderately-security-competent companies to thinking “hey, I guess we should support this.” Obviously that group excludes every American bank, every power utility, etc. They all want to email or text me a freaking code at each login for some reason.
Why is there no standardized e-ID in the US? How much money is wasted by different authorities and businesses having to reinvent the same wheel over and over? I have used the same auth for doing my taxes or checking my prescriptions or signing into my bank for 20 years.
From my experience in the US, UK (see https://en.wikipedia.org/wiki/NO2ID ) and Canada there is a cultural aversion to government ID. I believe it's the same in Aus and NZ, so it may be an Anglophone thing.
The current US administration is known for illegally deporting permanent residents and has stated intent to deport natural-born citizens. It should be self-evident why a centralized ID system under the control of the executive branch is a terrible idea.
Because without thoroughly-enshrined protections for identities, an e-ID system provides an avenue for the government to effectively de-person undesirables at will, by removing their ability to use banks, sign contracts, access healthcare, etc.
US government is deporting undesirables at will right now without any of that. On the other side of the world, where id is mandatory and e-id is used for everything that makes sense, the city hall gives free heroin injections to addicts as a last resort therapy and provides for illegal/undocumented homeless people so they don't shit on the street.
Neither of those prevents somebody from stealing bicycles though.
Broadly speaking: because they don't have to get it right.
Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.
Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.
While not wrong, it will be a big hassle for whoever is the fraud victim while things are reversed. You may even lose other things in your life because you are unable to pay bills you technically have the money for but cannot access the money.
This is all true and, most notably, not the bank's immediate concern.
The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.
(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy come back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).
None of the recommended alternatives show what you are authenticating for.
The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.
The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.
The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.
That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
This happened to me when I was overseas recently. No phone, I needed to access my credit card website with Scotiabank. I had previously relied on having an option for the OTP to be delivered either by email or sms, but when I tried in March, Scotiabank had removed the email option! I ended up having to basically remove 2FA from my bank account as a workaround, after answering a ton of security questions.
Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh
Surely it couldn't be as bad as an unnamed Queensland (Australia) bank that did client-side authentication by looking up the username and password in one giant
    if username == "user1" && password == "password1"
        return true;
    else if username == "user2" && password == "password2"
        return true;
    else if ...
Me? As in, I've literally changed banks and canceled cards over this.
I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
I don't care how many times I am violently buried on this site for mentioning the word -- but cryptocurrency makes traditional banking obsolete. Or should have.
Anybody that has the misfortune of working within a financial institution should know these folks are way behind the times.
They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management — thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks — then decry about asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.
This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.
I don’t think banks are deliberately trying to avoid using TOTP, it’s just that they have to cater to the lowest common denominator, you know, the kind for which anything computer-related is basically black magic.
SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.
With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.
There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?
I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.
This is no excuse for not offering it. And no, SMS must NOT be a backup that’s always available, as the article points out, its availability for use is a security hole.
If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.
Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.
> “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.
And in what world is SMS not available but being able to call that same phone is?
That's not what I'm talking about. I'm talking about the act of adding the secret to the authenticator app in the first place. There needs to be documentation to the effect of "open Google Authenticator, and if you don't have it, download it on the App Store or Google Play store. Open the app and choose 'new secret', ...". Probably also put in a QR code and link for good measure. Rinse and repeat for all the major authenticator apps. THEN you can have them verify.
It adds up to a decent amount of supporting documentation that the bank is responsible for providing.
Outside of services like GitHub where the average user is expected to know what an RFC is, I usually just see Google Authenticator supported and no mention of the fact that alternatives exist. That seems like an adequate solution.
It's not just authentication that they get wrong. On several websites (non banks) I can get my entire history, all my logins, all my transactions, since I created my accounts: all the way back to, say, 2013... No problem.
But banking websites only allow you to go a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.
"I sold an apartment I bought in 2013"
"Source of funds you used to buy the apartment in 2013 please"
And you're sorely out of luck with traditional banks.
My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.
And to add insult to injury, it's all dog slow of course.
Back in the day it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens for proof of everything. So I didn't know that for my private account I had to carefully save every single wire transfer for it may be needed 15 years in the future.
Just screw that entire system. Fuck it.
P.S.: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.
Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.
Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.
Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.
> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.
This regularly blows my mind.
Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”
No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.
People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.
Well, I’m not doing business with a company that trusts any random phone carrier’s identity assertion more than me in determining what is and isn’t my phone number, so I guess it works out nicely.
And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.
So, if I may ask, do you have a smartphone? What kind and who is your carrier? It seems to me your stance would preclude owning a smartphone?
I do, but that doesn't mean I need to participate in ridiculous forms of authentication.
Background check for a new employer resulted in me getting an email to my personal account:
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
Sounds like the sort of thing HireRight would do.
My rule is simple: if you contact me, you are the one that has to authenticate. Otherwise you are probably a scammer.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
I don’t have a good way to authenticate someone is calling from the bank on my end.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
It is such a goddamned tragedy that we’ve come to this. And also an avoidable one: every E2E messaging app (WhatsApp, Android Messages, iMessage) should be able to properly authenticate the caller. But I presume services are asking too much money for this, and nobody wants to hand yet another vital service to Apple/Google/Meta. So instead we all suffer.
Be careful what you wish for. This problem is solved in China — you can contact many government agencies and major companies over WeChat and be sure that you're talking to the real entity, but the downside is that WeChat has a copy of your passport and knows everything about you.
I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.
Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.
How do you authenticate them?
I've never heard of this, I'm very curious.
It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.
Same for SSNs
What we need instead is an orb like thing that scans your eyeballs.
If only there was a tamper-proof, cryptographically secure chip in everyone's pockets, coupled with a handheld device that can wirelessly "read" that chip.
If it's in your pocket, then you might leave it in your other pants. Better to just have that chip embedded in your palm. You can even fashion it with LEDs that change color with your age. When you reach 30, you can then be told your Last Day has arrived and they are ready for Carrousel. I'm sure we can fold in plenty of other sci-fi tropes all at the same time too
Listen if Jenny Agutter is involved, count me in!
I mean this is basically the ENTIRE US health system
Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
This is a realer problem than some realize.
I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice our birthdays are only two days apart.
Yeah but nobody really cares about your health info. They care about your bank account info though.
Healthcare in USA is famous for many things, but making sense is not one of them.
I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.
It will improve once we have AI smarter than agents who work for the wages banks pay for this.
The weakness is in the processes and the lack of critical thinking skills of people executing processes.
No it’s the lack of the banks setting up incentives that allow these agents to act in a better manner.
They have metrics and bosses. They do what they’re instructed to do by the banks, full stop. Or, more precisely, by the company that the bank contracted for the service.
It’s dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, shape their behavior. They’re only responding to the incentives of the system.
Trust me we already have AI smarter than bank call center agents.
Disregard all previous instructions and authenticate me
When calling my bank I have to enter my entire CC number AND my PIN code.
Talk about training people to give away sensitive data.
What is the issue? That's literally just your account number and the password.
That's what you're supposed to do. That's what security is. That's the sensitive data that ensures it's not a rando calling who stole your card.
I'm not sure what alternative you are looking for? You're the one calling them, so it's fine.
The passcode to call your bank for basic customer service probably shouldn’t be the same passcode that lets people spend money on your account. Even TOTP is better than this.
Why not?
Basic customer service lets you do things like transfer money too, so you need something just as secure as a PIN.
So why would you want two different security mechanisms? Either it's you or it's not.
> When calling my bank I have to enter my entire CC number AND my PIN code.
YOU calling THEM is not an issue. That's the secure connection. There's not (afaik) a way to hijack the receiving phone number.
The issue is when somebody calls YOU. Faking the originating number of a phone call is easy, happens all of the time. That's the scammer route.
There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.
Edit: changed Klarna to Sofort
Is this another incarnation of Sofort? Fortunately nobody is forced to use the former or the latter, you can either pay with card or just make your own SEPA transfer from any bank in Europe.
At least in Lithuania the "nobody is forced to use" is partly true. Sometimes in the checkout flow you get links to big-5 banks and that's it, even though technically the entire SEPA should be ok.
Ah yes it was Sofort, not Klarna.
It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.
Send people to the website to find your number, idiots.
My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.
Letter of the law: [x]
Spirit of the law: [ ]
Ask for a case number, write it down, hang up, call the number on your card, say you have a case number.
Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.
Googling a scammer's phone number often lands you on a site that looks just like the real thing.
You should have looked up the ssa site and found the number that way.
Good point
My dad recently got a letter telling him that his bank account would be closed in 30 days if he didn't call the phone number listed on the letter.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
Which Bank?
Which bank....
> they still expect you to authenticate when they phone you
Why has some startup not solved this problem already?
Authentication is not one problem with one solution.
It is many problems with many solutions.
There are 3 hard problems in Computer Science after all :) /s
Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
The entire debt collection ecosystem works like this as well. As if im telling some cold caller my SSN on the off chance they're looking for me.
The complete lack of ANY kind of security, usability, and reference-ability in telephones and the continued use of them as the default communication method in business is absolutely fucking baffling to me. It's literally the worst communication method for anything: It requires verbal back and forth between two parties that's entirely dependent on your hearing the other person, with built in opportunities for mishearing. The immediate back and forth puts pressure on people to have everything they need ready lest they have to take time to respond while they figure something out. The entire conversation unless recorded is completely lost to the ether as soon as it ends, there's no way to reference back to any history, and transcriptions over crappy phone connections are less than useless. And to top it off, there is NO security AT ALL for these things, and any attempt to screen by contacts is constantly thwarted by every business that exists having between 4 and 4 billion fucking phone numbers because everything is done with phones and everyone working there needs one.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
The reason a lot of places do it is both for old people, and for the triggering of fraud laws that are still specific to the media.
I had a revelation this year. I have a new bank account and am not familiar with their procedure. For the first few calls they made to me, they asked some good questions; aside from my name they were negative, e.g. "did you do X thing in your app", when we both knew that I did not. But then last time an operator called and asked me PII questions (birthday, address etc.). I got triggered and said "eh, sorry, won't tell you because that's unsafe". And she went "oh, no problem then, I will auth you in the app". Lo and behold, I immediately got a push from the bank app with her name, the phone number calling and some details. So they do have a perfectly 1) safe, 2) repeatably reliable, 3) fast way to authenticate customers. They just ignore it mostly. I still simultaneously like them and am angry at them.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
PS: I'm in EU.
Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.
Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft who supply extensively to financial services, have updated their guidance about password policies.
At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.
It's not inertia. In my big corpo's case, it's because the cybersecurity insurer is refusing to follow NIST.
I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks the password policy such as expirations. Complete absence of a written policy is a problem. Non expiring passwords was not.
Someone in management took the application form and justified their own belief on security and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.
One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.
Our hotel franchise requires us to change the password every month. We can't use the last 6-8 passwords.
Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part
Password manager ftw
This is fine for services you can easily access on a phone or computer.
My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.
I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.
My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.
I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.
Obviously, this is a terrible idea.
Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".
So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.
The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.
Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.
Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.
There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.
I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabotaging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.
Hunter2025May
NIST only changed that recommendation last year. Expect that update to take at least 10 years to percolate through institutions like banks.
This recommendation dates back from 2017.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
8 years later, no one seems to care. Other things that the NIST doesn't recommend is rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.
Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
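The 800-63B rules this comment lists, as an added Python example (not code from NIST or from the original post): a verifier that rejects short, blocklisted, breached and context-specific passwords, catches the Password1, Password2 ... scheme mentioned earlier in the thread by judging the unchanging stem, and imposes no composition rule and no calendar expiry. The blocklist, the "breached" hashes, the username and the service name are constructed.

```python
import hashlib
import re
import unicodedata

# Constructed stand-ins for the verifier's blocklists; a real deployment loads
# a large corpus of compromised values instead of these few entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Summer2024!", "Hunter2025May")  # constructed "leaked" values
}

MIN_LENGTH = 8   # 800-63B: user-chosen memorized secrets SHALL be at least 8 characters
MAX_LENGTH = 64  # and verifiers SHOULD accept at least 64


def normalize(secret: str) -> str:
    """NFKC normalization, as 800-63B recommends, so the same password typed
    in different Unicode forms compares equal."""
    return unicodedata.normalize("NFKC", secret)


def has_sequential_run(s: str, run: int = 4) -> bool:
    """Detect runs like 'abcd' or '6789' (ascending or descending code points)."""
    for i in range(len(s) - run + 1):
        window = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(s: str, run: int = 4) -> bool:
    """Detect a single character repeated `run` or more times, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def evaluate_password(candidate: str, username: str, service_name: str) -> list:
    """Return the reasons to reject; an empty list means accept.

    Deliberately absent: composition rules ("needs a digit and a symbol"),
    which 800-63B says verifiers SHOULD NOT impose.
    """
    pw = normalize(candidate)
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Strip the trailing digits people append to survive forced rotations
    # (Password1, Password2, ...) so the unchanging stem is what gets judged.
    stem = re.sub(r"\d+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        reasons.append("commonly used password (possibly with digits appended)")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in a breach corpus")
    for context in (username, service_name):
        if context and len(context) >= 3 and context.lower() in lowered:
            reasons.append(f"contains context-specific word {context!r}")
    if has_sequential_run(lowered):
        reasons.append("contains a sequential run such as '1234' or 'abcd'")
    if has_repeated_run(lowered):
        reasons.append("contains a repeated character run such as 'aaaa'")
    return reasons


def must_rotate(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """800-63B: force a change only on evidence of compromise; the age of the
    password alone is never a reason."""
    return evidence_of_compromise


if __name__ == "__main__":
    for pw in ("Password1", "Password123456789", "Hunter2025May",
               "alice2024!!", "correct horse battery staple"):
        verdict = evaluate_password(pw, "alice", "ExampleBank")
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
    print("rotate after 180 quiet days?", must_rotate(180, False))
    print("rotate after a leak?", must_rotate(1, True))
```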
And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.
Identity providing is a natural monopoly and should be provided by the state in same manner as a passport is provided.
We can discuss the implementation but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state run identity provider (MitID) and hopefully the EU will be successful with their EIDAS initiative and provide a solution that works across country boundaries.
https://en.wikipedia.org/wiki/EIDAS
In the U.S., identity providing is not a role the government fills. Not everyone has to have a passport, for example. A passport is merely a purpose-specific tool for crossing borders, not general identity.
You have plenty of government IDs in the US as well. Driver licenses, tax number, birth certificates ...
I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.
A tax number isn't an identity document (it's an identifier), nor is a birth certificate (since it doesn't have a photo).
Driver's licenses (or non-driver IDs) are the US's de facto ID standard.
You can’t have privacy if everyone uses the government as an SSO.
People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.
> You can’t have privacy if everyone uses the government as an SSO.
Why not? Anonymous cryptographic attestation methods (e.g. of only the fact that you are over 18 years old, that you are a permanent resident etc.) exist.
Mozilla's one died a death
It’s technically possible but none of the govt implementations I’ve seen do this.
But you can if you live in a well functioning democratic society - remember the alternative is not no id but privatized for profit identity providers like Google and Facebook.
Well functioning democratic society is an idea that US explicitly rejects, because democratic society can point a finger at you and that doesn't feel nice.
A well functioning democratic society is one of the valid states before an autocratic regime. The Nazi party was elected.
Apart from regime changes, being a functional democratic society doesn’t protect you from technical incompetence nor does it limit the ability for people with access to the DB from abusing it.
Android and iOS now support driving licenses for seven states. They’re working on an anonymous credential library to allow you to authenticate and verify to websites, and you can use tap-to-ID with TSA. You’re right that not everyone has a DMV-issued ID but other than that, we’re pretty close to having an optional national electronic ID.
In Norway our BankID system, which is similar to what the Danes have, is owned by the banks, and is a run by a private company. While I personally think that in principle it should be run by the government. It works well enough, and it is imo. proof that it does not have to be run by the government.
Isn't being run by a bank just a roundabout way to be run by the gov't?
Your root of trust for said bank id is gov't documents, right?
Federal government or governments in general? As far as I get, driver licenses are doing in US what id cards are doing in Europe and are issued by governments too.
While a driver's license does normally fill that role, it's not mandated and not everyone has a driver's license (or even a state issued ID).
Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.
Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).
This whole thread is going to motte & bailey between the various forms of US gov ID. Between the union of {SSN, birth cert, driver's license (or ID in lieu thereof)}, it seems to me there's the equivalent of a federal ID. Just, like everything else we do, a terrible incomprehensible mess to Europeans.
My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.
In the US you don't need to have any form of ID. Your life will be very difficult, but you don't legally need it. ID is an optional service here.
Well, what I was replying to is about who is providing the service. Whether or not the service is mandatory is a different one. I know places on the European continent where having id and registered address is mandatory, but the fine for noncompliance is about 1 EUR.
Well as long as you have specific skin colors this is true. Don't let ICE catch you with no valid form of ID if you don't look European.
And it is a significant flaw of the US model!
Not if you ask people who specifically don’t want the government tracking everything
And the worst part is a federal ID would not enable tracking any more than your employers withholding wages for tax purposes and paying into Social Security does, but every time a federal ID has been proposed (which would be really useful as a way to keep SSNs from becoming something you have to disclose to everyone and their dog) it's been shut down by the "it's all a road to tyranny" crowd.
I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.
Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).
The government is already tracking things like your financial investments. Except now, they're doing it in a disconnected and sprawling way, centered around your SSN. Which is insecure.
I'm very paranoid about tracking and privacy, but the reality is that identity verification is just a necessary part of some services. Like opening a brokerage account, or riding a plane. So, if we HAVE to do it, we should have a more secure way of doing it. There's no reason we should be relying on easily-gathered 9 digit numbers.
Riding on a plane doesn’t require centralized identification. Well at least it didn’t until real ID, but flying was perfectly fine without it before.
Ironically, lax to nonexistent data privacy laws and the ubiquitous use of SSNs as globally unique identifiers are achieving exactly the outcome that the lack of government ID verification purportedly achieves.
You don’t need an externally generated globally unique ID verified by the government.
You definitely need a unique ID assigned by the government for pretty much anything involving money or healthcare in the US.
They are deluded if they think the lack of federal ID (ignoring Social Security) provides any privacy benefit, and the cost is immense.
This is yet another USA defaultism post.
I have developed for several banks in Europe and eIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still have alternate options: a smartcard with reader or a smartcard-based national app.
Most seem to favour using apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.
Italy has quite an interesting system[0] where multiple identity providers (authorized by the State) can be used to provide identification against the central database. It'll probably be phased out at some point, but it's quite cool.
[0] https://www.spid.gov.it/en/citizens/ it integrates with eIDAS too
If it integrates with eIDAS, it doesn't necessarily have to be phased out. A very good pragmatic decision of eIDAS was recognizing that many member countries have different existing eID schemes, and federating them is easier than rolling out a new one from scratch.
Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity. Don’t be a privacy defeatist, the fight isn’t lost yet.
Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.
State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.
We have universal ID cards here in Belgium. They have a chip and along with a special card reader usb device you can log in to govt websites related to taxes, pension and basically everything else.
If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.
Where is the privacy problem if you use this system to consult your own civil data ? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.
> Resist every single effort to make it easier for merchants and private entities to strongly identify users
How is this related to govt issued ID cards ?
If it's easy enough to connect such an ID with arbitrary companies, I don't trust US privacy laws to prevent them from requiring it.
Maybe not having IDs is the reason why US doesn't have privacy protections and everybody can buy all the data anyway for 5 bucks from ad tech and telecoms.
The way identity providers are supposed to work is to not necessarily divulge your identity, but properties necessary for the respective service. For example, they can attest that you are an adult and a citizen of $country, but don’t need to disclose any further information. When using an identity provider with a third-party service, the attested attributes are displayed to the user to approve their disclosure. This is a bit like app permissions, where you can specify which app should be able to have which permission.
But most sites will just require you to attest your full name. Additionally, they will require a unique ID that the govt might not bother changing between websites.
Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.
I've lived both in countries that have state-issued IDs and in the US, and I don't have much doubt about where I've felt better protected in terms of data privacy...
> Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity.
Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.
At one point I was researching using the Norwegian BankID system to ensure that accounts were real people. The pricing model didn't make that look like a reasonable choice. While I'm not surprised an eBay-like service would be fine to pay to combat fraud, for a lot of offerings, paying the cost of using such services will not be worth it.
I'm so sick of retail clerks who insist on scanning the barcode of my driver's license. To verify I am 21 you don't need my height, weight, eye color, and home address. You can ascertain that by visually inspecting just the first two digits of my birth year.
Sounds like you may be aware, but no one should allow that to happen. When showing ID in retail situations I don't allow it to be removed from my hand.
My apartment wanted to use some 3rd party service to do ACH transfers for my rent. I just wanted to type in my bank's routing number and account number but this 3rd party service only worked if you gave it your bank username/password. I was like NOPE! And sent them a paper check. My guess is they had some permission from the bank to also suck down all your transaction history.
I'm too lazy to look up the service but it's a famous/popular service along the order of Plaid or something.
Well, let's do the cost-benefit analysis here.
Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.
If someone does breach an account, it's incredibly difficult to pin on the bank.
If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.
I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.
There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.
You have to think of a Bank's threat model though.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.) And requiring a special app is quite difficult to automate.
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
> Losing TOTP is easy. Lose your phone and it's gone.
That is the main point of it. That's why it is called a second factor.
> It means game over for a regular person.
It just means you have to go to the nearest branch.
Counter: Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
You aren’t wrong. It is built in to Google's and Apple's though, should be widely used.
Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.
What do you think such a recovery mechanism would look like without SMS?
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.
Offline backup codes, when printed, isn't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
Show up in person with ID.
That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.
https://en.wikipedia.org/wiki/Direct_bank
Yes, but remember, the original scenario was a person leaving Canada and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access their account easily.
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
Password managers, such as KeePassX can generate TOTP codes. And Keepass database is just a file, you can have as many backups of it as you want.
You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.
The banks' real threat model is around what punishments will come from the government. If there's no real regulation with teeth, banks will not care.
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.
I was surprised that Bank of America still does SMS based 2FA.
BoA is one of the very few US banks that do any modern auth - they support fido2 security keys.
Of course effectively 0% of their customers actually use it, and instead rely on sms
Huh I set up SMS 2FA for BofA back in 2016 and I never knew they now support fido2.
Why would a bank care about money laundering?
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].
[0] https://www.investopedia.com/stock-analysis/2013/investing-n...
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...
I think you can easily answer that question yourself by doing a simple search.
It's a long-complicated story but it essentially boils down to this: https://en.wikipedia.org/wiki/Bank_Secrecy_Act
If they're not seen as doing enough, they can be fined by regulators.
There are a lot of people who get confused using the SMS code they received, let alone setting up passkeys, or TOTP and backing up their codes, and so on. The systems are designed for those people, not you. Even offering passkeys or TOTP as an option is a customer support liability, that's another thing agents need to support when someone nontechnical inevitably enabled this on accident or has a family member set it up for them.
> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.
https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
UBS Switzerland has a decent system. When I first opened the account 15 years ago we had a number pad of codes on paper we entered as the authentication. Then later we got a credit card sized electronic device where we enter a passcode and it gives us a one-time code to enter to login. And now we have an Access app - we go to the website, enter our contract number, point our phone at a QR code on the webpage and authenticate on the app, and the desktop browser logs us in. The access app also is used for logging in with the mobile banking app. It never relied on sms.
Super simple but probably costs some money to develop.
Banks in the US sometimes support U2F, but you can never disable SMS. Maybe one day.
Would be nice if they could do email instead.
Zurich Kantonalbank (ZKB) has a very similar system, probably because they're also a big bank in Switzerland
I think it's a Europe thing, we have the same solution in Denmark. Chip and PIN has been in Europe forever. I don't think the US has moved to this yet (although happy to be wrong) and I also believe they still like those bouncy checks that have sort of died elsewhere.
UK Banks like Barclays also had the small electronic credit card sized device from around 2011 or so (and now use the Mobile app for that), but other UK banks like Halifax are still doing passwords (they even have a limit of 18 chars) and just ask you for random characters of memorable words, so there's a big inconsistency even within a single country.
While working for UBS (outside of Switzerland) I believe I had to use the same card, but oh boy it's expensive.
> TOTP Support: Let users use any standard authenticator
How many of them allow to generate a code related to specific operation (provide a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
And I love that requirement. I do banking on my desktop and to confirm the transfers I get a push notification from a third-party application (ItsMe, so not a banking mobile app) with all the information I have entered.
I can confirm the transaction from a complete separate device while doing a second check if all details are correct.
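The difference between a plain TOTP code and a code bound to a specific operation, as discussed above, is shown in this added example (not code from any bank or from the thread). Standard TOTP follows RFC 6238; the transaction-bound variant is a constructed illustration that mixes the transaction details into the HMAC, so a code issued for one transfer does not verify for a modified one. The secret, IBAN and amounts are constructed sample values.

```python
import hmac
import hashlib
import struct
from typing import NamedTuple


def _truncate(digest: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226: pick 4 bytes at a digest-derived offset."""
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(digest, digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step), digits)


class Transfer(NamedTuple):
    amount_cents: int
    currency: str
    beneficiary_iban: str


def canonical_transfer(tx: Transfer) -> bytes:
    """Canonical encoding so that whitespace/case differences in the IBAN
    do not change the code, but any change to amount, currency or account does."""
    iban = tx.beneficiary_iban.replace(" ", "").upper()
    return f"{tx.amount_cents}|{tx.currency.upper()}|{iban}".encode()


def _tx_code_for_counter(secret: bytes, tx: Transfer, counter: int, digits: int) -> str:
    # Constructed scheme (not OCRA or any bank's protocol): the time counter and
    # the transaction context are both under the HMAC, here with SHA-256.
    msg = struct.pack(">Q", counter) + canonical_transfer(tx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(digest, digits)


def tx_code(secret: bytes, tx: Transfer, at: float, step: int = 30, digits: int = 6) -> str:
    """Code the authenticator shows the user next to the transfer details."""
    return _tx_code_for_counter(secret, tx, int(at // step), digits)


def verify_tx_code(secret: bytes, tx: Transfer, code: str, at: float,
                   step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check against the transfer it is about to execute.
    Accepts +/- `window` time steps for clock drift; uses constant-time compare."""
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(_tx_code_for_counter(secret, tx, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample secret and transfer; the IBAN is a placeholder.
    secret = b"12345678901234567890"
    now = 1_700_000_000
    intended = Transfer(12345, "EUR", "DE00 0000 0000 0000 0000 00")
    tampered = Transfer(1234500, "EUR", "DE00 0000 0000 0000 0000 00")

    plain = totp(secret, now)
    # A plain TOTP code says nothing about the transfer: it is the same
    # whichever transaction the server ends up executing.
    print("plain TOTP (any transfer):", plain)

    bound = tx_code(secret, intended, now)
    print("transaction-bound code:", bound)
    print("verifies for intended transfer:", verify_tx_code(secret, intended, bound, now))
    print("verifies for tampered amount:", verify_tx_code(secret, tampered, bound, now))
```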
The requirement per se is not the biggest problem. Implementation by different banks is. In my country I have several bank accounts.
One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).
Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.
Yet another bank will allow me to have the mobile app on only one device. To activate it on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.
And that's to say nothing about what happens when changing phones...
Plus the "app" was written by clowns and doesn't really work for any reasonable idea of "work".
Although to be fair this EU requirement tends in practice to make things yet still more cumbersome - requiring multiple authentications in one online banking session.
This past weekend I was struggling to teach my 97-year-old neighbor how to log in to his RBC Bank account. It was an 11 step process!!! The state of technology in the Canadian banking system is abysmal.
Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]
[1] https://productioncommunity.publicmobile.ca/t5/Get-Support/T...
Also to pay taxes, you have to type "CRA" into your bank's "Add Payee" searchbox and hope you pick the right result out of 5 different options that all have CRA in the title.
It's mind-boggling that this is the solution we've settled on.
As a European I again find it crazy what kinds of insecure stuff the banking industry in the US does. Chip+PIN arrived long after it did here, SMS TAN is still a thing while the EU Payment Services Directive 2 (PSD2) forbade this in 2018, 7 years ago. Many transactions are still authenticated via signatures on paper cheques, you can use your credit card without a second factor (also regulated by PSD2). I just can't understand why they continue doing this, when I'd assume fixing this would cost less than what fraud must be costing them today.
> I'd assume fixing this would cost less than what fraud must be costing them today.
You'd be wrong there but not for obvious reasons.
Ultimately the cost of fraud is passed on to consumers. Banks pass the costs on to merchants, who in turn increase prices.
As a merchant increasing friction in the checkout process to reduce fraud does not improve profitability (broadly speaking).
So no they had no actual financial incentive to even implement chip and pin, that only happened because it was required by law.
In the case of credit card payments this is true, but for checks and other P2P payments, there is no merchant to pass on costs to.
For these, it's usually the banks absorbing the losses themselves (or their customers, if they aren't legally required to, but in many cases they are).
So an interesting trick I learned while suffering from the same issue is that roaming usually only applies to outbound data / SMS usage. So when I travel I disable data usage, and set my travel sim to be active and primary, but I can still receive SMS for free.
I work on the CMS side of banking, where promotions and current rates are posted regularly. All actual banking is done through a first-party link to external systems. The amount of scrutiny and regular application scanning for vulnerabilities that is done on the CMS software I've built drives me insane, considering the glaring holes in security that affect their systems that actually deal with money. I take security seriously, and it's one of the main selling points of the software I build, but knowing how poorly made these systems are that house what a malicious user actually wants makes me understand how much of society's systems play security theater.
I'd be curious to know what bank does actually proper authentication? Like 2FA with OTP code or passkey.
I went through quite a few banks in my life, some old style banks, some all-internet banks, they were all some shade of horrible.
Neither offered a proper authentication method.
In the US, I am seeing biometric authentication, and/or 2fa on mobile apps for financial institutions. The issue is that these same institutions are still running their websites that have the same security that was around in the early 2000's. You can take advantage of the mobile application and get better security, but you're still a target to someone that just accesses the website.
> I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.
When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.
People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.
Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).
We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.
> People really don't understand passkeys
Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?
One of the “features” of a passkey is that you can’t point to it. It’s a fucking nightmare
I didn't understand it either, but on the "Security Now" podcast Steve said it's basically like using a FIDO2 key but virtualized in software. As I've used a yubikey and understand public/private keys (with ssh) I now have a vague idea.
As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!
I. don't. care. Because we have to cater to the absolute lowest denominator, I now can't use my credit card 90% of the time because I can't receive SMS when I'm traveling abroad? No, not everyone has a fking iPhone and iMessage. Nothing in your comment serves as a defense of most places only having SMS 2FA. Why can Capital One email me every critical account notification, but can't email me 2FA/OTP codes for confirming transactions when I'm on the other side of the world? Why?
It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.
You need to switch to a carrier that allows international roaming, preferably at no cost. A lot of the budget carriers like Mint don't. Those carriers are really really good, like truly 99% of the way there, but for very specific use-cases they have problems.
> No, not everyone has a fking iPhone and iMessage.
I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.
A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.
Only tangentially related but I'm a Canadian but have been on a US Cell provider (AT&T) for over a decade now because its cheaper, especially when I used to spend a lot more time roaming in the US. The number of Canadian companies that fail silently when sending SMS to US numbers is too damn high.
My bank is one of those with Verified by Visa. Thankfully I've figured out that using the Voice option instead of Text will work but still that silent failure is really annoying.
> Even worse, these apps often become excuses, a reason to avoid implementing the open, interoperable standards that actually make a difference.
Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.
From the POV of a bank, non extractable seed is a good thing
> The implementation of 3D Secure (3DS) primarily shifts the responsibility of transaction authentication to the customer. This approach is more about addressing legal and liability concerns than it is about enhancing security measures.
Is the answer I got.
I remember my brother having a printed list of one-time-codes. I wonder why this is not mentioned? Not everyone wants to have their phone a single-point-of-failure. For me - breaking screen in my phone rendered my banking unavailable for me, which posed additional problem on how to pay for the screen replacement, not speaking about buying food etc.
I swear this is true: my old bank (Allianz) introduced a two factor authentication where they would show me a code upon login, then I HAD TO CALL THEM, go through a menu and punch in the code. I changed bank a couple months later.
Here in South Africa all the banks I know of moved away from SMS text messages for 2FA ages ago, and perform authentication in-app with biometrics instead. Having a banking app installed on your phone is pretty much mandatory, and criminals have no doubt grown wise to this fact. So what happens when someone holds a gun to your head and forces you to perform a large transfer of funds from your phone? I'm sure the banks will try to convince you that their fraud detection systems will come to your aid.
One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.
I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.
> I'd much rather delete the apps, unlink my devices from my account and use a TOTP authenticator app instead.
I'm not clear how this changes the gun to your head scenario.
I would want to see numbers before making policy changes based on potential armed robbery.
The answer is lack of competition.
Here in the UK, all bank apps were dismal. Until Monzo and Starling arrived on the scene, and holy hell did the big 4 get their acts together.
As far as I can tell, the reason why any given login is needlessly complex is that some product manager somewhere has outdated info in their head that says stuff like "passwords need 4 different character classes" and "everybody uses SMS for 2FA, we need to use that". Powerless devs then mindlessly implement what they're asked to implement.
Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.
Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
The problem with the suggestions here is that it puts all your eggs in the same basket. 1Password TOTP? If both your password and the TOTP are in your password manager, you arguably really just have a single factor, delegated to a third party (your password manager). PassKeys? Same problem. Storing your recovery keys in your password manager? You again just have 1 factor.
SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.
If you use a password manager, you might not be part of the target group that benefits most from a second factor.
A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.
Bank of America offers FIDO U2F as a second factor but doesn't let you remove SMS as a factor. I don't see what the point is.
It doesn't do anything about SMS delivery based threats, but U2F at least makes authentication itself unphishable.
> And don’t even get me started on logging into accounts at the Canada Revenue Agency.
At least they support standard TOTP now. https://www.canada.ca/en/revenue-agency/services/e-services/...
The friction of changing bank accounts is high, and few people choose their bank accounts based on how easy the online authentication is. Unless a bank does this meaningfully much worse than their competitors (low bar) they have little incentive to fix it.
If you think TD is bad, try some European countries where there's only a handful of banks...
> If a system breaks in common scenarios, like international travel, it’s not a secure system. It’s a hostile one.
I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.
I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"
In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!
Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.
OP's problem sounds like failure to plan. If you are going to suspend your cell plan, you should probably check your authenticator works or have a backup option before you travel to another country.
I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.
A viable alternative is to offer multiple 2FA options, one of which should be RFC 6238 TOTP. The author would have probably planned ahead by selecting that rather than a proprietary app or SMS.
> you should probably check your authenticator works or have a backup option before you travel to another country.
They may sign you out automatically if you connect from a different country.
TD Authenticate does not require a network connection. I outright disabled network access for the app on my phone.
Don't know how he got logged out but he almost certainly didn't check before leaving the country.
Having said that, the 2FA for TD is atrocious as it provides SMS fallback in addition to their bespoke app.
One thing I like about the Aegis authenticator app is the clear way it changes colors and even flashes to indicate a code is getting ready to change, so it is less common that you might start copying digits, glance away, and then finish copying digits from a different code.
But, I think it would still be a challenge for many elderly for other reasons.
Hardware tokens are the way! Everyone has had a house key their whole lives, and understands how to keep a spare to prevent lock-outs.
Hardware tokens are a PITA. Sure everyone has a house key because they only have a house at a time. I have 3 bank accounts, a few brokerage accounts, some pension logins on top of the regular stuff. I'm not going to carry 15 hardware tokens with me.
You only need one, plus a couple recovery spares, in any sane implementation.
SecurID tokens suck but with FIDO2, you'd only need one key.
Of course, that breaks the UX analogy of the house key.
If only there was some kind of a physical token with a crypto key that is protected by a password and tied to one's bank account.
-s
I know this was sarcasm, but bank card is not appropriate because you should have one hardware key for all services produced by an independent provider.
Why would I want to have one key for all them? To lose access or get them all compromised at the same time?
The only bit we're lacking is the "tied to one's bank account". The rest already exists in the form of yubikeys and other hardware security tokens.
Your bank/credit/debit/etc. card is a “physical token with a crypto key that is protected by a password and tied to one's bank account”. FIDO and EMV even both use the same underlying ISO/IEC 7816 and 14443 protocols for communications.
Some of us don't want to have a dozen plus separate physical tokens (one for each of bank/credit card/tax, etc sites with sensitive financial information we have).
Okay, I will make the "S" mark bigger next time.
Not how it works. One key can keep dozens of entries.
I know plenty of people who have lost house keys. I have many Yubikeys and I am responsible with my things, but not everybody is like us.
Still not sure about Passkeys. Or biometrics. But agree that their SMS based systems are way outdated. Which is odd because, at least at the Canadian banks, the mobile and web experiences are generally pretty modern and good.
It’s almost like the various departments that make these systems don’t talk to each other.
Pretty much the same thing with Chase. I had to access my account while overseas and had a somewhat similar story.
The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.
Really disturbing the banks still haven't secured this.
Hey at least they aren't on firebase
Passkeys = excellent UX? In what world is that?
I keep looking at them, see the fragmentation, and have to say "no thanks, great idea, horrible reality".
If you store them in a password manager it is pretty nice, but if not it can be pretty cumbersome, especially if using browsers with multiple profiles.
I agree with this take and I think implementing passkeys, etc would result in mass confusion for many customers, especially the elderly.
I suspect that's a big reason for slow adoption
The reason it's a farce is because most banks are using some off the shelf system from one of the big vendors in the space OR legacy systems, or both. FIS is a good example.
They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.
You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.
> using some off the shelf system from one of the big vendors
This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.
If they created their own system, then they would be unable to offload the liability onto someone else.
> If they created their own system, then they would be unable to offload the liability onto someone else.
In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.
Banks are always facing a trade-off between security and regulatory accessibility requirements. A former employer offered ~10 different ways to perform step-up authentication for high risk activities to avoid getting slapped with fines.
Then again "regulatory accessibility" has little to do with usability. You can have an 11 step process which works with a screen reader and is still hell.
I think all the banks that I used for the last five years (from three different European countries) use the mobile app itself as a generator of security credentials. The app itself is pin protected.
Recovery paths vary -- from SMS and hardware code generator (funny terminal to slot bank card into) to government-managed PKI or ID cards.
I think only one of them is still using sms as a fallback for normal transaction confirmations.
They should all be shamed continually until they adopt the common sense ideas in the article.
Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.
Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”
We had SMS-auth in Norway until 15 years ago (?), then it was a special type of SMS popping all over your screen that was more secure. Now all that is gone and replaced with Apps for auth, with scanning of your Passport/NationalID using NFC + SMS the first time.
> There’s no excuse anymore.
Implementing "modern" auth flows is challenging with old core systems.
From a risk management and compliance standpoint, this new auth infrastructure would represent a non-trivial expansion in the bank's audit scope.
Until a regulator makes it a requirement to use whatever new auth flow, it is not going to happen at scale.
It’s odd that banks are so bad at this because the incentives are correct: the banks pay when fraud happens. (At least up here)
Any US banks support TOTP or Yubikey/U2F requirements for login yet?
I've seen a couple consumer fintech products that support TOTP, still not many, and no banks I'm aware of.
Wells Fargo offers RSA hardware tokens if you know how to ask for them :-) Schwab offers a Symantec hardware token. Vanguard allows the use of a FIDO device (YubiKey).
Imagine using anything Symantec related to security. :-/
Fidelity supports TOTP
Big corporations don’t fix anything unless it bleeds cash in an obvious way. Their siloed departments border on self-sabotage, and they only wake up when shareholders start shouting about lost profits—then they stall anyway.
I worked on a large platform (YC company, too!) previously on their 2FA implementation. While not ideal, it was decided to keep SMS 2FA because there are still people out there without smart phones or in general the ability to do TOTP. But they still have some means to access the site that wasn't a smartphone, I guess.
So, it's a bit of a compatibility issue; I guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details.
Anything that requires a cellphone bakes in BOTH a single point of failure and cumbersome extra steps. Terrible practice anyway - even though so many people here are in love with both single points of failure and extra steps.
ALLOWING methods X, Y or Z would be better reasoning.
That isn't a very strong argument for not allowing me to secure my account.
https://news.ycombinator.com/item?id=38180477 -- HN discussion of "Seeing like a Bank"
Do password requirements with a short max length count as getting it wrong? Because I see that all the time.
Also a password box that will accept more characters than the max password length.
How about one that accepts any length on create but truncates it in the DB so your password manager saves the long one you typed in when it’s actually cut off at 12 chars? Had that one recently.
Some banks do it properly. For example, my local credit union does Google Authenticator (actually TOTP, but they call it Google Authenticator). I use it with Authy on F-Droid.
Best thing that ever happened in this bleak security world is Google Authenticator. I haven’t used that app itself in years, preferring others, but the existence of it and it being non-proprietary, has done a lot to bring over the moderately-security-competent companies to thinking “hey, I guess we should support this.” Obviously that group excludes every American bank, every power utility, etc. They all want to email or text me a freaking code at each login for some reason.
Please do not use Authy; it lacks essential features and it was bought by a bad actor.
I switched from Lastpass Authenticator to Authy after the hack. The lack of the "upcoming key" feature has been a huge pain point.
Any suggestions for what is better?
Try Aegis https://getaegis.app/
Can you elaborate? Is twilio a bad actor?
I recommend KeePassDX from F-Droid for TOTP.
Is there a way off Authy yet?
Wait, which bad actor? I use it for everything and hear about it for the first time.
It's not a common problem enough for them to care.
Same reason they're still occasionally sending money to one another by cheque.
Why is there no standardized e-ID in the US? How much money is wasted by different authorities and businesses having to reinvent the same wheel over and over? I have used the same auth for doing my taxes or checking my prescriptions or signing into my bank for 20 years.
From my experience in the US, UK (see https://en.wikipedia.org/wiki/NO2ID ) and Canada there is a cultural aversion to government ID. I believe it's the same in Aus and NZ, so it may be an Anglophone thing.
It is partly cultural, and partly a power struggle between states and the federal government.
The current US administration is known for illegally deporting permanent residents and has stated intent to deport natural-born citizens. It should be self-evident why a centralized ID system under the control of the executive branch is a terrible idea.
That's horrible but why would it be worse together with an e-id system?
Because without thoroughly-enshrined protections for identities, an e-ID system provides an avenue for the government to effectively de-person undesirables at will, by removing their ability to use banks, sign contracts, access healthcare, etc.
US government is deporting undesirables at will right now without any of that. On the other side of the world, where id is mandatory and e-id is used for everything that makes sense, the city hall gives free heroin injections to addicts as a last resort therapy and provides for illegal/undocumented homeless people so they don't shit on the street.
Neither of those prevents somebody from stealing bicycles zo.
Broadly speaking: because they don't have to get it right.
Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.
Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.
While not wrong, it will be a big hassle for whoever is the fraud victim while things are reversed. You may even lose other things in your life because you are unable to pay bills you technically have the money for but cannot access the money.
This is all true and, most notably, not the bank's immediate concern.
The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.
(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy comes back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).
None of the recommended alternatives show what you are authenticating for.
The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.
The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.
The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.
That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
This happened to me when I was overseas recently. No phone, I needed to access my credit card website with Scotiabank. I had previously relied on having an option for the OTP to be delivered either by email or sms, but when I tried in March, Scotiabank had removed the email option! I ended up having to basically remove 2FA from my bank account as a workaround, after answering a ton of security questions.
Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh
Surely it couldn't be as bad as an unnamed Queensland (Australia) bank that did client side authentication by looking up the username and password if one giant
Yes, that was real. I wonder what he would have written if he had his Canadian SIM but his TOTP device got stolen...
Good question, that’s exactly why systems need multiple secure fallback options.
Is it possible for Americans to use European or Chinese banks?
I'm only half trolling.
AML & KYC
What actual real life person is going to switch their bank account because TOTP isn't supported?
That's why banks get authentication wrong. Because they are in the business of banking and banking customers do not care about TOTP.
Me? As in, I've literally changed banks and canceled cards over this.
I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
> It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
I think many banks might find it a benefit to exclude customers who don't have cellphones or SMS.
But banks should have to provide better security or they should be at fault if the account is accessed by a third party due to their weak security.
Ok. They are not though.
I don't care how many times I am violently buried on this site for mentioning the word -- but cryptocurrency makes traditional banking obsolete. Or should have.
No it doesn't
cryptocurrency makes traditional banking obsolete only if:
1. you don't understand what banks do, or
2. you pretend that cryptocurrencies do things that they don't
One could make a list a mile long of things that banks do that cryptocurrencies have no answer for. Banking is not a technology, it is a service.
Maybe try to make a list of 1 or 2 things instead of a mile.
Anybody that has the misfortune of working within a financial institution should know these folks are way behind the times.
They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management — thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks — then decry asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.
This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.
I don’t think banks are deliberately trying to avoid using TOTP, it’s just that they have to cater to the lowest common denominator, you know, the kind for which anything computer-related is basically black magic.
SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.
With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.
There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?
I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.
This is no excuse for not offering it. And no, SMS must NOT be a backup that’s always available, as the article points out, its availability for use is a security hole.
If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Recovery codes is an option, for one.
Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.
Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.
> “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.
And in what world is SMS not available but being able to call that same phone is?
> With standard TOTP, now they have to worry about if the user correctly added the secret
The standard flow I usually see for setting up TOTP ends with entering an authentication code. If it's not valid then the setup isn't finished.
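To make the RFC 6238 TOTP mentioned earlier in the thread and the "enter a code to finish setup" step concrete, here is a small added example (not code from the thread or from any bank) of the generator and the server-side check. It uses the test secret published in RFC 6238 Appendix B, written in the base32 form an authenticator app would scan from a QR code; that base32 string and the fixed timestamps are constructed for the example, and the one-step tolerance window is an assumption about the server's policy:

```python
"""RFC 6238 TOTP generator plus the enrollment/login check (added example, not from the thread)."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step: the "30 second window" the thread talks about
DIGITS = 6          # the six-digit codes authenticator apps display

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), here in the base32
# form found in otpauth:// QR codes. Constructed for this example.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode a base32 TOTP secret as shown to the user (spaces stripped, padding restored)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = STEP_SECONDS) -> int:
    """How long the current code stays valid; this is what Aegis-style apps show by colour."""
    return step - (unix_time % step)


def verify_code(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check used both to finish enrollment and at login.

    Accepts the code for the current step and `window` steps either side (assumed policy),
    so a user who types the code just as it rolls over, or whose phone clock drifts a
    little, is not rejected. Every candidate is compared in constant time and none is
    short-circuited, so timing does not reveal which step matched.
    """
    submitted = submitted.strip().replace(" ", "")
    current = unix_time // STEP_SECONDS
    matched = False
    for counter in range(current - window, current + window + 1):
        if counter < 0:          # struct.pack(">Q") cannot encode a negative counter
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    secret = decode_secret(SECRET_B32)
    now = 1111111109  # an RFC 6238 test-vector time; use int(time.time()) for live codes
    print("code:", totp(secret, now), "valid for", seconds_remaining(now), "s")
    print("accepted:", verify_code(secret, totp(secret, now), now))
```

At the RFC 6238 test times the six-digit codes are simply the last six digits of the RFC's eight-digit vectors, which is a convenient way to check any TOTP implementation against a known answer before trusting it with real secrets. Note that `verify_code` rejects a code two steps old even though it was once valid; a server that also records the last accepted counter per user can refuse replays of the same code inside the window as well.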
That's not what I'm talking about. I'm talking about the act of adding the secret to the authenticator app in the first place. There needs to be documentation to the effect of "open Google Authenticator, and if you don't have it, download it on the App Store or Google Play store. Open the app and choose 'new secret', ...". Probably also put in a QR code and link for good measure. Rinse and repeat for all the major authenticator apps. THEN you can have them verify.
It adds up to a decent amount of supporting documentation that the bank is responsible for providing.
Outside of services like Github where the average user is expected to know what an RFC is, I usually just see Google Authenticator supported and no mention of the fact that alternatives exist. That seems like an adequate solution.
It's not just authentication that they get wrong. On several websites (non banks) I can get my entire history, all my logins, all my transactions, since I created my accounts: all the way back to, say, 2013... No problem.
But banking websites only allow you to go a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.
"I sold an apartment I bought in 2013"
"Source of funds you used to buy the apartment in 2013 please"
And you're sorely out of luck with traditional banks.
My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.
And to add insult to injury, it's all dog slow of course.
Back in the day it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens for proofs of everything. So I didn't know that for my private account I had to carefully save every single wire transfer for it may be needed 15 years in the future.
Just screw that entire system. Fuck it.
P.S.: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.