When I log into gmail, the system texts me a one-time key which I use to verify that it's me trying to get in and not some jerk who got my login info from a password dump. You'd think my bank would have the same level of protection to make sure bad guys can't get a good whiff of my money. Nope.
Despite being accepted as a simple but effective method of protecting online accounts, several major banks don't use two-factor authentication to prevent unauthorized logins to your account. Why not?
So what is two-factor authentication
Every time an online service accidentally loses a trove of username and password credentials, the cry rises again: Everybody secure your shit with two-factor authentication! For those unfamiliar, two-factor, or multi-factor authentication is a security measure that requires more than simply your username and password to gain access to your accounts. You should definitely use it!
The two-factor methodology you're most likely familiar with is an SMS one-time password. After you enter your username and password for a service in a web browser, you get a text message containing a randomized code. Enter that code into a prompt in your browser, and then you get access to your account.
A similarly flexible method is called time-based one-time password solutions, which generate a random password and require that you enter it within a tight time window. This type of password generated by both Google's Authenticator app and the Code Generator in the Facebook app. In some situations, services distribute a discreet physical device like a key fob that has a password generator built-in it. Most top online services—Dropbox, Evernote, Twitter, Microsoft Hotmail, and countless others—offer some form of two-step identification.
Banks are woefully insecure
Banks, however, are behind. Some financial giants have seen the light and have been offering customers the option to secure their logins with meaningful two-factor authentication: Bank of America and Chase both offer SMS notifications for every login, the baseline for good security. But many other banks fail to go further: U.S Bank, American Express, HSBC, PNC, Bank, Capital One, Suntrust, TD Bank, Simple, and Wells Fargo don't offer two-factor authentication at every login.
Many of these do provide additional security throughout the banking process, but none of them offer a the level of login security that you can get with your email.
Here's a brief rundown of what were able to surmise about each bank's security based on their online documentation and comments from spokespeople. Most banks were very evasive about their security policies and procedures. We'll update if we learn more.
According to a spokesperson, American Express only asks for additional authentication in the event that a request or activity seems unusual. This additional authentication can include two-factor in the form of a one-time password sent over SMS.
The spokesperson adds, amazingly, "We do not wish to inconvenience all our website users with a two-factor authentication for every login."
According to a spokesperson:
As part of our layered security program, we use a variety of methods to determine a customer's identity, including challenge questions and two-factor authentication. They are not controlled by the customer but automatically applied based on risk triggers associated with customer requests.
Still, according to anecdotal research and documentation posted online, the company doesn't regularly ask for two-factor authentication.
Citibank refused to comment beyond the information posted on its website, which saya that "When you perform sensitive online banking transactions, such as money transfers, Citi will sometimes ask you additional questions to verify your identity." According to several Citi customers we talked to this security amounts to mother's maiden name-type security questions.
According to a spokesman:
HSBC uses two factor authentication globally as our preferred secure technology. As you know, it is standard in a large number of the markets where we operate, including across Europe and Asia.
Important to note that two factor authentication is only required for transactions involving funds leaving an account. It is not needed to check a balance or moving funds between HSBC accounts.
According to a spokesman:
PNC provides multi-factor (layered) security for our online banking customers. For security reasons, we do not provide further information related to our security practices or on our business decisions related to security.
However, according to our anecdotal research, and information posted online, PNC Bank relies heavily on security questions and doesn't regularly require two-factor authentication. PNC declined to elaborate or clarify its policies. Note: Their response to comment came after after this post was published, after repeated requests for comment were ignored.
According to a spokesman:
Simple does indeed use SMS-based two-factor authentication. It's required for a number of our banking functionalities — including making payments greater than $1,000, sending payment to a new contact, approving instant transfers, and changing personal contact information.
A spokesman declined to comment beyond the company's "extensive mulilayered security protocols and processes." According to information posted online, the company only ever asks for security questions.
The company has an "Advanced Access" procedure involving a one time password. However, according to a spokesman: "Advanced Access may be required at login to verify a customer's identity if we notice account activity that is out of pattern for that customer. But it's not something that's necessarily required for every login."
Why don't all banks do it?
As you can see there is there's a lot of variety in how banks use different layers of security. There's no uniform response. If your transaction meets certain criteria or a bank's algorithm detects something odd, a red flag goes off and you might be prompted for a one-time password, or simply for the answer that a security question will provide. At the very least, though, a username and password will get someone access to your account balance, and in many cases other pieces of personal information.
You'll notice the language of "risk" throughout the above descriptions. That's because that's the language of the Federal Financial Institutions Examination Council, whose guidance on "authentication in an internet banking environment" concludes:
Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.
So it's up to the banks to evaluate risk in put security in place to meet those risks. In the words of Duo Security CTO Jon Oberheide:
Due to the weak guidance, banks instead did the bare minimum and offered security questions/answers and "security images". You probably see this on your accounts today when you log in: a security image and phrase pre-chosen by the user that is supposed to make you confident that your login is secure. In reality, those mechanisms offer little to no protection against phishing and other credential theft threats.
In other words, the banks aren't doing more because they don't have to. And so as long as they maintain zero-loss guarantees against fraud, and the amount lost to fraud remains relatively small compared to their deep pockets, the banks won't do anything more to protect you.
But as Oberheide points out this is a risky way to look at things:
More and more, attackers are becoming indistinguishable from legitimate users, and are becoming more sophisticated in their ability to evade detection and launder fraudulent gains through networks of money mules.
Instead of relying on complex fraud analytics models, it's much more effective to offer strong authentication for the end user and have the ability to simply ask them: "did you intend to do this?"
It's also worth noting that two-factor authentication isn't infallible, and indeed, some researchers have illustrated that there are several methods that might be used to compromise two-factor in a banking situation. One study that got some press claimed that Android malware was so prevalent that two-factor authentication was too risky to reliable.
Still, given the option of using an extra layer of practical security can only be a good thing. Even if your attackers have battering rams, you're better off if they have to break through two doors. And according to security expert Per Thorsheim, who organizes the annual Password Con in Las Vegas, concerns about the security of two factor authentication are overblown.
"It makes you a lot safer, as blind—automated—large-scale attacks are no longer really possible," said Thorsheim. "You would have to be closer to a targeted attack, which lowers the chances of successful access." Importantly, it also increases the likelihood that an attack will be detected.
It's so easy to implement tighter security. If Gmail can do it, why can't your bank?
Illustration by Tara Jacoby