Should I Change Banks?

sapphirescales

It's come to my attention that my bank only supports 2FA through either SMS or email. I ordered an RSA SecurID device, but SMS and email authentication options are still available and according to them you can't disable these options. Of course, they don't support Google Authenticator or anything else. You guys know of any other banks that don't allow 2FA through SMS or email? I mean, hell, I'd even be comfortable if they still allowed email, but it's just too easy for criminals to use social engineering to call up your cell phone provider and get a replacement SIM shipped to them (or even activate a SIM they already have over the phone). I called up my phone provider and all someone would need to transfer service to another SIM are:

- My name
- My address
- Last 4 # of my billing CC on file

I'm thinking of using a virtual phone number but my current bank said that would be a red flag, so I'm also looking for cell phone providers with better call-in security (a custom call-in PIN or password at the very least). Alternatively I could set up a phone number that I only use for 2FA and set it up under a fake name and address. Unfortunately my bank said they have data sharing agreements with most carriers so that would be a red flag. Of course, she wouldn't tell me which carriers they have this agreement with.

I don't know WTF I'm supposed to do to secure my bank info. I already use a password manager with 100+ characters in every password but I don't feel secure with SMS 2FA or with a cell phone carrier who will transfer my number so easily. Any suggestions?
 
Most banks still only support what most customers (which doesn't mean the demographic here) can and will use.

If you are happy with your bank otherwise, your quest is unlikely to end in finding another that doesn't use the methods your current bank already does.

Every bank and credit union my household does business with uses either email or SMS 2FA, and to be honest, that's enough if you have a solid password. Banks are way more risk averse on the whole than their customers are, and if the current methods were resulting in huge losses of money on a routine basis they would have been replaced.
 
The two industries that are most risk averse, historically and currently, are banking and insurance. No amount of waving of hands will change this.

And for all the hand-wringing about security, when is the last incident you heard of where someone's bank account was emptied without social engineering being involved? [And plenty of other things, too.] People can and do stupidly hand "the keys to their kingdoms" over to nefarious actors. No security method is ultimately going to stop that.

My biggest worry is not that phone based 2FA is going to cause me to lose my entire savings because I have to have entered a strong (in my case) password over an encrypted connection before I ever have that code sent. That's enough, really, more than enough. There is no perfect security, and if we make systems that are too difficult or cumbersome for the majority to use routinely, we've seen the results, and they're worse than somewhat more lax methods that are accepted and followed.
 
Yeah. The other thing they do is tell you to get f*cked if someone gets access to your account and steals your money. VISA will stand behind fraudulent purchases. Your bank doesn't do anything to protect you.
Wow, banks must be different in the US than they are here in the UK. I had a customer who had their account hacked (I knew it would be a pointless exercise asking how, so I didn't bother!) and they phoned the bank and they gave them the money back and seemed to say something along the lines of "be more careful next time". In some cases if it were my decision I'd not give them the money back to teach them a lesson; most people only learn through their wallet.

I would tend to agree with @britechguy on this one. If banks were losing millions they would act; they are well aware most of the problem is the user, and ultimately they will get the blame whoever's fault it is (customer complaints, bad press etc.), so it's in their interest to reduce these losses.

Most UK banks have been using their own MFA devices for years: you have a device which is linked to your account by its serial number, and when you log in you enter a PIN and it generates a code much like any other MFA. In recent years you can now use the banking app on your phone to do the same thing.
 
That’s because the UK has better banking laws. Credit Card or Debit Card fraud is protected by Visa/MC. Banks have very little obligations on any other forms of fraud. You are the victim, not the bank. Now many banks do have more security like PIN numbers that you have to know. But a PIN number is just a convoluted second password. It’s no more secure than a single password and people will write down such information in the same location so as a security measure it is pretty useless.

And some banks do offer funds replacement bonds (insurance), but it's not required and it's usually paid for with higher bank fees. And in the case of a password theft it's your word against the bank's to prove your claim. Again, you are the victim, not the bank.
 
It’s no more secure than a single password and people will write down such information in the same location so as a security measure it is pretty useless.

So, when is the last time you know of, and can cite a report of, fraud where the end user didn't "hand over" this information? That's how it happens. There are not cat burglars breaking into homes looking for password notebooks then going to empty accounts.

The problem here is not with existing security methods, it lies with the users in almost every case.

The hand-wringing here about potential bank fraud, if you follow your own best practices related to security, is utterly uncalled for. If you keep your strong password safe, and have 2FA of any kind on top of it, the probability of a third party getting at your funds without your direct assistance is, for all practical intents and purposes, zero.

Credit/Debit card fraud is a thing of its own, and requires less ingenuity.

The only way to remedy problems, of any kind, is to accurately identify the root causes and address them. These days, most people who have their life savings stolen are the victim of scams - social engineering - not some drive-by login and transfer by an unknown actor.
 
It happens with family members more often than you think. If you have access to a family members home you can steal information if you know the habits of the person you are stealing from. Children of elderly parents for example.

And key logging malware is a thing. Saw it many times in virus attacks back during XP's heyday. Ransomware has pretty much replaced that attack method.

And phishing attacks are very real as is the stupid practice of reusing passwords. Both are prime methods of the social engineering attacks you mentioned. 2FA helps protect you when you fall for a S.E. deception. PIN numbers don’t change. TOTP is only valid for 30 seconds.
 
@nlinecomputers,

Most of what you've written confirms my thesis.

The fix for "family theft" is not technological. Attack surfaces, as you've noted, change with time and some old ones die off entirely (not key logging, though, which does still exist but is less frequently used).

Neither phishing nor password reuse is solved by technological means.

And the probability that your random nefarious actor engaging in a social engineering scam has cloned your phone is just tiny in the vast majority of cases.

I am concerned about protecting against the probable, and frequent, much more than I am about the remotely possible and highly unlikely. What exists now is way more than adequate protection. If someone is an active participant in their own credentials being shared, or just falls for a scam and does all the "heavy lifting" themselves, that's not going to be solved by 10-factor-authentication. The garden path can be short, or long, but certain people will be led down it.
 
Neither phishing nor password reuse is solved by technological means.
Solved, no. Greatly mitigated, they can be. Banks adopted PIN numbers in part because people reuse passwords. So if I manage to steal your email password and you use the same password for your bank, you have a stumbling block to full access to the account. TOTP key fobs or authentication apps are to combat key logging or family members gaining access to Grandpa's passwords and PIN numbers book at the Thanksgiving visit.
 
Greatly mitigated can be.

We're just going to have to agree to disagree here, at least if you insist that one-time codes delivered via anything other than key fobs or authentication apps "are insufficient."

The fact of the matter is that the vast majority of the computer user base out there is not ever going to adopt either one of those two technologies, and they do have the right to have a *reasonably* secure, and easy to use, method to get at their funds.

SMS codes fill that bill, admirably and way more than adequately, in the vast majority of cases.

Security people need to understand that you absolutely do have to meet users somewhere in the middle. "Ultimate security" is just too darned inconvenient, and generally unnecessary.

Realistic risk assessment seems to have gone out the window in many cases, and making an authenticator app or fob-based 2FA a requirement is a direct result of an unrealistic risk assessment for the vast majority of cases.
 
SMS codes fill that bill, admirably and way more than adequately, in the vast majority of cases.
Sadly most banks don't even do that. Banks believe that a password breach is a theft from YOU, not the bank so they are not motivated to protect you. I would prefer keyfobs or apps but most banks just don't offer that. Some are starting to do SMS text and push notifications to their banking apps on the phone. Those apps usually force you to set up a pin and or fingerprint reader so that you can lock the phone. That is an excellent way to handle it but many people don't opt-in.
 
@nlinecomputers

Both of the credit unions I do business with have recently gone to 2FA where you can choose how the message is sent to you (email or SMS) or use a challenge question.

Both also started out with your login ID being your account number, and only one, so far, has changed that to require the creation of a userid.

My partner's bank used SMS 2FA and it may have an e-mail option as well. But I think both of us are using our Google Voice numbers as where those SMSes land so that we need not have our phones right next to us, since Google Voice SMS shows up on our computer as well as our phones.

I felt (and still would feel) perfectly safe with nothing more than a password. But when you add in the need to enter a code (one uses six digits, the other, six characters) that's sent by SMS, I feel way more than adequately protected. No one knows my passwords to begin with, but even if someone did the need for a code sent by SMS to be entered, and promptly, and from the machine where the password itself was entered, cuts down the probability of any unauthorized access (unless I were to cooperate with it) to virtual zero.
 
I called up my phone provider and all someone would need to transfer service to another SIM are:

- My name
- My address
- Last 4 # of my billing CC on file

If they really are this lax in what's required to transfer service to a different SIM, then it makes a lot more sense to look for another mobile service provider.

And that's even though it's highly improbable that many people have the last 4 digits of your CC immediately at hand.

I'd feel more secure with last 4 of SSN, as you pretty much have to supply this to all mobile service providers (USA) and most of us do not "whip out our Social Security card" in nearly as many instances as we do a credit card, where shoulder surfing is easy. But someone has to really, really want to target *you* in order to even have the three things your carrier asks for. While the first two are a cinch for anyone to obtain, the last is not, particularly since most of us have multiple credit cards, and who could guess which one of those one used and obtain the correct last 4 without access that's entirely unlikely to be available?

It all comes down to what most people, and businesses, think are *reasonable* measures. Most would consider that combination of those particular three to be pretty hard to put together unless you already have them.
 
In the USA the banks tend to cover consumer losses while letting business accounts fend for themselves.

So first, keep your business account as close to zero balance as possible.

Second, setup a personal account that does not offer on-line access. If you're truly paranoid use multiple accounts in order to spread the risk around.

Pay yourself frequently via old fashioned check drawn on the business account and deposit to personal account via postal mail or personal visit.
 
Second, setup a personal account that does not offer on-line access.

If such exists (and I'm sure it does) it's got to be incredibly rare these days. But I don't know of any that do offer it that do not also require you to set it up if you want to use it. If you never configure it then it might as well not exist.

[And, no, I am not going to entertain the "stealing relative" here. If you don't have physical security you don't have *any* security.]
 
I felt (and still would feel) perfectly safe with nothing more than a password.
And you are living with a false sense of security. Anyone can fall victim to a sophisticated phishing attack. Or a not so sophisticated one if you have a "blonde moment". I once clicked on a fake UPS delivery message and got infected with a virus which my antivirus only partially protected me from. My excuse was that I was probably slightly tipsy and not being as vigilant as I normally would be. A simple password is not enough anymore for anyone. My own stupidity has convinced me of that.
 
A simple password is not enough anymore for anyone. My own stupidity has convinced me of that.

I don't know how you can see these two sentences as remotely compatible.

The fact that you (or anyone, including myself) on occasion do something really stupid means that the thing we've done is the problem.

I don't believe in indulging in the proverbial, "solution in search of a problem," approach, which is precisely what this is. And that's not saying that 2FA on bank accounts is not an excellent idea.

But people doing stupid things, no matter what they are, is the problem to be solved. And, as we all know here, it's likely intractable. As one of my books on The Peter Principle and its variants observed, "Nothing can be made foolproof because fools are just so darned ingenious!"
 
But people doing stupid things, no matter what they are, is the problem to be solved. And, as we all know here, it's likely intractable
That’s a contradiction. You can’t say that you must solve the problem of stupidity and admit that you can’t prevent it and then say that it is pointless to provide protections against it.

That’s like building a staircase with no handrails. 99 times out of a hundred I can climb up it just fine. But day 100 comes along and it is too bad for you?
 