[HN Gopher] Why are banks still getting authentication so wrong?
___________________________________________________________________
Why are banks still getting authentication so wrong?
Author : kamikazee
Score : 195 points
Date : 2025-05-13 18:56 UTC (4 hours ago)
(HTM) web link (jamal.haba.sh)
(TXT) w3m dump (jamal.haba.sh)
| Meleagris wrote:
| This past weekend I was struggling to teach my 97-year-old
| neighbor how to log in to his RBC Bank account. It was an 11-step
| process!!! The state of technology in the Canadian banking system
| is abysmal.
|
| Combine that with our cell providers, and it's a real problem.
| There are some cell providers like Public Mobile where you can't
| even opt into roaming. So SMS 2FA is never an option. [1]
|
| [1] https://productioncommunity.publicmobile.ca/t5/Get-
| Support/T...
| ikesau wrote:
| Also to pay taxes, you have to type "CRA" into your bank's "Add
| Payee" searchbox and hope you pick the right result out of 5
| different options that all have CRA in the title.
|
| It's mind-boggling that this is the solution we've settled on.
| patrakov wrote:
| > Even worse, these apps often become excuses, a reason to avoid
| implementing the open, interoperable standards that actually make
| a difference.
|
| Even worse, under the hood, some of these apps use the TOTP
| standard. The entire extra premise is that the seed is not
| extractable and cannot be backed up.
| Muromec wrote:
| From the POV of a bank, a non-extractable seed is a good thing.
| bryanlarsen wrote:
| Also, they still expect you to authenticate when they phone you.
| No, I'm not going to tell you my birthday when you phone me. No
| wonder so many people get scammed, when banks are training people
| on how to get scammed.
| hinkley wrote:
| It was a proud day when my bank stopped sending emails with
| links in them. Of course their outsourced fraud prevention dept
| still calls and leaves messages with callback numbers, or just
| asks me for PII. Fuck off.
|
| Send people to the website to find your number, idiots.
| patrakov wrote:
| My bank also promises to never send links. Instead, it sends
| all of its messages as images without any alt text, and these
| images sometimes contain links to retype.
| hinkley wrote:
| Letter of the law: [x]
|
| Spirit of the law: [ ]
| eptcyka wrote:
| It's stupid to give out credentials over the phone, but it's
| stupider still to have a system where one's birth date is a
| credential that is supposed to remain confidential.
| airstrike wrote:
| Same for SSNs
| viewtransform wrote:
| What we need instead is an orb like thing that scans your
| eyeballs.
| dzhiurgis wrote:
| If only there was tamper-proof, cryptographically secure
| chip in everyone's pockets, coupled with a handheld
| device that can wirelessly "read" that chip.
| dylan604 wrote:
| If it's in your pocket, then you might leave it in your
| other pants. Better to just have that chip embedded in
| your palm. You can even fashion it with LEDs that change
| color with your age. When you reach 30, you can then be
| told your Last Day has arrived and they are ready for
| Carrousel. I'm sure we can fold in plenty of other sci-fi
| tropes all at the same time too
| anon7000 wrote:
| I mean this is basically the ENTIRE US health system
| LtWorf wrote:
| Healthcare in USA is famous for many things, but making
| sense is not one of them.
| kube-system wrote:
| Birthdates are frequently asked in US health settings not
| as a protection against attack, but as a protection against
| _mistake_.
|
| They are not worried that someone is going to come in, and
| steal your appointment. They are worried that someone with
| the same name as you might show up on the same day and the
| doctor might treat the wrong patient with the wrong
| information.
|
| This is a completely different risk profile than a form on
| the internet.
| TylerE wrote:
| This is a realer problem than some realize.
|
| I have the same name as my father (first and last,
| different middle). We live at the same address. It's a
| small town so we share a lot of the same doctors. We use
| the same pharmacy.
|
| For just a bit of extra spice our birthdays are only two
| days apart.
| SoftTalker wrote:
| Yeah but nobody really cares about your health info. They
| care about your bank account info though.
| fkyoureadthedoc wrote:
| Recently had to call Discover because of unauthorized use of
| card, apparently to buy Facebook ads of all things. They didn't
| call me, just locked my account and said I had to call them. I
| couldn't even pay the balance until I did.
|
| Anyway they needed to verify my identity, so they ask me for
| some info from the back of the card and a phone number that
| they can send the OTP to. I give them a phone number, it's not
| even the one on the account, they send the text to it. The text
| message says that the bank will NEVER ask for the code over the
| phone. They ask for the code, I give it to them, identity
| verified.
| FireBeyond wrote:
| Background check for a new employer resulted in me getting an
| email to my personal account:
|
| "Hi, I'm XYZ from XYZ background checks, I'm conducting your
| pre-employment check, and I just want to confirm that your
| full name is V, your DOB is W, your place of birth is X, your
| address is Y and your full SSN is Z...
|
| ... and that this is the correct email address for you.
| Please confirm."
|
| Holy hell. Thankfully I reached out to the employer about
| this (and the background check company's attempt to reach out
| to my partner on Facebook for ... something? This wasn't a
| security check, just a regular employment background) and
| they were as horrified as me, apologized, and fired their
| background check provider.
| bigfatkitten wrote:
| Sounds like the sort of thing Hireright would do.
| lxgr wrote:
| > and a phone number that they can send the OTP to. I give
| them a phone number, it's not even the one on the account,
| they send the text to it.
|
| This regularly blows my mind.
|
| Presumably it's some data broker or phone carrier
| integration, because for me, the answer is usually "sorry, we
| can't verify that number, is this a postpaid contract in your
| name?"
|
| No, it's not. Oh, that's a requirement for doing business
| with you? In that case, I won't.
| SoftTalker wrote:
| People get new phones and new phone numbers. Frequently,
| compared to landline days. The alternative is to be
| permanently locked out of everything if you get a new phone
| number.
| lxgr wrote:
| Well, I'm not doing business with a company that trusts
| any random phone carrier's identity assertion more than
| me in determining what is and isn't my phone number, so I
| guess it works out nicely.
|
| And if a company can't be bothered to have a fallback
| verification flow in case I do lose access to my phone
| number somehow, that doesn't increase confidence either.
| I'm a person, not a phone number.
| bee_rider wrote:
| My rule is simple: if you contact me, you are the one that had
| to authenticate. Otherwise you are probably a scammer.
|
| Although, I haven't had many instances of communications from
| my bank where I cared about them authenticating. Like, if they
| tell me there is a problem, I can go check it out through the
| app, website, or whatever the user-initiated channel is. When I
| feel like it.
| lanstin wrote:
| I stick to this except when I make some unusual credit card
| purchase and immediately get called to verify it. I don't
| like it, but usually I need to make the purchase. If someone
| had the feed of risk denied CC purchases, they could gather a
| lot of personal information. Probably there is lower hanging
| fruit for fraud.
| Yizahi wrote:
| Can be both. You need something from a bank (for example a
| money transfer), and they call you to confirm. In my case
| this is 99% of all incoming bank calls to me.
| al_borland wrote:
| I don't have a good way to authenticate someone is calling
| from the bank on my end.
|
| I ask what the basic issue is, then call the general bank
| number (or a number to their department, which I validate
| online before calling it). That way I'm initiating the call
| to a trusted number, and they can go through their process to
| authenticate me. Every time I've done this the person calling
| has understood and seemed to appreciate the caution.
| crazygringo wrote:
| How do you authenticate them?
|
| I've never heard of this, I'm very curious.
| wodenokoto wrote:
| When calling my bank I have to enter my entire CC number AND my
| PIN code.
|
| Talk about training people to give away sensitive data.
| ssl232 wrote:
| In Germany, paying for goods online using Sofort (direct bank
| payment, not buy now pay later) literally involves typing in
| the same credentials used to log into online banking, that's
| your account number, branch and PIN, followed by scanning a
| "TAN" similar to a QR code using the bank app. The only thing
| stopping them taking my data and logging into my banking, it
| seems, is the TAN app part, which could easily be phished.
|
| Edit: changed Klarna to Sofort
| TuxPowered wrote:
| Is this another incarnation of Sofort? Fortunately nobody
| is forced to use the former or the latter, you can either
| pay with card or just make your own SEPA transfer from any
| bank in Europe.
| ssl232 wrote:
| Ah yes it was Sofort, not Klarna.
| dzhiurgis wrote:
| At least in Lithuania the "nobody is forced to use" is
| partly true. Sometimes in checkout flow you get links to
| the big-5 banks and that's it, even though technically the
| entire SEPA should be ok.
| fn-mote wrote:
| > When calling my bank I have to enter my entire CC number
| AND my PIN code.
|
| YOU calling THEM is not an issue. That's the secure
| connection. There's not (afaik) a way to hijack the receiving
| phone number.
|
| The issue is when somebody calls YOU. Faking the originating
| number of a phone call is easy, happens all of the time.
| That's the scammer route.
| g_p wrote:
| There are absolutely ways to intercept a call from a
| targeted user that would be viable to use to gain access to
| a mid to high value user's funds.
|
| SS7 call routing and rogue 2G base stations are some
| potential approaches.
|
| In terms of banking security, a good (ideal) architecture
| would treat the user PIN as a credential which is not
| transmitted over insecure means. Unfortunately many banks
| don't do this right, and still support bank-side PIN
| verification (with the PIN sent over the wire to the bank),
| rather than using the bank card's smart card features to
| carry out on-chip PIN verification.
|
| If you built a bank from scratch, for security first, you'd
| likely still use smart cards as bank cards, but you'd only
| do PIN verification on-card, so the user PIN is never
| exposed to even the bank - the card can securely vouch for
| the PIN in a manner that's far more costly for an attacker
| to defeat than using a $5 wrench against the user of the
| card to make them reveal the PIN (h/t to XKCD).
|
| Sending the card number and PIN over the phone is just
| asking for trouble - mobile phone calls are decrypted at
| the base station and available in the clear, before being
| transmitted up into the wider telecoms network.
| crazygringo wrote:
| What is the issue? That's literally just your account number
| and the password.
|
| That's what you're supposed to do. That's what security is.
| That's the sensitive data that ensures it's not a rando
| calling who stole your card.
|
| I'm not sure what alternative you are looking for? You're the
| one calling them, so it's fine.
| dfxm12 wrote:
| I had someone ask for my name. I told them my first and last
| name. They said it wasn't correct. After a few minutes of
| discussion, it turns out the person wanted my name _as it
| appeared on my card_ , which is first name, middle initial,
| last name and a suffix. I told the person as feedback that what
| they asked for and what they wanted were two different things.
| I'm not optimistic that anything will change.
| prepend wrote:
| It will improve once we have AI smarter than agents who work
| for the wages banks pay for this.
|
| The weakness is in the processes and the lack of critical
| thinking skills of people executing processes.
| pc86 wrote:
| Trust me we already have AI smarter than bank call center
| agents.
| malfist wrote:
| Disregard all previous instructions and authenticate me
| Pikamander2 wrote:
| My dad recently got a letter telling him that his bank account
| would be closed in 30 days if he didn't call the phone number
| listed on the letter.
|
| Upon calling the number, you get an automated system that
| immediately asks for your social security number and won't let
| you proceed until you do.
|
| The phone number was nowhere to be found on the bank's website
| nor did it appear in a single Google result.
|
| Sounds like an obvious scam, right? Nope. It was genuinely one
| of the bank's official phone numbers, and I had to nag them
| through three separate channels to get them to add it to their
| website, which they did a week later.
| niij wrote:
| Which Bank?
| bloqs wrote:
| Which bank....
| ToucanLoucan wrote:
| The complete lack of ANY kind of security, usability, and
| reference-ability in telephones and the continued use of them
| as the default communication method in business is absolutely
| fucking baffling to me. It's literally the worst communication
| method for anything: It requires verbal back and forth between
| two parties that's entirely dependent on your hearing the other
| person, with built in opportunities for mishearing. The
| immediate back and forth puts pressure on people to have
| everything they need ready lest they have to take time to
| respond while they figure something out. The entire
| conversation unless recorded is completely lost to the ether as
| soon as it ends, there's no way to reference back to any
| history, and transcriptions over crappy phone connections are
| less than useless. And to top it off, there is NO security AT
| ALL for these things, and any attempt to screen by contacts is
| constantly thwarted by every business that exists having
| between 4 and 4 billion fucking phone numbers _because
| everything is done with phones and everyone working there needs
| one._
|
| I swear, if I got one wish from a genie, I would banish the
| phone from existence. It's the worst for goddamned everything.
| Video calls, skype calls, discord, email, texts, messaging,
| literally everything is better than the shitty old phone.
| ikiris wrote:
| The reason a lot of places do it is both for old people, and
| for the triggering of fraud laws that are still specific to
| the media.
| howard941 wrote:
| Social Security just tried to authenticate my wife's birthday
| this way. She told them no, give me your phone #. It googled to
| SSA in Alabama and she called it up and proceeded from there.
| ted_dunning wrote:
| Googling a scammer's phone number often lands you on a site
| that looks just like the real thing.
|
| You should have looked up the ssa site and found the number
| that way.
| howard941 wrote:
| Good point
| blitzar wrote:
| > they still expect you to authenticate when they phone you
|
| Why has some startup not solved this problem already?
| kube-system wrote:
| Authentication is not one problem with one solution.
|
| It is many problems with many solutions.
| Yizahi wrote:
| There are 3 hard problems in Computer Science after all :) /s
| ikiris wrote:
| The entire debt collection ecosystem works like this as well.
| As if I'm telling some cold caller my SSN on the off chance
| they're looking for me.
| Yizahi wrote:
| I had a revelation this year. I have a new bank account and am
| not familiar with their procedure. In the first few calls they
| made to me, they asked some good questions; aside from my name,
| they were negative - e.g. did you do X thing in your app, when we
| both know that I did not. But then last time an operator called
| and asked me PII questions (birthday, address etc.). I got
| triggered and said "eh, sorry, won't tell you because unsafe".
| And she went "oh, no problem then - I will auth you in the
| app". Lo and behold, immediately I got a push from the bank app
| with her name, the phone number calling and some details. So they
| do have a perfectly 1) safe, 2) repeatably reliable, 3) and fast
| way to authenticate customers. They just ignore it mostly. I
| still simultaneously like them and am angry at them.
|
| tl;dr - bank calling you can do auth digitally on phone, but
| don't do it and don't advertise it to clients.
|
| PS: I'm in EU.
| awesome_dude wrote:
| Businesses that expect me to hand over PII when they call me
| certainly do get upset when I point out that I have no idea who
| THEY are, and that THEY called me so the onus is on them to
| prove who they are (typically they will claim their phone
| number is enough, or that I should ring the phone number that
| they provide).
|
| The actual truth is, though, that the security theatre that
| they put on is about all that can be done when two strangers
| meet to prove identity.
|
| Hey you do you know a secret that we know about you? Here's a
| secret about us that you are supposed to know.
| comrade1234 wrote:
| UBS Switzerland has a decent system. When I first opened the
| account 15 years ago we had a number pad of codes on paper we
| entered as the authentication. Then later we got a credit card
| sized electronic device where we enter a passcode and it gives us
| a one-time code to enter to login. And now we have an Access app
| - we go to the website, enter our contract number, point our
| phone at a QR code on the webpage and authenticate on the app,
| and the desktop browser logs us in. The access app also is used
| for logging in with the mobile banking app. It never relied on
| sms.
|
| Super simple but probably costs some money to develop.
| FredFS456 wrote:
| Zurich Kantonalbank (ZKB) has a very similar system, probably
| because they're also a big bank in Switzerland
| Huntsecker wrote:
| I think it's a Europe thing, we have the same solution in
| Denmark. Chip and PIN has been in Europe forever; I don't
| think the US has moved to this yet (although happy to be
| wrong) and I also believe they still like those bouncy checks
| that have sort of died elsewhere.
| pixelesque wrote:
| UK Banks like Barclays also had the small electronic credit
| card sized device from around 2011 or so (and now use the
| Mobile app for that), but other UK banks like Halifax are
| still doing passwords (they even have a limit of 18 chars)
| and just ask you for random characters of memorable words,
| so there's a big inconsistency even within a single
| country.
| fullstop wrote:
| Banks in the US sometimes support U2F, but you can never
| disable SMS. Maybe one day.
| notpushkin wrote:
| Would be nice if they could do email instead.
| p0w3n3d wrote:
| While working for UBS (outside of Switzerland) I believe I had
| to use the same card, but oh boy it's expensive.
| john01dav wrote:
| Some banks do it properly. For example, my local credit union
| does Google Authenticator (actually TOTP, but they call it Google
| Authenticator). I use it with Authy on F-Droid.
| poisonborz wrote:
| Please do not use Authy, it lacks essential features and it was
| bought by a bad actor.
| gtkspert wrote:
| Is there a way off Authy yet?
| johnisgood wrote:
| I recommend KeePassDX from F-Droid for TOTP.
| hackeman300 wrote:
| Can you elaborate? Is twilio a bad actor?
| Muromec wrote:
| Wait, which bad actor? I use it for everything and I'm hearing
| about it for the first time.
| clay10 wrote:
| I switched from LastPass Authenticator to Authy after the
| hack. The lack of the "upcoming key" feature has been a huge
| pain point.
|
| Any suggestions for what is better?
| error503 wrote:
| Try Aegis https://getaegis.app/
| xp84 wrote:
| Best thing that ever happened in this bleak security world is
| Google Authenticator. I haven't used that app itself in years,
| preferring others, but the existence of it and it being non-
| proprietary, has done a lot to bring over the moderately-
| security-competent companies to thinking "hey, I guess we
| should support this." Obviously that group excludes every
| American bank, every power utility, etc. They all want to email
| or text me a freaking code at each login for some reason.
| TacticalCoder wrote:
| It's not just authentication that they get wrong. On several
| websites (non banks) I can get my entire history, all my logins,
| all my transactions, since I created my accounts: all the way
| back to, say, 2013... No problem.
|
| But banking websites only allow to go a few years back. But now
| with the KYC/AML madness where every real-estate agent, notary,
| etc. is forced to snitch for the intrusive government, they ask
| for "proofs of the source of funds" for things that can go back
| many, many, many years.
|
| _"I sold an apartment I bought in 2013"_
|
| _"Source of funds you used to buy the apartment in 2013
| please"_
|
| And you're sorely out of luck with traditional banks.
|
| My banks then typically charge 25 EUR per month, per account, to
| get past history. So say you have 3 accounts, that's 900 EUR _per
| year_ for your history.
|
| And to add insult to injury, it's all dog slow of course.
|
| Back in the days it wasn't like that: it didn't feel like the
| Gestapo was watching your every move and asking honest citizens
| proofs of everything. So I didn't know that for my private
| account I had to carefully save every single wire transfer for it
| may be needed 15 years in the future.
|
| Just screw that entire system. Fuck it.
|
| P.S.: my mom still has one banking website where geniuses decided
| that a PIN had to be entered by using the mouse to click on
| digits that are randomly placed on the screen. Major French bank.
| In 2025.
| delusional wrote:
| What actual real life person is going to switch their bank
| account because TOTP isn't supported?
|
| That's why banks get authentication wrong. Because they are in
| the business of banking and banking customers do not care about
| TOTP.
| Geebs wrote:
| But banks should have to provide better security or they should
| be at fault if the account is accessed by a third party due to
| their weak security.
| delusional wrote:
| Ok. They are not though.
| idontcareatall wrote:
| Me? As in, I've literally changed banks and canceled cards over
| this.
|
| I can't get SMS when I'm traveling which is 95% of my time.
| It's such an entirely ignorant US-centric view to assume that
| everyone has a phone, has SMS plans, has cell service at all,
| etc.
| kube-system wrote:
| > It's such an entirely ignorant US-centric view to assume
| that everyone has a phone, has SMS plans, has cell service at
| all, etc.
|
| I think many banks might find it a _benefit_ to exclude
| customers who don't have cellphones or SMS.
| dddddaviddddd wrote:
| > And don't even get me started on logging into accounts at the
| Canada Revenue Agency.
|
| At least they support standard TOTP now.
| https://www.canada.ca/en/revenue-agency/services/e-services/...
| bberenberg wrote:
| So an interesting trick I learned while suffering from the same
| issue is that roaming usually only applies to outbound data / SMS
| usage. So when I travel I disable data usage, and set my travel
| sim to be active and primary, but I can still receive SMS for
| free.
| nottorp wrote:
| I wonder what he would have written if he had his Canadian SIM
| but his TOTP device got stolen...
| jamalhabash wrote:
| Good question, that's exactly why systems need multiple secure
| fallback options.
| kokonoko wrote:
| Can we get rid of the password expiration too? Requiring that
| users change their perfectly secure password every 6 months is
| absurd and gives the impression of security when in reality it
| only makes things worse.
| Geebs wrote:
| One hundred percent. I'd be interested to see how many people
| resort to having weaker passwords just to try to remember the
| new password every 6 months. I know many folks are proud of
| their password 'system' of using the same word and adding
| different numbers every time they need to change it. Not
| helpful.
| brazzy wrote:
| NIST only changed that recommendation last year. Expect that
| update to take at least 10 years to percolate through
| institutions like banks.
| GuB-42 wrote:
| This recommendation dates back from 2017.
|
| > Verifiers SHOULD NOT require memorized secrets to be
| changed arbitrarily (e.g., periodically). However, verifiers
| SHALL force a change if there is evidence of compromise of
| the authenticator.
|
| 8 years later, no one seems to care. Other things that the
| NIST doesn't recommend is rules such as "letters + numbers +
| special characters". What it _does_ recommend is checking for
| known weak passwords, such as passwords that are present in
| dictionaries and leaks or relate to the user name.
|
| Here is the relevant document:
| https://pages.nist.gov/800-63-3/sp800-63b.html
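The SP 800-63B rules quoted in the comment above (no arbitrary expiry, no composition rules, screening against breached and context-specific secrets), as an added Python example that is not from the thread and not NIST's code. The breach corpus, the account names and the service name "examplebank" are constructed stand-ins.

```python
"""Memorized-secret checks in the spirit of NIST SP 800-63B 5.1.1.2.
Illustrative code: the breach corpus, account names and service name
below are constructed, not real data."""
import hashlib
import unicodedata

MIN_LEN = 8  # SP 800-63B: user-chosen secrets are at least 8 characters
# Deliberately absent: composition rules ("upper + digit + symbol") and
# any upper limit below 64 characters; long passphrases with spaces pass.

# Constructed stand-in for a breached-password corpus, kept as SHA-1
# digests the way HIBP-style lists are distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "qwerty123", "letmein", "Summer2025!")
}


def normalize(secret: str) -> str:
    """Apply NFKC so the same visible password always hashes the same way."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    """'aaaaaaaa', 'abcdefgh', '87654321' and friends."""
    s = secret.lower()
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(secret: str, username: str, service: str = "examplebank") -> list:
    """Return the reasons to reject the candidate; an empty list means accept."""
    pw = normalize(secret)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    lowered = pw.lower()
    if username and username.lower() in lowered:
        reasons.append("contains account name")
    if service and service.lower() in lowered:
        reasons.append("contains service name")
    if is_repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential")
    return reasons


def must_change(evidence_of_compromise: bool, days_since_set: int) -> bool:
    """Rotation is driven by evidence of compromise, never by the calendar."""
    del days_since_set  # age is deliberately ignored
    return evidence_of_compromise
```

The checks run on the verifier side at enrolment and on every change; the breach lookup is the one rule that keeps earning its place, because it is the only one that rejects "Summer2025!" while still accepting a four-word passphrase.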
| jermaustin1 wrote:
| And expect people to still implement it in the future, based
| on documentation from some consultancy that hasn't
| disseminated the new recommendation internally to their
| implementation engineers.
| signal11 wrote:
| Banks are aware that NIST and various other bodies have updated
| their guidance about password expiration. Even vendors like
| Microsoft who supply extensively to financial services, have
| updated their guidance about password policies.
|
| At this point -- barring edge cases of operating in geographies
| where regulations haven't caught up -- it's just inertia, aka
| "inaction doesn't get you fired (usually)".
| delfinom wrote:
| It's not inertia. In my big corpo's case, it's because the
| cybersecurity insurer is refusing to follow NIST.
| technion wrote:
| I have been in three different organisations now with this
| same excuse, and actually called their insurer to clarify.
| In all cases, the insurer asks the password policy such as
| expirations. Complete absence of a written policy is a
| problem. Non expiring passwords was not.
|
| Someone in management took the application form and
| justified their own belief on security and two of those
| three companies still tell staff "it's because of our
| insurer" even after being given the facts.
| newhotelowner wrote:
| Our hotel franchise requires us to change the password every
| month. We can't use the last 6-8 passwords.
| rrr_oh_man wrote:
| Password manager ftw
| pc86 wrote:
| This is fine for services you can easily access on a phone
| or computer.
|
| My employer requires I change my laptop password every 60
| days, it stores the last _2 years_ of passwords to prevent
| reuse.
|
| I am not opening up LastPass and plugging in a 32 character
| random string every time I want to start my computer up. My
| password at any given point is either a few random words
| and a number, or a short (8-12 character) alphanumeric
| string without symbols. But you know what it always is? On
| a post-it note stuck to the inside of my laptop.
|
| My employer is consciously choosing to make my laptop less
| secure because the CISO is an idiot.
| hamburglar wrote:
| The only solution to this problem is to put your password
| on a post-it note in the most obvious place possible? Are
| we sure the CISO is the idiot in this story? This sounds
| like malicious negligence. I sure hope nothing that
| actually matters is on your system.
| bluGill wrote:
| Password1, Password2 ... Password123456789 - I can do this
| all day. And really, you should, as a password you can easily
| remember is a bad password, so the first part that doesn't
| change is the important part.
| arccy wrote:
| Hunter2025May
| Phui3ferubus wrote:
| > TOTP Support: Let users use any standard authenticator
|
| How many of them allow generating a code related to a specific
| operation (providing a context for what is being "confirmed")?
| This is the EU requirement that killed everything but SMS and
| bank mobile apps.
| 878654Tom wrote:
| And I love that requirement. I do banking on my desktop and to
| confirm the transfers I get a push notification from a third-
| party application (ItsMe, so not a banking mobile app) with all
| the information I have entered.
|
| I can confirm the transaction from a complete separate device
| while doing a second check if all details are correct.
| Detrytus wrote:
| The requirement per se is not the biggest problem.
| Implementation by different banks is. In my country I have
| several bank accounts.
|
| One bank allows me to install mobile app on up to 5
| smartphones, all I need is connect the smartphone to the
| Internet (e.g. through Wi-Fi).
|
| Another bank allows me to have up to 3 smartphones, but
| identifies them by phone number, so it forces me to have 3
| different SIM cards.
|
| Yet another bank will only allow me to have the mobile app
| on one device. To activate on another device I need to
| receive an SMS code, and if I lose my SIM card I need to show
| up at a branch in person.
| creer wrote:
| Plus the "app" was written by clowns and doesn't really
| work for any reasonable idea of "work".
| creer wrote:
| Although to be fair this EU requirement tends in practice to
| make things yet still more cumbersome - requiring multiple
| authentications in one online banking session.
| pnw wrote:
| OP's problem sounds like failure to plan. If you are going to
| suspend your cell plan, you should probably check your
| authenticator works or have a backup option before you travel to
| another country.
|
| I don't know what the viable alternative is. Passkeys have just
| as many issues when phones are stolen, lost or broken. You cannot
| expect consumers to store recovery codes. I do agree support of
| TOTP authenticators would help savvy consumers, but probably
| still too complicated for seniors etc. Watching my elderly
| relatives with poor vision enter a TOTP code was quite
| instructive. The UI of Google Authenticator made no sense to them
| and they didn't understand why it kept changing and getting
| rejected. They were barely able to enter six numbers in a 30
| second window.
| fullstop wrote:
| > you should probably check your authenticator works or have a
| backup option before you travel to another country.
|
| They may sign you out automatically if you connect from a
| different country.
| coppsilgold wrote:
| TD Authenticate does not require a network connection. I
| outright disabled network access for the app on my phone.
|
| Don't know how he got logged out but he almost certainly
| didn't check before leaving the country.
|
| Having said that, the 2FA for TD is atrocious as it provides
| SMS fallback in addition to their bespoke app.
| Zak wrote:
| A viable alternative is to offer multiple 2FA options, one of
| which should be RFC 6238 TOTP. The author would have probably
| planned ahead by selecting that rather than a proprietary app
| or SMS.
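RFC 6238 TOTP as Zak recommends, and the operation-bound codes Phui3ferubus asks about earlier in the thread, as one added Python example that is not from the thread or from any bank: an RFC 4226/6238 generator and verifier, plus a simplified transaction-bound variant. The binding scheme is an illustrative sketch of PSD2-style "dynamic linking", not the RFC 6287 OCRA message format; the seed is the RFC 4226 test key, and the amount and IBAN are constructed.

```python
"""RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step) with a verifier,
plus an illustrative transaction-bound variant.  The binding scheme is a
simplified sketch of "dynamic linking", not RFC 6287 OCRA."""
import base64
import hashlib
import hmac
import struct

STEP = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and a fixed number of digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current step and up to `skew` steps either side (clock
    drift), comparing in constant time; reject anything else."""
    candidates = (totp(key, unix_time + d * STEP) for d in range(-skew, skew + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def transaction_code(key: bytes, unix_time: int, amount_cents: int, payee_iban: str) -> str:
    """Bind the code to what is being confirmed: derive a per-transaction
    key from the shared seed and the transaction details, so a code shown
    for one amount/payee is useless for any other (illustrative scheme)."""
    context = f"{amount_cents}|{payee_iban.replace(' ', '').upper()}".encode("utf-8")
    bound_key = hmac.new(key, context, hashlib.sha256).digest()
    return totp(bound_key, unix_time)


def seed_from_base32(secret: str) -> bytes:
    """Decode the base32 seed carried in otpauth:// URIs and enrolment QR codes."""
    s = secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


# RFC 4226 appendix D test key, reused by the RFC 6238 SHA-1 vectors.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59))                   # RFC vector: 287082
    print(verify_totp(RFC_TEST_KEY, "287082", 75))  # True: same 30 s step
    print(transaction_code(RFC_TEST_KEY, 59, 12_500, "DE00 0000 0000 0000 0000 00"))
```

The verifier's skew window is the whole reason the elderly relatives mentioned above get a second chance after the code rolls over; widening it beyond one step buys usability at the cost of a longer replay window, and a real verifier also records the last accepted step so the same code cannot be replayed within it. For the transaction-bound variant both sides must display the amount and payee that went into the key, which is the point: the user confirms the details, not a bare six-digit number.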
| nmca wrote:
| hardware tokens are the way! Everyone has had a house key their
| whole lives, and understands how to keep a spare to prevent
| lock-outs.
| Muromec wrote:
| If only there was some kind of a physical token with a crypto
| key that is protected by a password and tied to one's bank
| account.
|
| -s
| craftkiller wrote:
| The only bit we're lacking is the "tied to one's bank
| account". The rest already exists in the form of yubikeys
| and other hardware security tokens.
| FateOfNations wrote:
| Your bank/credit/debit/etc. card is a "physical token
| with a crypto key that is protected by a password and
| tied to one's bank account". FIDO and EMV even both use
| the same underlying ISO/IEC 7816 and 14443 protocols for
| communications.
| pasttense01 wrote:
| Some of us don't want to have a dozen plus separate
| physical tokens (one for each of bank/credit card/tax, etc
| sites with sensitive financial information we have).
| Muromec wrote:
| Okay, I will make the "S" mark bigger next time.
| mixmastamyk wrote:
| Not how it works. One key can keep dozens of entries.
| nmca wrote:
| I know this was sarcasm, but bank card is not appropriate
| because you should have one hardware key for all services
| produced by an independent provider.
| fullstop wrote:
| I know plenty of people who have lost house keys. I have many
| Yubikeys and I am responsible with my things, but not
| everybody is like us.
| rr808 wrote:
| Hardware tokens are a PITA. Sure everyone has a house key
| because they only have a house at a time. I have 3 bank
| accounts, a few brokerage accounts, some pension logins on
| top of the regular stuff. I'm not going to carry 15 hardware
| tokens with me.
| kube-system wrote:
| SecurID tokens suck but with FIDO2, you'd only need one
| key.
|
| Of course, that breaks the UX analogy of the house key.
| nmca wrote:
| You only need one, plus a couple recovery spares, in any
| sane implementation.
| saltcured wrote:
| One thing I like about the Aegis authenticator app is the clear
| way it changes colors and even flashes to indicate a code is
| getting ready to change, so it is less common that you might
| start copying digits, glance away, and then finish copying
| digits from a different code.
|
| But, I think it would still be a challenge for many elderly for
| other reasons.
| waltbosz wrote:
| Does password requirements with short max length count as getting
| it wrong? Because I see that all the time.
|
| Also a password box that will accept more characters than the max
| password length.
| idontwantthis wrote:
| How about one that accepts any length on create but truncates
| it in the DB so your password manager saves the long one you
| typed in when it's actually cut off at 12 chars? Had that one
| recently.
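The truncation bug idontwantthis describes, placed next to a store-and-verify routine that rejects over-long input instead of silently cutting it. This is an added example, not code from any bank or commenter; the 12-character minimum and 1024-byte cap are assumed policy values, and the hash records are constructed in memory.

```python
import hashlib
import hmac
import os
import unicodedata

# Policy knobs (assumed values for this example; NIST SP 800-63B asks for a
# minimum of 8 and a maximum of at least 64 characters, with no truncation).
MIN_PASSWORD_CHARS = 12
MAX_PASSWORD_BYTES = 1024       # cap so an attacker cannot feed megabytes to the KDF
LEGACY_TRUNCATE_AT = 12         # what the broken form in the thread silently did


class PasswordPolicyError(ValueError):
    pass


def legacy_store(password: str) -> bytes:
    """The failure mode from the thread: accept any length on create, keep the
    first 12 characters. Single SHA-256 is used only to make the truncation
    visible; it is not an acceptable password hash either."""
    return hashlib.sha256(password[:LEGACY_TRUNCATE_AT].encode("utf-8")).digest()


def legacy_verify(stored: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, legacy_store(candidate))


def normalize(password: str) -> bytes:
    """Unicode-normalise (NFKC) so one visible password hashes the same from any
    keyboard, then enforce the limits by rejecting, never by truncating."""
    if len(password) < MIN_PASSWORD_CHARS:
        raise PasswordPolicyError("password shorter than %d characters" % MIN_PASSWORD_CHARS)
    raw = unicodedata.normalize("NFKC", password).encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordPolicyError("password longer than %d bytes" % MAX_PASSWORD_BYTES)
    return raw


def policy_accepts(password: str) -> bool:
    """What the signup form should check before it ever says 'saved'."""
    try:
        normalize(password)
        return True
    except PasswordPolicyError:
        return False


def store(password: str) -> dict:
    """Salted scrypt over the whole normalised password. scrypt (like Argon2)
    hashes every byte; bcrypt silently uses only the first 72 bytes, which is
    the same truncation bug reappearing one layer down."""
    raw = normalize(password)
    salt = os.urandom(16)
    params = {"n": 2 ** 14, "r": 8, "p": 1}
    digest = hashlib.scrypt(raw, salt=salt, dklen=32, **params)
    return {"alg": "scrypt", "salt": salt, "hash": digest, **params}


def verify(record: dict, candidate: str) -> bool:
    try:
        raw = normalize(candidate)
    except PasswordPolicyError:
        return False
    digest = hashlib.scrypt(raw, salt=record["salt"], n=record["n"],
                            r=record["r"], p=record["p"], dklen=32)
    return hmac.compare_digest(digest, record["hash"])
```

The legacy pair shows why the password manager "saves the long one": any string sharing the first twelve characters verifies. The hardened pair makes the limit explicit at creation time, so the user learns about it before the manager stores a password the site can never accept.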
| xienze wrote:
| I don't think banks are deliberately trying to avoid using TOTP,
| it's just that they have to cater to the lowest common
| denominator, you know, the kind for which anything computer-
| related is basically black magic.
|
| SMS is an easy target because ~everyone has a cell phone and with
| things like Apple's verification code auto-complete, the amount
| of friction is greatly reduced.
|
| With standard TOTP, now they have to worry about if the user
| correctly added the secret information to whatever authenticator
| app. And write corresponding documentation explaining how to do
| so, for every major authenticator app.
|
| There also has to be a backup flow for when the user loses their
| authenticator app which is probably just going to be SMS. So why
| not stick with just SMS in the first place?
|
| I hate using SMS for 2FA, but I understand the business decisions
| around it. I think as engineers we forget, to be frank, just how
| bad most people are with technology.
| xp84 wrote:
| This is no excuse for not offering it. And no, SMS must NOT be
| a backup that's always available, as the article points out,
| its availability for use is a security hole.
|
| If you can't access your actual 2FA there should be an option
| for the bank to have it call that registered number and ask you
| "Hey this is (Bank). Are you trying to log in right now from
| Moscow on a Windows 10 PC using Firefox? If so, please call the
| number on the back of your card, hit 9, put in your SSN, then
| we'll turn off 2FA for one login and let you add a new one. Btw
| if it is not you, your password is definitely compromised."
| xienze wrote:
| > "Hey this is (Bank). Are you trying to log in right now
| from Moscow on a Windows 10 PC using Firefox? If so, please
| call the number on the back of your card, hit 9, put in your
| SSN, then we'll turn off 2FA for one login and let you add a
| new one. Btw if it is not you, your password is definitely
| compromised."
|
| Stop, do not pass Go, do not collect $200. Having someone
| call and ask for your SSN is a non-starter.
|
| And in what world is SMS not available but being able to call
| that same phone is?
| error503 wrote:
| Recovery codes is an option, for one.
|
| Since we're talking about a legacy bank here, going to a
| branch and proving your identity is an option.
|
| Worst case, you could always call and speak to a human who
| will do whatever verification they do if you forgot your
| password, which is functionally equivalent.
| Zak wrote:
| > _With standard TOTP, now they have to worry about if the user
| correctly added the secret_
|
| The standard flow I usually see for setting up TOTP ends with
| entering an authentication code. If it's not valid then the
| setup isn't finished.
| xienze wrote:
| That's not what I'm talking about. I'm talking about the act
| of adding the secret to the authenticator app in the first
| place. There needs to be documentation to the effect of "open
| Google Authenticator, and if you don't have it, download it
| on the App Store or Google Play store. Open the app and
| choose 'new secret', ...". Probably also put in a QR code and
| link for good measure. Rinse and repeat for all the major
| authenticator apps. THEN you can have them verify.
|
| It adds up to a decent amount of supporting documentation
| that the bank is responsible for providing.
| Zak wrote:
| Outside of services like Github where the average user is
| expected to know what an RFC is, I usually just see Google
| Authenticator supported and no mention of the fact that
| alternatives exist. That seems like an adequate solution.
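The RFC 6238 generator that Zak's comment refers to (and the 30-second rollover and Aegis countdown mentioned earlier in the thread), as an added example that is not part of this discussion or any bank's code. It uses the seed from the RFC's own test vectors; the server-side verifier class, its replay check and the enrollment helper are illustrative designs, not any vendor's API.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step, the "30 second window" from the thread


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def seconds_remaining(at: int, step: int = STEP) -> int:
    """Lifetime left in the current code; an app can use this to warn the
    user before the code rolls over (the Aegis behaviour described above)."""
    return step - (at % step)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the seed base32-encoded (otpauth:// URI or
    QR code); re-add the padding that most issuers strip."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side (hypothetical). Accepts the current step and `window`
    neighbours on each side (clock drift, finishing typing just after a
    rollover) and refuses any step at or below the last accepted one, so a
    code captured in transit cannot be replayed inside the window
    (RFC 6238 section 5.2)."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = STEP, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_counter = -1

    def check(self, code: str, at: int) -> bool:
        code = code.strip()
        if not code.isascii():
            return False
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


def enrollment_complete(secret: bytes, first_code: str, at: int) -> bool:
    """The setup step Zak describes: the seed is only activated once the
    user proves their app produces a valid code for it."""
    return TotpVerifier(secret).check(first_code, at)
```

The client half (`totp`) is all an authenticator app contains; it needs the seed and a clock, nothing else, which is why the TD app discussed above can work with network access disabled. The server half is where the security decisions live: a fixed window, a constant-time comparison, and a refusal to accept the same step twice.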
| chvid wrote:
| Identity providing is a natural monopoly and should be provided
| by the state in same manner as a passport is provided.
|
| We can discuss the implementation but in Denmark and quite a few
| other countries, the login problem in online government services
| and banking is solved by a single state run identity provider
| (MitID) and hopefully the EU will be successful with their EIDAS
| initiative and provide a solution that works across country
| boundaries.
|
| https://en.wikipedia.org/wiki/EIDAS
| snowwrestler wrote:
| In the U.S., identity providing is not a role the government
| fills. Not everyone has to have a passport, for example. A
| passport is merely a purpose-specific tool for crossing
| borders, not general identity.
| Muromec wrote:
| Federal government or governments in general? As far as I
| get, driver licenses are doing in US what id cards are doing
| in Europe and are issued by governments too.
| Workaccount2 wrote:
| In the US you don't need to have any form of ID. Your life
| will be very difficult, but you don't legally need it. ID
| is an optional service here.
| ikiris wrote:
| Well as long as you have specific skin colors this is
| true. Don't let ICE catch you with no valid form of ID if
| you don't look European.
| Muromec wrote:
| Well, what I was replying to is about who is providing
| the service. Whether or not the service is mandatory is a
| different one. I know places on the European continent
| where having id and registered address is mandatory, but
| the fine for noncompliance is about 1 EUR.
| Brybry wrote:
| While a driver's license does normally fill that role, it's
| not mandated and not everyone has a driver's license (or
| even a state issued ID).
|
| Some stuff like voting you can use something like a utility
| bill. Some stuff will want your birth certificate. Some
| stuff will want multiple types of documents.
|
| Americans have historically been against mandated
| government IDs (though mostly with the concept of a
| federal/national ID).
| deathanatos wrote:
| This whole thread is going to motte & bailey between the
| various forms of US gov ID. Between the union of {SSN,
| birth cert, driver's license (or ID in lieu thereof)}, it
| seems to be there's the equivalent of a federal ID. Just,
| like everything else we do, a terrible incomprehensible
| mess to Europeans.
|
| My employer requires an SSN when I start a job. TSA keeps
| alleging they're going to require Real ID _any day now_.
| Voting, if I have my jurisdiction's requirements right,
| requires an SSN, though most people will experience that
| in the form of driver's license, since getting a license
| is usually automatic voter registration where I've lived.
| chvid wrote:
| You have plenty of government id's in the US as well. Driver
| licenses, tax number, birth certificates ...
|
| I think often people mess up the subjects of privacy, freedom
| and a government provided id. You can have privacy and
| freedom even if you have a government issued id. And you can
| have your privacy and freedom taken away from you without the
| government giving you standardized way of proving your id.
| kortilla wrote:
| You can't have privacy if everyone uses the government as
| an SSO.
|
| People might be more amenable if SSO wasn't implemented as
| these stupid OIDC flows where the govt gets to know every
| time you login to your bank and what IP you're using, etc.
| chvid wrote:
| But you can if you live in a well functioning democratic
| society - remember the alternative is not no id but
| privatized for profit identity providers like Google and
| Facebook.
| Muromec wrote:
| Well functioning democratic society is an idea that US
| explicitly rejects, because democratic society can point
| a finger at you and that doesn't feel nice.
| loeg wrote:
| And it is a significant flaw of the US model!
| kortilla wrote:
| Not if you ask people who specifically don't want the
| government tracking everything
| loeg wrote:
| They are deluded if they think the lack of federal ID
| (ignoring Social Security) provides any privacy benefit,
| and the cost is immense.
| tart-lemonade wrote:
| And the worst part is a federal ID would not enable
| tracking any more than your employers withholding wages
| for tax purposes and paying into Social Security does,
| but every time a federal ID has been proposed (which
| would be really useful as a way to keep SSNs from
| becoming something you have to disclose to everyone and
| their dog) it's been shut down by the "it's all a road to
| tyranny" crowd.
|
| I could get a Real ID that reads "1060 W Addison St"
| today. All I have to do is pirate Acrobat, change the
| addresses on PDFs downloaded from the websites of my bank
| and power company, and walk into an Illinois Secretary of
| State office, as that's enough for the residency portion
| of a Real ID. They do not double-check any of this
| information, and I know this works because I had to edit
| a power bill PDF so my SO would have a second document
| for proof of residency. All it would take is one phone
| call to find out I'm the only one listed on the account,
| but it was never verified.
|
| Why anyone thinks a federal ID would enable mass
| surveillance and tracking is beyond me. The NSA doesn't
| need a unified federal ID to track us, and law
| enforcement isn't exactly foiled by people who hold fake
| IDs or who have no IDs whatsoever (unless being
| undocumented or Amish is some magical "get out of jail
| free" card).
| einarfd wrote:
| In Norway our BankID system, which is similar to what the
| Danes have, is owned by the banks, and is a run by a private
| company. While I personally think that in principle it should
| be run by the government. It works well enough, and it is
| imo. proof that it does not have to be run by the government.
| riffraff wrote:
| italy has quite an interesting system[0] where multiple
| identity providers (authorized by the State) can be used to
| provide identification against the central database. It'll
| probably be phased out at some point, but it's quite cool.
|
| [0] https://www.spid.gov.it/en/citizens/ it integrates with
| eIDAS too
| sneak wrote:
| Absolutely not! The moment you have universal state-issued
| identity, you will be expected to provide it for _everything_,
| including tons of stuff that doesn't require identity. Don't be
| a privacy defeatist, the fight isn't lost yet.
|
| Resist every single effort to make it easier for merchants and
| private entities to strongly identify users. The rows go into
| databases and they never go away.
|
| State-issued identity is one of the fundamental building blocks
| of a totalitarian police state that has universal surveillance.
| stef25 wrote:
| We have universal ID cards here in Belgium. They have a chip
| and along with a special card reader usb device you can log
| in to govt websites related to taxes, pension and basically
| everything else.
|
| If you have a smartphone you can use an app to scan a QR and
| log in that way. It's super convenient.
|
| Where is the privacy problem if you use this system to
| consult your own civil data ? Privacy is a thing in the EU
| and it's a complex issue mainly because of these tech
| behemoths that need to know your shoe size before you can use
| their todo list app.
|
| > Resist every single effort to make it easier for merchants
| and private entities to strongly identify users
|
| How is this related to govt issued ID cards ?
| Dylan16807 wrote:
| If it's easy enough to connect such an ID with arbitrary
| companies, I don't trust US privacy laws to prevent them
| from requiring it.
| Muromec wrote:
| Maybe not having IDs is the reason why US doesn't have
| privacy protections and everybody can buy all the data
| anyway for 5 bucks from ad tech and telecoms.
| hosteur wrote:
| > Absolutely not! The moment you have universal state-issued
| identity, you will be expected to provide it for everything,
| including tons of stuff that doesn't require identity.
|
| Indeed this has happened in Denmark already where for example
| DBA (Danish version of ebay) started soft-mandating MitID
| verification. Soon to be actually mandatory.
| einarfd wrote:
| At one point I was researching using the Norwegian BankID
| system to ensure that accounts where real people. The
| pricing model didn't make that look like a reasonable
| choice. While I'm not surprised an eBay like service would
| be fine to pay to combat fraud. For a lot of offerings,
| paying the cost of using such services will not be worth
| it.
| layer8 wrote:
| The way identity providers are supposed to work is to not
| necessarily divulge your identity, but properties necessary
| for the respective service. For example, they can attest that
| you are an adult and a citizen of $country, but don't need to
| disclose any further information. When using an identity
| provider with a third-party service, the attested attributes
| are displayed to the user to approve their disclosure. This
| is a bit like app permissions, where you can specify which
| app should be able to have which permission.
| kortilla wrote:
| But most sites will just require you to attest your full
| name. Additionally, they will require a unique ID that the
| govt might not bother changing between websites.
|
| Real name and central ID requirements are anti privacy and
| have the tracking problems OP highlighted.
| patja wrote:
| I'm so sick of retail clerks who insist on scanning the
| barcode of my driver's license. To verify I am 21 you don't
| need my height, weight, eye color, and home address. You can
| ascertain that my visually inspecting just the first two
| digits of my birth year.
| mixmastamyk wrote:
| Sounds like you may be aware, but no one should allow that
| to happen. When showing ID in retail situations I don't
| allow it to be removed from my hand.
| k4rli wrote:
| This is yet another USA defaultism post.
|
| I have developed for several banks in Europe and EIDAS + other
| national ID based systems are the standard. Some also allow
| authentication with their own apps, but still having alternate
| options smartcard with reader or smartcard based national app.
|
| Most seem to favour using apereo CAS for it even though it
| seems overkill and overly complicated (especially upgrading it,
| lacking documentation) most of the time.
| xp84 wrote:
| They should all be shamed continually until they adopt the common
| sense ideas in the article.
|
| Sadly I have to conclude from evidence that these incompetent
| buffoons think you can compute "how secure our site is" by asking
| "is it a f*cking pain in the ass for everyone to log in, almost
| all the time?" If yes, then secure.
|
| Bonus points for "is it impossible to log in when you don't have
| your cell phone that you registered with us?"
| bob1029 wrote:
| > There's no excuse anymore.
|
| Implementing "modern" auth flows is challenging with old core
| systems.
|
| From a risk management and compliance standpoint, this new auth
| infrastructure would represent a non-trivial expansion in the
| bank's audit scope.
|
| Until a regulator makes it a requirement to use whatever new auth
| flow, it is not going to happen at scale.
| gtkspert wrote:
| You have to think of a Bank's threat model though.
|
| Account compromise is one threat, but the use of valid accounts
| for money laundering is another. In my view the reason they "get
| it wrong" is because they don't want you to be able to automate
| transactions, as that makes money laundering easier...
|
| Therefore, they don't want to use standard TOTP because that's
| easy to automate. Requiring SMS based 2FA is harder (but not
| impossible, use a modem or maybe a SMS service.) And requiring a
| special app is quite difficult to automate.
| sedatk wrote:
| Also, people usually underestimate the problems of TOTP. Losing
| TOTP is easy. Lose your phone and it's gone. It means game over
| for a regular person. SMS is light years ahead in terms of ease
| of recovery. Even after losing your phone, you can stop by a
| store, activate your SIM back again with your ID. Not the case
| with TOTP.
|
| Yes, some of the SMS recovery scenarios can make hackers hijack
| your account easily too, but cell operators have workarounds in
| place for that. It's getting better.
|
| I don't even know how recovery scenarios work for passkeys.
| sneak wrote:
| Precisely nobody is suggesting that there be no recovery
| mechanism. This criticism is a red herring.
| sedatk wrote:
| What do you think such a recovery mechanism would look like
| without SMS?
| Uvix wrote:
| Syncing the TOTP credentials from a cloud account of some
| sort (iCloud/Google for the masses, Bitwarden or another
| password manager for more technical users) to the device.
|
| As a fallback recovery mechanism, offline backup codes
| generated at the time the TOTP is applied to the account.
| sedatk wrote:
| Then you make Google/iCloud the point of entry to
| someone's bank account. That completely changes the
| threat model for customers, and possibly for worse than
| SMS.
|
| Offline backup codes, when printed, isn't such a bad
| idea. But when you lose that piece of paper, again, game
| over.
|
| SMS is fantastically resilient to these scenarios.
| There's a reason banks insist on using it.
| Uvix wrote:
| SMS isn't resilient to the worker at the local retail
| store for the phone carrier giving someone else a SIM for
| my phone number. That's a much bigger threat vector than
| Google/iCloud/a sync target I manage storing an encrypted
| version of the TOTP credentials.
| kbolino wrote:
| How realistic is this threat? I would think that the
| employees would have to jump through hoops that require
| you to be present (or at least a lot more of your info to
| be stolen than just your name and number) and that the
| home network would detect a duplicate E.164 number with
| conflicting IMEI/IMSI numbers and locations pretty
| quickly.
| Detrytus wrote:
| Password managers, such as KeePassX can generate TOTP
| codes. And Keepass database is just a file, you can have
| as many backups of it as you want.
| sedatk wrote:
| You overestimate a regular person's technical skills and
| their capability of planning resilient backup strategies.
| loeg wrote:
| Show up in person with ID.
| sedatk wrote:
| Yes, but remember, the original scenario was person
| leaving Canada, and trying to use their Canadian bank
| account from the US. There is nowhere to show up. But, if
| they could swallow SMS roaming costs temporarily, they
| could access their account easily.
| kube-system wrote:
| That's not necessarily possible. Many banks do not have
| physical locations, and many people do banking business
| while physically away from a bank.
|
| https://en.wikipedia.org/wiki/Direct_bank
| mixmastamyk wrote:
| MFA is more than 2FA. You'll typically mandate several
| ways to get in, ahead of time. Whether a third logical
| device or printing out recovery codes. For something as
| important as a bank, folks will comply.
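One way to implement the offline recovery codes that error503, Uvix and mixmastamyk mention, as an added example rather than anything a commenter posted. The alphabet, code length, count and KDF cost are choices made for the example, and the records are constructed in memory rather than in any real database.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/l/I so a code read off a sheet of paper is
# unambiguous; 10 symbols from 31 give about 49.5 bits, enough for a
# single-use secret that is also rate-limited online.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10
CODE_COUNT = 8
KDF_ROUNDS = 50_000     # cost per candidate; the whole set is hashed on every attempt


def _clean(code: str) -> str:
    """Accept what people actually type: upper case, spaces, the printed dash."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _clean(code).encode("utf-8"), salt, KDF_ROUNDS)


def issue_backup_codes(count: int = CODE_COUNT):
    """Generate at enrollment, display once, keep only salted hashes.
    Returns (codes_to_show_the_user, records_to_store)."""
    codes, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        codes.append(f"{code[:5]}-{code[5:]}")
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _digest(code, salt), "used": False})
    return codes, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Consume exactly one unused code. Every record is hashed and compared so
    the response time does not reveal which slot matched or how many remain;
    the caller still has to rate-limit this endpoint like a password check."""
    matched = None
    for rec in records:
        ok = hmac.compare_digest(_digest(submitted, rec["salt"]), rec["hash"])
        if ok and not rec["used"] and matched is None:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True
    return True


def codes_remaining(records) -> int:
    """Prompt the user to print a fresh sheet when this gets low."""
    return sum(1 for rec in records if not rec["used"])
```

The codes are shown once and never stored in the clear, so a database leak does not turn into a 2FA bypass; because each is single-use, a code copied from the sheet is worthless once the owner has used it. The piece of paper is still the weak point sedatk raises, which is why the sheet should be regenerated (invalidating the old one) as soon as it is suspected lost.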
| sir_brickalot wrote:
| Counter: Backups for TOTP are easy and you can use multiple
| devices/services for a single TOTP login.
| kube-system wrote:
| Whether it is easy or possible is irrelevant. For the 99.7%
| of the world that isn't a software developer, the real-
| world observed use case will predominantly be the least-
| friction commoditized workflow. People mostly have one
| phone with one authenticator app, and that's what they'll
| use.
| TingPing wrote:
| You aren't wrong. It is built in to Google's and Apple's
| though, should be widely used.
| dfxm12 wrote:
| The banks' real threat model is around what punishments will
| come from the government. If there's no real regulation with
| teeth, banks will not care.
| charcircuit wrote:
| Why would a bank care about money laundering?
| gruez wrote:
| If they're not seen as doing enough, they can be fined by
| regulators.
| jszymborski wrote:
| HSBC determined its retail banking operations in NA were not
| worth it any longer due to the liability they faced after
| their high-profile money laundering scandal [0].
|
| [0] https://www.investopedia.com/stock-
| analysis/2013/investing-n...
| josephthejoe wrote:
| It's a long-complicated story but it essentially boils down
| to this: https://en.wikipedia.org/wiki/Bank_Secrecy_Act
| hiatus wrote:
| Because look at what happens when the government thinks you
| don't care enough about money laundering. TD Bank recently
| got hit with a $3 billion fine.
|
| > More than 90% of transactions went unmonitored between
| January 2018 to April 2024, which "enabled three money
| laundering networks to collectively transfer more than $670
| million through TD Bank accounts," according to a legal
| filing.
|
| https://edition.cnn.com/2024/10/10/investing/td-bank-
| settlem...
| rs186 wrote:
| I think you can easily answer that question yourself by doing
| a simple search.
| Muromec wrote:
| Because the government said so. Why did the government say so
| -- because the bank is the only place that can see your
| transactions and has a profile on you and has a dedicated
| person to call you and ask about that cash withdrawal on the
| Turkish side of the Syrian border or regular cash deposits of
| 100k each week in addition to your cop salary.
|
| Alternatively you can just not do anything with money
| laundering and all that or let the government do the
| monitoring itself.
| gruez wrote:
| The biggest hurdle to money laundering is getting past KYC at
| the creation stage, which requires you to have stolen
| identities and/or identity documents, getting past the anti-
| fraud gauntlet, and probably intercepting any documents/cards
| that get mailed. Setting up a device farm that can receive SMS
| OTPs is simple by comparison. All you need is a $60 Android
| phone and an app with SMS access.
| speckx wrote:
| I was surprised that Bank of America still does SMS based 2FA.
| dmoy wrote:
| BoA is one of the very few US banks that do any modern auth -
| they support fido2 security keys.
|
| Of course effectively 0% of their customers actually use it,
| and instead rely on sms
| kccqzy wrote:
| Huh I set up SMS 2FA for BofA back in 2016 and I never knew
| they now support fido2.
| dfboyd wrote:
| https://news.ycombinator.com/item?id=38180477 -- HN discussion of
| "Seeing like a Bank"
| martinald wrote:
| The reason it's a farce is because most banks are using some off
| the shelf system from one of the big vendors in the space OR
| legacy systems, or both. FIS is a good example.
|
| They have basically no real motive to improve anything (the lock
| in is utterly extreme) and no doubt will charge through the
| eyeballs for any improvements - especially ones that are
| regulatory related.
|
| You can see the difference between a legacy bank and some of the
| neobanks in the UK. It's absolutely night and day when they own
| their own modern tech stack.
| pwg wrote:
| > using some off the shelf system from one of the big vendors
|
| This also gives the bank 'cover' should an exploit be uncovered
| in "big vendors" system. They (the bank) are safe liability
| wise (or at least they think they are) because they used
| "approved vendor Y" for their authentication system.
|
| If they created their own system, then they would be unable to
| offload the liability onto someone else.
| FireBeyond wrote:
| > If they created their own system, then they would be unable
| to offload the liability onto someone else.
|
| In a sense. The big banks in the US created Zelle with one of
| the specific outcomes being to offload liability for
| unauthorized transactions more on to the consumer than
| themselves.
| bouncing wrote:
| The problem with the suggestions here is that it puts all your
| eggs in the same basket. 1Password TOTP? If both your password
| and the TOTP are in your password manager, you arguably really
| just have a single factor, delegated to a third party (your
| password manager). PassKeys? Same problem. Storing your recovery
| keys in your password manager? You again just have 1 factor.
|
| SMS is bad and should go away, but it isn't so clear what the
| replacement needs to be for most people.
| Hackbraten wrote:
| If you use a password manager, you might not be part of the
| target group that benefits most from a second factor.
|
| A decent password manager nudges you into using unique
| passwords per service. Good password managers also offer you a
| browser extension, which injects the password directly into the
| DOM instead of using the clipboard, and checks the domain, too.
| It's not 100% secure, but at that point, 2FA may be a
| diminishing return already.
| kirubel01 wrote:
| It's not a common problem enough for them to care.
| shadowgovt wrote:
| Broadly speaking: because they don't have to get it right.
|
| Banks are generally protected from fraud not by up-front
| security, but by auditing. If someone mis-applies funds, they
| have a chain of transactions they can back out. And, if someone
| does it maliciously, they have a disproportionate support of the
| force of law to discourage such behavior.
|
| Contrast most software companies, where theft of data is not a
| reversible issue, so they are heavily incentivized to make it
| technically infeasible.
| bluGill wrote:
| While not wrong, it will be a big hassle for whoever is the
| fraud victim while things are reversed. You may even lose other
| things in your life because you are unable to pay bills you
| technically have the money for but cannot access the money.
| shadowgovt wrote:
| This is all true and, most notably, not the bank's immediate
| concern.
|
| The financial sector has sheltered itself / been sheltered
| from the immediate consequences of fraud perpetrated upon it
| regarding its customers. The customers catch most of the
| consequences in terms of opportunity costs and some of the
| bookkeeping labor.
|
| (... in the large, of course, too much fraud runs the bank
| out of customers and then the bank suffers. But that has to
| be a _lot_ of fraud, and that's where the governmental big
| stick that the banks and other financial operators get to
| wield by proxy come back into play. Try to steal $100 via
| credit card fraud and you probably get away with it [once],
| with the cost being borne by a credit card company having to
| write off couch-cushion money and an individual consumer
| being heinously inconvenienced in having to rotate all their
| auto-deduction numbers. Try to steal $1,000,000? The FBI has
| some questions, friend, if you'd be willing to come with
| these nice men down to the branch office).
| Muromec wrote:
| I think all the banks that I used for the last five years (from
| three different European countries) use the mobile app itself as
| a generator of security credentials. The app itself is pin
| protected.
|
| Recovery paths vary -- from sms and hardware code generator
| (funny terminal to slot bank card into) to government-managed PKI
| or ID cards.
|
| I think only one of them is still using sms as a fallback for
| normal transaction confirmations.
| ilaksh wrote:
| I don't care how many times I am violently buried on this site
| for mentioning the word -- but cryptocurrency makes traditional
| banking obsolete. Or should have.
| Muromec wrote:
| No it doesn't
| kube-system wrote:
| cryptocurrency makes traditional banking obsolete only if:
|
| 1. you don't understand what banks do, or
|
| 2. you pretend that cryptocurrencies do things that they don't
|
| One could make a list a mile long of things that banks do that
| cryptocurrencies have no answer for. Banking is not a
| technology, it is a service.
| xyst wrote:
| Anybody that has the misfortune of working within a financial
| institution should know these folks are way behind the times.
|
| They will hire contractors from the bottom of the barrel, claim
| "rEgUlAtIoNs sToP uS", load up on middle management --- thinking
| they will ~~whip~~ manage those bottom dollar contractors into
| performing like well paid folks --- then decry about asinine shit
| (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the
| initiative(s) fall flat and projects are behind by _years_.
|
| This rinses and repeats for a few years, maybe they get a half
| ass implementation out to meet minimum spec for MFA. Maybe they
| spend millions in consultants and contractors before it gets off
| the ground.
| kirubel01 wrote:
| Big corporations don't fix anything unless it bleeds cash in an
| obvious way. Their siloed departments border on self-sabotage,
| and they only wake up when shareholders start shouting about lost
| profits--then they stall anyway.
| alkonaut wrote:
| Why is there no standardized e-ID in the US? How much money is
| wasted by different authorities and businesses having to reinvent
| the same wheel over and over? I have used the same auth for doing
| my taxes or checking my prescriptions or signing into my bank for
| 20 years.
| throwaway562if1 wrote:
| The current US administration is known for illegally deporting
| permanent residents and has stated intent to deport natural-
| born citizens. It should be self-evident why a centralized ID
| system under the control of the executive branch is a terrible
| idea.
| alkonaut wrote:
| That's horrible but why would it be worse together with an
| e-id system?
| throwaway562if1 wrote:
| Because without thoroughly-enshrined protections for
| identities, an e-ID system provides an avenue for the
| government to effectively de-person undesirables at will,
| by removing their ability to use banks, sign contracts,
| access healthcare, etc.
| Muromec wrote:
| US government is deporting undesirables at will right now
| without any of that. On the other side of the world,
| where id is mandatory and e-id is used for everything
| that makes sense, the city hall gives free heroin
| injections to addicts as a last resort therapy and
| provides for illegal/undocumented homeless people so they
| don't shit on the street.
|
| Neither of those prevents somebody from stealing bicycles
| zo.
| SpecialistK wrote:
| From my experience in the US, UK (see
| https://en.wikipedia.org/wiki/NO2ID ) and Canada there is a
| cultural aversion to government ID. I believe it's the same in
| Aus and NZ, so it may be an Anglophone thing.
| kube-system wrote:
| It is partly cultural, and partly a power struggle between
| states and the federal government.
| DamonHD wrote:
| > If a system breaks in common scenarios, like international
| travel, it's not a secure system. It's a hostile one.
|
| I have spent many hours on the phone over the last few days
| fighting tooth and nail to get my savings back to my account with
| British bank A from British bank B (just recently bought by A, as
| it happens) in small chunks because reasons.
|
| I have explicitly raised the point "if this punishes the innocent
| so hard in a simple legit case like this, wasting hours of
| everyone's time, is it actually working?"
|
| In response to the first of three (!) complaints that I have
| filed during this trauma, the bank conceded on all the points and
| awarded me a significant compensation sum ... which I may never
| be able to get at!
|
| Plus people _possibly_ from the bank keep trying to call me and
| ask me to prove who _I_ am with data that would let a phisher
| into my accounts, and are effectively unreachable if I try to
| contact them through a safe route... Including the fraud and
| complaints people... Duh.
| p0w3n3d wrote:
| I remember my brother having a printed list of one-time codes. I
| wonder why this is not mentioned. Not everyone wants to have
| their phone be a single point of failure. For me, a broken screen
| on my phone rendered my banking unavailable, which posed the
| additional problem of how to pay for the screen replacement, not
| to mention buying food etc.
| kbar13 wrote:
| I worked on a large platform (YC company, too!) previously on
| their 2FA implementation. While not ideal, it was decided to keep
| SMS 2FA because there are still people out there without smart
| phones or in general the ability to do TOTP. But they still have
| some means to access the site that isn't a smartphone, I guess.
|
| So, it's a bit of a compatibility issue. I guess there will be
| some portion of the population who will be very upset that they
| need to buy a whole new smartphone just to securely access their
| banking details.
| ted_dunning wrote:
| That isn't a very strong argument for not allowing me to secure
| _my_ account.
| creer wrote:
| Anything that requires a cellphone bakes in BOTH a single point
| of failure and cumbersome extra steps. Terrible practice anyway
| - even though so many people here are in love with both single
| points of failure and extra steps.
|
| ALLOWING methods X, Y or Z would be better reasoning.
| tadzikpk wrote:
| The friction of changing bank accounts is high, and few people
| choose their bank accounts based on how easy the online
| authentication is. Unless a bank does this meaningfully much
| worse than their competitors (low bar) they have little incentive
| to fix it.
|
| If you think TD is bad, try some European countries where there's
| only a handful of banks...
| tgsovlerkhgsel wrote:
| None of the recommended alternatives show _what_ you are
| authenticating for.
|
| The proprietary auth solution as well as SMS will show "To
| authorize a transaction of $12,345.67 to account ..., enter code
| 123456". SMS isn't secure because there are various ways for the
| attacker to get the code aside from phishing.
|
| The apps are a royal pain for the user, but they enable this
| flow, and they are secure for the bank.
|
| The bank has limited incentive to make the user happy, but a lot
| of incentive to a) minimize fraud, b) be able to blame the user
| for the remaining fraud.
|
| That's why you will keep getting shitty, user-hostile
| authentication apps, and that's why banks will keep losing some
| (but probably not enough to make them care) customers to neobanks
| that are prioritizing user experience. And why neobanks will
| enshittify once they are no longer willing to buy adoption by
| accepting more fraud.
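The distinction drawn above, between a code that merely proves possession and a code that says _what_ it authorizes, is what PSD2 calls dynamic linking: the code is a MAC over the transaction details, not only over a counter. The following is an added example (editor's code, not from the thread and not any bank's product) in Go, showing a plain HOTP-style code beside one bound to amount and beneficiary, with the bank-side check recomputed from the transaction the bank is actually about to execute. The `Transaction` type, the `canonical` encoding and the seed are assumptions for illustration; HMAC-SHA256 with RFC 4226 truncation is the construction.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Transaction is what the user is shown, and therefore what the code is
// bound to. If the display and the signed bytes diverge, the binding is lost.
type Transaction struct {
	AmountCents int64
	Currency    string
	Beneficiary string
}

// canonical renders the transaction in one unambiguous encoding that both
// the bank and the authenticator compute independently from the displayed
// values; whitespace and case in the account string must not matter.
func canonical(tx Transaction) []byte {
	acct := strings.ToUpper(strings.ReplaceAll(tx.Beneficiary, " ", ""))
	return []byte(fmt.Sprintf("%d|%s|%s", tx.AmountCents, strings.ToUpper(tx.Currency), acct))
}

// truncate is the RFC 4226 dynamic truncation applied to an HMAC-SHA256 tag.
func truncate(mac []byte, digits int) string {
	off := int(mac[len(mac)-1] & 0x0f)
	v := binary.BigEndian.Uint32(mac[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, v%mod)
}

func counterBytes(counter uint64) []byte {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	return c[:]
}

// UnboundCode is plain event-based OTP (HOTP): HMAC over the counter only.
// Whoever obtains it, by phishing or SIM swap, can authorize any transaction
// in that counter window, because nothing in the code says what it is for.
func UnboundCode(secret []byte, counter uint64) string {
	m := hmac.New(sha256.New, secret)
	m.Write(counterBytes(counter))
	return truncate(m.Sum(nil), 6)
}

// BoundCode mixes the transaction into the MAC. A code issued for one
// amount and beneficiary verifies for nothing else (PSD2's "dynamic linking").
func BoundCode(secret []byte, counter uint64, tx Transaction) string {
	m := hmac.New(sha256.New, secret)
	m.Write(counterBytes(counter))
	m.Write(canonical(tx))
	return truncate(m.Sum(nil), 6)
}

// VerifyBound is the bank-side check: recompute from the transaction the
// bank is actually about to execute, never from fields the client sent
// alongside the code, and compare in constant time.
func VerifyBound(secret []byte, counter uint64, tx Transaction, code string) bool {
	return hmac.Equal([]byte(BoundCode(secret, counter, tx)), []byte(code))
}

func main() {
	secret := []byte("per-device seed provisioned at enrollment") // constructed
	shown := Transaction{AmountCents: 1234567, Currency: "USD", Beneficiary: "ACCT 1234 5678"}
	code := BoundCode(secret, 41, shown)
	fmt.Printf("To authorize a transaction of $%d.%02d to %s, enter code %s\n",
		shown.AmountCents/100, shown.AmountCents%100, shown.Beneficiary, code)

	// A man-in-the-middle relays the user's code but swaps the beneficiary.
	swapped := shown
	swapped.Beneficiary = "ACCT 9999 0000"
	fmt.Println("honest transaction accepted: ", VerifyBound(secret, 41, shown, code))   // true
	fmt.Println("swapped beneficiary accepted:", VerifyBound(secret, 41, swapped, code)) // false

	// The unbound code carries no such information: it is the same for both.
	fmt.Println("unbound code, valid for any payee:", UnboundCode(secret, 41))
}
```

The security of the binding rests on the bank feeding `VerifyBound` the transaction it will execute, so a relayed code for a different payee fails; if the bank instead trusted amount and beneficiary echoed back by the client, the MAC would bind the code to whatever the attacker chose.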
| physhster wrote:
| Bank of America offers FIDO U2F as a second factor but doesn't
| let you remove SMS as a factor. I don't see what the point is.
| punnerud wrote:
| We had SMS-auth in Norway until 15 years ago (?), then it was a
| special type of SMS popping all over your screen that was more
| secure. Now all that is gone and replaced with Apps for auth,
| with scanning of your Passport/NationalID using NFC + SMS the
| first time.
| cypherpunks01 wrote:
| Any US banks support TOTP or Yubikey/U2F requirements for login
| yet?
|
| I've seen a couple consumer fintech products that support TOTP,
| still not many, and no banks I'm aware of.
| samwise_i wrote:
| Wells Fargo offers RSA hardware tokens if you know how to ask
| for them :-) Schwab offers a Symantec hardware token. Vanguard
| allows the use of a FIDO device (YubiKey).
| mixmastamyk wrote:
| Imagine using anything Symantec related to security. :-/
| kube-system wrote:
| Fidelity supports TOTP
| bradley13 wrote:
| Passkeys = excellent UX? In what world is that?
|
| I keep looking at them, see the fragmentation, and have to say
| "no thanks, great idea, horrible reality".
| hiatus wrote:
| If you store them in a password manager it is pretty nice, but
| if not it can be pretty cumbersome, especially if using
| browsers with multiple profiles.
| noleary wrote:
| > I don't think anyone considers a bank account "low-risk." Yet
| here we are, still relying on SMS as the default, and sometimes
| only, 2FA option
|
| > Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based
| login using biometrics. Excellent UX and security.
|
| In response to the complaints about SMS MFA, yeah, it has its
| issues (we don't even support it in our auth software) but it's
| not totally indefensible. It makes it much, much easier to push
| MFA.
|
| When I talk to end users about auth flows, they almost invariably
| complain about MFA. People _hate_ MFA. They will avoid it if they
| can. With that in mind, while SMS 2FA has problems, we should
| recognize that it's minimally disruptive to users. It's
| familiar. People understand how it works. In this sense, it has
| major advantages over alternatives.
|
| People really don't understand passkeys. I even meet professional
| software developers fairly often who -- at least to their
| knowledge -- have never used passkeys. It will take a very long
| time before this is well-understood by the average consumer.
|
| Lots of people complain about TOTPs too. Downloading
| authenticator apps sucks and is confusing to many people. Even
| sending codes to people's email addresses causes problems; many
| people have several email addresses for which they forget
| passwords routinely. By contrast, mostly everyone has no problem
| opening a text message on their phone (which is pretty much
| always within reach).
|
| We can't design software for the way we hope users will behave
| (e.g., telling people _just use a password manager_ ). Especially
| if you're making mass market consumer software, you really have
| to meet people where they are.
| taco_emoji wrote:
| > People really don't understand passkeys
|
| Passkey UX is absolutely terrible. It's unclear what is
| happening, what is being stored where (do you have my passkey?
| do I? is it in my browser? is it on my phone?), how
| communication is happening between devices, etc. Also nobody
| seems to explain what exactly a passkey _is_. Where's the
| thing I can point at and say "that's your passkey"?
| kortilla wrote:
| One of the "features" of a passkey is that you can't point to
| it. It's a fucking nightmare
| mixmastamyk wrote:
| I didn't understand it either, but on the "Security Now"
| podcast Steve said it's basically like using a FIDO2 key but
| virtualized in software. As I've used a yubikey and
| understand public/private keys (with ssh) I now have a vague
| idea.
|
| As the sibling comment alludes, FLOSS projects have been
| threatened for allowing (part of?) the key to be exported!
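To make the "FIDO2 key virtualized in software" description above concrete, here is an added example (editor's code, not from the thread and not any passkey implementation) in Go of the WebAuthn assertion flow reduced to its essentials: the authenticator signs over the hash of its own relying-party ID plus browser-written client data that records the real origin, and the bank verifies all of it. It uses Ed25519 from the standard library in place of the ES256 most deployments use; `Credential`, `Assertion`, the simplified `AuthData` layout and the domain names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the passkey: a key pair created for exactly one RP ID. In a
// security key it lives in hardware; in a software passkey, in the platform.
type Credential struct {
	RPID string
	Pub  ed25519.PublicKey // what the bank stores at enrollment
	priv ed25519.PrivateKey
}

// clientData is written by the browser, not by the page: the page supplies
// only the challenge, the browser records the origin it actually ran on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the site gets back (WebAuthn shapes, simplified).
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpId) || flags || 32-bit counter
	Signature      []byte
}

// Register runs at enrollment; only the public key leaves the authenticator.
func Register(rpID string) (*Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Credential{RPID: rpID, Pub: pub, priv: priv}, nil
}

// Sign models browser plus authenticator. The signature covers the
// authenticator's RP ID hash and the browser-recorded origin, so a phishing
// page that relays the challenge cannot obtain an assertion for the bank's
// origin. (A real browser would not even offer this credential to another
// origin; the server-side check in Verify is the second line of defence.)
func (c *Credential) Sign(challenge, browserOrigin string, counter uint32) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(c.RPID))
	auth := append(append([]byte{}, rpHash[:]...), 0x01) // flags: user present
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	auth = append(auth, ctr[:]...)
	cdHash := sha256.Sum256(cd)
	sig := ed25519.Sign(c.priv, append(append([]byte{}, auth...), cdHash[:]...))
	return Assertion{ClientDataJSON: cd, AuthData: auth, Signature: sig}, nil
}

// Verify is the bank's check; every condition must hold.
func Verify(pub ed25519.PublicKey, rpID, expectedOrigin, challenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin %q is not %q: assertion came from another site", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to another RP")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	if !ed25519.Verify(pub, append(append([]byte{}, a.AuthData...), cdHash[:]...), a.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	cred, _ := Register("bank.example")
	challenge := "c29tZS1yYW5kb20tYnl0ZXM" // constructed; the bank picks a fresh one per login
	good, _ := cred.Sign(challenge, "https://bank.example", 1)
	fmt.Println("genuine login:", Verify(cred.Pub, "bank.example", "https://bank.example", challenge, good))
	// A phishing site relays the bank's challenge and forwards whatever comes back.
	relayed, _ := cred.Sign(challenge, "https://bank-login.example", 2)
	fmt.Println("relayed via phishing site:", Verify(cred.Pub, "bank.example", "https://bank.example", challenge, relayed))
}
```

This is why the "thing you can point at" is a private key that never leaves the authenticator: what the site ever sees is a signature over a fresh challenge and the real origin, so a captured assertion is useless to replay and an attacker who rewrites the origin field invalidates the signature.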
| idontcareatall wrote:
| I. don't. care. Because we have to cater to the absolute lowest
| denominator, I now can't use my credit card 90% of the time
| because I can't receive SMS when I'm traveling abroad? No, not
| everyone has a fking iPhone and iMessage. Nothing in your
| comment serves as a defense of most places only having SMS 2FA.
| Why can Capital One email me every critical account
| notification, but can't email me 2FA/OTP codes for confirming
| transactions when I'm on the other side of the world? Why?
|
| It is flatly absurd that my Xbox account can be more secure
| than most of my bank accounts. I am tired of hearing people
| justify the utter laziness of US financial institutions.
| Everything about dealing with money in the US has become
| increasingly incredibly user hostile. Fidelity won't allow ANY
| integration with apps like Lunch Money and have some impressive
| automation detection that blocks headless Chrome usage better
| than anyone else. I'm completely at their mercy, and cannot
| sanely manage my money because of them. It's complete god damn
| garbage.
| Zak wrote:
| > _No, not everyone has a fking iPhone and iMessage._
|
| I don't think iMessage solves the problem of receiving an SMS
| from your bank where your SIM card is inactive or disabled
| due to roaming costs.
|
| A VOIP number like Google Voice can solve that problem, but
| some services that do SMS-based verification reject phone
| numbers that a database says are VOIP.
| focusgroup0 wrote:
| AML & KYC
| lenerdenator wrote:
| Well, let's do the cost-benefit analysis here.
|
| Authentication, insofar as making sure that only signatories on
| the account can access it and debit/credit from it, is something
| you have to pay someone something to do, and not something that
| those in charge of the bank really understand.
|
| If someone does breach an account, it's incredibly difficult to
| pin _on the bank_.
|
| If you are unlikely to face a financial penalty for a failure,
| you don't work to avoid the failure.
|
| I had an e-checking account broken into a few years back. Someone
| in Atlanta wrote themselves a check for $9k, and it didn't even
| come close to matching my signature. I'm in Kansas City. I have
| never been to Atlanta in my life, nor do I regularly do business
| with anyone in Atlanta. I didn't find out until the next week. It
| was on me to file a police report and do all of the mitigation. I
| was reimbursed, but I don't know how the bank came up with that
| money, maybe they carry insurance for this sort of thing? In
| order to resume use of online banking, the 1337 h4x0rz in their
| security department made me do a _virus scan_ of my devices. It's
| still 2005 there.
|
| There are several obvious things that they could have done -
| signature comparison using OCR, warnings about unusual logins,
| warnings about checks being written outside of the usual
| geographic area I do business in - that they just _don't_ do. If
| it's obvious and they don't do it, it's because they aren't
| losing money for this.
| etskinner wrote:
| As far as I can tell, the reason why any given login is
| needlessly complex is that some product manager somewhere has
| outdated info in their head that says stuff like "passwords need
| 4 different character classes" and "everybody uses SMS for 2FA,
| we need to use that". Powerless devs then mindlessly implement
| what they're asked to implement.
| abanana wrote:
| Powerless, that's exactly it. I pushed back when asked to
| implement email-based "2FA" on a website account (nothing like
| as important as a bank though). I pointed out that the username
| is the email address, and password recovery works by emailing a
| reset link, therefore emailing a login code wouldn't be two-
| factor, it would be _the same factor_. Of course the response
| was: doesn't matter, the client's asked for it. I didn't have
| the authority to push back any more, but luckily in this case
| it was just a simple website login that had no real need for
| 2FA anyway.
| 000ooo000 wrote:
| Are you me? I am an SE in a bank and I had this exact
| experience this week - though it relates to authing with the
| online banking system.
|
| As I see it, it's an unfortunate combination of an extremely
| risk-averse environment, a total lack of trust in their IT
| staff, and - if I can be pointed - unqualified product teams.
| I can explain the inadvertent drop from 2FA to 1FA, I can
| back it up with NIST, OWASP and Gov references explaining why
| it's a bad idea, but I am simply ignored because they are
| bent on execution of their 'vision'. At this point, I raise
| my concerns just to have my biases confirmed.
|
| It's really frustrating and obviously as a banking customer I
| want sensible security features too, but if I can generalise,
| we devs are not driving the bus. We're stuffed in the luggage
| compartment, wheeled out as necessary.
| quintu5 wrote:
| Banks are always facing a trade-off between security and
| regulatory accessibility requirements. A former employer offered
| ~10 different ways to perform step-up authentication for high
| risk activities to avoid getting slapped with fines.
| creer wrote:
| Then again "regulatory accessibility" has little to do with
| usability. You can have an 11 step process which works with a
| screen reader and is still hell.
| actinium226 wrote:
| Pretty much the same thing with Chase. I had to access my account
| while overseas and had a somewhat similar story.
|
| The mobile app doesn't require a second factor, so I was able to
| log in there, but I couldn't transfer funds or something on
| mobile, and buried in a deep section of the settings I found a
| way to get the OTP via email.
|
| Really disturbing the banks still haven't secured this.
| Waterluvian wrote:
| It's odd that banks are so bad at this because the incentives are
| correct: the banks pay when fraud happens. (At least up here)
| cccs-kevin2 wrote:
| This happened to me when I was overseas recently. No phone, I
| needed to access my credit card website with Scotiabank. I had
| previously relied on having an option for the OTP to be delivered
| either by email or sms, but when I tried in March, Scotiabank had
| removed the email option! I ended up having to basically remove
| 2FA from my bank account as a workaround, after answering a ton
| of security questions.
|
| Therefore for the entire time I was overseas after having done
| this, my bank account had no 2FA enabled... smh
| warrenski wrote:
| Here in South Africa all the banks I know of moved away from SMS
| text messages for 2FA ages ago, and perform authentication in-app
| with biometrics instead. Having a banking app installed on your
| phone is pretty much mandatory, and criminals have no doubt grown
| wise to this fact. So what happens when someone holds a gun to
| your head and forces you to perform a large transfer of funds
| from your phone? I'm sure the banks will try to convince you that
| their fraud detection systems will come to your aid.
|
| One bank here recently introduced a duress-PIN, which when
| entered, will commence monitoring and send help, but they still
| don't offer any guarantee of a refund. Another bank allows you to
| change their app's icon and name, in an effort to masquerade as
| something less recognisable.
|
| I'd much rather delete the apps, unlink my devices from my bank
| accounts and use a TOTP authenticator app instead.
| fn-mote wrote:
| > I'd much rather delete the apps, unlink my devices from my
| account and use a TOTP authenticator app instead.
|
| I'm not clear how this changes the gun to your head scenario.
|
| I would want to see numbers before making policy changes based
| on potential armed robbery.
| 6510 wrote:
| Is it possible for Americans to use European or Chinese banks?
|
| I'm only half trolling.
| agentultra wrote:
| Still not sure about Passkeys. Or biometrics. But agree that
| their SMS based systems are way outdated. Which is odd because,
| at least at the Canadian banks, the mobile and web experiences
| are generally pretty modern and good.
|
| It's almost like the various departments that make these systems
| don't talk to each other.
| homeonthemtn wrote:
| I agree with this take _and_ I think implementing passkeys, etc
| would result in mass confusion for many customers, especially the
| elderly.
|
| I suspect that's a big reason for slow adoption
| ziofill wrote:
| I swear this is true: my old bank (Allianz) introduced a two
| factor authentication where they would show me a code upon login,
| then I HAD TO CALL THEM, go through a menu and punch in the code.
| I changed bank a couple months later.
| frenchtoast8 wrote:
| There are a lot of people who get confused using the SMS code
| they received, let alone setting up passkeys, or TOTP and backing
| up their codes, and so on. The systems are designed for those
| people, not you. Even offering passkeys or TOTP as an option is a
| customer support liability, that's another thing agents need to
| support when someone nontechnical inevitably enables this by
| accident or has a family member set it up for them.
|
| > Think of the person from your grade school classes who had the
| most difficulty at everything. The U.S. expects banks to service
| people much, much less intelligent than them. Some customers do
| not understand why a $45 charge and a $32 charge would overdraw
| an account with $70 in it. [...] This customer calls the bank
| much more frequently than you do.
|
| https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
| 1a527dd5 wrote:
| The answer is lack of competition.
|
| Here in the UK, all bank apps were dismal. Until Monzo and
| Starling arrived on the scene, and holy hell did the big 4 get
| their acts together.
| exiguus wrote:
| > The implementation of 3D Secure (3DS) primarily shifts the
| responsibility of transaction authentication to the customer.
| This approach is more about addressing legal and liability
| concerns than it is about enhancing security measures.
|
| Is the answer I got.
| alfiedotwtf wrote:
| Surely it couldn't be as bad as an unnamed Queensland (Australia)
| bank that did client side authentication by looking up the
| username and password in one giant if:
|
|     if username == "user1" && password == "password1" return true;
|     else if username == "user2" && password == "password2" return true;
|     else if ...
|
| Yes, that was real.
| h4ckerle wrote:
| As a European I again find it crazy what kinds of insecure stuff
| the banking industry in the US does. Chip+PIN arrived long after
| they did here, SMS TAN is still a thing while the EU Payment Services
| Directive 2 (PSD2) forbade this in 2018, 7 years ago. Many
| transactions are still authenticated via signatures on paper
| cheques, you can use your credit card without a second factor
| (also regulated by PSD2). I just can't understand why they
| continue doing this, when I'd assume fixing this would cost less
| than what fraud must be costing them today.
| buckle8017 wrote:
| > I'd assume fixing this would cost less than what fraud must
| be costing them today.
|
| You'd be wrong there but not for obvious reasons.
|
| Ultimately the cost of fraud is passed on to consumers. Banks
| pass the costs on to merchants, who in turn increase prices.
|
| As a merchant increasing friction in the checkout process to
| reduce fraud does not improve profitability (broadly speaking).
|
| So no they had no actual financial incentive to even implement
| chip and pin, that only happened because it was required by
| law.
___________________________________________________________________
(page generated 2025-05-13 23:00 UTC)