Account security has long been a paramount concern of banks. And the Internet era and online banking services have increased the attack surface. See the movie The Shawshank Redemption for an illustration of what it took to heist an account without an inside co-conspirator, back in the days of paper-based documentation. Today banks need to protect customers without unduly annoying them, or worse, locking them out.
Of course, one can’t feel all that sorry for banks. They discouraged customers from using branches qua branches, as opposed to for their ATMs, when having customers bank in person cuts down on the opportunity for mischief.
A new story at the Wall Street Journal discusses how banks are trying to square this circle. It’s bizarrely incomplete. It fails to mention one approach far too many financial institutions are trying to implement, which is using voiceprints. As I recall, about 20 years ago, it was possible to get enough information about a voice to replicate it with a 30 second recording; the required input length has fallen greatly. Why be so keen on a security method so easily abused? Anyone can find programs that generate voice clones and deepfakes via a web search, so why are bank security mavens kidding themselves?
I have argued with Citi on this issue. If you push them, they say you can opt out of having your voiceprint used for account ID but it still can be used for account security. I’ve tried telling them I don’t allow that since voices can be deepfaked and I’ve been interviewed in the press, so it would be easier to get clean audio for me than most people, but clearly this is stupid policy and I don’t have the time and energy to escalate.
In fact, any biometric ID is problematic. As with facial ID, the system takes enough points, say of your fingerprints or retina, to make a unique identification. But if someone hacks the files, they can take the template for your ID and fool the screening program. And pray tell, how do you get new fingers or eyeballs?
The article does explain how some banks log the device you usually employ when accessing their site and issue challenges, like sending a text or e-mail to you with an ID code, to confirm your identity.
As a frequent customer, I have come across practices that strike me as bizarre. One is that non-PIN protected debit cards are common in the US. Both of my current banks try foisting them on me; the only account card I can get on my business account is one of those horrible debit cards. If anyone got your wallet, they could drain your account.
Similarly, one bank routinely assists readers, even before they show any sign of difficulty, with their security word.
I would imagine a high percentage of account thefts result from a crook succeeding in unlocking a phone and then accessing the banking app, which autofills the password. The banks can prevent the use of autofill. They can also block copying and pasting login information or e-mailed security codes. Of course, there are those among us who only use laptops to access banking information as another preventative measure. But instead they use other methods. From the Journal:
Instead, banks run a lot of software in the background to make sure you’re really you. Among several factors considered during logins are: the time of day, location, device IP address, mobile carrier, and if any links prompted users to open the app. If anything differs from your unique “fingerprint,” your bank might suspect a hacker or a phishing attempt, and prompt you to take more steps to verify your identity….
Now, newer behind-the-scenes measures take precedence, say security experts and banking software providers. Some compare a user’s password-typing speed and cadence with that person’s prior attempts. Others analyze the pressure with which credentials are entered by checking how many pixels are covered when the user taps each key.
This mélange of authentication practices is found largely in banking apps because the stakes are higher. Banks know if customers have any concerns about the safety of their money, they’ll go elsewhere. On top of that, banks must abide by federal regulations to use secure data management practices, such as end-to-end encryption.
Um, what if you try getting to your bank when drunk? Or exhausted? I can barely type when super tired, not that I am a great typist even under normal circumstances. Well, that might not be such a good idea anyhow.
Because I am way past my shut-eye time, I am not up for a proper rant, so perhaps readers can provide their horror stories of bank/financial services firm security incompetence, both on the too rigorous and too lax side. I am perplexed how some sites, like My Alabama Taxes, always insist on account verification… as if what could someone do? Pay taxes for me? File a bogus report of quarterly taxes due? Are malicious ex-employees with login credentials such a problem that this sort of thing is really necessary? Note in keeping, Alabama requires the use of encrypted e-mail for sending medical records, even to patients, even though HIPAA requires records to be e-mailed to the patient upon request. As a result, pretty much all providers here use fax instead.
The Journal provides some additional security options in the apps of the four biggest banks. This was the only one that seemed a wee bit novel:
For extra login protection, you can buy a $25 portable security device from Wells Fargo. It generates and displays unique random passcodes every 60 seconds. But if you lose it, you’ll have to call customer support.
Readers?
My bank in the UK (Nationwide) provided a hardware security device in the early 2000s for online banking. They didn’t charge, it was free.
Like so many things in the US, banking is incredibly sh*te compared to similar countries. Yet people here bizarrely think that the US is normal.
We’re ensconced in our own delusions, what with being separated from the rest of the world by thousands of miles of oceans, a huge continental land mass called the USA and decades of propaganda about being “the greatest nation the world’s ever… blah blah”. This is why we don’t worry about ginning up wars on everyone else’s doorsteps: it won’t happen to us… until those Russian Kinzhals start raining down with precision targeting on DC. Or a Poseidon generates a 500 foot wall of radioactive water to swamp our coastal cities. I do find it entertaining that now the Russians won’t even need to use nukes to destroy the bunker the US govt built under that hotel in DC. A 500kg bomb flying at Mach 15 is the monster of all shaped charges. More directed destructive power than a hydrogen bomb apparently. I sure hope we don’t really find out.
I really went OT there but it was fun.
My bank in the UK (HSBC) also provided a hardware security device in the early 2000s for online banking.
But when it needed replacement because of a dead battery, they tried really hard to move me to the app instead. I said I don’t have a smartphone.
Yes. I currently have three bank security “dongles” which are credit card-sized key fobs which act as numeric token generators made using RSA encryption techniques. All from one UK bank! Their business and personal banking and their internet-only subbrand all have incompatible systems!
These token generators are typically used by pressing the power key to wake it up, inputting the user pin and then receiving a six digit number to enter at the website challenge. To create payments, the pin step is followed by entering the last few digits of the payee account and the amount in pence of the payment. These numbers are then mapped to another six digit code which must be entered on the website to sign the payment.
The whole system works because, when issued, the dongle’s unique id is paired with the account on first login. The cryptographic function in the dongle will then predictably generate the correct pass numbers because the bank knows the same cryptographic secret and can compare them to its hidden answer.
Although the way they multiply is annoying if you have personal and business accounts etc, these dongles are rather wonderful. Unless the battery dies after 5-10 years so you need to get a new one and it turns out the internet only brand’s approach was to preemptively revoke my privileges and promise to post me one within 10 days!!! Not exactly online. The branch banking account just handed me over a new dongle from a large cupboard of them and told me the old one would be revoked upon setting up the new one. Simple!
I cannot believe this sort of thing is not standard in the US. I have had this for over twenty years, before chip and PIN. Then again, US banks refuse to implement chip and PIN properly!
My bank nags me every time that I log in that I could replace my dongle with its mobile app. Over my dead body! I only bank through the browser with the hardware two factor authenticator. However, the RSA IP licence is very expensive so I imagine each dongle, given the secure crypto manufacturing and bank logistics and help desk etc. costs double digit pounds to provide. So no doubt the grim cost reaper will come for them in the end and I will have to use an app.
The new compulsory EU “Two factor authentication” where they just send a text to your phone for approving credit card payments is criminally stupid and presumably only for three letter agency surveillance purposes.
Full disclosure, my fund invested in the company currently making multifactor biometric authentication for major banks. The demo was cool. CEO hands over his phone and PIN, says “open my phone”. Nobody managed even 0.1% similarity score, taking into account rhythm, angle, duration, accuracy, force etc of key presses, orientation and movement of handset etc. More importantly, these measures are stable, in terms of certain mathematical analyses of them, and can cope with tiredness, drunkenness, sitting awkwardly on sofa, using a mobile versus laptop etc. Plus as you age and the way you type your passphrase changes (the implementation currently asks you to confirm your mail address), the algorithm gradually reweights the expected inputs so the right answer evolves with you as you develop central tremor, arthritis etc. It is much less stupid than giving up your retina scan and much harder to copy because it relies on fine physical performance which is almost unrecordable. Like a 21st century signature that the bank actually checks!
“Yet people here bizarrely think that the US is normal.”
Oh no! We’re exceptional!
Most of those are not resistant to phishing via a real-time proxy, though. The authenticator also needs to authenticate the website, which means a bidirectional connection to the computer and some sort of browser integration.
The only secure solution I know is FIDO U2F (CTAP1) or FIDO2 (CTAP2), as implemented by Yubikey and a number of other USB or NFC keys (SoloKey, Feitian/Google Titan, HyperFIDO, etc), and the new FIDO PassKey as implemented by Apple and Google in their smartphone OSes. Bank of America switched from their security-theater 2FA solution to this a year or two ago, and PayPal recently added it (albeit only one key with no redundancy, which leaves you SOL if you lose it).
You don’t need a $25 portable security device to generate “random” passcodes (they’re not random but only appear so from the user perspective, otherwise the bank couldn’t determine if it’s an accurate code). You can use software to do the same. Why have a device that you can lose separately from the electronic devices you already have to keep track of? So when the thief steals your bag he gets your phone and your portable “security” device. PIN numbers are far better. Make them 6 digits if 4 aren’t enough. We all used to remember 9 digit phone numbers. I even remember my childhood number, imagine that?
The fundamental problem is almost nobody really likes doing (or perhaps no one likes paying people to do) serious electronic security/encryption/anti-hacking work and so they don’t consider things that should be obvious (as you point out) such as using unchangeable patterns (biometrics for example) — the worst idea out there but apparently the higher ups in the institutions have all seen too many dumb sci-fi films and think it’s “really cool”. I think it’s also inertia — everyone wants to roll out the latest new thing and who wants those fuddy-duddy security people slowing things down. It’s very much like risk management at banks: they’re a drag until it all blows up in your face.
I think it’s a combination of CYA (it’s not our fault you got hacked, look at our shiny security practices), and not wanting to inconvenience the customers (as Yves pointed out) while still making them feel secure.
Ross Anderson (see the weblog written by researchers in the Security Group at the University of Cambridge Computer Laboratory, https://www.lightbluetouchpaper.org) has been an expert witness for cases against UK banks who claimed the customer dunnit for phantom withdrawals.
https://www.lightbluetouchpaper.org/2012/09/10/chip-and-skim-cloning-emv-cards-with-the-pre-play-attack/
https://www.lightbluetouchpaper.org/2017/01/12/banks-biased-against-black-fraud-victims/
I had a 6 digit PIN on my Citibank bank card; a couple of years ago, they made me change it to a 4 digit code.
Most of these financial institutions are like cattle; they follow what some other bank does. I don’t think 2FA is a great idea. Sending a temp password by text is so stupid. Even sending it by e-mail is not good if someone’s phone gets stolen and the victim leaves the app open.
An idiot credit union and many idiot banks want your ID to make a deposit into your own account. Why?
1. Banks will issue an ATM-only code on request. You don’t have to get a debit card, if you have a CC for non-cash payments
2. PLEASE don’t put anything finance related on your phone. Not even a card payment in the wallet
+1. If you are wise you will Never do business of any kind on a “smart” phone.
I don’t do email, banking, or any financial apps on my phone.
I don’t even have a lock code. The idea is not to trust my phone at all with anything important.
That is NOT correct.
First, it is not a matter of ATM v. not but PIN protection. I have no issue with a PIN protected debit card.
Second, some banks will issue only debit cards on certain types of accounts. My bank, TD, will issue a PIN-protected card on a personal checking account, which for a while worked as a debit card (convenient for making a purchase and then getting $20 to $40 cash back to avoid an ATM stop) and they changed their settings to make it an ATM-only card.
By contrast, TD will issue ONLY debit cards for corporate accounts. This is piss poor since as we’ve seen with bank meltdowns, businesses are much more likely to keep balances over the insured $250,000 amount due to needing to pay payroll. But if you want to make a deposit at an ATM machine, you have to have that card.
Re: TD, will issue a PIN-protected card on a personal checking account, which for a while worked as a debit card … and they changed their settings to make it an ATM-only card.
Thanks for the heads up. I have a PIN protected debit card on a TD personal checking account, which still works with a PIN number for purchases at stores. When they stop me I suppose I will move to my secondary debit card at a different bank which still works, or wholly to credit cards.
sidd
Are you in Canada? I am at TD in the US and it is for most purposes a separate institution.
No, I am in the USA.
I was a Commerce Bank customer. TD acquired Commerce. Commerce had had PIN-protected ATM cards that you could use at stores for payment. That persisted for a while when TD issued a TD card to replace the Commerce card, then it stopped. The only explanation I could come up with was that they had not fully migrated Commerce customers to TD systems (as in the new TD account #s pointed to old Commerce #s and systems) and the behavior eventually changed due to everything finally being ported over to TD systems.
Did you come to TD via your bank having been acquired?
Same here. I was a commerce bank customer too … but my account number never changed. Yet, anyway.
sidd
>For extra login protection, you can buy a $25 portable security device from Wells Fargo. It generates and displays unique random passcodes every 60 seconds. But if you lose it, you’ll have to call customer support.
This is my favorite method of 2FA. There is of course an open standard for this sort of thing, freely implemented in free-to-download, password-lockable password managers, that no company implements because they can’t harvest your cellphone number for ~~marketing~~ security purposes if they use it.
>They can also block copying and pasting login information or e-mailed security codes. Of course, there are those among us who only use laptops to access banking information as another preventative measure.
This would keep you from using huge, randomly generated passwords very easily. I didn’t realize TreasuryDirect was going to make me enter my password with my mouse when I first set up my account–I had to call customer service to change my password because I couldn’t Ctrl-C Ctrl-V it!
>One is that non-PIN protected debit cards are common in the US. Both of my current banks try foisting them on me; the only account card I can get on my business account is one of those horrible debit cards. If anyone got your wallet, they could drain your account.
These also drive me crazy. People point out that the math is very secure, but it doesn’t prevent anyone from using my card if they find it or even just using the number on Amazon, which is the main way my card has been stolen. I’m fond of pointing out to people that the RFID cards will default to chip cards (usually with PIN) if you snip off a corner.
Hard agree on the point about copying in passwords. If the attacker has access to whatever process is allowing you to copy it in (your password manager, or the browser autofill), then they can get the plaintext out of that and enter it manually. Preventing copy/paste doesn’t prevent that behavior, it just makes normal usage harder and very long, random passwords impossible (though, to be “fair”, a lot of banks limit password length to unconscionably low numbers anyway).
Contactless debit cards are the devil’s work. The standard is only secure if the criminal follows the standard! Jack up the power on the transmitter and the gain on the receiver and these can be read many metres away.
The $25 gizmo with the changing numbers is called a TOTP token and they are the right way to authenticate high value logins. There are free phone apps that do the same thing, but the idea is you want the token to be on a separate piece of hardware from your login device. So if you use a TOTP phone app, then login from your laptop and don’t enter your password on your phone. The jargon is “two-factor authentication” (2FA), where you need both a password (factor 1) and a token (factor 2). An attacker seeking to take over your account now has to compromise two different schemes instead of one.
https://en.wikipedia.org/wiki/Time-based_one-time_password
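As an added example (not from any commenter, and not any bank's actual token scheme), here is the arithmetic behind both the $25 sixty-second device described in this comment and the UK dongle's payment-signing mode described further up: RFC 4226/6238 HOTP and TOTP, plus an illustrative challenge-response variant that mixes the payee digits and amount in pence into the MAC so the code only verifies for that exact payment. The secret is the RFC test seed and the payment values are constructed; the dongle's PIN is a local unlock and does not enter the math.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the RFC 4226/6238 test seed, so the values this
# produces can be checked against the published test vectors.
SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 'dynamic truncation': take 4 bytes at an offset chosen by the
    last nibble of the MAC, clear the sign bit, keep the low decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second periods since
    the Unix epoch. A device that rolls every 60 s is simply step=60; the RFC
    default and most phone apps use 30."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1) -> bool:
    """Bank side. The bank holds the same secret, recomputes the code for the
    current period and `window` periods either side (clock drift), and compares
    in constant time. Nothing here ties the code to the website the user typed
    it into, which is why a code relayed through a phishing page still verifies."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
        for d in range(-window, window + 1)
    )


def sign_transaction(secret: bytes, payee_tail: str, amount_pence: int,
                     at: int, step: int = 30, digits: int = 6) -> str:
    """Payment-signing mode of the dongle: the user keys the last digits of the
    payee account and the amount in pence; here they form a challenge mixed into
    the MAC together with the time period, so the code only verifies for that
    payee, amount and window. Illustrative construction, not a bank's scheme."""
    challenge = f"{payee_tail}:{amount_pence}:{at // step}".encode()
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction(secret: bytes, payee_tail: str, amount_pence: int,
                       code: str, at: int, step: int = 30,
                       window: int = 1) -> bool:
    """Bank side for the signing mode: recompute from the payment details the
    bank was actually asked to execute. A code produced for a different payee
    or amount (for example one altered in transit) will not match."""
    return any(
        hmac.compare_digest(
            sign_transaction(secret, payee_tail, amount_pence,
                             at + d * step, step, len(code)), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("login code:", totp(SECRET, now))
    code = sign_transaction(SECRET, "4321", 12345, now)   # GBP 123.45 to ...4321
    print("payment code:", code,
          "verifies:", verify_transaction(SECRET, "4321", 12345, code, now),
          "wrong amount:", verify_transaction(SECRET, "4321", 12346, code, now))
```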
No, they are not. TOTP is not resistant to phishing because the token generator is not authenticating the website and relying on the user not to be fooled, which is too much to ask for most. Even sophisticated users like software developers can be fooled:
https://github.blog/2022-09-21-security-alert-new-phishing-campaign-targets-github-users/
You need a FIDO U2F, FIDO WebAuthn or FIDO Passkey (smartphone) authenticator that will verify the website to be protected.
In principle the site is authenticated by the TLS certificate, though yes, in practice, that is often ignored and can sometimes be faked. Stuff like FIDO2 requires a two way connection to the computer and client side software support and is more stuff to go wrong. If you can use it though, then yes, it is great. Otherwise, TOTP is a huge improvement over plain passwords, SMS messages, voice ID, and stuff like that.
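To make the phishing-resistance point of this exchange concrete, an added example (not from the commenters or any FIDO implementation) models the two checks WebAuthn/FIDO2 uses to bind an assertion to the genuine site: the browser refuses to use a credential whose rpId does not match the page's origin, and the bank's server checks the origin the browser recorded in clientDataJSON before accepting the signature. The rpId, origin, challenge and key are constructed; an HMAC stands in for the credential's public-key signature so the demo needs only the standard library.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed values: the bank's relying-party id and origin, and a credential
# key registered with it. Real credentials hold an EC private key and the bank
# stores the matching public key; an HMAC key stands in for both here.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
CRED_KEY = b"constructed-credential-private-key"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_get_assertion(cred_key: bytes, rp_id: str,
                                client_data: dict) -> dict:
    """Authenticator side: signs SHA-256(rpId) || SHA-256(clientDataJSON).
    The origin inside clientDataJSON is written by the browser from the page
    that made the request; the user never types it, so it is bound into every
    signature. (Flags and the signature counter are omitted for brevity.)"""
    cdj = json.dumps(client_data, sort_keys=True).encode()
    auth_data = rp_id_hash(rp_id)
    to_sign = auth_data + hashlib.sha256(cdj).digest()
    return {"auth_data": auth_data, "client_data_json": cdj,
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}


def browser_get(origin: str, rp_id: str, challenge: str, cred_key: bytes):
    """First check, done by the browser: the credential's rpId must equal the
    page host or a registrable parent of it, over https. A lookalike or proxy
    domain fails here and the authenticator is never even asked (the browser
    raises SecurityError; returning None models that)."""
    url = urlparse(origin)
    host = url.hostname or ""
    if url.scheme != "https" or not (host == rp_id or host.endswith("." + rp_id)):
        return None
    client_data = {"type": "webauthn.get", "challenge": challenge,
                   "origin": origin}
    return authenticator_get_assertion(cred_key, rp_id, client_data)


def rp_verify(cred_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Second check, done by the bank's server: whatever path an assertion
    arrives by, the origin and rpIdHash it was signed over must be the bank's
    own (a real RP keeps a list of its origins; one suffices here) and the
    challenge must be the one this login issued, so it cannot be replayed."""
    try:
        cd = json.loads(assertion["client_data_json"])
    except (KeyError, ValueError):
        return False
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False
    if not hmac.compare_digest(assertion["auth_data"][:32], rp_id_hash(RP_ID)):
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data_json"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["signature"], expected)


def demo():
    """Returns (genuine site accepted, lookalike blocked by the browser,
    assertion carrying a foreign origin rejected by the bank)."""
    challenge = "constructed-challenge-001"
    good = browser_get(RP_ORIGIN, RP_ID, challenge, CRED_KEY)
    blocked = browser_get("https://bank-login.example", RP_ID, challenge, CRED_KEY)
    # Even if the browser check were absent, the assertion still carries the
    # origin it was made on, and the bank rejects it.
    foreign = authenticator_get_assertion(CRED_KEY, RP_ID, {
        "type": "webauthn.get", "challenge": challenge,
        "origin": "https://bank-login.example"})
    return (rp_verify(CRED_KEY, good, challenge), blocked is None,
            not rp_verify(CRED_KEY, foreign, challenge))


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Contrast this with a TOTP code, which carries no origin at all: the bank can only check that the six digits are right for the current time, not where the user typed them.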
Our simple solution: No online banking whatsoever, no portals, no ATM card. Statements in U.S. mail.
Luddite? You bet, but walking into our branch and speaking with the employees and withdrawing cash is about as simple and secure as you can get. Yes, we still write checks.
If anything were to happen via hacking, we could demonstrate never having signed up for any of those “services.”
This is not viable if you are not able to get to a branch readily. Banks have been cutting bank hours, bank locations, and bank staffing to discourage in person use.
Well then, they don’t get our fairly large deposits. If they close a branch, we close the account. Same thing with retailers, you want our money, we get service with a smile, or we go to a competitor.
Any problems in a bank, or being they attempt to force us to do anything online, go talk to a branch manager and let them make the phone calls.
Want to really play with them?, pay your credit card bill at the branch with cash.
“We’re doing this to keep you working and not replaced with A.I.” Never had an argument yet from a bank employee. They know you are on their side.
Customers don’t have leverage with banks. Your premise is false.
Banks don’t value deposits. They want customers who get mortgages and car loans.
If you think you can get a branch manager to make phone call, you are smoking something very strong. I am the customer from hell and can’t get any waivers because all the stuff that matters is in the systems, as in software, and humans can’t get waivers.
My credit cards are with different banks. And Citi (back when I had a Citi account) would not let you pay a credit card at the branch. They stopped that YEARS ago.
You are also delusional if you think you can easily change banks. Many customers, like my mother before she died, were hostages. Despite having pretty good balances, as a checking account only customer, no one wanted her business. Similarly, with KYC rules, it is very hard to open a business banking account.
Spouse & I do not use debit cards. We use credit cards, checks or cash. The cc’s we use pay us to use them (“rewards” programs) & are paid in full each month (by check thru the USPO).
The cc’s provide better protection than a debit card. We always ask for a receipt for cc purchases and check each statement against the receipts.
May not be ideal for everyone but sure works for us.
You need a card to deposit checks at an ATM. My bank provides only debit cards on corporate checking accounts.
I regularly tell people never to use a debit card for purchases. Zero legal protection in case of a dispute.
It’s a zoo out there. Both bank and brokerage repeatedly give me the chance to ‘remember me’. Oh great, that’s what I want is to stay signed on at all times. What could go wrong?
Yet, they can’t remember that when I type in a username and password, from the same IP address always used, they ‘can’t recognize this device’ and have to send me a secret code. over and over and over. And of course passwords have to change, every time Scotty in Marketing wants the website revamped to be prettier, but even more difficult to use. Somehow in this process, can no longer see transactions in order made, but in reverse order because I guess that’s what’s handy for them. No, it can’t be toggled.
And constantly bugging us to ‘upgrade’ to do everything by smartphone. I do NOT want my banking done on a small device I might lose!
Yet they are determined to force everyone down this path. Covid gave them a wonderful opportunity to close lobbies and fire people, pushing everything onto online ‘platforms’ which, frankly, suck.
So what’s the answer here. When cash goes digital it will just facilitate the heist. So maybe along with making money sovereign digital (that might be the next oxymoron too) we should consider making the mishandling of all those pesky digits a lesser misdemeanor, or none at all – by doing something like “basic liquidity maintenance” which can sense a disturbance in the balance. Just imagine the sensitivity of such a scale. That is the hurdle for finance because it got out so very far over its skis. Because we are definitely living in a world of stranded profits and when we all start to panic it’s known as inflation, or sometimes deflation – the ghost of Minsky. It’s the wine ;-).
An illustration of how easy voice deepfakes have become:
https://nypost.com/2023/04/12/ai-clones-teen-girls-voice-in-1m-kidnapping-scam/
And who doesn’t remember the scene in Sneakers of getting the voice print? And now it’s even easier! My voice IS my passport!
In Australia contactless purchase with a card is called ‘Paywave’. It is limited to $100. So, someone can thieve up to that amount. When it came out I noted the banks were deliberate in making it so easy for people to steal that amount. It just means more fluidity.
Internet banking makes it possible to toggle card settings. So, you can disable contactless purchase, online purchase, international usage.
Ask at the branch, otherwise. No need to damage the card with scissors :-) But FYI, the RFID is not in the chip. It’s in a coil running around the outside edge of the card.
Some security tips:
* Only use a VPN to access internet banking (Proton VPN is equal to the best in a world of unreliable VPNs, and it’s free)
* Use a browser add-on like uBlock Origin to ensure no additional criminal scripts are running on the page
* As others have correctly said – quite simply, don’t use the smart phone for banking or any transaction. You are no longer the lowest hanging fruit or the slowest runner
* 2FA by email not by phone. If 2FA by phone is forced upon you, use an authenticator app like Authy. The desktop version is more secure than the phone version. 2FA by phone is terribly insecure. It’s SO easy to spoof someone’s phone number. One approach that might be practical for some, is to get a dumbphone and a new SIM number and use it exclusively for 2FA nothing else. Your own personal authenticator.
It means your 2FA number is not out in the wild.
* Passwords – well, banks usually make it not possible to create a secure one. One approach suggested by Bruce Schneier is to write passwords down on a piece of paper. He once compared the pros and cons versus an electronic manager – it has some risks but arguably a much smaller attack surface. I think electronic password managers have all manner of issues and in-browser ones are even worse.
I used to have an acquaintance who was into dark web financial scam sorts of things. Once when I saw him he’d recently been invited to some kind of dark web market where one could basically buy packages consisting of individuals’ virtual presence, like all the cookies saved on their devices and what not. Basically you’d purchase the package, then input it into a browser application the owners of the market had made, and the internet would recognize you as if you were the person whose stolen info made up the package. He showed me how it worked and the only thing that he couldn’t get around was if the person had set a particular website to always require 2FA using a phone. But if not, like he went to gmail and was automatically in that person’s email account, from there he could basically get access to any passwords for their accounts he needed (if not auto logged into them), unless phone 2fa was on.
Sorry for my sloppy explanation. This was quite a few years ago so I don’t remember it all precisely.
Oh, I got another one for you; Every bank app I’ve used, “fintech” and old school banks, support auto-login with Face ID on iPhone, if you enable it. It is opt-in, at least, but if someone gets your face and your phone, maybe you’re unconscious, or under duress, they’ve got your account. No further information necessary. And generally no further authentication is required to perform ACH transfers; And you can quickly add a new remote ACH account with most banks today, so an attacker can add their account seamlessly from your device, transfer your money out, and move on; perhaps you’re still breathing after this, perhaps not, who knows? So far the only exception I’ve seen is HMBradley, which also wants a 2FA app code when you login, but because that’s on your same phone as Face ID, it doesn’t matter if someone has your phone in their hand. None of these do Face ID + PIN. (But you opt-in to Face ID, so this is kind of an own goal if you allow this.)
The goal of every bank is not necessarily to eliminate fraud. See for example “The optimal amount of fraud is non-zero.” That is not to say that all banks are competent at assessing risk, but I expect the industry in aggregate is so.
squarecoats thanks for the interesting response.
http://www.schneier.com and search 2FA for posts on the vulnerabilities of 2FA, and the comments (which are usually the best part of a post)
Krebs on Security is another blog. Brian Krebs, a reporter dedicated to fighting and exposing online scammers. I believe he’s been swatted a bunch of times. He’s been instrumental in bringing down some big international groups. Lot of practical information and up to date reports on attacks and arrests. Search 2FA there too :-)
Another practical tip I can add to the list above. After using any site involving credentials, close the browser. Run the free BleachBit software. It removes all traces of data in memory and extraneous bits of files, persistent cookies, everything.
Just takes an extra 60 seconds but it becomes an automatic hygienic lifestyle habit.
So, each log in, anywhere, is a stand alone session that is closed and cleansed in between. If any dodgy code is attached to a site you visit, it can’t persist on your device afterward. Likewise, your sensitive details can’t persist beyond the session either. Nor are you visiting a site (to meet dodgy code, for example) bringing along data from a previous session.