After using userID/password && (see what I did there?) 2FA to login to my credit union’s online banking website, I got further prompted for security questions upon attempting to make a transaction.
I called and complained, asking why am I not being considered completely authenticated after providing 2FA? Their pathetic response was “Oh, that happens once every six months”. I informed them that my rating of their security just went down a bit.
Geez…
/rant
As poor as the financial industries security is I would just be happy they actually deploy any means of authentication outside a password. So there is that =)
Is 2FA enforced? It’s probably in place for those who don’t care and never activate 2FA. Those questions are probably easy to social engineer anyways.
It is optional. You can either use 2FA/MFA or you can elect to answer the security questions. This is the first time I’ve seen a requirement for 3 levels of authentication.
It’s just weird for anyone to even consider 2FA to be, um, not enough for complete authentication. I guess someone could figure out my userID & password, but the chances of them doing that, and having access to my cell phone or my email account are pretty slim (Bo, that is not an invitation to try).
I’ve always wondered how secure questions are anyways. Every user chooses between the same 10 questions. How many people would just tell you what their first car or their favorite pet was if you asked?
That should be considered as PII (personal identifiable information) and if someone who doesn’t have a valid reason to identify you ever asks you for this you tell them to go pound sand.
YOu should be happy in general if the 2FA isn’t SMS only, and if the system will accept a password longer than 8 characters, or with symbols
Yeah, I would have an issue with SMS-only 2FA. That is yet another tactic companies use to get more data from you. Although, for this use case, if would be hard to open a bank account without providing a phone number.
My bank doesn’t use a password at all. It uses a hardware component that requires your debit card and pin to generate access and signing codes.
That probably saves them a lot of checking password hashes at https://haveibeenpwned.com/
But then I’m Dutch and we’re one of the few countries where most people don’t have credit cards. So we have our own system to safely do payments online.
What is iDEAL? Your guide to the Dutch online payment system – DutchReview
Interesting. I like the hardware component part. I’ve love to see banks issue RSA hardware tokens. I don’t trust software tokens, though, and that is probably what most banks would want to do in order to avoid the expense.
I’ve even be happy to use a Ubikey.
Even though I don’t trust phone-based apps, I did try to go down the path the using a fingerprint reader to access BitWarden to store my password to access this specific banks phone app, but their app interferes with BitWarden and requires that I manually type in my month if the app has not been used for x number of days. That was a deal-breaker for me because my password is too complex to type in on a phone. I discussed this issue with the banks tech support, but they just blamed the issue on my phone and not their app. I could tell from talking with the tech that he didn’t have a clue and could not afford to buy a vowel. I don’t use their app anymore.
Found an English version of the manual for the thing.