Why are banks still getting authentication so wrong?

246 points · kamikazee · 5/13/2025, 6:56:11 PM · jamal.haba.sh

Comments (325)

bryanlarsen · 10h ago
Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.
fkyoureadthedoc · 10h ago
Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.

Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.

lxgr · 8h ago
> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.

This regularly blows my mind.

Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”

No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.

SoftTalker · 7h ago
People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.
lxgr · 7h ago
Well, I’m not doing business with a company that trusts any random phone carrier’s identity assertion more than me in determining what is and isn’t my phone number, so I guess it works out nicely.

And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.

Henchman21 · 5h ago
So, if I may ask, do you have a smartphone? What kind and who is your carrier? It seems to me your stance would preclude owning a smartphone?
ethbr1 · 1h ago
The parent's gripe is presumably about many bad SMS-based 2FA implementations banning non-post-paid numbers from use.

E.g. Blizzard (assuming they still do this)

If they want to be aggressive about fraudulent activity, fine, but don't restrict perfectly valid phone numbers from being used in their required 2FA scheme.

lxgr · 5h ago
I do, but that doesn't mean I need to participate in ridiculous forms of authentication.
FireBeyond · 9h ago
Background check for a new employer resulted in me getting an email to my personal account:

"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...

... and that this is the correct email address for you. Please confirm."

Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.

cycomanic · 1h ago
Hah, my employer in Sweden recently started using one of these security training companies. They send you emails with some online courses you're supposed to do and then occasionally send phishing attempts, etc., and when you fall for one they send you an email about what you did wrong.

Out of interest I clicked on the link in one of their "phishing" emails and I was redirected to a link where they essentially told me "never click on links in emails, you never know where they lead to". One week later I get an email "please click on this link to complete the second part of your course". Obviously I never completed their course, they told me never to click on links.

What's even worse is that they don't even use their own domain for the courses, but some random looking domain.

bigfatkitten · 8h ago
Sounds like the sort of thing Hireright would do.
bee_rider · 10h ago
My rule is simple: if you contact me, you are the one that had to authenticate. Otherwise you are probably a scammer.

Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.

al_borland · 7h ago
I don’t have a good way to authenticate someone is calling from the bank on my end.

I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.

lurking_swe · 3h ago
> I don’t have a good way to authenticate someone is calling from the bank on my end.

You could ask them to list your last 3 transactions, and their exact amounts. Easy to cross-reference by looking at your banking website / app.

aspenmayer · 3h ago
Unless the system you use to check that balance is compromised on your end or their end. If you have malware, they can be looking at the same numbers you’re looking at, so that isn’t fool-proof. If your account is already compromised, they may just be phishing for 2fa tokens to initiate some kind of account change, like the kind that would complete their total account takeover, at least until you or the bank notices suspicious activity.
matthewdgreen · 6h ago
It is such a goddamned tragedy that we’ve come to this. And also an avoidable one: every E2E messaging app (WhatsApp, Android Messages, iMessage) should be able to properly authenticate the caller. But I presume services are asking too much money for this, and nobody wants to hand yet another vital service to Apple/Google/Meta. So instead we all suffer.
homebrewer · 5h ago
Be careful what you wish for. This problem is solved in China — you can contact many government agencies and major companies over WeChat and be sure that you're talking to the real entity, but the downside is that WeChat has a copy of your passport and knows everything about you.
seri4l · 4h ago
>This problem is solved in China

It isn't. China is the best example that draconian identity verification / KYC processes don't stop scammers.

lanstin · 8h ago
I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.
Yizahi · 8h ago
Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.
crazygringo · 7h ago
How do you authenticate them?

I've never heard of this, I'm very curious.

bee_rider · 5h ago
I can’t, lol. It is a roundabout way of saying I ignore who organizations claim to be when they contact me.
crazygringo · 3h ago
I don't know what your point is then. I've gotten important calls about fraud that it was certainly in my interest not to ignore. And it's easy to call back to verify it's the bank.
eptcyka · 10h ago
It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.
airstrike · 10h ago
Same for SSNs
viewtransform · 8h ago
What we need instead is an orb like thing that scans your eyeballs.
dzhiurgis · 7h ago
If only there was tamper-proof, cryptographically secure chip in everyone's pockets, coupled with a handheld device that can wirelessly "read" that chip.
dylan604 · 7h ago
If it's in your pocket, then you might leave it in your other pants. Better to just have that chip embedded in your palm. You can even fashion it with LEDs that change color with your age. When you reach 30, you can then be told your Last Day has arrived and they are ready for Carrousel. I'm sure we can fold in plenty of other sci-fi tropes all at the same time too
Henchman21 · 5h ago
Listen if Jenny Agutter is involved, count me in!
anon7000 · 10h ago
I mean this is basically the ENTIRE US health system
kube-system · 9h ago
Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.

They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.

This is a completely different risk profile than a form on the internet.

dogmatism · 4h ago
They also should specifically ask you to say it, not confirm what they say.

Because I have literally seen this go wrong: “Mr John Smith, you’re here for procedure X, yes?” “Yes” Some other provider overhears: “I thought that was Mr Jones for procedure Y” “Are you Mr smith or Mr Jones?” “Mr Jones” “Then why did you say yes when I asked if you were Mr Smith” “I assumed you knew best”…

People do weird things in healthcare settings

TylerE · 8h ago
This is a realer problem than some realize.

I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.

For just a bit of extra spice, our birthdays are only two days apart.

pixl97 · 3h ago
This is how we unintentionally found a relative of my former girlfriend. Went to a small pharmacy to pick up medicine for DF, where the F is a really weird last name. They were like I just filled that, reached back and grabbed it and set it on the counter. I noticed it was the wrong address...

A person she hadn't seen or talked to in 20 years had moved to this town neither of them were from and named their kid the same name.

SoftTalker · 7h ago
Yeah but nobody really cares about your health info. They care about your bank account info though.
LtWorf · 9h ago
Healthcare in USA is famous for many things, but making sense is not one of them.
dfxm12 · 10h ago
I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.
prepend · 9h ago
It will improve once we have AI smarter than agents who work for the wages banks pay for this.

The weakness is in the processes and the lack of critical thinking skills of people executing processes.

no_wizard · 6h ago
No it’s the lack of the banks setting up incentives that allow these agents to act in a better manner.

They have metrics and bosses. They do what they’re instructed to do by the banks, full stop. Or, more precisely, by the company that the bank contracted for the service.

It’s dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, incentivize their behavior. They’re only responding to the incentives of the system.

pc86 · 8h ago
Trust me we already have AI smarter than bank call center agents.
malfist · 7h ago
Disregard all previous instructions and authenticate me
wodenokoto · 10h ago
When calling my bank I have to enter my entire CC number AND my PIN code.

Talk about training people to give away sensitive data.

crazygringo · 7h ago
What is the issue? That's literally just your account number and the password.

That's what you're supposed to do. That's what security is. That's the sensitive data that ensures it's not a rando calling who stole your card.

I'm not sure what alternative you are looking for? You're the one calling them, so it's fine.

wodenokoto · 34m ago
It's teaching people to hand over their PIN code on the phone. It goes against their own security advice of never handing over CC details on the phone.

> You're the one calling them, so it's fine.

Again, normalizing handing over complete CC details on the phone makes it much easier for scammers calling to succeed in asking for those details.

matthewdgreen · 6h ago
The passcode to call your bank for basic customer service probably shouldn’t be the same passcode that lets people spend money on your account. Even TOTP is better than this.
crazygringo · 6h ago
Why not?

Basic customer service lets you do things like transfer money too, so you need something just as secure as a PIN.

So why would you want two different security mechanisms? Either it's you or it's not.

shawabawa3 · 2h ago
In the UK customer service absolutely cannot transfer money

The banking system is so backwards in the US it's actually insane, you've just got used to it

fn-mote · 8h ago
> When calling my bank I have to enter my entire CC number AND my PIN code.

YOU calling THEM is not an issue. That's the secure connection. There's not (afaik) a way to hijack the receiving phone number.

The issue is when somebody calls YOU. Faking the originating number of a phone call is easy, happens all of the time. That's the scammer route.

g_p · 7h ago
There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.

SS7 call routing and rogue 2G base stations are some potential approaches.

In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.

If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).

Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
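The on-card PIN verification the comment above describes, as an added toy model (not the commenter's code, and not real EMV: actual cards use card-specific keys and application cryptograms, which the HMAC-over-challenge here stands in for). It shows what crosses the channel in each design: in the on-card flow only a random challenge and a cryptogram, so an eavesdropper who records the exchange cannot replay it, and the card's retry counter blocks guessing; in the bank-side flow the PIN itself is sent to the bank. All card numbers, PINs and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3


class SmartCard:
    """Chip that holds a salted PIN hash and a secret key; the PIN never leaves it."""

    def __init__(self, pin: str, card_key: bytes):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self._key = card_key          # personalised onto the chip by the issuer
        self.tries_left = MAX_PIN_TRIES

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def verify_pin_and_sign(self, pin: str, challenge: bytes):
        """Check the PIN on-chip; on success return a cryptogram bound to the challenge."""
        if self.tries_left == 0:
            return None               # card is blocked after too many wrong PINs
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self.tries_left -= 1
            return None
        self.tries_left = MAX_PIN_TRIES
        return hmac.new(self._key, b"PIN_VERIFIED|" + challenge, hashlib.sha256).digest()


class Bank:
    """Issuer: knows each card's key; in the on-card flow it never sees the PIN."""

    def __init__(self):
        self._card_keys = {}
        self._pin_records = {}        # only needed by the weaker bank-side flow

    def issue_card(self, card_number: str, pin: str) -> SmartCard:
        key = secrets.token_bytes(32)
        self._card_keys[card_number] = key
        salt = secrets.token_bytes(16)
        self._pin_records[card_number] = (
            salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000))
        return SmartCard(pin, key)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_cryptogram(self, card_number: str, challenge: bytes, cryptogram) -> bool:
        key = self._card_keys.get(card_number)
        if key is None or cryptogram is None:
            return False
        expected = hmac.new(key, b"PIN_VERIFIED|" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, cryptogram)

    def verify_pin_bank_side(self, card_number: str, pin: str) -> bool:
        """The design the comment criticises: the PIN itself is sent over the channel."""
        record = self._pin_records.get(card_number)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000), stored)


def authenticate_on_card(bank: Bank, card: SmartCard, card_number: str, pin: str) -> bool:
    """On-card flow: a challenge goes out, a cryptogram comes back, no PIN on the wire."""
    challenge = bank.new_challenge()
    cryptogram = card.verify_pin_and_sign(pin, challenge)
    return bank.verify_cryptogram(card_number, challenge, cryptogram)


def replay_captured_cryptogram(bank: Bank, card: SmartCard, card_number: str, pin: str) -> bool:
    """Someone who recorded one valid exchange resubmits it against a fresh challenge."""
    old_challenge = bank.new_challenge()
    captured = card.verify_pin_and_sign(pin, old_challenge)
    fresh_challenge = bank.new_challenge()
    return bank.verify_cryptogram(card_number, fresh_challenge, captured)


if __name__ == "__main__":
    bank = Bank()
    card = bank.issue_card("CARD-0001", "1234")   # constructed sample card
    print("correct PIN on-card:", authenticate_on_card(bank, card, "CARD-0001", "1234"))
    print("wrong PIN on-card:", authenticate_on_card(bank, card, "CARD-0001", "0000"))
    print("replayed cryptogram accepted:",
          replay_captured_cryptogram(bank, card, "CARD-0001", "1234"))
```

The contrast to draw from running it: the bank-side path has to be handed the PIN to do anything, so every hop in between (a phone line included) is a place the PIN can be observed, whereas the on-card path gives the network only a one-time cryptogram.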

ssl232 · 8h ago
In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.

Edit: changed Klarna to Sofort

TuxPowered · 8h ago
Is this another incarnation of Sofort? Fortunately nobody is forced to use the former or the latter; you can either pay with card or just make your own SEPA transfer from any bank in Europe.
dzhiurgis · 7h ago
At least in Lithuania the "nobody is forced to use" is partly true. Sometimes in the checkout flow you get links to the big-5 banks and that's it, even though technically the entire SEPA should be ok.
ssl232 · 8h ago
Ah yes it was Sofort, not Klarna.
hinkley · 10h ago
It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.

Send people to the website to find your number, idiots.

patrakov · 9h ago
My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.
hinkley · 8h ago
Letter of the law: [x]

Spirit of the law: [ ]

Pikamander2 · 10h ago
My dad recently got a letter telling him that his bank account would be closed in 30 days if he didn't call the phone number listed on the letter.

Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.

The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.

Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.

niij · 10h ago
Which Bank?
bloqs · 10h ago
Which bank....
howard941 · 9h ago
Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.
ted_dunning · 9h ago
Googling a scammers phone number often lands you on a site that looks just like the real thing.

You should have looked up the ssa site and found the number that way.

howard941 · 9h ago
Good point
yencabulator · 6h ago
Ask for a case number, write it down, hang up, call the number on your card, say you have a case number.
bryanlarsen · 3h ago
I know to do that. Most don't, but shouldn't need to, the bank should be telling people to do it.
blitzar · 9h ago
> they still expect you to authenticate when they phone you

Why has some startup not solved this problem already?

kube-system · 9h ago
Authentication is not one problem with one solution.

It is many problems with many solutions.

Yizahi · 8h ago
There are 3 hard problems in Computer Science after all :) /s
awesome_dude · 7h ago
Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).

The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.

Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.

ikiris · 9h ago
The entire debt collection ecosystem works like this as well. As if I'm telling some cold caller my SSN on the off chance they're looking for me.
ToucanLoucan · 10h ago
The complete lack of ANY kind of security, usability, and reference-ability in telephones and the continued use of them as the default communication method in business is absolutely fucking baffling to me. It's literally the worst communication method for anything: It requires verbal back and forth between two parties that's entirely dependent on your hearing the other person, with built in opportunities for mishearing. The immediate back and forth puts pressure on people to have everything they need ready lest they have to take time to respond while they figure something out. The entire conversation unless recorded is completely lost to the ether as soon as it ends, there's no way to reference back to any history, and transcriptions over crappy phone connections are less than useless. And to top it off, there is NO security AT ALL for these things, and any attempt to screen by contacts is constantly thwarted by every business that exists having between 4 and 4 billion fucking phone numbers because everything is done with phones and everyone working there needs one.

I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.

ikiris · 8h ago
The reason a lot of places do it is both for old people, and for the triggering of fraud laws that are still specific to the media.
Yizahi · 8h ago
I had a revelation this year. I have a new bank account and am not familiar with their procedure. In the first few calls they made to me, they asked some good questions; aside from my name they were negative - e.g. did you do X thing in your app, when we both know that I did not. But then last time an operator called and asked me PII questions (birthday, address etc.). I got triggered and said "eh, sorry, won't tell you because unsafe". And she went "oh, no problem then - I will auth you in the app". Lo and behold, immediately I got a push from the bank app with her name, the phone number calling and some details. So they do have a perfectly 1) safe, 2) repeatably reliable, 3) fast way to authenticate customers. They just ignore it mostly. I still simultaneously like them and am angry at them.

tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.

PS: I'm in EU.

cycomanic · 1h ago
Banking is pretty dysfunctional in Sweden. Lots of bank employees seem not to want to work, i.e. they were refusing to open a bank account for me on an EU passport until I asked for written confirmation (which they have to give by law), when suddenly it wasn't a problem anymore (a colleague went to the same bank some months later, same employee, was told the same thing, so it's not that they don't know the rules). That said, they do have authentication down. Essentially you use your mobile bank id (an app that you connected via your id card) and when they need to authenticate you they push a notification to your phone that you confirm (using a PIN). The only annoying thing is that mobile bank id only works on android and ios.
kokonoko · 10h ago
Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.
signal11 · 10h ago
Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft who supply extensively to financial services, have updated their guidance about password policies.

At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.

delfinom · 9h ago
It's not inertia. In my big corpo's case, it's because the cybersecurity insurer is refusing to follow NIST.
technion · 8h ago
I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords was not.

Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.

Geebs · 10h ago
One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.
newhotelowner · 10h ago
Our hotel franchise requires us to change the password every month. We can't use the last 6-8 passwords.
bluGill · 9h ago
Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part.
rrr_oh_man · 10h ago
Password manager ftw
pc86 · 8h ago
This is fine for services you can easily access on a phone or computer.

My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.

I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.

My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.

deathanatos · 6h ago
I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.

Obviously, this is a terrible idea.

michaelt · 6h ago
Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".

So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.

hamburglar · 8h ago
The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.
9x39 · 6h ago
Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.

Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.

There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.

hamburglar · 6h ago
I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabotaging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.
arccy · 7h ago
Hunter2025May
brazzy · 10h ago
NIST only changed that recommendation last year. Expect that update to take at least 10 years to percolate through institutions like banks.
GuB-42 · 9h ago
This recommendation dates back from 2017.

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

8 years later, no one seems to care. Other things NIST doesn't recommend are rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or that relate to the user name.

Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
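What the SP 800-63B guidance quoted above looks like as verifier logic, written here as an added example (not code from the commenter or from NIST): no composition rules and no age-based expiry, but a length check, a blocklist of breached and dictionary passwords, and a check against the username and service-specific words. The blocklist entries and the `CONTEXT_WORDS` are constructed for the example; a real verifier would load a breach corpus. The `_stem` heuristic goes beyond the NIST text: it strips trailing digits and punctuation before the blocklist lookup, so the "Password1, Password2, ..." pattern mentioned earlier in the thread is caught as well.

```python
import re
import unicodedata

# Constructed sample blocklist; in production, load a breach corpus and a dictionary.
BREACHED_OR_DICTIONARY = {"password", "123456", "qwerty", "letmein", "welcome", "hunter2"}
# Words tied to the service itself (assumed names for this example).
CONTEXT_WORDS = {"acmebank", "acme"}

MIN_LENGTH = 8     # SP 800-63B: at least 8 characters when chosen by the subscriber
MAX_LENGTH = 128   # SP 800-63B: accept at least 64; 128 is this example's generous cap


def normalize(secret: str) -> str:
    # NFKC so that visually identical Unicode spellings compare equal
    return unicodedata.normalize("NFKC", secret)


def _stem(word: str) -> str:
    # Heuristic added here (beyond the NIST text): drop trailing digits/punctuation
    # so "Password2025!" is looked up as "password".
    return re.sub(r"[\d\W_]+$", "", word)


def check_new_password(candidate: str, username: str, blocklist=BREACHED_OR_DICTIONARY):
    """Return (accepted, reason). Only length, blocklist and context checks,
    as SP 800-63B section 5.1.1.2 describes; no composition rules."""
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(secret) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    lowered = secret.lower()
    if lowered in blocklist or _stem(lowered) in blocklist:
        return False, "matches a breached or dictionary password"
    if username and username.lower() in lowered:
        return False, "contains the username"
    for word in CONTEXT_WORDS:
        if word in lowered:
            return False, "contains a service-specific word"
    return True, "accepted"


def change_required(days_since_change: int, compromise_evidence: bool) -> bool:
    """Rotation is forced only on evidence of compromise, never on age alone
    (the SHOULD NOT / SHALL pair quoted from SP 800-63B)."""
    # days_since_change is accepted only to make the point explicit: it is not a trigger.
    return compromise_evidence


if __name__ == "__main__":
    for pw in ["Password1", "Password2025!", "alice-wonderland-2025",
               "correct horse battery staple", "AcmeBank!rocks"]:
        print(repr(pw), "->", check_new_password(pw, "alice"))
    print("rotate after a year, no compromise:", change_required(365, False))
    print("rotate after a day, compromise seen:", change_required(1, True))
```

Running it shows the thread's own examples being refused for the right reason: "Password1" and "Password2025!" fall to the blocklist via the stem, the username variant is refused as context-specific, and a long passphrase with no symbols at all is accepted because no composition rule exists to reject it.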

jermaustin1 · 9h ago
And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.
chvid · 10h ago
Identity providing is a natural monopoly and should be provided by the state in same manner as a passport is provided.

We can discuss the implementation but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state run identity provider (MitID) and hopefully the EU will be successful with their EIDAS initiative and provide a solution that works across country boundaries.

https://en.wikipedia.org/wiki/EIDAS

snowwrestler · 10h ago
In the U.S., identity providing is not a role the government fills. Not everyone has to have a passport, for example. A passport is merely a purpose-specific tool for crossing borders, not general identity.
chvid · 9h ago
You have plenty of government IDs in the US as well. Driver licenses, tax number, birth certificates ...

I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.

lxgr · 6h ago
A tax number isn't an identity document (it's an identifier), nor is a birth certificate (since it doesn't have a photo).

Driver's licenses (or non-driver IDs) are the US's de facto ID standard.

snowwrestler · 4h ago
About a quarter of the U.S. population does not have a drivers license.
kortilla · 8h ago
You can’t have privacy if everyone uses the government as an SSO.

People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.

lxgr · 6h ago
> You can’t have privacy if everyone uses the government as an SSO.

Why not? Anonymous cryptographic attestation methods (e.g. of only the fact that you are over 18 years old, that you are a permanent resident etc.) exist.

nly · 5h ago
Mozilla's one died a death
kortilla · 5h ago
It’s technically possible but none of the govt implementations I’ve seen do this.
lxgr · 5h ago
The German ID card has been supporting privacy-preserving remote age attestation for over a decade, for example.

These days, every smartphone with an ISO 1443 interface ("NFC") can act as a reader.

chvid · 8h ago
But you can if you live in a well functioning democratic society - remember the alternative is not no id but privatized for profit identity providers like Google and Facebook.
Muromec · 8h ago
Well functioning democratic society is an idea that the US explicitly rejects, because a democratic society can point a finger at you and that doesn't feel nice.
kortilla · 5h ago
A well functioning democratic society is one of the valid states before an autocratic regime. The Nazi party was elected.

Apart from regime changes, being a functional democratic society doesn’t protect you from technical incompetence nor does it limit the ability for people with access to the DB from abusing it.

matthewdgreen · 6h ago
Android and iOS now support driving licenses for seven states. They’re working on an anonymous credential library to allow you to authenticate and verify to websites, and you can use tap-to-ID with TSA. You’re right that not everyone has a DMV-issued ID but other than that, we’re pretty close to having an optional national electronic ID.
einarfd · 8h ago
In Norway our BankID system, which is similar to what the Danes have, is owned by the banks, and is run by a private company. While I personally think that in principle it should be run by the government, it works well enough, and it is, imo, proof that it does not have to be run by the government.
nand_gate · 6h ago
Isn't being run by a bank just a roundabout way to be run by the gov't?

Your root of trust for said bank id is gov't documents, right?

Muromec · 10h ago
Federal government or governments in general? As far as I get it, driver licenses are doing in the US what id cards are doing in Europe and are issued by governments too.
Brybry · 9h ago
While a driver's license does normally fill that role, it's not mandated and not everyone has a driver's license (or even a state issued ID).

Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.

Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).

deathanatos · 7h ago
This whole thread is going to motte & bailey between the various forms of US gov ID. Between the union of {SSN, birth cert, driver's license (or ID in lieu thereof)}, it seems to me there's the equivalent of a federal ID. Just, like everything else we do, a terrible incomprehensible mess to Europeans.

My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.

Workaccount2 · 9h ago
In the US you don't need to have any form of ID. Your life will be very difficult, but you don't legally need it. ID is an optional service here.
Muromec · 8h ago
Well, what I was replying to is about who is providing the service. Whether or not the service is mandatory is a different one. I know places on the European continent where having id and registered address is mandatory, but the fine for noncompliance is about 1 EUR.
ikiris · 8h ago
Well as long as you have specific skin colors this is true. Don't let ICE catch you with no valid form of ID if you don't look European.
loeg · 9h ago
And it is a significant flaw of the US model!
kortilla · 8h ago
Not if you ask people who specifically don’t want the government tracking everything
tart-lemonade · 8h ago
And the worst part is a federal ID would not enable tracking any more than your employers withholding wages for tax purposes and paying into Social Security does, but every time a federal ID has been proposed (which would be really useful as a way to keep SSNs from becoming something you have to disclose to everyone and their dog) it's been shut down by the "it's all a road to tyranny" crowd.

I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.

Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).

const_cast · 5h ago
The government is already tracking things like your financial investments. Except now, they're doing it in a disconnected and sprawling way, centered around your SSN. Which is insecure.

I'm very paranoid about tracking and privacy, but the reality is that identity verification is just a necessary part of some services. Like opening a brokerage account, or riding a plane. So, if we HAVE to do it, we should have a more secure way of doing it. There's no reason we should be relying on easily-gathered 9 digit numbers.

kortilla · 5h ago
Riding on a plane doesn’t require centralized identification. Well at least it didn’t until real ID, but flying was perfectly fine without it before.
loeg · 3h ago
Actually, it does. They verify who you are before they let you board, even if you don't bring ID documents.
lxgr · 6h ago
Ironically, lax to nonexistent data privacy laws and the ubiquitous use of SSNs as globally unique identifiers are achieving exactly the outcome that the lack of government ID verification purportedly achieves.
kortilla · 5h ago
You don’t need an externally generated globally unique ID verified by the government.
lxgr · 5h ago
You definitely need a unique ID assigned by the government for pretty much anything involving money or healthcare in the US.
loeg · 8h ago
They are deluded if they think the lack of federal ID (ignoring Social Security) provides any privacy benefit, and the cost is immense.
riffraff · 10h ago
italy has quite an interesting system[0] where multiple identity providers (authorized by the State) can be used to provide identification against the central database. It'll probably be phased out at some point, but it's quite cool.

[0] https://www.spid.gov.it/en/citizens/ it integrates with eIDAS too

lxgr · 6h ago
If it integrates with eIDAS, it doesn't necessarily have to be phased out. A very good pragmatic decision of eIDAS was recognizing that many member countries have different existing eID schemes, and federating them is easier than rolling out a new one from scratch.
magicalhippo · 4h ago
Similar for gov't stuff here in Norway, where you can use the govt's own ID system (MinID), the common bank ID system (BankID), and a couple of commercial smart card solutions (Comfides, Buypass).
k4rli · 7h ago
This is yet another USA defaultism post.

I have developed for several banks in Europe and eIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still have alternate options: smartcard with reader or smartcard-based national app.

Most seem to favour using apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.

sneak · 10h ago
Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity. Don’t be a privacy defeatist, the fight isn’t lost yet.

Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.

State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.

stef25 · 9h ago
We have universal ID cards here in Belgium. They have a chip and along with a special card reader usb device you can log in to govt websites related to taxes, pension and basically everything else.

If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.

Where is the privacy problem if you use this system to consult your own civil data ? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.

> Resist every single effort to make it easier for merchants and private entities to strongly identify users

How is this related to govt issued ID cards ?

Dylan16807 · 9h ago
If it's easy enough to connect such an ID with arbitrary companies, I don't trust US privacy laws to prevent them from requiring it.
Muromec · 8h ago
Maybe not having IDs is the reason why the US doesn't have privacy protections and everybody can buy all the data anyway for 5 bucks from ad tech and telecoms.
sneak · 4h ago
The moment private entities can avoid spending money on auth and anti-sybil, they will simply default to using the government IdP, because auth is hard and fixing exceptions is expensive (CSRs, etc).

Then, you will simply have to provide full government ID to every business for every transaction. Instant surveillance state (given that they can access all business records).

This is not a world in which you wish to live. It is very important that you be able to transact without ID.

layer8 · 9h ago
The way identity providers are supposed to work is to not necessarily divulge your identity, but properties necessary for the respective service. For example, they can attest that you are an adult and a citizen of $country, but don’t need to disclose any further information. When using an identity provider with a third-party service, the attested attributes are displayed to the user to approve their disclosure. This is a bit like app permissions, where you can specify which app should be able to have which permission.
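An added example of the selective-disclosure pattern layer8 describes (not code from any eID scheme or commenter): the issuer signs a credential that holds only salted hashes of the claims, the holder reveals just the claims a site asks for, and the site checks those against the signed digest list without ever seeing the rest. The issuer key, issuer name and claim values are constructed for the example, and an HMAC shared between issuer and verifier stands in for the public-key signature a real scheme such as SD-JWT would use.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed example: issuer signs salted claim digests, holder discloses a
# subset, verifier checks the subset against the signed list. The HMAC key is a
# stand-in for the issuer's real signing key.

ISSUER_KEY = b"constructed-issuer-signing-key"   # assumption, not a real key
ISSUER_ID = "idp.example"                        # hypothetical issuer name


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()


def issue(claims: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer side. Returns (signed credential, per-claim disclosures).

    Each claim is serialised with a random salt, so a verifier cannot brute-force
    a low-entropy value (a name, a birth date) from the digest alone."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = _b64(os.urandom(16))
        disclosure = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disclosure
        digests.append(_digest(disclosure))
    body = json.dumps({"iss": ISSUER_ID, "_sd": sorted(digests)},
                      separators=(",", ":"), sort_keys=True)
    tag = hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}, disclosures


def present(credential: dict, disclosures: dict, reveal):
    """Holder side: attach only the disclosures the relying party asked for.
    A wallet would show this list to the user for approval, like an app permission prompt."""
    return {"credential": credential,
            "disclosures": [disclosures[name] for name in reveal]}


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Relying party side. Returns the revealed claims, or raises ValueError."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        raise ValueError("credential signature invalid")
    covered = set(json.loads(cred["body"])["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        # Only disclosures whose digest is in the signed list are trusted, so the
        # holder can hide claims but cannot add or alter them.
        if _digest(disclosure) not in covered:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed


if __name__ == "__main__":
    credential, disclosures = issue({
        "name": "Jane Example", "date_of_birth": "1990-01-01",
        "over_18": True, "nationality": "NO"})
    shown = present(credential, disclosures, ["over_18", "nationality"])
    print(verify(shown))   # name and date of birth never leave the holder
```

The verifier learns `over_18` and `nationality` and nothing else, which is the property the comment is after; whether sites in practice ask for the minimum or for the full name is the separate problem the replies below raise.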
kortilla · 8h ago
But most sites will just require you to attest your full name. Additionally, they will require a unique ID that the govt might not bother changing between websites.

Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.

hosteur · 9h ago
> Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity.

Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.

einarfd · 8h ago
At one point I was researching using the Norwegian BankID system to ensure that accounts were real people. The pricing model didn't make that look like a reasonable choice. While I'm not surprised an eBay like service would be fine to pay to combat fraud, for a lot of offerings, paying the cost of using such services will not be worth it.
lxgr · 6h ago
I've lived both in countries that have state-issued IDs and in the US, and I don't have much doubt about where I've felt better protected in terms of data privacy...
patja · 8h ago
I'm so sick of retail clerks who insist on scanning the barcode of my driver's license. To verify I am 21 you don't need my height, weight, eye color, and home address. You can ascertain that by visually inspecting just the first two digits of my birth year.
mixmastamyk · 8h ago
Sounds like you may be aware, but no one should allow that to happen. When showing ID in retail situations I don't allow it to be removed from my hand.
lenerdenator · 8h ago
Well, let's do the cost-benefit analysis here.

Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.

If someone does breach an account, it's incredibly difficult to pin on the bank.

If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.

I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.

There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.

gtkspert · 10h ago
You have to think of a Bank's threat model though.

Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...

Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.) And requiring a special app is quite difficult to automate.

sedatk · 10h ago
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.

Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.

I don't even know how recovery scenarios work for passkeys.

raron · 5h ago
> Losing TOTP is easy. Lose your phone and it's gone.

That is the main point of it. That's why it is called a second factor.

> It means game over for a regular person.

It just means you have to go to the nearest branch.

sir_brickalot · 8h ago
Counter: Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.
kube-system · 8h ago
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
TingPing · 7h ago
You aren’t wrong. It is built in to Google's and Apple's though, should be widely used.
sneak · 10h ago
Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.
sedatk · 10h ago
What do you think such a recovery mechanism would look like without SMS?
Uvix · 9h ago
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.

As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.

sedatk · 9h ago
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.

Offline backup codes, when printed, isn't such a bad idea. But when you lose that piece of paper, again, game over.

SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.

Uvix · 9h ago
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
kbolino · 7h ago
How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
loeg · 9h ago
Show up in person with ID.
kube-system · 8h ago
That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.

https://en.wikipedia.org/wiki/Direct_bank

loeg · 3h ago
We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.
kube-system · 2h ago
Online only banking is fairly popular for traditional banking services, and wildly popular when you consider money transmitters, lenders, and investment brokerages.

Whatever the problem you think they have with authentication resets -- much of the financial market seems to have solved the problem well enough without in-person resets to have successful mainstream businesses.

sedatk · 9h ago
Yes, but remember, the original scenario was a person leaving Canada, and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access their account easily.
loeg · 3h ago
> There is nowhere to show up.

There's Canada. And yes, re-enabling a SIM and paying a handful of roaming SMS charges might easily be more convenient than traveling to Canada.

mixmastamyk · 7h ago
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
Detrytus · 9h ago
Password managers, such as KeePassX can generate TOTP codes. And Keepass database is just a file, you can have as many backups of it as you want.
sedatk · 9h ago
You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.
dfxm12 · 10h ago
The banks' real threat model is around what punishments will come from the government. If there's no real regulation with teeth, banks will not care.
gruez · 10h ago
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.
nunez · 4h ago
There are ways of getting phone numbers that can be used in automation. Then there's SIM cloning, which is apparently very easy to do and very hard to defend against given how often this happens.
speckx · 8h ago
I was surprised that Bank of America still does SMS based 2FA.
dmoy · 8h ago
BoA is one of the very few US banks that do any modern auth - they support fido2 security keys.

Of course effectively 0% of their customers actually use it, and instead rely on sms

kccqzy · 7h ago
Huh I set up SMS 2FA for BofA back in 2016 and I never knew they now support fido2.
charcircuit · 10h ago
Why would a bank care about money laundering?
Muromec · 7h ago
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.

Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.

charcircuit · 5h ago
There is a difference between caring about reducing legal risk and caring about money laundering.
jszymborski · 9h ago
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].

[0] https://www.investopedia.com/stock-analysis/2013/investing-n...

hiatus · 9h ago
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.

> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.

https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...

rs186 · 8h ago
I think you can easily answer that question yourself by doing a simple search.
josephthejoe · 9h ago
It's a long-complicated story but it essentially boils down to this: https://en.wikipedia.org/wiki/Bank_Secrecy_Act
gruez · 10h ago
If they're not seen as doing enough, they can be fined by regulators.
comrade1234 · 10h ago
UBS Switzerland has a decent system. When I first opened the account 15 years ago we had a number pad of codes on paper we entered as the authentication. Then later we got a credit card sized electronic device where we enter a passcode and it gives us a one-time code to enter to login. And now we have an Access app - we go to the website, enter our contract number, point our phone at a QR code on the webpage and authenticate on the app, and the desktop browser logs us in. The access app also is used for logging in with the mobile banking app. It never relied on sms.

Super simple but probably costs some money to develop.
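A constructed model of the QR-code login flow comrade1234 describes, added here as an example (it is not UBS's code and assumes nothing about their protocol): the browser session gets a fresh challenge shown as a QR code; the phone app, enrolled earlier with a per-device key, refuses QR codes that do not name the bank's origin, shows the contract number to the user, and returns a tag over (origin, contract, challenge); the server then marks the browser session authenticated. The origin, contract number and device key are hypothetical, and an HMAC device key stands in for the asymmetric key a real app would keep in the phone's secure element.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example of a cross-device (QR) login, not any bank's implementation.
BANK_ORIGIN = "https://ebanking.example"   # hypothetical


def approval_tag(device_key: bytes, origin: str, contract: str, challenge: str) -> str:
    msg = f"{origin}|{contract}|{challenge}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class QrLoginServer:
    def __init__(self, device_keys: dict, ttl_seconds: int = 60):
        self.device_keys = device_keys      # contract number -> enrolled device key (assumed enrolled earlier)
        self.sessions = {}
        self.ttl = ttl_seconds

    def start_login(self, contract: str, now: float) -> tuple:
        """Browser step 1: the user typed their contract number. Returns (session id, QR payload)."""
        sid = secrets.token_hex(8)
        challenge = secrets.token_hex(16)       # fresh per session, so an old QR code cannot be replayed
        self.sessions[sid] = {"contract": contract, "challenge": challenge,
                              "expires": now + self.ttl, "used": False, "authenticated": False}
        qr = json.dumps({"origin": BANK_ORIGIN, "sid": sid,
                         "contract": contract, "challenge": challenge})
        return sid, qr

    def complete(self, sid: str, tag: str, now: float) -> bool:
        """The phone app posts its tag; check it against this session's own challenge and contract."""
        s = self.sessions.get(sid)
        if s is None or s["used"] or now > s["expires"]:
            return False
        s["used"] = True                        # one attempt per challenge, success or not
        key = self.device_keys.get(s["contract"])
        if key is None:
            return False
        expected = approval_tag(key, BANK_ORIGIN, s["contract"], s["challenge"])
        if not hmac.compare_digest(expected, tag):
            return False
        s["authenticated"] = True
        return True

    def is_authenticated(self, sid: str) -> bool:
        """The browser polls this while the QR code is on screen."""
        return self.sessions.get(sid, {}).get("authenticated", False)


def phone_approve(qr_payload: str, device_key: bytes) -> tuple:
    """Phone app side. A QR code that names some other origin is rejected, so a
    code copied onto a phishing page cannot be turned into a login elsewhere."""
    data = json.loads(qr_payload)
    if data["origin"] != BANK_ORIGIN:
        raise ValueError("QR code is not from the bank")
    # A real app would display data["contract"] here and ask the user to confirm it.
    return data["sid"], approval_tag(device_key, data["origin"], data["contract"], data["challenge"])


if __name__ == "__main__":
    server = QrLoginServer({"12345678": b"enrolled-device-key"})
    sid, qr = server.start_login("12345678", now=1000.0)
    _, tag = phone_approve(qr, b"enrolled-device-key")
    print(server.complete(sid, tag, now=1010.0), server.is_authenticated(sid))
```

Three properties carry the security here: the challenge is random and single-use, it expires, and the tag binds the bank's origin and the contract number, so neither a replayed QR nor one relayed from another site yields a session.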

fullstop · 10h ago
Banks in the US sometimes support U2F, but you can never disable SMS. Maybe one day.
notpushkin · 10h ago
Would be nice if they could do email instead.
FredFS456 · 10h ago
Zurich Kantonalbank (ZKB) has a very similar system, probably because they're also a big bank in Switzerland
Huntsecker · 10h ago
Think it's a Europe thing, we have the same solution in Denmark. Chip and PIN has been in Europe forever, I don't think the US has moved to this yet (although happy to be wrong), and I also believe they still like those bouncy checks that have sort of died elsewhere.
pixelesque · 8h ago
UK Banks like Barclays also had the small electronic credit card sized device from around 2011 or so (and now use the Mobile app for that), but other UK banks like Halifax are still doing passwords (they even have a limit of 18 chars) and just ask you for random characters of memorable words, so there's a big inconsistency even within a single country.
p0w3n3d · 9h ago
while working for UBS (outside of Switzerland) i believe I had to use the same card, but oh boy it's expensive.
Phui3ferubus · 10h ago
> TOTP Support: Let users use any standard authenticator

How many of them allow generating a code related to a specific operation (providing a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.

878654Tom · 9h ago
And I love that requirement. I do banking on my desktop and to confirm the transfers I get a push notification from a third-party application (ItsMe, so not a banking mobile app) with all the information I have entered.

I can confirm the transaction from a complete separate device while doing a second check if all details are correct.

Detrytus · 8h ago
The requirement per se is not the biggest problem. Implementation by different banks is. In my country I have several bank accounts.

One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).

Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.

Yet another bank will allow me to have the mobile app on only one device. To activate it on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.

creer · 8h ago
Plus the "app" was written by clowns and doesn't really work for any reasonable idea of "work".
lxgr · 6h ago
And that's to say nothing about what happens when changing phones...
creer · 8h ago
Although to be fair this EU requirement tends in practice to make things yet still more cumbersome - requiring multiple authentications in one online banking session.
Meleagris · 10h ago
This past weekend I was struggling to teach my 97-year old neighbor how to login to his RBC Bank account. It was an 11 step process!!! The state of technology in the Canadian banking system is abysmal.

Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]

[1] https://productioncommunity.publicmobile.ca/t5/Get-Support/T...

ikesau · 10h ago
Also to pay taxes, you have to type "CRA" into your bank's "Add Payee" searchbox and hope you pick the right result out of 5 different options that all have CRA in the title.

It's mind-boggling that this is the solution we've settled on.

frenchtoast8 · 7h ago
There are a lot of people who get confused using the SMS code they received, let alone setting up passkeys, or TOTP and backing up their codes, and so on. The systems are designed for those people, not you. Even offering passkeys or TOTP as an option is a customer support liability, that's another thing agents need to support when someone nontechnical inevitably enables this by accident or has a family member set it up for them.

> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.

https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/

noleary · 9h ago
> I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option

> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.

In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.

When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.

People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.

Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).

We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.

taco_emoji · 8h ago
> People really don't understand passkeys

Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?

kortilla · 8h ago
One of the “features” of a passkey is that you can’t point to it. It’s a fucking nightmare
mixmastamyk · 7h ago
I didn't understand it either, but on the "Security Now" podcast Steve said it's basically like using a FIDO2 key but virtualized in software. As I've used a YubiKey and understand public/private keys (with ssh) I now have a vague idea.

As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!

idontcareatall · 8h ago
I. don't. care. Because we have to cater to the absolute lowest denominator, I now can't use my credit card 90% of the time because I can't receive SMS when I'm traveling abroad? No, not everyone has a fking iPhone and iMessage. Nothing in your comment serves as a defense of most places only having SMS 2FA. Why can Capital One email me every critical account notification, but can't email me 2FA/OTP codes for confirming transactions when I'm on the other side of the world? Why?

It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.

const_cast · 5h ago
You need to switch to a carrier that allows international roaming, preferably at no cost. A lot of the budget carriers like Mint don't. Those carriers are really really good, like truly 99% of the way there, but for very specific use-cases they have problems.
Zak · 7h ago
> No, not everyone has a fking iPhone and iMessage.

I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.

A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.

bberenberg · 10h ago
So an interesting trick I learned while suffering from the same issue is that roaming usually only applies to outbound data / SMS usage. So when I travel I disable data usage, and set my travel sim to be active and primary, but I can still receive SMS for free.
patrakov · 10h ago
> Even worse, these apps often become excuses, a reason to avoid implementing the open, interoperable standards that actually make a difference.

Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.

Muromec · 10h ago
From the POV of a bank, non extractable seed is a good thing
speedbird · 2h ago
Very few organisations get international use cases right. Want to load that public transport app for the city you’re spending three months in? Sorry, only available if your phone is tied to the local App Store. Use an international number as your primary contact number? No chance. &etc &etc
p0w3n3d · 9h ago
I remember my brother having a printed list of one-time-codes. I wonder why this is not mentioned? Not everyone wants to have their phone a single-point-of-failure. For me - breaking screen in my phone rendered my banking unavailable for me, which posed additional problem on how to pay for the screen replacement, not speaking about buying food etc.
h4ckerle · 7h ago
As a European I again find it crazy what kinds of insecure stuff the banking industry in the US does. Chip+PIN arrived long after it did here, SMS TAN is still a thing while EU Payment Services Directive 2 (PSD2) forbade this in 2018, 7 years ago. Many transactions are still authenticated via signatures on paper cheques, you can use your credit card without a second factor (also regulated by PSD2). I just can't understand why they continue doing this, when I'd assume fixing this would cost less than what fraud must be costing them today.
buckle8017 · 7h ago
> I'd assume fixing this would cost less than what fraud must be costing them today.

You'd be wrong there but not for obvious reasons.

Ultimately the cost of fraud is passed on to consumers. Banks pass the costs on to merchants, who in turn increase prices.

As a merchant increasing friction in the checkout process to reduce fraud does not improve profitability (broadly speaking).

So no they had no actual financial incentive to even implement chip and pin, that only happened because it was required by law.

lxgr · 6h ago
In the case of credit card payments this is true, but for checks and other P2P payments, there is no merchant to pass on costs to.

For these, it's usually the banks absorbing the losses themselves (or their customers, if they aren't legally required to, but in many cases they are).

buckle8017 · 4h ago
Check fraud is a relatively small percentage of all fraud.

It's also pretty much a solved problem, it's expensive to cash a check anywhere but into a checking account in your name. If you write too many bad checks or try to deposit them you'll get banned from... the entire banking sector.

avmich · 3h ago
> A modern authentication flow in 2025 should be built around strong, user-friendly, standards-based mechanisms: > Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics.

Maybe I'm missing something, but I heard that using biometrics for authentication was found bad some years ago and other ways for that were required?

nunez · 4h ago
My most charitable guess as to why banks haven't adopted TOTP or WebAuthn is a combination of:

- TOTP having just relatively-recently become a first class citizen on iOS and Android,

- Not wanting to spend the money needed to educate their customers, many of whom can just barely text, on passkeys, and

- Lacking regulatory pressure to force their hand.

That said, I hate the trend of web services moving to "passwordless" auth schemes that rely solely on email or SMS.

progmetaldev · 6h ago
I work on the CMS side of banking, where promotions and current rates are posted regularly. All actual banking is done through a first-party link to external systems. The amount of scrutiny and regular application scanning for vulnerabilities that is done on the CMS software I've built drives me insane, considering the glaring holes in security that affect their systems that actually deal with money. I take security seriously, and it's one of the main selling points of the software I build, but knowing how poorly made these systems are that house what a malicious user actually wants makes me understand how much of society's systems play security theater.
bouncing · 10h ago
The problem with the suggestions here is that it puts all your eggs in the same basket. 1Password TOTP? If both your password and the TOTP are in your password manager, you arguably really just have a single factor, delegated to a third party (your password manager). PassKeys? Same problem. Storing your recovery keys in your password manager? You again just have 1 factor.

SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.

Hackbraten · 9h ago
If you use a password manager, you might not be part of the target group that benefits most from a second factor.

A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.

aucisson_masque · 6h ago
I'd be curious to know what bank does actually do proper authentication? Like 2FA with an OTP code or passkey.

I went through quite a few banks in my life, some old-style banks, some all-internet banks; they were all some shade of horrible.

None offered proper authentication methods.

peterldowns · 5h ago
Vanguard on Web supports Passkeys for 2fa, but the iOS app seems to only support text-sms 2fa.

Robinhood supports passkey login on iOS app but doesn’t seem to require it for 2fa, email+password succeeds with no further prompts. But on Web it doesn’t support passkey at all, and email+password requires you to confirm auth via an in-app notification.

Both Robinhood and Vanguard support FaceID biometric auth for their apps.

All I want is passkey auth everywhere and/or email+password with options for passkey and TOTP for 2fa.

Ugh.

progmetaldev · 6h ago
In the US, I am seeing biometric authentication, and/or 2fa on mobile apps for financial institutions. The issue is that these same institutions are still running their websites that have the same security that was around in the early 2000's. You can take advantage of the mobile application and get better security, but you're still a target to someone that just accesses the website.
etskinner · 8h ago
As far as I can tell, the reason why any given login is needlessly complex is that some product manager somewhere has outdated info in their head that says stuff like "passwords need 4 different character classes" and "everybody uses SMS for 2FA, we need to use that". Powerless devs then mindlessly implement what they're asked to implement.
abanana · 8h ago
Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.
000ooo000 · 7h ago
Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.

As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.

It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.

warrenski · 8h ago
Here in South Africa all the banks I know of moved away from SMS text messages for 2FA ages ago, and perform authentication in-app with biometrics instead. Having a banking app installed on your phone is pretty much mandatory, and criminals have no doubt grown wise to this fact. So what happens when someone holds a gun to your head and forces you to perform a large transfer of funds from your phone? I'm sure the banks will try to convince you that their fraud detection systems will come to your aid.

One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.

I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.

fn-mote · 8h ago
> I'd much rather delete the apps, unlink my devices from my account and use a TOTP authenticator app instead.

I'm not clear how this changes the gun to your head scenario.

I would want to see numbers before making policy changes based on potential armed robbery.

dddddaviddddd · 10h ago
> And don’t even get me started on logging into accounts at the Canada Revenue Agency.

At least they support standard TOTP now. https://www.canada.ca/en/revenue-agency/services/e-services/...

exiguus · 7h ago
> The implementation of 3D Secure (3DS) primarily shifts the responsibility of transaction authentication to the customer. This approach is more about addressing legal and liability concerns than it is about enhancing security measures.

Is the answer I got.

physhster · 9h ago
Bank of America offers FIDO U2F as a second factor but doesn't let you remove SMS as a factor. I don't see what the point is.
lxgr · 6h ago
It doesn't do anything about SMS delivery based threats, but U2F at least makes authentication itself unphishable.
DamonHD · 10h ago
> If a system breaks in common scenarios, like international travel, it’s not a secure system. It’s a hostile one.

I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.

I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"

In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!

Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.

tadzikpk · 9h ago
The friction of changing bank accounts is high, and few people choose their bank accounts based on how easy the online authentication is. Unless a bank does this meaningfully much worse than their competitors (low bar) they have little incentive to fix it.

If you think TD is bad, try some European countries where there's only a handful of banks...

ziofill · 7h ago
I swear this is true: my old bank (Allianz) introduced a two factor authentication where they would show me a code upon login, then I HAD TO CALL THEM, go through a menu and punch in the code. I changed bank a couple months later.
kdbg · 6h ago
Only tangentially related, but I'm a Canadian who has been on a US cell provider (AT&T) for over a decade now because it's cheaper, especially when I used to spend a lot more time roaming in the US. The number of Canadian companies that fail silently when sending SMS to US numbers is too damn high.

My bank is one of those with Verified by Visa. Thankfully I've figured out that using the Voice option instead of Text will work but still that silent failure is really annoying.

notpushkin · 2h ago
I’ve seen only one bank offering TOTP as an option (Bank SPB in Russia). It’s really sad more banks don’t adopt it.
pnw · 10h ago
OP's problem sounds like failure to plan. If you are going to suspend your cell plan, you should probably check your authenticator works or have a backup option before you travel to another country.

I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.

Zak · 10h ago
A viable alternative is to offer multiple 2FA options, one of which should be RFC 6238 TOTP. The author would have probably planned ahead by selecting that rather than a proprietary app or SMS.
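
Zak's RFC 6238 suggestion is easy to check against the standard itself: the RFC publishes test vectors, so any implementation can be verified offline. The following is an added example (mine, not code from the thread, from TD, or from any authenticator app) of the HOTP/TOTP algorithm with the verification policy a server side needs: a small clock-skew window and a "last used counter" so a code is never accepted twice. The secret is the ASCII test key from RFC 6238 Appendix B; the function names are my own.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def seconds_remaining(unix_time, step=30):
    """How long the code shown at unix_time stays current (what Aegis-style apps colour-code)."""
    return step - (unix_time % step)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check.

    Accepts the code for the current step or any step within +/- window (clock skew),
    but never a counter at or below last_counter (replay of an already-used code).
    Returns the matched counter (the caller must persist it as the new last_counter)
    or None on failure.
    """
    submitted = submitted.strip()
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        # compare_digest: no early-exit on the first differing digit
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test key (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    now = int(time.time())
    print("current code:", totp(secret, now), "valid for", seconds_remaining(now), "s")
```

Persisting the returned counter per user is the part most home-grown implementations skip; without it an attacker who phishes a code has the whole 30-second step (plus the skew window) to reuse it.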
fullstop · 10h ago
> you should probably check your authenticator works or have a backup option before you travel to another country.

They may sign you out automatically if you connect from a different country.

coppsilgold · 10h ago
TD Authenticate does not require a network connection. I outright disabled network access for the app on my phone.

Don't know how he got logged out but he almost certainly didn't check before leaving the country.

Having said that, the 2FA for TD is atrocious as it provides SMS fallback in addition to their bespoke app.

saltcured · 10h ago
One thing I like about the Aegis authenticator app is the clear way it changes colors and even flashes to indicate a code is getting ready to change, so it is less common that you might start copying digits, glance away, and then finish copying digits from a different code.

But, I think it would still be a challenge for many elderly for other reasons.

nmca · 10h ago
hardware tokens are the way! Everyone has had a house key their whole lives, and understands how to keep a spare to prevent lock-outs.
Muromec · 10h ago
If only there was some kind of a physical token with a crypto key that is protected by a password and tied to one's bank account.

-s

nmca · 7h ago
I know this was sarcasm, but bank card is not appropriate because you should have one hardware key for all services produced by an independent provider.
Muromec · 6h ago
Why would I want to have one key for all them? To lose access or get them all compromised at the same time?
nmca · 5h ago
I think your threat model is bad — the isolation of accounts offers little and most people have effectively only the security of their email provider anyway.

That said, buying several keys would be a natural and happy path solution for the paranoid. Make sure to get three for each account (same as primary) as either you need a backup or the extra key offers no extra security.

craftkiller · 10h ago
The only bit we're lacking is the "tied to one's bank account". The rest already exists in the form of yubikeys and other hardware security tokens.
FateOfNations · 9h ago
Your bank/credit/debit/etc. card is a “physical token with a crypto key that is protected by a password and tied to one's bank account”. FIDO and EMV even both use the same underlying ISO/IEC 7816 and 14443 protocols for communications.
pasttense01 · 9h ago
Some of us don't want to have a dozen plus separate physical tokens (one for each of bank/credit card/tax, etc sites with sensitive financial information we have).
Muromec · 7h ago
Okay, I will make the "S" mark bigger next time.
mixmastamyk · 7h ago
Not how it works. One key can keep dozens of entries.
fullstop · 9h ago
I know plenty of people who have lost house keys. I have many Yubikeys and I am responsible with my things, but not everybody is like us.
rr808 · 8h ago
Hardware tokens are a PITA. Sure everyone has a house key because they only have a house at a time. I have 3 bank accounts, a few brokerage accounts, some pension logins on top of the regular stuff. I'm not going to carry 15 hardware tokens with me.
nmca · 7h ago
You only need one, plus a couple recovery spares, in any sane implementation.
kube-system · 8h ago
SecurID tokens suck but with FIDO2, you'd only need one key.

Of course, that breaks the UX analogy of the house key.

1a527dd5 · 7h ago
The answer is lack of competition.

Here in the UK, all bank apps were dismal. Until Monzo and Starling arrived on the scene, and holy hell did the big 4 get their acts together.

martinald · 10h ago
The reason it's a farce is because most banks are using some off the shelf system from one of the big vendors in the space OR legacy systems, or both. FIS is a good example.

They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.

You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.

pwg · 10h ago
> using some off the shelf system from one of the big vendors

This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.

If they created their own system, then they would be unable to offload the liability onto someone else.

FireBeyond · 9h ago
> If they created their own system, then they would be unable to offload the liability onto someone else.

In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.

actinium226 · 8h ago
Pretty much the same thing with Chase. I had to access my account while overseas and had a somewhat similar story.

The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.

Really disturbing the banks still haven't secured this.

bradley13 · 9h ago
Passkeys = excellent UX? In what world is that?

I keep looking at them, see the fragmentation, and have to say "no thanks, great idea, horrible reality".

hiatus · 9h ago
If you store them in a password manager it is pretty nice, but if not it can be pretty cumbersome, especially if using browsers with multiple profiles.
agentultra · 8h ago
Still not sure about Passkeys. Or biometrics. But agree that their SMS based systems are way outdated. Which is odd because, at least at the Canadian banks, the mobile and web experiences are generally pretty modern and good.

It’s almost like the various departments that make these systems don’t talk to each other.

Muromec · 10h ago
I think all the banks that I used for the last five years (from three different European countries) use the mobile app itself as a generator of security credentials. The app itself is pin protected.

Recovery paths vary -- from SMS and a hardware code generator (funny terminal to slot your bank card into) to government-managed PKI or ID cards.

I think only one of them is still using sms as a fallback for normal transaction confirmations.

xp84 · 10h ago
They should all be shamed continually until they adopt the common sense ideas in the article.

Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.

Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”

bob1029 · 10h ago
> There’s no excuse anymore.

Implementing "modern" auth flows is challenging with old core systems.

From a risk management and compliance standpoint, this new auth infrastructure would represent a non-trivial expansion in the bank's audit scope.

Until a regulator makes it a requirement to use whatever new auth flow, it is not going to happen at scale.

punnerud · 9h ago
We had SMS-auth in Norway until 15 years ago (?), then it was a special type of SMS popping all over your screen that was more secure. Now all that is gone and replaced with Apps for auth, with scanning of your Passport/NationalID using NFC + SMS the first time.
quintu5 · 8h ago
Banks are always facing a trade-off between security and regulatory accessibility requirements. A former employer offered ~10 different ways to perform step-up authentication for high risk activities to avoid getting slapped with fines.
creer · 8h ago
Then again "regulatory accessibility" has little to do with usability. You can have an 11 step process which works with a screen reader and is still hell.
homeonthemtn · 7h ago
I agree with this take and I think implementing passkeys, etc would result in mass confusion for many customers, especially the elderly.

I suspect that's a big reason for slow adoption

kirubel01 · 10h ago
Big corporations don’t fix anything unless it bleeds cash in an obvious way. Their siloed departments border on self-sabotage, and they only wake up when shareholders start shouting about lost profits—then they stall anyway.
kbar13 · 9h ago
i worked on a large platform (YC company, too!) previously on their 2FA implementation. while not ideal, it was decided to keep SMS 2FA because there are still people out there without smart phones or in general the ability to do TOTP. but they still have some means to access the site that wasn't a smartphone i guess.

so, it's a bit of a compatibility issue, i guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details

creer · 8h ago
Anything that requires a cellphone bakes in BOTH a single point of failure and cumbersome extra steps. Terrible practice anyway - even though so many people here are in love with both single points of failure and extra steps.

ALLOWING methods X, Y or Z would be better reasoning.

ted_dunning · 8h ago
That isn't a very strong argument for not allowing me to secure my account.
cypherpunks01 · 9h ago
Any US banks support TOTP or Yubikey/U2F requirements for login yet?

I've seen a couple consumer fintech products that support TOTP, still not many, and no banks I'm aware of.

samwise_i · 9h ago
Wells Fargo offers RSA hardware tokens if you know how to ask for them :-) Schwab offers a Symantec hardware token. Vanguard allows the use of a FIDO device (YubiKey).
mixmastamyk · 7h ago
Imagine using anything Symantec related to security. :-/
kube-system · 7h ago
Fidelity supports TOTP
dfboyd · 10h ago
https://news.ycombinator.com/item?id=38180477 -- HN discussion of "Seeing like a Bank"
waltbosz · 10h ago
Does password requirements with short max length count as getting it wrong? Because I see that all the time.

Also a password box that will accept more characters than the max password length.

idontwantthis · 9h ago
How about one that accepts any length on create but truncates it in the DB so your password manager saves the long one you typed in when it’s actually cut off at 12 chars? Had that one recently.
Waterluvian · 8h ago
It’s odd that banks are so bad at this because the incentives are correct: the banks pay when fraud happens. (At least up here)
john01dav · 10h ago
Some banks do it properly. For example, my local credit union does Google Authenticator (actually TOTP, but they call it Google Authenticator). I use it with Authy on F-Droid.
xp84 · 10h ago
Best thing that ever happened in this bleak security world is Google Authenticator. I haven’t used that app itself in years, preferring others, but the existence of it and it being non-proprietary, has done a lot to bring over the moderately-security-competent companies to thinking “hey, I guess we should support this.” Obviously that group excludes every American bank, every power utility, etc. They all want to email or text me a freaking code at each login for some reason.
poisonborz · 10h ago
Please do not use Authy, lacks essential features and it was bought by a bad actor.
clay10 · 10h ago
I switched from LastPass Authenticator to Authy after the hack. The lack of the "upcoming key" feature has been a huge pain point.

Any suggestions for what is better?

hackeman300 · 10h ago
Can you elaborate? Is twilio a bad actor?
johnisgood · 10h ago
I recommend KeePassDX from F-Droid for TOTP.
gtkspert · 10h ago
Is there a way off Authy yet?
Muromec · 10h ago
wait, which bad actor? I use it for everything and hear about it first time
kirubel01 · 10h ago
It's not a common problem enough for them to care.
koakuma-chan · 6h ago
Hey at least they aren't on firebase
socalgal2 · 5h ago
My apartment wanted to use some 3rd party service to do ACH transfers for my rent. I just wanted to type in my bank's routing number and account number but this 3rd party service only worked if you gave it your bank username/password. I was like NOPE! And sent them a paper check. My guess is they had some permission from the bank to also suck down all your transaction history.

I'm too lazy to look up the service, but it's a famous/popular service along the order of Plaid or something.

alkonaut · 10h ago
Why is there no standardized e-ID in the US? How much money is wasted by different authorities and businesses having to reinvent the same wheel over and over? I have used the same auth for doing my taxes or checking my prescriptions or signing into my bank for 20 years.
SpecialistK · 8h ago
From my experience in the US, UK (see https://en.wikipedia.org/wiki/NO2ID ) and Canada there is a cultural aversion to government ID. I believe it's the same in Aus and NZ, so it may be an Anglophone thing.
kube-system · 7h ago
It is partly cultural, and partly a power struggle between states and the federal government.
throwaway562if1 · 9h ago
The current US administration is known for illegally deporting permanent residents and has stated intent to deport natural-born citizens. It should be self-evident why a centralized ID system under the control of the executive branch is a terrible idea.
alkonaut · 9h ago
That's horrible but why would it be worse together with an e-id system?
throwaway562if1 · 9h ago
Because without thoroughly-enshrined protections for identities, an e-ID system provides an avenue for the government to effectively de-person undesirables at will, by removing their ability to use banks, sign contracts, access healthcare, etc.
Muromec · 7h ago
US government is deporting undesirables at will right now without any of that. On the other side of the world, where id is mandatory and e-id is used for everything that makes sense, the city hall gives free heroin injections to addicts as a last resort therapy and provides for illegal/undocumented homeless people so they don't shit on the street.

Neither of those prevents somebody from stealing bicycles zo.

shadowgovt · 10h ago
Broadly speaking: because they don't have to get it right.

Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.

Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.

bluGill · 9h ago
While not wrong, it will be a big hassle for whoever is the fraud victim while things are reversed. You may even lose other things in your life because you are unable to pay bills you technically have the money for but cannot access the money.
shadowgovt · 8h ago
This is all true and, most notably, not the bank's immediate concern.

The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.

(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy come back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).

tgsovlerkhgsel · 9h ago
None of the recommended alternatives show what you are authenticating for.

The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.

The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.

The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.

That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
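
The point above, that a good second factor shows (and is bound to) what is being authorized, can be made concrete. The following is an added example (mine, not code from the thread or from any bank's app) of a transaction-bound confirmation code: the code is an HMAC over the exact transaction details plus a server-issued challenge, so a code phished for one payment verifies only that payment, and a code for a changed amount or destination account simply does not match. Assumptions: `key` is a per-device secret provisioned at enrollment, `nonce` is a fresh per-request challenge from the server, and all account numbers below are constructed. The same idea, standardized, is what OCRA (RFC 6287) describes.

```python
import hashlib
import hmac
import json

DIGITS = 6


def canonical_transaction(amount_cents, currency, dest_account, nonce):
    """Fixed field set, sorted keys, no whitespace: both sides must hash identical bytes."""
    fields = {
        "amount_cents": amount_cents,
        "currency": currency,
        "dest": dest_account,
        "nonce": nonce,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def transaction_code(key, tx_bytes, digits=DIGITS):
    """Short code = HMAC-SHA256(key, canonical transaction), truncated to decimal digits."""
    mac = hmac.new(key, tx_bytes, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def display_prompt(amount_cents, currency, dest_account):
    """What the authenticator shows; the user confirms these exact details, not just 'log in'."""
    return (f"To authorize a transaction of {amount_cents // 100}.{amount_cents % 100:02d} "
            f"{currency} to account {dest_account}, enter the code shown")


def authenticator_side(key, amount_cents, currency, dest_account, nonce):
    """Device computes the code for the transaction it displayed (constructed flow)."""
    tx = canonical_transaction(amount_cents, currency, dest_account, nonce)
    return display_prompt(amount_cents, currency, dest_account), transaction_code(key, tx)


def verify_transaction(key, amount_cents, currency, dest_account, nonce, submitted):
    """Server recomputes the code for the transaction it is about to execute and compares."""
    tx = canonical_transaction(amount_cents, currency, dest_account, nonce)
    expected = transaction_code(key, tx)
    return hmac.compare_digest(expected, submitted.strip())


if __name__ == "__main__":
    key = b"constructed-per-device-secret"
    prompt, code = authenticator_side(key, 1234567, "USD", "CA-0000-1111", "nonce-001")
    print(prompt, "->", code)
    # A relay attacker who swaps the destination account gets a mismatch:
    print("swapped account accepted?",
          verify_transaction(key, 1234567, "USD", "CA-9999-2222", "nonce-001", code))
```

Because the nonce is part of the input, an old code cannot be replayed against a later request either; the server only ever compares against the one transaction and challenge it issued.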

cccs-kevin2 · 8h ago
This happened to me when I was overseas recently. No phone, I needed to access my credit card website with Scotiabank. I had previously relied on having an option for the OTP to be delivered either by email or sms, but when I tried in March, Scotiabank had removed the email option! I ended up having to basically remove 2FA from my bank account as a workaround, after answering a ton of security questions.

Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh

nottorp · 10h ago
I wonder what he would have written if he had his Canadian SIM but his TOTP device got stolen...
jamalhabash · 9h ago
Good question, that’s exactly why systems need multiple secure fallback options.
alfiedotwtf · 7h ago
Surely it couldn't be as bad as an unnamed Queensland (Australia) bank that did client-side authentication by looking up the username and password in one giant

    if username == "user1" && password == "password1"
        return true;
    else if username == "user2" && password == "password2"
        return true;
    else if ...
Yes, that was real.
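
The snippet above fails in two independent ways: the check runs on the client, and the credentials are compared in plaintext. The hardened counterpart, as an added example (mine, not code from the thread or from any bank), keeps verification on the server and stores only a salted, slow-hashed derived key, using nothing beyond Python's standard library. It also addresses the truncation complaint further up the thread (a password silently cut off at 12 characters): the whole password goes into the KDF, so a prefix of the real password does not verify. `CredentialStore` and its method names are my own; the dummy credential is a constructed value used only to keep timing uniform for unknown usernames.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed dummy salt: used when the username is unknown, so a failed lookup
# costs one full PBKDF2 round just like a failed password (no username oracle).
_DUMMY_SALT = b"\x00" * SALT_BYTES


def hash_password(password, salt=None):
    """Return (salt, derived_key). The entire password is hashed; nothing is truncated."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return salt, key


class CredentialStore:
    """Hypothetical server-side store: holds only (salt, derived key) per user."""

    def __init__(self):
        self._users = {}
        # Precomputed once so the unknown-user path performs a real comparison.
        self._dummy_key = hash_password("constructed-dummy", _DUMMY_SALT)[1]

    def register(self, username, password):
        # Random per-user salt: identical passwords produce different stored keys.
        self._users[username] = hash_password(password)

    def verify(self, username, password):
        known = username in self._users
        salt, stored = self._users.get(username, (_DUMMY_SALT, self._dummy_key))
        _, candidate = hash_password(password, salt)
        # Constant-time compare; `known` keeps the dummy path from ever succeeding.
        return hmac.compare_digest(candidate, stored) and known

    def stored_record(self, username):
        """Expose the stored tuple (for the check below that no plaintext is kept)."""
        return self._users[username]


if __name__ == "__main__":
    store = CredentialStore()
    store.register("user1", "correct horse battery staple 42")
    print("right password:", store.verify("user1", "correct horse battery staple 42"))
    print("12-char prefix:", store.verify("user1", "correct hors"))
    print("unknown user:  ", store.verify("user2", "password2"))
```

The `else if username == ... && password == ...` chain also means every customer's password ships to every customer's browser; with the store above, a leaked database yields salts and PBKDF2 outputs that must be brute-forced one user at a time.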
focusgroup0 · 9h ago
AML & KYC
6510 · 8h ago
Is it possible for Americans to use European or Chinese banks?

I'm only half trolling.

nly · 5h ago
Same reason they're still occasionally sending money to one another by cheque.
delusional · 10h ago
What actual real life person is going to switch their bank account because TOTP isn't supported?

That's why banks get authentication wrong. Because they are in the business of banking and banking customers do not care about TOTP.

idontcareatall · 8h ago
Me? As in, I've literally changed banks and canceled cards over this.

I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.

kube-system · 7h ago
> It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.

I think many banks might find it a benefit to exclude customers who don't have cellphones or SMS.

Geebs · 10h ago
But banks should have to provide better security or they should be at fault if the account is accessed by a third party due to their weak security.
delusional · 9h ago
Ok. They are not though.
ilaksh · 10h ago
I don't care how many times I am violently buried on this site for mentioning the word -- but cryptocurrency makes traditional banking obsolete. Or should have.
Muromec · 10h ago
No it doesn't
kube-system · 7h ago
cryptocurrency makes traditional banking obsolete only if:

1. you don't understand what banks do, or

2. you pretend that cryptocurrencies do things that they don't

One could make a list a mile long of things that banks do that cryptocurrencies have no answer for. Banking is not a technology, it is a service.

ilaksh · 5h ago
Maybe try to make a list of 1 or 2 things instead of a mile.
kube-system · 2h ago
Since we're on the topic of authentication, how about the fact that they are not recoverable? You cannot reset a password on the blockchain, nor can you call the blockchain and prove you are the rightful owner of any inaccessible/stolen funds, nor can you take the blockchain to court to return your funds. You are SOL.

Just about any service that banks do are great examples of other things that math itself cannot do for you. These are all reasons that people still overwhelmingly use banks.

Banks do work to integrate with other societal systems in meatspace, build infrastructure, manage exceptions, comply with legal expectations, provide service, build and maintain partnerships, etc. Cryptographic ledgers don't do any of this, they are inanimate.

xyst · 10h ago
Anybody that has the misfortune of working within a financial institution should know these folks are way behind the times.

They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management — thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks — then decry about asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.

This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.

xienze · 10h ago
I don’t think banks are deliberately trying to avoid using TOTP, it’s just that they have to cater to the lowest common denominator, you know, the kind for which anything computer-related is basically black magic.

SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.

With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.

There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?

I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.

xp84 · 10h ago
This is no excuse for not offering it. And no, SMS must NOT be a backup that’s always available, as the article points out, its availability for use is a security hole.

If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”

error503 · 9h ago
Recovery codes is an option, for one.

Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.

Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.

xienze · 10h ago
> “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”

Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.

And in what world is SMS not available but being able to call that same phone is?

jacobgkau · 5h ago
> Having someone call and ask for your SSN is a non-starter.

That's not what he said. This hypothetical robocall would simply instruct you to call a different (known good, printed on your card) number to authenticate, at which point you know who's on the line.

> And in what world is SMS not available but being able to call that same phone is?

It's a good point about the robocall notification itself, but I imagine this kind of system wouldn't even need that to work in order to function. What actually unlocks your account is calling the bank's system and inputting your SSN; you could preemptively do it from another phone if you know you lost your 2FA codes and are trying to log in.

This person's idea would replace your phone number being your authentication with your phone number simply being used for a notification, shifting the actual authentication to something the bank already knows but that someone who stole your credit card (and maybe your phone along with it) wouldn't inherently have. I got a bad whiff from it at first, but after thinking about it a little more, I think it's a good idea.

Zak · 10h ago
> With standard TOTP, now they have to worry about if the user correctly added the secret

The standard flow I usually see for setting up TOTP ends with entering an authentication code. If it's not valid then the setup isn't finished.

xienze · 10h ago
That's not what I'm talking about. I'm talking about the act of adding the secret to the authenticator app in the first place. There needs to be documentation to the effect of "open Google Authenticator, and if you don't have it, download it on the App Store or Google Play store. Open the app and choose 'new secret', ...". Probably also put in a QR code and link for good measure. Rinse and repeat for all the major authenticator apps. THEN you can have them verify.

It adds up to a decent amount of supporting documentation that the bank is responsible for providing.

Zak · 10h ago
Outside of services like GitHub where the average user is expected to know what an RFC is, I usually just see Google Authenticator supported and no mention of the fact that alternatives exist. That seems like an adequate solution.

TacticalCoder · 10h ago
It's not just authentication that they get wrong. On several websites (non banks) I can get my entire history, all my logins, all my transactions, since I created my accounts: all the way back to, say, 2013... No problem.

But banking websites only allow you to go a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.

"I sold an apartment I bought in 2013"

"Source of funds you used to buy the apartment in 2013 please"

And you're sorely out of luck with traditional banks.

My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.

And to add insult to injury, it's all dog slow of course.

Back in the day it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens for proofs of everything. So I didn't know that for my private account I had to carefully save every single wire transfer because it may be needed 15 years in the future.

Just screw that entire system. Fuck it.

P.S: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.