Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.
fkyoureadthedoc · 4h ago
Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.
Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.
lxgr · 2h ago
> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.
This regularly blows my mind.
Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”
No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.
SoftTalker · 1h ago
People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.
lxgr · 1h ago
Well, I’m not doing business with a company that trusts any random phone carrier’s identity assertion more than me in determining what is and isn’t my phone number, so I guess it works out nicely.
And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.
FireBeyond · 3h ago
Background check for a new employer resulted in me getting an email to my personal account:
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
bigfatkitten · 2h ago
Sounds like the sort of thing Hireright would do.
bee_rider · 4h ago
My rule is simple: if you contact me, you are the one that had to authenticate. Otherwise you are probably a scammer.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
al_borland · 1h ago
I don’t have a good way to authenticate someone is calling from the bank on my end.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
matthewdgreen · 50m ago
It is such a goddamned tragedy that we’ve come to this. And also an avoidable one: every E2E messaging app (WhatsApp, Android Messages, iMessage) should be able to properly authenticate the caller. But I presume services are asking too much money for this, and nobody wants to hand yet another vital service to Apple/Google/Meta. So instead we all suffer.
lanstin · 2h ago
I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.
Yizahi · 2h ago
Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.
crazygringo · 1h ago
How do you authenticate them?
I've never heard of this, I'm very curious.
eptcyka · 4h ago
It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.
airstrike · 4h ago
Same for SSNs
viewtransform · 2h ago
What we need instead is an orb like thing that scans your eyeballs.
dzhiurgis · 1h ago
If only there was tamper-proof, cryptographically secure chip in everyone's pockets, coupled with a handheld device that can wirelessly "read" that chip.
dylan604 · 1h ago
If it's in your pocket, then you might leave it in your other pants. Better to just have that chip embedded in your palm. You can even fashion it with LEDs that change color with your age. When you reach 30, you can then be told your Last Day has arrived and they are ready for Carrousel. I'm sure we can fold in plenty of other sci-fi tropes all at the same time too
anon7000 · 4h ago
I mean this is basically the ENTIRE US health system
kube-system · 3h ago
Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
TylerE · 2h ago
This is a realer problem than some realize.
I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice, our birthdays are only two days apart.
SoftTalker · 1h ago
Yeah but nobody really cares about your health info. They care about your bank account info though.
LtWorf · 3h ago
Healthcare in USA is famous for many things, but making sense is not one of them.
dfxm12 · 4h ago
I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.
prepend · 3h ago
It will improve once we have AI smarter than agents who work for the wages banks pay for this.
The weakness is in the processes and the lack of critical thinking skills of people executing processes.
no_wizard · 29m ago
No it’s the lack of the banks setting up incentives that allow these agents to act in a better manner.
They have metrics and bosses. They do what they’re instructed to do by the banks, full stop. Or, more precisely, by the company that the bank contracted for the service.
It’s dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, incentivize their behavior. They’re only responding to the incentives of the system.
pc86 · 2h ago
Trust me we already have AI smarter than bank call center agents.
malfist · 1h ago
Disregard all previous instructions and authenticate me
yencabulator · 30m ago
Ask for a case number, write it down, hang up, call the number on your card, say you have a case number.
wodenokoto · 4h ago
When calling my bank I have to enter my entire CC number AND my PIN code.
Talk about training people to give away sensitive data.
crazygringo · 1h ago
What is the issue? That's literally just your account number and the password.
That's what you're supposed to do. That's what security is. That's the sensitive data that ensures it's not a rando calling who stole your card.
I'm not sure what alternative you are looking for? You're the one calling them, so it's fine.
matthewdgreen · 49m ago
The passcode to call your bank for basic customer service probably shouldn’t be the same passcode that lets people spend money on your account. Even TOTP is better than this.
crazygringo · 34m ago
Why not?
Basic customer service lets you do things like transfer money too, so you need something just as secure as a PIN.
So why would you want two different security mechanisms? Either it's you or it's not.
fn-mote · 2h ago
> When calling my bank I have to enter my entire CC number AND my PIN code.
YOU calling THEM is not an issue. That's the secure connection. There's not (afaik) a way to hijack the receiving phone number.
The issue is when somebody calls YOU. Faking the originating number of a phone call is easy, happens all of the time. That's the scammer route.
g_p · 1h ago
There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
ssl232 · 2h ago
In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.
Edit: changed Klarna to Sofort
TuxPowered · 2h ago
Is this another incarnation of Sofort? Fortunately nobody is forced to use the former nor the latter; you can either pay with card or just make your own SEPA transfer from any bank in Europe.
dzhiurgis · 1h ago
At least in Lithuania the "nobody is forced to use" is only partly true. Sometimes in the checkout flow you get links to the big-5 banks and that's it, even though technically the entire SEPA area should be OK.
ssl232 · 2h ago
Ah yes it was Sofort, not Klarna.
hinkley · 4h ago
It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.
Send people to the website to find your number, idiots.
patrakov · 3h ago
My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.
hinkley · 2h ago
Letter of the law: [x]
Spirit of the law: [ ]
howard941 · 3h ago
Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.
ted_dunning · 3h ago
Googling a scammer's phone number often lands you on a site that looks just like the real thing.
You should have looked up the ssa site and found the number that way.
howard941 · 3h ago
Good point
Pikamander2 · 4h ago
My dad recently got a letter telling him that his bank account would be closed in 30 days if he didn't call the phone number listed on the letter.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
niij · 4h ago
Which Bank?
bloqs · 4h ago
Which bank....
blitzar · 3h ago
> they still expect you to authenticate when they phone you
Why has some startup not solved this problem already?
kube-system · 3h ago
Authentication is not one problem with one solution.
It is many problems with many solutions.
Yizahi · 2h ago
There are 3 hard problems in Computer Science after all :) /s
awesome_dude · 1h ago
Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
ikiris · 3h ago
The entire debt collection ecosystem works like this as well. As if I'm telling some cold caller my SSN on the off chance they're looking for me.
ToucanLoucan · 4h ago
The complete lack of ANY kind of security, usability, and reference-ability in telephones and the continued use of them as the default communication method in business is absolutely fucking baffling to me. It's literally the worst communication method for anything: It requires verbal back and forth between two parties that's entirely dependent on your hearing the other person, with built in opportunities for mishearing. The immediate back and forth puts pressure on people to have everything they need ready lest they have to take time to respond while they figure something out. The entire conversation unless recorded is completely lost to the ether as soon as it ends, there's no way to reference back to any history, and transcriptions over crappy phone connections are less than useless. And to top it off, there is NO security AT ALL for these things, and any attempt to screen by contacts is constantly thwarted by every business that exists having between 4 and 4 billion fucking phone numbers because everything is done with phones and everyone working there needs one.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
ikiris · 2h ago
The reason a lot of places do it is both for old people, and for the triggering of fraud laws that are still specific to the media.
Yizahi · 2h ago
I had a revelation this year. I have a new bank account and am not familiar with their procedure. In the first few calls they made to me, they asked some good questions; aside from my name, they were negative, e.g. "did you do X thing in your app?", when we both know that I did not. But then last time an operator called and asked me PII questions (birthday, address etc.). I got triggered and said "eh, sorry, won't tell you because unsafe". And she went "oh, no problem then, I will auth you in the app". Lo and behold, I immediately got a push from the bank app with her name, the phone number calling and some details. So they do have a perfectly 1) safe, 2) repeatably reliable, 3) and fast way to authenticate customers. They just mostly ignore it. I still simultaneously like them and am angry at them.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
PS: I'm in EU.
nly · 28s ago
Same reason they're still occasionally sending money to one another by cheque.
kokonoko · 4h ago
Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.
signal11 · 4h ago
Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft, who supply extensively to financial services, have updated their guidance about password policies.
At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.
delfinom · 3h ago
It's not inertia. In my big corpo's case, it's because the cybersecurity insurer is refusing to follow NIST.
technion · 2h ago
I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords was not.
Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.
Geebs · 4h ago
One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.
newhotelowner · 4h ago
Our hotel franchise requires us to change the password every month. We can't use the last 6-8 passwords.
bluGill · 3h ago
Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part.
rrr_oh_man · 4h ago
Password manager ftw
pc86 · 2h ago
This is fine for services you can easily access on a phone or computer.
My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.
I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.
My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.
deathanatos · 48m ago
I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.
Obviously, this is a terrible idea.
michaelt · 35m ago
Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".
So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.
hamburglar · 2h ago
The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.
9x39 · 47m ago
Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.
Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.
There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.
hamburglar · 7m ago
I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabotaging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.
arccy · 1h ago
Hunter2025May
brazzy · 4h ago
NIST only changed that recommendation last year. Expect that update to take at least 10 years to percolate through institutions like banks.
GuB-42 · 3h ago
This recommendation dates back from 2017.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
8 years later, no one seems to care. Other things that the NIST doesn't recommend is rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.
And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.
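As an added illustration of the NIST SP 800-63B rules GuB-42 summarises above (screen against breach corpora and username-derived values, no composition rules, rotate only on evidence of compromise), together with a check for the Password1/Password2 rotation pattern bluGill describes earlier in the thread. This is example code written for this page, not from any bank or from NIST; the breach corpus is a constructed five-entry sample and the helper names are invented.

```python
"""SP 800-63B-style memorized-secret checks: length floor, screen against
known-weak values, no composition rules, no age-based expiry."""
import hashlib
import re

# Constructed stand-in for a breached-password corpus (a real deployment
# would load a HIBP-style dump); kept as upper-case SHA-1 hex digests,
# the format such dumps use.
_SAMPLE_BREACHED = ["password", "Password1", "hunter2", "Summer2024!", "qwerty123"]
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _SAMPLE_BREACHED}

MIN_LEN = 8   # 800-63B floor for user-chosen memorized secrets
MAX_LEN = 64  # verifiers should permit at least this many characters


def _derived_from_identifier(pw, username):
    """True if the password contains the username or any word-like part of it."""
    low = pw.lower()
    parts = [username.lower()] + re.split(r"[.@_\-]", username.lower())
    return any(len(p) >= 3 and p in low for p in parts)


def _repetitive_or_sequential(pw):
    """Flags 'aaaaaaaa', '12345678' or 'abcdefgh' style strings."""
    if len(set(pw)) == 1:
        return True
    steps = [ord(b) - ord(a) for a, b in zip(pw, pw[1:])]
    return len(steps) >= 3 and len(set(steps)) == 1 and steps[0] in (1, -1)


def _stem(pw):
    """Strip a trailing counter/suffix so 'Password2!' and 'Password1' compare equal."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def too_similar_to_previous(pw, previous):
    """Catches the rotate-by-incrementing habit (Password1 -> Password2 -> ...)."""
    stem = _stem(pw)
    return bool(stem) and any(stem == _stem(old) for old in previous)


def check_password(pw, username, previous=(), breached=BREACHED_SHA1):
    """Return the list of rejection reasons; an empty list means accepted.
    Deliberately absent: any requirement for digits, symbols or case mixing."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if hashlib.sha1(pw.encode()).hexdigest().upper() in breached:
        reasons.append("appears in breach corpus")
    if _derived_from_identifier(pw, username):
        reasons.append("derived from username")
    if _repetitive_or_sequential(pw):
        reasons.append("repetitive or sequential characters")
    if too_similar_to_previous(pw, previous):
        reasons.append("only a counter changed from a previous password")
    return reasons


def rotation_required_legacy(age_days, max_age_days=90):
    """The calendar-driven policy the thread complains about."""
    return age_days > max_age_days


def rotation_required_nist(compromise_evidence):
    """800-63B: force a change only on evidence of compromise; age is irrelevant."""
    return bool(compromise_evidence)


if __name__ == "__main__":
    print(check_password("Password2", "alice", previous=["Password1"]))
    print(check_password("correct horse battery staple", "alice"))
```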
chvid · 4h ago
Identity providing is a natural monopoly and should be provided by the state in same manner as a passport is provided.
We can discuss the implementation, but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state-run identity provider (MitID), and hopefully the EU will be successful with their eIDAS initiative and provide a solution that works across country boundaries.
In the U.S., identity providing is not a role the government fills. Not everyone has to have a passport, for example. A passport is merely a purpose-specific tool for crossing borders, not general identity.
matthewdgreen · 46m ago
Android and iOS now support driving licenses for seven states. They’re working on an anonymous credential library to allow you to authenticate and verify to websites, and you can use tap-to-ID with TSA. You’re right that not everyone has a DMV-issued ID but other than that, we’re pretty close to having an optional national electronic ID.
chvid · 3h ago
You have plenty of government IDs in the US as well. Driver licenses, tax number, birth certificates ...
I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.
lxgr · 45m ago
A tax number isn't an identity document (it's an identifier), nor is a birth certificate (since it doesn't have a photo).
Driver's licenses (or non-driver IDs) are the US's de facto ID standard.
kortilla · 2h ago
You can’t have privacy if everyone uses the government as an SSO.
People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.
lxgr · 44m ago
> You can’t have privacy if everyone uses the government as an SSO.
Why not? Anonymous cryptographic attestation methods (e.g. of only the fact that you are over 18 years old, that you are a permanent resident etc.) exist.
chvid · 2h ago
But you can if you live in a well functioning democratic society - remember the alternative is not no id but privatized for profit identity providers like Google and Facebook.
Muromec · 2h ago
A well-functioning democratic society is an idea that the US explicitly rejects, because a democratic society can point a finger at you and that doesn't feel nice.
einarfd · 2h ago
In Norway our BankID system, which is similar to what the Danes have, is owned by the banks, and is a run by a private company.
While I personally think that in principle it should be run by the government.
It works well enough, and it is IMO proof that it does not have to be run by the government.
nand_gate · 23m ago
Isn't being run by a bank just a roundabout way to be run by the gov't?
Your root of trust for said bank id is gov't documents, right?
Muromec · 4h ago
Federal government or governments in general? As far as I get it, driver licenses are doing in the US what ID cards are doing in Europe, and are issued by governments too.
Brybry · 3h ago
While a driver's license does normally fill that role, it's not mandated and not everyone has a driver's license (or even a state issued ID).
Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.
Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).
deathanatos · 1h ago
This whole thread is going to motte & bailey between the various forms of US gov ID. Between the union of {SSN, birth cert, driver's license (or ID in lieu thereof)}, it seems to me there's the equivalent of a federal ID. Just, like everything else we do, a terrible incomprehensible mess to Europeans.
My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.
Workaccount2 · 3h ago
In the US you don't need to have any form of ID. Your life will be very difficult, but you don't legally need it. ID is an optional service here.
Muromec · 2h ago
Well, what I was replying to is about who is providing the service. Whether or not the service is mandatory is a different one. I know places on the European continent where having an ID and a registered address is mandatory, but the fine for noncompliance is about 1 EUR.
ikiris · 2h ago
Well as long as you have specific skin colors this is true. Don't let ICE catch you with no valid form of ID if you don't look European.
loeg · 3h ago
And it is a significant flaw of the US model!
kortilla · 2h ago
Not if you ask people who specifically don’t want the government tracking everything
tart-lemonade · 2h ago
And the worst part is a federal ID would not enable tracking any more than your employers withholding wages for tax purposes and paying into Social Security does, but every time a federal ID has been proposed (which would be really useful as a way to keep SSNs from becoming something you have to disclose to everyone and their dog) it's been shut down by the "it's all a road to tyranny" crowd.
I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.
Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).
lxgr · 42m ago
Ironically, lax to nonexistent data privacy laws and the ubiquitous use of SSNs as globally unique identifiers are achieving exactly the outcome that the lack of government ID verification purportedly achieves.
loeg · 2h ago
They are deluded if they think the lack of federal ID (ignoring Social Security) provides any privacy benefit, and the cost is immense.
k4rli · 1h ago
This is yet another USA defaultism post.
I have developed for several banks in Europe, and eIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still have alternate options: smartcard with reader, or a smartcard-based national app.
Most seem to favour using apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.
riffraff · 4h ago
Italy has quite an interesting system[0] where multiple identity providers (authorized by the State) can be used to provide identification against the central database.
It'll probably be phased out at some point, but it's quite cool.
If it integrates with eIDAS, it doesn't necessarily have to be phased out. A very good pragmatic decision of eIDAS was recognizing that many member countries have different existing eID schemes, and federating them is easier than rolling out a new one from scratch.
sneak · 4h ago
Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity. Don’t be a privacy defeatist, the fight isn’t lost yet.
Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.
State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.
stef25 · 3h ago
We have universal ID cards here in Belgium. They have a chip and along with a special card reader usb device you can log in to govt websites related to taxes, pension and basically everything else.
If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.
Where is the privacy problem if you use this system to consult your own civil data? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.
> Resist every single effort to make it easier for merchants and private entities to strongly identify users
How is this related to govt issued ID cards?
Dylan16807 · 3h ago
If it's easy enough to connect such an ID with arbitrary companies, I don't trust US privacy laws to prevent them from requiring it.
Muromec · 2h ago
Maybe not having IDs is the reason why US doesn't have privacy protections and everybody can buy all the data anyway for 5 bucks from ad tech and telecoms.
lxgr · 40m ago
I've lived both in countries that have state-issued IDs and in the US, and I don't have much doubt about where I've felt better protected in terms of data privacy...
layer8 · 3h ago
The way identity providers are supposed to work is to not necessarily divulge your identity, but properties necessary for the respective service. For example, they can attest that you are an adult and a citizen of $country, but don’t need to disclose any further information. When using an identity provider with a third-party service, the attested attributes are displayed to the user to approve their disclosure. This is a bit like app permissions, where you can specify which app should be able to have which permission.
kortilla · 2h ago
But most sites will just require you to attest your full name. Additionally, they will require a unique ID that the govt might not bother changing between websites.
Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.
hosteur · 3h ago
> Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity.
Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.
einarfd · 2h ago
At one point I was researching using the Norwegian BankID system to ensure that accounts were real people.
The pricing model didn't make that look like a reasonable choice.
While I'm not surprised an eBay-like service would be fine paying to combat fraud, for a lot of offerings paying the cost of using such services will not be worth it.
patja · 2h ago
I'm so sick of retail clerks who insist on scanning the barcode of my driver's license. To verify I am 21 you don't need my height, weight, eye color, and home address. You can ascertain that by visually inspecting just the first two digits of my birth year.
mixmastamyk · 2h ago
Sounds like you may be aware, but no one should allow that to happen. When showing ID in retail situations I don't allow it to be removed from my hand.
lenerdenator · 2h ago
Well, let's do the cost-benefit analysis here.
Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.
If someone does breach an account, it's incredibly difficult to pin on the bank.
If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.
I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.
There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.
gtkspert · 4h ago
You have to think of a Bank's threat model though.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate.
Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.)
And requiring a special app is quite difficult to automate.
sedatk · 4h ago
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
sir_brickalot · 2h ago
Counter:
Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.
kube-system · 2h ago
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
TingPing · 1h ago
You aren’t wrong. It is built into Google's and Apple's though, should be widely used.
sneak · 4h ago
Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.
sedatk · 4h ago
What do you think such a recovery mechanism would look like without SMS?
Uvix · 3h ago
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
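The offline backup codes Uvix describes, as an added example that is not part of the thread: codes are issued once at enrolment for the user to print, the server keeps only salted hashes, and each code is consumed on first use. All names, the alphabet and the PBKDF2 cost are my own choices.

```python
"""Single-use offline backup codes for a TOTP-protected account.

Added example, not code from the thread. The server never stores the
plaintext codes, so the printed sheet is the only usable copy.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed alphabet: no 0/o/1/l/i, so a printed code is hard to mistype.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10          # 31^10 ~ 8e14 possibilities per code


def generate_code() -> str:
    """Random code such as 'k7d2p-mq4vx', grouped for readability."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    return f"{raw[:5]}-{raw[5:]}"


def normalize(code: str) -> str:
    """Accept what a user types: any case, with or without the dash/spaces."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked table cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


@dataclass
class BackupCodeStore:
    """Per-account server-side state: one salt and the hashes still unused."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    unused: list = field(default_factory=list)

    def issue(self, count: int = 10) -> list:
        """Create a fresh set (replacing any old one); plaintext is returned once."""
        codes = [generate_code() for _ in range(count)]
        self.unused = [hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code. Every stored hash is compared in constant time so
        the response time does not reveal which slot matched."""
        digest = hash_code(code, self.salt)
        matched = None
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, digest):
                matched = i
        if matched is None:
            return False
        del self.unused[matched]       # single use: a replayed code now fails
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    sheet = store.issue(5)
    print("print and keep offline:", sheet)
    print("redeem once:", store.redeem(sheet[0]))
    print("redeem again:", store.redeem(sheet[0]))
    print("codes left:", store.remaining())
```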
sedatk · 3h ago
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.
Offline backup codes, when printed, aren't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
Uvix · 3h ago
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
kbolino · 1h ago
How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
loeg · 3h ago
Show up in person with ID.
kube-system · 2h ago
That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.
Yes, but remember, the original scenario was a person leaving Canada and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access their account easily.
mixmastamyk · 1h ago
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
Detrytus · 3h ago
Password managers, such as KeePassX can generate TOTP codes. And Keepass database is just a file, you can have as many backups of it as you want.
sedatk · 3h ago
You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.
dfxm12 · 4h ago
The banks' real threat model is around what punishments will come from the government. If there's no real regulation with teeth, banks will not care.
gruez · 4h ago
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 android phone and an app with SMS access.
speckx · 2h ago
I was surprised that Bank of America still does SMS based 2FA.
dmoy · 2h ago
BoA is one of the very few US banks that do any modern auth - they support fido2 security keys.
Of course effectively 0% of their customers actually use it, and instead rely on sms
kccqzy · 1h ago
Huh I set up SMS 2FA for BofA back in 2016 and I never knew they now support fido2.
charcircuit · 4h ago
Why would a bank care about money laundering?
Muromec · 1h ago
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
jszymborski · 3h ago
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
If they're not seen as doing enough, they can be fined by regulators.
comrade1234 · 4h ago
UBS Switzerland has a decent system. When I first opened the account 15 years ago we had a number pad of codes on paper we entered as the authentication. Then later we got a credit card sized electronic device where we enter a passcode and it gives us a one-time code to enter to login. And now we have an Access app - we go to the website, enter our contract number, point our phone at a QR code on the webpage and authenticate on the app, and the desktop browser logs us in. The access app also is used for logging in with the mobile banking app. It never relied on sms.
Super simple but probably costs some money to develop.
fullstop · 4h ago
Banks in the US sometimes support U2F, but you can never disable SMS. Maybe one day.
notpushkin · 4h ago
Would be nice if they could do email instead.
FredFS456 · 4h ago
Zurich Kantonalbank (ZKB) has a very similar system, probably because they're also a big bank in Switzerland
Huntsecker · 4h ago
I think it's a Europe thing; we have the same solution in Denmark. Chip and Pin has been in Europe forever. I don't think the US has moved to this yet (although happy to be wrong) and I also believe they still like those bouncy checks that have sort of died elsewhere.
pixelesque · 2h ago
UK Banks like Barclays also had the small electronic credit card sized device from around 2011 or so (and now use the Mobile app for that), but other UK banks like Halifax are still doing passwords (they even have a limit of 18 chars) and just ask you for random characters of memorable words, so there's a big inconsistency even within a single country.
p0w3n3d · 3h ago
While working for UBS (outside of Switzerland) I believe I had to use the same card, but oh boy it's expensive.
Phui3ferubus · 4h ago
> TOTP Support: Let users use any standard authenticator
How many of them allow you to generate a code related to a specific operation (provide a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
878654Tom · 3h ago
And I love that requirement. I do banking on my desktop and to confirm the transfers I get a push notification from a third-party application (ItsMe, so not a banking mobile app) with all the information I have entered.
I can confirm the transaction from a complete separate device while doing a second check if all details are correct.
Detrytus · 2h ago
The requirement per se is not the biggest problem. Implementation by different banks is. In my country I have several bank accounts.
One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).
Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.
Yet another bank will only allow me to have the mobile app on one device. To activate it on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.
lxgr · 34m ago
And that's to say nothing about what happens when changing phones...
creer · 2h ago
Plus the "app" was written by clowns and doesn't really work for any reasonable idea of "work".
creer · 2h ago
Although to be fair this EU requirement tends in practice to make things yet still more cumbersome - requiring multiple authentications in one online banking session.
frenchtoast8 · 1h ago
There are a lot of people who get confused using the SMS code they received, let alone setting up passkeys, or TOTP and backing up their codes, and so on. The systems are designed for those people, not you. Even offering passkeys or TOTP as an option is a customer support liability; that's another thing agents need to support when someone nontechnical inevitably enabled this by accident or has a family member set it up for them.
> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.
This past weekend I was struggling to teach my 97-year old neighbor how to login to his RBC Bank account. It was an 11 step process!!! The state of technology in the Canadian banking system is abysmal.
Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]
Also to pay taxes, you have to type "CRA" into your bank's "Add Payee" searchbox and hope you pick the right result out of 5 different options that all have CRA in the title.
It's mind-boggling that this is the solution we've settled on.
progmetaldev · 39m ago
I work on the CMS side of banking, where promotions and current rates are posted regularly. All actual banking is done through a first-party link to external systems. The amount of scrutiny and regular application scanning for vulnerabilities that is done on the CMS software I've built drives me insane, considering the glaring holes in security that affect their systems that actually deal with money. I take security seriously, and it's one of the main selling points of the software I build, but knowing how poorly made these systems are that house what a malicious user actually wants makes me understand how much of society's systems play security theater.
h4ckerle · 1h ago
As a European I again find it crazy what kinds of insecure stuff the banking industry in the US does. Chip+PIN arrived long after they did here, SMS TAN is still a thing while EU Payment Services Directive 2 (PSD2) forbade this in 2018, 7 years ago.
Many transactions are still authenticated via signatures on paper cheques, you can use your credit card without a second factor (also regulated by PSD2).
I just can't understand why they continue doing this, when I'd assume fixing this would cost less than what fraud must be costing them today.
buckle8017 · 1h ago
> I'd assume fixing this would cost less than what fraud must be costing them today.
You'd be wrong there but not for obvious reasons.
Ultimately the cost of fraud is passed on to consumers. Banks pass the costs on to merchants, who in turn increase prices.
As a merchant, increasing friction in the checkout process to reduce fraud does not improve profitability (broadly speaking).
So no they had no actual financial incentive to even implement chip and pin, that only happened because it was required by law.
lxgr · 36m ago
In the case of credit card payments this is true, but for checks and other P2P payments, there is no merchant to pass on costs to.
For these, it's usually the banks absorbing the losses themselves (or their customers, if they aren't legally required to, but in many cases they are).
aucisson_masque · 44m ago
I'd be curious to know what bank actually does proper authentication? Like 2fa with an otp code or passkey.
I went through quite a few banks in my life, some old-style banks, some all-internet banks, they were all some shade of horrible.
None offered a proper authentication method.
progmetaldev · 34m ago
In the US, I am seeing biometric authentication, and/or 2fa on mobile apps for financial institutions. The issue is that these same institutions are still running their websites that have the same security that was around in the early 2000's. You can take advantage of the mobile application and get better security, but you're still a target to someone that just accesses the website.
kdbg · 38m ago
Only tangentially related, but I'm a Canadian who has been on a US cell provider (AT&T) for over a decade now because it's cheaper, especially when I used to spend a lot more time roaming in the US. The number of Canadian companies that fail silently when sending SMS to US numbers is too damn high.
My bank is one of those with Verified by Visa. Thankfully I've figured out that using the Voice option instead of Text will work but still that silent failure is really annoying.
bberenberg · 4h ago
So an interesting trick I learned while suffering from the same issue is that roaming usually only applies to outbound data / SMS usage. So when I travel I disable data usage, and set my travel sim to be active and primary, but I can still receive SMS for free.
noleary · 3h ago
> I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.
When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.
People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.
Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).
We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.
taco_emoji · 3h ago
> People really don't understand passkeys
Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?
kortilla · 2h ago
One of the “features” of a passkey is that you can’t point to it. It’s a fucking nightmare
mixmastamyk · 1h ago
I didn't understand it either, but on the "Security Now" podcast Steve said it's basically like using a FIDO2 key but virtualized in software. As I've used a yubikey and understand public/private keys (with ssh) I now have a vague idea.
As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!
idontcareatall · 2h ago
I. don't. care. Because we have to cater to the absolute lowest denominator, I now can't use my credit card 90% of the time because I can't receive SMS when I'm traveling abroad? No, not everyone has a fking iPhone and iMessage. Nothing in your comment serves as a defense of most places only having SMS 2FA. Why can Capital One email me every critical account notification, but can't email me 2FA/OTP codes for confirming transactions when I'm on the other side of the world? Why?
It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.
Zak · 1h ago
> No, not everyone has a fking iPhone and iMessage.
I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.
A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.
exiguus · 1h ago
> The implementation of 3D Secure (3DS) primarily shifts the responsibility of transaction authentication to the customer. This approach is more about addressing legal and liability concerns than it is about enhancing security measures.
Is the answer I got.
patrakov · 4h ago
> Even worse, these apps often become excuses, a reason to avoid implementing the open, interoperable standards that actually make a difference.
Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.
Muromec · 4h ago
From the POV of a bank, a non-extractable seed is a good thing
p0w3n3d · 3h ago
I remember my brother having a printed list of one-time-codes. I wonder why this is not mentioned? Not everyone wants to have their phone a single-point-of-failure. For me - breaking screen in my phone rendered my banking unavailable for me, which posed additional problem on how to pay for the screen replacement, not speaking about buying food etc.
koakuma-chan · 13m ago
Hey at least they aren't on firebase
1a527dd5 · 1h ago
The answer is lack of competition.
Here in the UK, all bank apps were dismal. Until Monzo and Starling arrived on the scene, and holy hell did the big 4 get their acts together.
ziofill · 1h ago
I swear this is true: my old bank (Allianz) introduced a two factor authentication where they would show me a code upon login, then I HAD TO CALL THEM, go through a menu and punch in the code. I changed bank a couple months later.
warrenski · 2h ago
Here in South Africa all the banks I know of moved away from SMS text messages for 2FA ages ago, and perform authentication in-app with biometrics instead. Having a banking app installed on your phone is pretty much mandatory, and criminals have no doubt grown wise to this fact. So what happens when someone holds a gun to your head and forces you to perform a large transfer of funds from your phone? I'm sure the banks will try to convince you that their fraud detection systems will come to your aid.
One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.
I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.
fn-mote · 2h ago
> I'd much rather delete the apps, unlink my devices from my account and use a TOTP authenticator app instead.
I'm not clear how this changes the gun to your head scenario.
I would want to see numbers before making policy changes based on potential armed robbery.
etskinner · 2h ago
As far as I can tell, the reason why any given login is needlessly complex is that some product manager somewhere has outdated info in their head that says stuff like "passwords need 4 different character classes" and "everybody uses SMS for 2FA, we need to use that". Powerless devs then mindlessly implement what they're asked to implement.
abanana · 2h ago
Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.
000ooo000 · 1h ago
Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
physhster · 3h ago
Bank of America offers FIDO U2F as a second factor but doesn't let you remove SMS as a factor. I don't see what the point is.
lxgr · 32m ago
It doesn't do anything about SMS delivery based threats, but U2F at least makes authentication itself unphishable.
bouncing · 4h ago
The problem with the suggestions here is that it puts all your eggs in the same basket. 1Password TOTP? If both your password and the TOTP are in your password manager, you arguably really just have a single factor, delegated to a third party (your password manager). PassKeys? Same problem. Storing your recovery keys in your password manager? You again just have 1 factor.
SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.
Hackbraten · 3h ago
If you use a password manager, you might not be part of the target group that benefits most from a second factor.
A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.
tadzikpk · 3h ago
The friction of changing bank accounts is high, and few people choose their bank accounts based on how easy the online authentication is. Unless a bank does this meaningfully much worse than their competitors (low bar) they have little incentive to fix it.
If you think TD is bad, try some European countries where there's only a handful of banks...
DamonHD · 4h ago
> If a system breaks in common scenarios, like international travel, it’s not a secure system. It’s a hostile one.
I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.
I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"
In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!
Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.
agentultra · 2h ago
Still not sure about Passkeys. Or biometrics. But agree that their SMS based systems are way outdated. Which is odd because, at least at the Canadian banks, the mobile and web experiences are generally pretty modern and good.
It’s almost like the various departments that make these systems don’t talk to each other.
actinium226 · 2h ago
Pretty much the same thing with Chase. I had to access my account while overseas and had a somewhat similar story.
The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.
Really disturbing the banks still haven't secured this.
pnw · 4h ago
OP's problem sounds like failure to plan. If you are going to suspend your cell plan, you should probably check your authenticator works or have a backup option before you travel to another country.
I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.
Zak · 4h ago
A viable alternative is to offer multiple 2FA options, one of which should be RFC 6238 TOTP. The author would have probably planned ahead by selecting that rather than a proprietary app or SMS.
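The RFC 6238 TOTP that Zak, Detrytus (KeePass generating the same codes) and patrakov (bank apps wrapping TOTP with a non-exportable seed) refer to, as an added example that is not code from the thread. It reproduces the RFC's own Appendix B test vectors and shows a server-side check with a clock-skew window and replay rejection; the class and function names are mine.

```python
"""Minimal RFC 6238 TOTP generator and verifier (added example, not from the thread).

The shared secret is an ordinary byte string. Whatever an authenticator app
holds can be shown as base32, printed, or loaded into a second app, which is
why a password manager produces the same codes as a phone and why a bank app
that wants the seed to be unexportable has to hide it, not change the math.
"""
import base64
import hashlib
import hmac
import struct
import time

# Seed from RFC 6238 Appendix B for the HMAC-SHA1 column (ASCII digits).
RFC6238_SHA1_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to `digits` decimals."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods."""
    return hotp(secret, for_time // step, digits, algo)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the seed, as carried in otpauth:// URIs and QR codes.
    Anything that can display this string can also back it up."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


class TotpVerifier:
    """Server-side check with a small skew window and replay protection.

    RFC 6238 section 5.2 says a code accepted once must not be accepted again;
    this verifier remembers the highest time-step it accepted and refuses that
    step and any earlier one.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window             # accept +/- this many steps of clock skew
        self.last_accepted_step = -1

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue                 # replay, or older than a code already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Reproduce the 8-digit SHA-1 column of RFC 6238 Appendix B.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC6238_SHA1_SEED, t, digits=8))
    print("base32 seed:", provisioning_secret(RFC6238_SHA1_SEED))
```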
fullstop · 4h ago
> you should probably check your authenticator works or have a backup option before you travel to another country.
They may sign you out automatically if you connect from a different country.
coppsilgold · 4h ago
TD Authenticate does not require a network connection. I outright disabled network access for the app on my phone.
Don't know how he got logged out but he almost certainly didn't check before leaving the country.
Having said that, the 2FA for TD is atrocious as it provides SMS fallback in addition to their bespoke app.
saltcured · 4h ago
One thing I like about the Aegis authenticator app is the clear way it changes colors and even flashes to indicate a code is getting ready to change, so it is less common that you might start copying digits, glance away, and then finish copying digits from a different code.
But, I think it would still be a challenge for many elderly for other reasons.
nmca · 4h ago
Hardware tokens are the way! Everyone has had a house key their whole lives, and understands how to keep a spare to prevent lock-outs.
rr808 · 2h ago
Hardware tokens are a PITA. Sure everyone has a house key because they only have a house at a time. I have 3 bank accounts, a few brokerage accounts, some pension logins on top of the regular stuff. I'm not going to carry 15 hardware tokens with me.
nmca · 1h ago
You only need one, plus a couple recovery spares, in any sane implementation.
kube-system · 2h ago
SecurID tokens suck but with FIDO2, you'd only need one key.
Of course, that breaks the UX analogy of the house key.
Muromec · 4h ago
If only there was some kind of a physical token with a crypto key that is protected by a password and tied to one's bank account.
-s
nmca · 1h ago
I know this was sarcasm, but bank card is not appropriate because you should have one hardware key for all services produced by an independent provider.
Muromec · 36m ago
Why would I want to have one key for all them? To lose access or get them all compromised at the same time?
craftkiller · 4h ago
The only bit we're lacking is the "tied to one's bank account". The rest already exists in the form of yubikeys and other hardware security tokens.
FateOfNations · 3h ago
Your bank/credit/debit/etc. card is a “physical token with a crypto key that is protected by a password and tied to one's bank account”. FIDO and EMV even both use the same underlying ISO/IEC 7816 and 14443 protocols for communications.
pasttense01 · 3h ago
Some of us don't want to have a dozen plus separate physical tokens (one for each of bank/credit card/tax, etc sites with sensitive financial information we have).
Muromec · 1h ago
Okay, I will make the "S" mark bigger next time.
mixmastamyk · 1h ago
Not how it works. One key can keep dozens of entries.
fullstop · 3h ago
I know plenty of people who have lost house keys. I have many Yubikeys and I am responsible with my things, but not everybody is like us.
homeonthemtn · 1h ago
I agree with this take and I think implementing passkeys, etc would result in mass confusion for many customers, especially the elderly.
I suspect that's a big reason for slow adoption
bradley13 · 3h ago
Passkeys = excellent UX? In what world is that?
I keep looking at them, see the fragmentation, and have to say "no thanks, great idea, horrible reality".
hiatus · 3h ago
If you store them in a password manager it is pretty nice, but if not it can be pretty cumbersome, especially if using browsers with multiple profiles.
martinald · 4h ago
The reason it's a farce is because most banks are using some off the shelf system from one of the big vendors in the space OR legacy systems, or both. FIS is a good example.
They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.
You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.
pwg · 4h ago
> using some off the shelf system from one of the big vendors
This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.
If they created their own system, then they would be unable to offload the liability onto someone else.
FireBeyond · 3h ago
> If they created their own system, then they would be unable to offload the liability onto someone else.
In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.
quintu5 · 2h ago
Banks are always facing a trade-off between security and regulatory accessibility requirements. A former employer offered ~10 different ways to perform step-up authentication for high risk activities to avoid getting slapped with fines.
creer · 2h ago
Then again "regulatory accessibility" has little to do with usability. You can have an 11 step process which works with a screen reader and is still hell.
Muromec · 4h ago
I think all the banks that I used for the last five years (from three different European countries) use the mobile app itself as a generator of security credentials. The app itself is pin protected.
Recovery paths vary -- from SMS and hardware code generator (funny terminal to slot bank card into) to government-managed PKI or ID cards.
I think only one of them is still using sms as a fallback for normal transaction confirmations.
dddddaviddddd · 4h ago
> And don’t even get me started on logging into accounts at the Canada Revenue Agency.
They should all be shamed continually until they adopt the common sense ideas in the article.
Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.
Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”
punnerud · 3h ago
We had SMS-auth in Norway until 15 years ago (?), then it was a special type of SMS popping all over your screen that was more secure. Now all that is gone and replaced with Apps for auth, with scanning of your Passport/NationalID using NFC + SMS the first time.
bob1029 · 4h ago
> There’s no excuse anymore.
Implementing "modern" auth flows is challenging with old core systems.
From a risk management and compliance standpoint, this new auth infrastructure would represent a non-trivial expansion in the bank's audit scope.
Until a regulator makes it a requirement to use whatever new auth flow, it is not going to happen at scale.
Waterluvian · 2h ago
It’s odd that banks are so bad at this because the incentives are correct: the banks pay when fraud happens. (At least up here)
cypherpunks01 · 3h ago
Any US banks support TOTP or Yubikey/U2F requirements for login yet?
I've seen a couple consumer fintech products that support TOTP, still not many, and no banks I'm aware of.
samwise_i · 3h ago
Wells Fargo offers RSA hardware tokens if you know how to ask for them:-)
Schwab offers a Symantec hardware token
Vanguard allows the use of a FIDO device (YubiKey)
mixmastamyk · 1h ago
Imagine using anything Symantec related to security. :-/
kube-system · 1h ago
Fidelity supports TOTP
kirubel01 · 4h ago
Big corporations don’t fix anything unless it bleeds cash in an obvious way. Their siloed departments border on self-sabotage, and they only wake up when shareholders start shouting about lost profits—then they stall anyway.
kbar13 · 3h ago
i worked on a large platform (YC company, too!) previously on their 2FA implementation. while not ideal, it was decided to keep SMS 2FA because there are still people out there without smart phones or in general the ability to do TOTP. but they still have some means to access the site that wasn't a smartphone i guess.
so, it's a bit of a compatibility issue, i guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details
creer · 2h ago
Anything that requires a cellphone bakes in BOTH a single point of failure and cumbersome extra steps. Terrible practice anyway - even though so many people here are in love with both single points of failure and extra steps.
ALLOWING methods X, Y or Z would be better reasoning.
ted_dunning · 3h ago
That isn't a very strong argument for not allowing me to secure my account.
Does password requirements with short max length count as getting it wrong? Because I see that all the time.
Also a password box that will accept more characters than the max password length.
idontwantthis · 3h ago
How about one that accepts any length on create but truncates it in the DB so your password manager saves the long one you typed in when it’s actually cut off at 12 chars? Had that one recently.
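The truncation defect described in the two replies above, reproduced as an added example (constructed for this page, not code from any poster or bank): a store that silently keeps only the first 12 characters before hashing accepts the 12-character prefix as a valid password, while a store that hashes the full string does not. `TruncatingStore`, `FullLengthStore` and the PBKDF2 iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 rounds; kept low for the demo, raise in production


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the full UTF-8 password; the salt keeps equal passwords distinct."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class TruncatingStore:
    """Reproduces the defect: create() accepts any length, but only the first
    MAX_LEN characters are ever hashed, so any longer password sharing that
    prefix (including the bare prefix) is accepted at login."""

    MAX_LEN = 12

    def __init__(self):
        self._rows = {}

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[user] = (salt, _derive(password[: self.MAX_LEN], salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._rows[user]
        return hmac.compare_digest(_derive(password[: self.MAX_LEN], salt), digest)


class FullLengthStore:
    """Hashes the whole password. A cap exists only as an abuse limit, is
    enforced up front, and is reported to the user instead of applied silently."""

    MAX_LEN = 256

    def __init__(self):
        self._rows = {}

    def create(self, user: str, password: str) -> None:
        if len(password) > self.MAX_LEN:
            raise ValueError(f"password longer than {self.MAX_LEN} characters")
        salt = os.urandom(16)
        self._rows[user] = (salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if len(password) > self.MAX_LEN:
            return False
        salt, digest = self._rows[user]
        return hmac.compare_digest(_derive(password, salt), digest)


def compare_stores(password: str) -> dict:
    """Enroll the same password in both stores, then try the full password and
    its 12-character prefix against each. Returns the verify() outcomes."""
    prefix = password[: TruncatingStore.MAX_LEN]
    results = {}
    for name, store in (("truncating", TruncatingStore()), ("full_length", FullLengthStore())):
        store.create("alice", password)
        results[name] = {
            "full_password": store.verify("alice", password),
            "prefix_only": store.verify("alice", prefix),
        }
    return results


if __name__ == "__main__":
    # Constructed sample password; the password manager saved all 33 characters.
    print(compare_stores("correct horse battery staple 2025"))
```

The point of the comparison is that the truncating store reports `prefix_only: True`: an attacker who guesses or leaks the first 12 characters has the whole credential, and the user has no way of knowing that the long password in their manager is not what the bank checks.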
john01dav · 4h ago
Some banks do it properly. For example, my local credit union does Google Authenticator (actually TOTP, but they call it Google Authenticator). I use it with Authy on F-Droid.
xp84 · 4h ago
Best thing that ever happened in this bleak security world is Google Authenticator. I haven’t used that app itself in years, preferring others, but the existence of it and it being non-proprietary, has done a lot to bring over the moderately-security-competent companies to thinking “hey, I guess we should support this.” Obviously that group excludes every American bank, every power utility, etc. They all want to email or text me a freaking code at each login for some reason.
poisonborz · 4h ago
Please do not use Authy, lacks essential features and it was bought by a bad actor.
clay10 · 4h ago
I switched from Lastpass Authenticator to Authy after the hack. The lack of the "upcoming key" feature has been a huge pain point.
wait, which bad actor? I use it for everything and hear about it first time
kirubel01 · 4h ago
It's not a common problem enough for them to care.
alkonaut · 4h ago
Why is there no standardized e-ID in the US? How much money is wasted by different authorities and businesses having to reinvent the same wheel over and over? I have used the same auth for doing my taxes or checking my prescriptions or signing into my bank for 20 years.
SpecialistK · 2h ago
From my experience in the US, UK (see https://en.wikipedia.org/wiki/NO2ID ) and Canada there is a cultural aversion to government ID. I believe it's the same in Aus and NZ, so it may be an Anglophone thing.
kube-system · 1h ago
It is partly cultural, and partly a power struggle between states and the federal government.
throwaway562if1 · 3h ago
The current US administration is known for illegally deporting permanent residents and has stated intent to deport natural-born citizens. It should be self-evident why a centralized ID system under the control of the executive branch is a terrible idea.
alkonaut · 3h ago
That's horrible but why would it be worse together with an e-id system?
throwaway562if1 · 3h ago
Because without thoroughly-enshrined protections for identities, an e-ID system provides an avenue for the government to effectively de-person undesirables at will, by removing their ability to use banks, sign contracts, access healthcare, etc.
Muromec · 1h ago
US government is deporting undesirables at will right now without any of that. On the other side of the world, where id is mandatory and e-id is used for everything that makes sense, the city hall gives free heroin injections to addicts as a last resort therapy and provides for illegal/undocumented homeless people so they don't shit on the street.
Neither of those prevents somebody from stealing bicycles zo.
shadowgovt · 4h ago
Broadly speaking: because they don't have to get it right.
Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.
Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.
bluGill · 3h ago
While not wrong, it will be a big hassle for whoever is the fraud victim while things are reversed. You may even lose other things in your life because you are unable to pay bills you technically have the money for but cannot access the money.
shadowgovt · 2h ago
This is all true and, most notably, not the bank's immediate concern.
The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.
(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy come back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).
tgsovlerkhgsel · 3h ago
None of the recommended alternatives show what you are authenticating for.
The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.
The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.
The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.
That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
alfiedotwtf · 1h ago
Surely it couldn't be as bad as an unnamed Queensland (Australia) bank that did client side authentication by looking up the username and password if one giant
if username == "user1" && password == "password1"
return true;
else if username == "user2" && password == "password2"
return true;
else if ...
Yes, that was real.
cccs-kevin2 · 2h ago
This happened to me when I was overseas recently. No phone, I needed to access my credit card website with Scotiabank. I had previously relied on having an option for the OTP to be delivered either by email or sms, but when I tried in March, Scotiabank had removed the email option! I ended up having to basically remove 2FA from my bank account as a workaround, after answering a ton of security questions.
Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh
6510 · 2h ago
Is it possible for Americans to use European or Chinese banks?
I'm only half trolling.
nottorp · 4h ago
I wonder what he would have written if he had his Canadian SIM but his TOTP device got stolen...
jamalhabash · 4h ago
Good question, that’s exactly why systems need multiple secure fallback options.
focusgroup0 · 3h ago
AML & KYC
delusional · 4h ago
What actual real life person is going to switch their bank account because TOTP isn't supported?
That's why banks get authentication wrong. Because they are in the business of banking and banking customers do not care about TOTP.
idontcareatall · 2h ago
Me? As in, I've literally changed banks and canceled cards over this.
I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
kube-system · 1h ago
> It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
I think many banks might find it a benefit to exclude customers who don't have cellphones or SMS.
Geebs · 4h ago
But banks should have to provide better security or they should be at fault if the account is accessed by a third party due to their weak security.
delusional · 3h ago
Ok. They are not though.
ilaksh · 4h ago
I don't care how many times I am violently buried on this site for mentioning the word -- but cryptocurrency makes traditional banking obsolete. Or should have.
Muromec · 4h ago
No it doesn't
kube-system · 1h ago
cryptocurrency makes traditional banking obsolete only if:
1. you don't understand what banks do, or
2. you pretend that cryptocurrencies do things that they don't
One could make a list a mile long of things that banks do that cryptocurrencies have no answer for. Banking is not a technology, it is a service.
xyst · 4h ago
Anybody that has the misfortune of working within a financial institution should know these folks are way behind the times.
They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management —- thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks —- then decry about asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.
This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.
xienze · 4h ago
I don’t think banks are deliberately trying to avoid using TOTP, it’s just that they have to cater to the lowest common denominator, you know, the kind for which anything computer-related is basically black magic.
SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.
With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.
There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?
I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.
xp84 · 4h ago
This is no excuse for not offering it. And no, SMS must NOT be a backup that’s always available, as the article points out, its availability for use is a security hole.
If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
error503 · 4h ago
Recovery codes is an option, for one.
Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.
Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.
xienze · 4h ago
> “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.
And in what world is SMS not available but being able to call that same phone is?
Zak · 4h ago
> With standard TOTP, now they have to worry about if the user correctly added the secret
The standard flow I usually see for setting up TOTP ends with entering an authentication code. If it's not valid then the setup isn't finished.
xienze · 4h ago
That's not what I'm talking about. I'm talking about the act of adding the secret to the authenticator app in the first place. There needs to be documentation to the effect of "open Google Authenticator, and if you don't have it, download it on the App Store or Google Play store. Open the app and choose 'new secret', ...". Probably also put in a QR code and link for good measure. Rinse and repeat for all the major authenticator apps. THEN you can have them verify.
It adds up to a decent amount of supporting documentation that the bank is responsible for providing.
Zak · 4h ago
Outside of services like Github where the average user is expected to know what an RFC is, I usually just see Google Authenticator supported and no mention of the fact that alternatives exist. That seems like an adequate solution.
TacticalCoder · 4h ago
It's not just authentication that they get wrong. On several websites (non banks) I can get my entire history, all my logins, all my transactions, since I created my accounts: all the way back to, say, 2013... No problem.
But banking websites only allow to go a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.
"I sold an apartment I bought in 2013"
"Source of funds you used to buy the apartment in 2013 please"
And you're sorely out of luck with traditional banks.
My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.
And to add insult to injury, it's all dog slow of course.
Back in the days it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens proofs of everything. So I didn't know that for my private account I had to carefully save every single wire transfer for it may be needed 15 years in the future.
Just screw that entire system. Fuck it.
P.S.: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
I've never heard of this, I'm very curious.
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
I have the same name as my father (first and last, different middle). We live at the same address. It's a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice, our birthdays are only two days apart.
The weakness is in the processes and the lack of critical thinking skills of people executing processes.
They have metrics and bosses. They do what they're instructed to do by the banks, full stop. Or, more precisely, by the company that the bank contracted for the service.
It's dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, drive their behavior. They're only responding to the incentives of the system.
Talk about training people to give away sensitive data.
That's what you're supposed to do. That's what security is. That's the sensitive data that ensures it's not a rando calling who stole your card.
I'm not sure what alternative you are looking for? You're the one calling them, so it's fine.
Basic customer service lets you do things like transfer money too, so you need something just as secure as a PIN.
So why would you want two different security mechanisms? Either it's you or it's not.
YOU calling THEM is not an issue. That's the secure connection. There's not (afaik) a way to hijack the receiving phone number.
The issue is when somebody calls YOU. Faking the originating number of a phone call is easy, happens all of the time. That's the scammer route.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
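The contrast drawn in the three paragraphs above, on-card PIN verification versus sending the PIN to the bank, as an added example (a constructed toy model, not EMV and not any bank's code). The card checks the PIN inside the chip, enforces a retry counter, and only then returns a cryptogram over a fresh challenge; the issuer validates the cryptogram with the card's key, so the PIN never appears in the exchange. A single HMAC key shared between card and issuer stands in for real per-card key derivation, and the message format, `SmartCard`, `Issuer` and the transcript helper are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os


class SmartCard:
    """Toy secure element: holds the PIN and a card key that never leave the chip."""

    MAX_TRIES = 3

    def __init__(self, pin: str, card_key: bytes):
        self._pin = pin
        self._key = card_key
        self.tries_left = self.MAX_TRIES

    def verify_pin(self, pin: str) -> bool:
        """On-chip comparison with a retry counter; the card blocks after MAX_TRIES failures."""
        if self.tries_left == 0:
            return False
        if hmac.compare_digest(pin.encode("utf-8"), self._pin.encode("utf-8")):
            self.tries_left = self.MAX_TRIES
            return True
        self.tries_left -= 1
        return False

    def generate_cryptogram(self, challenge: bytes, pin: str):
        """Return a MAC over the issuer's challenge only if the PIN verified on-card."""
        if not self.verify_pin(pin):
            return None
        return hmac.new(self._key, b"PIN_VERIFIED|" + challenge, hashlib.sha256).hexdigest()


class Issuer:
    """The bank side. It knows the card key (to check cryptograms) and, in the
    legacy design, also the PIN itself (to check it bank-side)."""

    def __init__(self, card_key: bytes, stored_pin: str):
        self._key = card_key
        self._stored_pin = stored_pin

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def check_cryptogram(self, challenge: bytes, cryptogram: str) -> bool:
        expected = hmac.new(self._key, b"PIN_VERIFIED|" + challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, cryptogram)

    def check_pin_bank_side(self, pin: str) -> bool:
        return hmac.compare_digest(pin.encode("utf-8"), self._stored_pin.encode("utf-8"))


def on_card_flow(card: SmartCard, issuer: Issuer, pin: str, transcript: list) -> bool:
    """Challenge-response: the only things on the wire are the challenge and the cryptogram."""
    challenge = issuer.new_challenge()
    transcript.append({"from": "issuer", "to": "card", "challenge": challenge.hex()})
    cryptogram = card.generate_cryptogram(challenge, pin)
    transcript.append({"from": "card", "to": "issuer", "cryptogram": cryptogram})
    return cryptogram is not None and issuer.check_cryptogram(challenge, cryptogram)


def bank_side_flow(issuer: Issuer, pan: str, pin: str, transcript: list) -> bool:
    """Legacy design, e.g. reading card number and PIN to an agent: the PIN is transmitted."""
    transcript.append({"from": "caller", "to": "bank", "pan": pan, "pin": pin})
    return issuer.check_pin_bank_side(pin)


def pin_exposed(transcript: list) -> bool:
    """True if any message in the exchange carried the PIN as a field."""
    return any("pin" in message for message in transcript)


if __name__ == "__main__":
    key = b"constructed-issuer-key"  # constructed demo key
    card, issuer = SmartCard("4921", key), Issuer(key, "4921")
    log = []
    print("on-card:", on_card_flow(card, issuer, "4921", log), "PIN on wire:", pin_exposed(log))
    log = []
    print("bank-side:", bank_side_flow(issuer, "4111111111111111", "4921", log), "PIN on wire:", pin_exposed(log))
```

The retry counter lives on the card, so an attacker holding a captured transcript gains nothing replayable (the challenge is fresh each time) and cannot brute-force the PIN offline; in the bank-side flow the same transcript hands over the PIN directly.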
Edit: changed Klarna to Sofort
Send people to the website to find your number, idiots.
Spirit of the law: [ ]
You should have looked up the ssa site and found the number that way.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
Why has some startup not solved this problem already?
It is many problems with many solutions.
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
PS: I'm in EU.
At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.
Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.
My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.
I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.
My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.
Obviously, this is a terrible idea.
So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.
Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.
There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISOs are from nontechnical management backgrounds, based on surveys I’ve seen.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
8 years later, no one seems to care. Other things that the NIST doesn't recommend is rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.
Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
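The SP 800-63B rules quoted above (no arbitrary periodic expiry, no composition rules, screening against breached and dictionary passwords and against context-specific words), as an added example (constructed for this page, not NIST's or anyone's reference code). The breach list is a small constructed stand-in for a real corpus, the rule labels and the 4-character run check are assumptions, and `must_change_password` encodes only the SHOULD NOT / SHALL pair quoted above.

```python
# Constructed stand-in for a breach corpus or dictionary; a real deployment would
# query a large list (locally or via a k-anonymity API) instead of a set literal.
BREACHED_PASSWORDS = {"password", "p@ssw0rd", "123456", "12345678", "qwerty", "letmein", "welcome1"}


def _has_run(password: str, length: int = 4) -> bool:
    """True if `length` consecutive characters are identical ("aaaa") or step up by
    one codepoint ("abcd", "1234"); 800-63B names these as passwords to reject."""
    for i in range(len(password) - length + 1):
        codes = [ord(c) for c in password[i : i + length]]
        if all(c == codes[0] for c in codes):
            return True
        if all(codes[j + 1] - codes[j] == 1 for j in range(length - 1)):
            return True
    return False


def check_password(
    password: str,
    username: str = "",
    service: str = "",
    breached=BREACHED_PASSWORDS,
    min_len: int = 8,
    max_len: int = 64,
) -> list:
    """Return the list of reasons a memorized secret is unacceptable (empty = accepted).
    Deliberately absent: any 'letters + numbers + special characters' rule."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than minimum length")
    if len(password) > max_len:  # 800-63B asks verifiers to permit at least 64 characters
        problems.append("longer than maximum length")
    if password.lower() in breached:
        problems.append("appears in breach or dictionary list")
    for word, label in ((username, "username"), (service, "service name")):
        if word and word.lower() in password.lower():
            problems.append(f"contains the {label}")
    if _has_run(password):
        problems.append("repetitive or sequential characters")
    return problems


def must_change_password(evidence_of_compromise: bool, days_since_last_change: int) -> bool:
    """Verifiers SHOULD NOT expire secrets on a schedule, but SHALL force a change on
    evidence of compromise; the age argument is accepted and deliberately ignored."""
    return evidence_of_compromise


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ("correct horse battery staple", "P@ssw0rd", "Alice2024!", "abcd1234"):
        print(f"{candidate!r}: {check_password(candidate, username='alice') or 'accepted'}")
    print("rotate after 400 days, no incident:", must_change_password(False, 400))
```

Note that a long passphrase with no digits or symbols is accepted while the "complex"-looking `P@ssw0rd` is rejected for being on the breach list, which is the inversion the quoted guidance asks for.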
We can discuss the implementation but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state run identity provider (MitID) and hopefully the EU will be successful with their EIDAS initiative and provide a solution that works across country boundaries.
https://en.wikipedia.org/wiki/EIDAS
I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.
Driver's licenses (or non-driver IDs) are the US's de facto ID standard.
People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.
Why not? Anonymous cryptographic attestation methods (e.g. of only the fact that you are over 18 years old, that you are a permanent resident etc.) exist.
Your root of trust for said bank id is gov't documents, right?
Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.
Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).
My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.
I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.
Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).
I have developed for several banks in Europe and EIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still have alternate options: a smartcard with a reader or a smartcard-based national app.
Most seem to favour using apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.
[0] https://www.spid.gov.it/en/citizens/ it integrates with eIDAS too
Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.
State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.
If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.
Where is the privacy problem if you use this system to consult your own civil data? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.
> Resist every single effort to make it easier for merchants and private entities to strongly identify users
How is this related to govt issued ID cards?
Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.
Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.
Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.
If someone does breach an account, it's incredibly difficult to pin on the bank.
If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.
I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.
There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe an SMS service.) And requiring a special app is quite difficult to automate.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
Offline backup codes, when printed, aren't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
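The offline backup codes mentioned above are simple to get right if they are treated like passwords: issued once, shown to the user once, stored only as salted hashes, and consumed on first use. The following is an added example, not code from this thread or from any bank; the code count, length and the PBKDF2 parameters are assumptions chosen for illustration.

```python
"""Offline backup codes as a TOTP recovery path (added example, not from the thread).

Assumptions (not stated in the thread): 10 codes of 8 digits each, issued once
at enrolment, stored server-side only as salted PBKDF2-SHA256 hashes, and
deleted the first time they are redeemed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_COUNT = 10
CODE_DIGITS = 8
PBKDF2_ROUNDS = 100_000  # assumption: cheap per login, expensive per offline guess


@dataclass
class BackupCodeStore:
    """Server-side record: one salt plus one hash per unused code.
    The plaintext codes are never stored, so a database dump does not yield them."""
    salt: bytes
    hashes: list = field(default_factory=list)

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, PBKDF2_ROUNDS)

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once: its hash is removed so a replay fails."""
        normalized = code.replace("-", "").replace(" ", "")
        digest = self._digest(normalized)
        for stored in self.hashes:
            if hmac.compare_digest(stored, digest):
                self.hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


def issue_backup_codes(count: int = CODE_COUNT, digits: int = CODE_DIGITS):
    """Return (printable_codes, store).

    printable_codes go to the user once (print them, or save them offline);
    store is what the server keeps. Re-running this function revokes the old set."""
    store = BackupCodeStore(salt=secrets.token_bytes(16))
    printable = []
    for _ in range(count):
        raw = "".join(secrets.choice("0123456789") for _ in range(digits))
        store.hashes.append(store._digest(raw))
        # Shown with a separator for readability ("1234-5678"); redeem() strips it.
        printable.append(f"{raw[:4]}-{raw[4:]}")
    return printable, store


if __name__ == "__main__":
    codes, store = issue_backup_codes()
    print("print and keep offline:", codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("replay:", store.redeem(codes[0]))      # False, code already consumed
    print("codes left:", store.remaining())
```

The remaining weakness is exactly the one the comment above names: if the printed sheet is lost and no other factor exists, the account is unrecoverable, which is why a store like this should also trigger re-issuance (and a notification) when the last few codes are consumed.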
https://en.wikipedia.org/wiki/Direct_bank
Of course effectively 0% of their customers actually use it, and instead rely on sms
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
[0] https://www.investopedia.com/stock-analysis/2013/investing-n...
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...
Super simple but probably costs some money to develop.
How many of them allow to generate a code related to specific operation (provide a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
I can confirm the transaction from a complete separate device while doing a second check if all details are correct.
One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).
Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards
Yet another bank will only allow me to have the mobile app on one device. To activate it on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.
> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.
https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]
[1] https://productioncommunity.publicmobile.ca/t5/Get-Support/T...
It's mind-boggling that this is the solution we've settled on.
You'd be wrong there but not for obvious reasons.
Ultimately the cost of fraud is passed on to consumers. Banks pass the costs on to merchants, who in turn increase prices.
As a merchant increasing friction in the checkout process to reduce fraud does not improve profitability (broadly speaking).
So no they had no actual financial incentive to even implement chip and pin, that only happened because it was required by law.
For these, it's usually the banks absorbing the losses themselves (or their customers, if they aren't legally required to, but in many cases they are).
I went through quite a few bank in my life, some old style bank, some all internet bank, they were all some shade of horrible.
Neither offered a proper authentication method.
My bank is one of those with Verified by Visa. Thankfully I've figured out that using the Voice option instead of Text will work but still that silent failure is really annoying.
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.
When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.
People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.
Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).
We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.
Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?
As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!
It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.
I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.
A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.
Is the answer I got.
Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.
Here in the UK, all bank apps were dismal. Until Monzo and Starling arrived on the scene, and holy hell did the big 4 get their acts together.
One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.
I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.
I'm not clear how this changes the gun to your head scenario.
I would want to see numbers before making policy changes based on potential armed robbery.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.
A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.
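The domain check the comment above describes is what makes a browser-extension autofill phishing-resistant: the credential is released only to the origin it was saved for, so a lookalike host never receives it. The check below is an added example, not taken from the thread or from any real password manager; its matching rule (https only, exact host or a subdomain of the saved host) is a deliberate simplification, since real managers also consult the public suffix list before treating a subdomain as related.

```python
"""Origin check before autofilling a saved credential.

Added example; not code from any comment above and not any real password manager.
Assumption: credentials are saved against the registrable domain (e.g. "example-bank.com"),
so any subdomain of it is treated as the same site.
"""
from urllib.parse import urlsplit


def should_autofill(saved_origin: str, page_url: str) -> bool:
    """Return True only if page_url belongs to the site the credential was saved for."""
    saved = urlsplit(saved_origin)
    page = urlsplit(page_url)

    # Never release a credential over plaintext HTTP; that page could be injected.
    if page.scheme != "https":
        return False

    # .hostname strips userinfo and port, so "https://example-bank.com@attacker.net"
    # yields "attacker.net", not the bank.
    saved_host = saved.hostname or ""
    page_host = page.hostname or ""
    if not saved_host or not page_host:
        return False

    # Exact host, or a subdomain separated by a dot. The dot boundary is what
    # stops "notexample-bank.com" and "example-bank.com.attacker.net" from matching.
    return page_host == saved_host or page_host.endswith("." + saved_host)


# Constructed sample pages (not real hosts) exercising the lookalike cases.
SAMPLE_PAGES = {
    "https://login.example-bank.com/auth": True,
    "https://example-bank.com.attacker.net/login": False,
    "https://example-bank.com@attacker.net/login": False,
    "https://notexample-bank.com/login": False,
    "http://example-bank.com/login": False,
}

if __name__ == "__main__":
    for url, expected in SAMPLE_PAGES.items():
        got = should_autofill("https://example-bank.com", url)
        print(f"{'fill' if got else 'refuse':6} {url}  (expected {'fill' if expected else 'refuse'})")
```

Note that the user-typed "does this page look right?" judgement is replaced by a string comparison the phisher cannot influence, which is the same property passkeys get from binding the credential to the relying-party ID.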
If you think TD is bad, try some European countries where there's only a handful of banks...
I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.
I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"
In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!
Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.
It’s almost like the various departments that make these systems don’t talk to each other.
The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.
Really disturbing the banks still haven't secured this.
I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.
They may sign you out automatically if you connect from a different country.
Don't know how he got logged out but he almost certainly didn't check before leaving the country.
Having said that, the 2FA for TD is atrocious as it provides SMS fallback in addition to their bespoke app.
But, I think it would still be a challenge for many elderly for other reasons.
Of course, that breaks the UX analogy of the house key.
-s
I suspect that's a big reason for slow adoption
I keep looking at them, see the fragmentation, and have to say "no thanks, great idea, horrible reality".
They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.
You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.
This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.
If they created their own system, then they would be unable to offload the liability onto someone else.
In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.
Recovery paths vary -- from SMS and hardware code generators (funny terminal to slot your bank card into) to government-managed PKI or ID cards.
I think only one of them is still using sms as a fallback for normal transaction confirmations.
At least they support standard TOTP now. https://www.canada.ca/en/revenue-agency/services/e-services/...
Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.
Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”
Implementing "modern" auth flows is challenging with old core systems.
From a risk management and compliance standpoint, this new auth infrastructure would represent a non-trivial expansion in the bank's audit scope.
Until a regulator makes it a requirement to use whatever new auth flow, it is not going to happen at scale.
I've seen a couple consumer fintech products that support TOTP, still not many, and no banks I'm aware of.
so, it's a bit of a compatibility issue, i guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details
ALLOWING methods X, Y or Z would be better reasoning.
Also a password box that will accept more characters than the max password length.
Any suggestions for what is better?
Neither of those prevents somebody from stealing bicycles though.
Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.
Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.
The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.
(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy come back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).
The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.
The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.
The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.
That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh
I'm only half trolling.
That's why banks get authentication wrong. Because they are in the business of banking and banking customers do not care about TOTP.
I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
I think many banks might find it a benefit to exclude customers who don't have cellphones or SMS.
1. you don't understand what banks do, or
2. you pretend that cryptocurrencies do things that they don't
One could make a list a mile long of things that banks do that cryptocurrencies have no answer for. Banking is not a technology, it is a service.
They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management —- thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks —- then decry about asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.
This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.
SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.
With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.
There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?
I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.
If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.
Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.
Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.
And in what world is SMS not available but being able to call that same phone is?
The standard flow I usually see for setting up TOTP ends with entering an authentication code. If it's not valid then the setup isn't finished.
It adds up to a decent amount of supporting documentation that the bank is responsible for providing.
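Three of the comments above describe pieces of the same mechanism: the bank apps that are "TOTP under the hood", the transaction-bound code ("To authorize a transaction of $12,345.67 to account ..., enter code 123456") that EU dynamic-linking rules require, and the enrolment flow that only completes once a valid code is entered. The block below is an added example, not code from the thread or from any bank, showing all three on top of RFC 4226/6238. The TOTP part is checked against the RFC's published test vectors; the transaction-binding construction (deriving a per-transaction key with HMAC over the amount and payee, then running HOTP on the time counter with that key) is an assumption chosen for illustration and is not a named standard.

```python
"""RFC 6238 TOTP, the enrolment check, and a transaction-bound code.

Added example; not code from the thread or from any bank. The transaction
binding construction below is an illustrative assumption, not a standard.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce mod 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def _verify_in_window(key: bytes, submitted: str, at: int, window: int) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (clock skew between phone and server). Constant-time comparison per candidate."""
    base = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + delta), submitted):
            return True
    return False


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    return _verify_in_window(secret, submitted, at, window)


def finish_enrolment(provisional_secret: bytes, first_code: str, at: int) -> bool:
    """Last setup step described in the thread: the seed is only activated when the
    user's first code verifies, which proves it was loaded into the authenticator
    correctly. A failed check means the provisional seed is discarded and setup
    restarts, so the account never ends up with a factor the user cannot produce."""
    return verify_totp(provisional_secret, first_code, at)


def transaction_key(secret: bytes, amount_cents: int, payee: str) -> bytes:
    """Assumption for illustration: per-transaction key = HMAC-SHA256(seed, amount|payee).
    Folding the transaction details into the key is what binds the code to them."""
    return hmac.new(secret, f"{amount_cents}|{payee}".encode(), hashlib.sha256).digest()


def transaction_code(secret: bytes, amount_cents: int, payee: str, at: int) -> str:
    """The code the app displays next to 'authorize $X to account Y'."""
    return hotp(transaction_key(secret, amount_cents, payee), at // STEP_SECONDS)


def verify_transaction_code(secret: bytes, submitted: str, amount_cents: int,
                            payee: str, at: int, window: int = 1) -> bool:
    """The server recomputes the code from the transaction it is actually about to
    execute. A code phished for one payment does not verify for a different one."""
    return _verify_in_window(transaction_key(secret, amount_cents, payee), submitted, at, window)


if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 6238 test seed (constructed input)
    print("RFC 6238 vector t=59:", totp(seed, 59, digits=8))   # 94287082
    now = 1_700_000_000
    print("enrolment ok:", finish_enrolment(seed, totp(seed, now), now))
    code = transaction_code(seed, 1_234_567, "account-A", now)
    print("same payment:", verify_transaction_code(seed, code, 1_234_567, "account-A", now))
    print("swapped payee:", verify_transaction_code(seed, code, 1_234_567, "account-B", now))
```

The last two lines are the point of dynamic linking: the attacker who tricks a victim into reading out the code sees "123456" but cannot spend it on a different amount or account, which a plain TOTP code (valid for any action in that 30-second step) cannot offer. The extractability of the seed is a separate property, and this block does nothing about it; a bank app that wants non-exportable seeds has to keep them in the device's secure hardware rather than in app storage.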
But banking websites only allow you to go a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.
"I sold an apartment I bought in 2013"
"Source of funds you used to buy the apartment in 2013 please"
And you're sorry out of luck with traditional banks.
My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.
And to add insult to injury, it's all dog slow of course.
Back in the day it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens for proofs of everything. So I didn't know that for my private account I had to carefully save every single wire transfer for it may be needed 15 years in the future.
Just screw that entire system. Fuck it.
P.S: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.