How safe is your online bank account? Many banks not using a basic security measure.

Illustration Credit: Gizmodo online article, 2/4/15  


You may be surprised to learn that your online bank account may not have some of the basic security measures that are now standard for your email and social media accounts. One concern is that many of the largest and most popular banks, including TD Bank, Citibank and Citizens, do not use two-factor authentication, a basic but effective measure for preventing unauthorized logins to online bank accounts.

Two-factor authentication (2FA) is an extra layer of security. Also known as multi-factor authentication, it requires not only a username and password but also something that you have on you, i.e. a piece of information only you should know or have immediately at hand, typically sent to your mobile phone number or an alternative email account. It is NOT the security questions often used by banks that don’t require 2FA, such as “what is your high school mascot” or “what street did you grow up on.” The risk of this question-based authentication is that the information you are asked to provide is often easily found through a little research on your Facebook page.

It appears little progress has been made to make 2FA standard with online banking since Gizmodo covered this issue two years ago. And yet, the problem of data theft via online banking continues to grow. The New York Times reports, “About half of the data breaches at financial institutions are made via the institutions’ web applications, according to Verizon’s 2016 Data Breach Investigations Report.”

With so much at risk, why don’t the banks use this standard technology to help protect our data? The answer may not comfort you. Gizmodo reports:

“So it's up to the banks to evaluate risk and put security in place to meet those risks. In the words of Duo Security CTO Jon Oberheide: ‘Due to the weak guidance, banks instead did the bare minimum and offered security questions/answers and "security images". You probably see this on your accounts today when you log in: a security image and phrase pre-chosen by the user that is supposed to make you confident that your login is secure. In reality, those mechanisms offer little to no protection against phishing and other credential theft threats.’”

So what can you do to protect your financial data? First, find out whether your bank offers 2FA. If it does, take the added steps to enable it. And while you’re at it, we strongly advise our customers to spend a little effort enabling 2FA for all cloud-based accounts that offer it, including Microsoft, Facebook, Twitter, Salesforce and Dropbox. These are just a few examples of the solutions that offer 2FA.

You can gauge how safe your online bank account is by checking which banks (and other cloud-based solutions) offer 2FA here. If your bank doesn’t offer 2FA, call and ask whether they have a plan to enable this security measure in the near future. If they don’t, you may want to find another bank.

Gizmodo’s Managing Editor Mario Aguilar sums it up well: “It's so easy to implement tighter security. If Gmail can do it, why can't your bank?”