We had been car shopping recently, and we happened into a dealership that just so happened to use our regular bank for financing.
And so this was fairly convenient and mildly painless, although it did require the submission of a credit application. More or less as a formality I’m left to presume, as our bank most certainly already has what it needs to determine our credit worthiness.
Anyway we go through the motions, complete the required fields on the application, and off we go. And in fairly short order, we’re in a new car, life is great.
Fast forward a few days, when I log into my bank’s online bill payment system. For reasons I can only assume are rooted in profitability and not actual security, my bank still uses SMS 2FA. My bank has, forever, presented me with a choice of two phone numbers to use for this purpose each time I log in, but today, there is a surprise:
I immediately go into defense condition red. You have likely felt this very feeling. It is characterized by symptoms including rapid pulse, immediate perspiration, controlled berserk, and visions of your financial everything in a smoldering ruin.
Before I’m even thinking it through, I have the bank’s customer service line dialed and while on hold, my mind is racing. What is this new number. Where did it come from. Then I hang up the phone. The 4311 number is the main line for Phillips Exeter Academy, which is where I work.
It becomes immediately clear how this happened: my bank obtained this phone number from my vehicle credit application, added it to the list of phone numbers on my account, and decided that an appropriate default condition is to make that number eligible for second factor authentication. To me, this is insane.
SMS 2FA is already dubious, but in my case it’s all the bank offers, so you take what you can get. But what if my work phone accepts SMS, and that number is shared or is a main number? Effectively anyone with access to that main business number has access to my second factor – the thing that proves that I am me!
And worse, having been given no choice in the matter. By a completely unrelated action – applying for a car loan – I have programmatically and unknowingly lowered my security posture. It makes no sense.
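To make the design failure concrete, here is a small model of the two enrollment policies side by side: the silent default the post describes, where any number the bank learns becomes an SMS 2FA destination, and a hardened version where a newly learned number is stored as contact data only and can be promoted to a second factor solely from a session that already authenticated with an existing, eligible factor. This is an added illustration written for this post; it is not the bank's code, and the account, phone numbers and function names are constructed for the example.

```python
"""Model of phone-number enrollment policies for SMS 2FA (illustrative only).

Two policies are compared:
  merge_insecure  - the behaviour described in the post: a number harvested from
                    an unrelated form (a loan application) is silently added as
                    an MFA destination.
  merge_hardened  - the number is recorded as contact data only; it becomes an
                    MFA destination only after confirm_mfa_number() is called from
                    a session that already passed 2FA on a different trusted number.
All numbers below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Phone:
    number: str
    source: str                 # where the bank learned the number
    mfa_eligible: bool = False  # may receive one-time codes
    verified_by_user: bool = False


@dataclass
class Account:
    phones: dict = field(default_factory=dict)  # number -> Phone
    audit: list = field(default_factory=list)

    def mfa_numbers(self):
        """Numbers the login page would offer as 2FA destinations."""
        return sorted(p.number for p in self.phones.values() if p.mfa_eligible)


def merge_insecure(acct, number, source):
    """Insecure default: any newly learned number becomes an MFA target."""
    acct.phones[number] = Phone(number, source, mfa_eligible=True)
    acct.audit.append(f"added {number} from {source}; mfa=True without consent")


def merge_hardened(acct, number, source):
    """Hardened policy: record the number, but never as an MFA factor by default."""
    if number not in acct.phones:
        acct.phones[number] = Phone(number, source)
        acct.audit.append(f"added {number} from {source}; mfa=False (pending)")


def confirm_mfa_number(acct, number, session_verified_with):
    """Promote `number` to MFA-eligible.

    Allowed only when the current session proved possession of a *different*
    number that is already MFA-eligible. A number can never vouch for itself,
    and a non-eligible number (e.g. one harvested from a form) cannot vouch.
    """
    candidate = acct.phones.get(number)
    if candidate is None:
        raise KeyError(f"unknown number {number}")
    trusted = acct.phones.get(session_verified_with)
    if trusted is None or not trusted.mfa_eligible or trusted.number == number:
        acct.audit.append(f"refused to enable {number}: no independent trusted factor")
        return False
    candidate.mfa_eligible = True
    candidate.verified_by_user = True
    acct.audit.append(f"enabled {number} after 2FA via {session_verified_with}")
    return True


def scenario(policy):
    """Constructed account: two numbers enrolled by the customer, then a third
    number arriving from a loan application is merged under `policy`."""
    acct = Account()
    for n in ("555-0101", "555-0102"):
        acct.phones[n] = Phone(n, "customer_enrollment", mfa_eligible=True, verified_by_user=True)
    policy(acct, "555-0199", "auto_loan_application")  # e.g. an employer's main switchboard
    return acct


if __name__ == "__main__":
    print("insecure :", scenario(merge_insecure).mfa_numbers())
    print("hardened :", scenario(merge_hardened).mfa_numbers())
```

Under the insecure policy the loan-application number shows up on the login page immediately; under the hardened one it stays a contact number until the customer, already past 2FA on one of the original numbers, explicitly turns it on. The audit entries are the other half of the fix: a silent change to the set of MFA destinations should at minimum be logged and notified to the existing factors.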
My bank has languished for quite a long time in this space, with no outward signs of moving in a better direction with pervasive tokens or authenticators.
Sadly, it’s the same bank that, while allowing you to create secure one-time use credit card numbers for online shopping, requires Adobe Flash to do so.
One thing is for certain: banks aren’t going to up their game on their own. Until the penalty for non-compliance exceeds the cost of compliance, nothing will change.