I keep getting astonished by how bad online banking security is in the UK and US.
Here in Scandinavia, we've had hardware tokens (or phone apps) to offer 2FA for ages. And you need a new token for every transaction. In addition to the password for logging in. When you reset your password, you get an email and an SMS saying that your password was reset.
Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.
My UK bank had a hardware token for years. They recently "upgraded" my security for online banking, and now use SMS 2FA codes for login and authorising new transfers. The hardware token is now unusable.
I'd change banks, but I doubt the others are better.
HSBC did this to me as well. The battery had died in my old token so I had to jump through so many hoops as the default assumption seemed to be that the customer would have a working token to set up the 2FA.
To send money over £250, RBS still use hardware card readers for their MFA flow. You put your debit/credit card in the device, enter your normal PIN and then a code that is displayed on the website. It's a little inconvenient if you don't have the device with you when you need to send large amounts of money, but in general it's great to have rather than SMS.
Of course, I expect that eventually they'll move to SMS too since it's easier for them and more in line with the rest of the industry.
Under the new EU rules 2FA over SMS is not allowed because it is possible to transfer phone numbers to other devices (through social engineering or simply because providers reuse old numbers) and thereby intercept the code. Instead most banks use an authentication app so that 2FA is bound to a single device.
They are better. One of my banks offers a hardware token which requires my card to be physically present and for a correct PIN to be entered. The other has an app with push notifications which can be used to approve or deny transactions.
Aye, that's what they used to use. Great News! Now I don't have to remember to have my card reader and I can use app, SMS or email to get codes instead. Err WTF? Apparently these changes help protect my accounts from fraud better, or some similar Orwellian doublespeak.
I did wonder if it was some unintended consequence of the EU banking interop changes, but that didn't seem especially convincing. OK, changing bank it is then. At least it's so much easier than it used to be. :)
I hate hardware tokens. Recently got one from my bank. I'm switching banks. I just don't see any advantage over a phone app (plus a phone app can offer better notifications).
Yes, but then it's not 2FA, it's notifications in the app you're probably using for banking, so now it's 1FA.
That's fine for sending £100 to an account already in your list of payees, but to set up a new account, where's the second factor in an app? That, to me, seems a large step backwards.
Well, you need (1) my phone and (2) my fingerprint, so technically it is 2FA. They could easily require (1) my password and (2) my phone, so still 2FA.
2FA is usually fake anyways, there's usually a way to reset stuff with only one factor (e.g. use phone number to reset password, or login with password and change phone number, ... same with PIN), so it's all a misnomer anyways.
> Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.
I'm glad UK banks try to avoid physical dongles because having to go to the bank and sign stuff to get one is not always convenient, not to mention you need to carry around the dongle everywhere, and if you lose it while you're on vacation it's yet more trouble.
Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app. Personally I'm satisfied with the way UK banks handle security - it's secure, they block suspicious transactions, etc. yet it doesn't get too much in your way.
I don't think UK banks are less competent, it's just a fine balance between usability and security.
> Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app.
This is exactly like having a physical token with you. If it gets stolen, they have the tokens.
But, at least, having the token on the phone app is way more convenient for customers and also has another layer of protection (think of the fingerprint/passcode etc. you need to access your phone).
I don't think having 2FA in a phone app is pointless. It's still a second factor, if someone got into your bank account. They need to get access to that 2FA app as well. And of course you protect that app with a password/PIN. Do you know of cases when a 2FA app was defeated when someone stole money from a bank account?
What I mean is that if a user has access to my bank mobile app on my phone, they also have access to the Google Authenticator app. With Lloyds, the app is locked by fingerprint or password, which in this particular scenario is actually more secure.
This is so true. My wife (US) just needs user+pwd to access her bank. Me (Italy), had physical tokens or at least SMS 2fa for years.
Also, the EU is now going through a major security upgrade for banks with SCA (Strong Customer Authentication).
As a child in Sweden in the late 90s and early 2000s I recall that my dad had a hardware token to access his bank account. Though nowadays people in Sweden use BankID for the most part which is 2FA in the form of a mobile app. BankID is also used to login to most government websites in Sweden which is nice.
Meanwhile, banking security in the US is stuck in the Stone Age. Last I checked Wells Fargo, one of the largest US banks, still does not allow passwords greater than 14 characters in length and passwords are not case sensitive.
In the Netherlands we used to have dongles or card readers for all online banking, but we are now downgrading to apps, 5-digit number codes and 2FA without an external device. This is all for ease of use, but I think from a security standpoint it's not the right direction to go. For instance, in an app you can't view the certificate and whether or not the connection is secure. If you are in a foreign country with dubious leadership it could be hijacked using a rogue SIM card or some dictator-driven root CA (looking at you, Kazakhstan).
The worst offender is ING: you can set a payment limit in the app, but then you can also change the payment limit in the app itself. If I take a nap on the train, you can drain my bank account by pressing my thumb on the reader.
Unfortunately BankID has been scammed a lot, where fraudsters have simply asked people on the phone to sign BankID stuff for them.
It is far from perfect and in fact the scam here would be possible to do with BankID as well.
Not as easily. As I understand it, with Mobile BankID, the attacker goes to the bank web site and then asks the victim to authenticate with their BankID app.
With the real BankID, the computer accessing the bank web site needs access to the smart card. Exploitation is still possible of course, but the bar seems higher.
This is the same system I'm talking about.
You can use your smartphone and a PIN, or you can get a hardware dongle. Same authentication API from the bank's POV.