My pension provider (a well known investment company) still uses 6 digit One Time Passwords via SMS and email.
As far as the security authorities are concerned (the UK NCSC and NIST in the US), both recommend that if available some other form of 2FA should be used.
I raised an enquiry with my pension provider about when they would support some more modern form of 2FA, because currently my Twitter Account has better 2FA than my pension.
After considering it for some time, they sent me a cut and paste of their security policy, which roughly translated "we take everything into account and do modern super duper stuff to keep your money safe so don't worry your pretty little head about it".
Similar complaint about another well known investment company with whom I have an ISA, and they have only just introduced 2FA by SMS code, when their US counterpart allows the use of more sophisticated methods up to and including hardware security keys (my preferred method).
I agree that SMS-based 2FA is probably the weakest option, though it's still vastly better than not having it at all. Still, it does surprise me when financial institutions opt for such a poor method. You'd think they'd be all over security!
If someone accessed your account what could they actually do though? That's probably another reason there's not as much security as with a bank account.
A lot of savings accounts for example only require you to receive a text code to login and nothing else because they're a closed loop system. You can only withdraw to a nominated account or one that's in your name.
Two investment platforms I use only require a username and password.
Also when it comes to security, and this applies to all things, there are multiple layers. It's not just as simple as someone accessing your account and that's it, game over. There are probably other ways they're protecting you that you're not aware of.
It absolutely does, but it's the easiest method for an attacker to get round. This could be via social engineering, getting the customer to reveal the code to them over the phone, or they could try a SIM swap, where they get the mobile company to transfer the number to a new SIM.
That's beyond what most payment card fraud is going to do though, realistically. The "game" is converting hot card details, purchased soon after being captured, to cash/crypto as quickly as possible.
There is no time for engaging with the victims.
And even if they did, they could do exactly the same, just by telling them to follow whatever steps are necessary to authenticate the transaction via their banking app (or whatever). People are sharing codes sent with the warning text "do not share this code with anyone, even bank staff"… I really don't think being guided through approving a transaction on a bank app is that much of a leap from there.
SIM swap is even more effort.
Once you're engaging in the levels of subterfuge to do this there are far more juicy fruits available to you than payment card fraud - a purchase completed with a stolen card can be stopped after the fraud has taken place far easier than a series of wire transfers.
They're not going to decide to go down that route when the effort is equal to just gaining control of a victim's banking applications but the reward much lower and more likely to be stopped/thwarted.
Unlike the scams which people fall for, which take place over hours or sometimes days, payment card fraud is about volume and speed. Burn through cards as quickly as possible and obtain goods/funds before the transactions are stopped; expecting in most cases the card details are already dead or something gets in the way of completing the scam.
The economies and overall viability of such an operation with a trick/hack to gain access to the victim's SMS just aren't there.
And yet, it happens. They become more and more common each passing year, and can be quite a lucrative scam.
With that said, you can protect yourself from it to a reasonable degree, and so I don't think it's worth abandoning the SMS fallback yet until there's greater support for the open standards from banks and enough customers can easily access them.
It does surprise me that not one fintech has finteched their MFA implementations yet. The implication of fintech is they're supposed to be tech companies too, and could be argued tech first companies who just so happen to offer bank accounts. Which begs the question, why are they just as far behind on this as the retail banks?