2 Factor Authentication Methods

Just checking how everybody else feels about 2FA.

My pension provider (a well known investment company) still use 6 digit One Time Passwords via SMS and email.

As far as the security authorities are concerned (the UK NCSC and NIST in the US) both recommend that if available some other form of 2FA should be used.

I raised an enquiry with my pension provider about when they would support some more modern form of 2FA, because currently my Twitter Account has better 2FA than my pension.

After considering it for some time, they sent me a cut and paste of their security policy, which roughly translated “we take everything into account and do modern super duper stuff to keep your money safe so don’t worry your pretty little head about it”.

Similar complaint about another well known investment company with whom I have an ISA, and they have only just introduced 2FA by SMS code, when their US counterpart allows the use of more sophisticated methods up to and including hardware security keys (my preferred method).

Any thoughts?

I agree that SMS-based 2FA is probably the weakest option, though it’s still vastly better than not having it at all. Still, it does surprise me when financial institutions opt for such a poor method. You’d think they’d be all over security!

If someone accessed your account what could they actually do though? That’s probably another reason there’s not as much security as with a bank account.

A lot of savings accounts for example only require you to receive a text code to login and nothing else because they’re a closed loop system. You can only withdraw to a nominated account or one that’s in your name.

Two investment platforms I use only require a username and password.

Also when it comes to security and this applies to all things there are multiple layers. It’s not just as simple as someone accessing your account and that’s it, game over. There are probably other ways they’re protecting you that you’re not aware of.

For as long as banks remain hellbent on using only their own app for authentication, I think the SMS needs to exist.

There’s a convenience/security tradeoff there for sure, but I think the convenience far outweighs it.

If banks start supporting the proper standard, so you can use your authenticator of choice, then I’ll probably shift my stance on SMS.

1 Like

I’m satisfied that SMS 2FA covers off the vast majority of potential online payment card fraud.

It absolutely does, but it’s the easiest method for an attacker to get round. This could be via social engineering, getting the customer to reveal the code to them over the phone, or they could try a SIM swap, where they get the mobile company to transfer the number to a new SIM.

1 Like

That’s beyond what most payment card fraud is going to do though, realistically. The ‘game’ is converting hot card details, purchased soon after being captured, to cash/crypto as quickly as possible.

There is no time for engaging with the victims.

And even if they did, they could do exactly the same, just by telling them to follow whatever steps are necessary to authenticate the transaction via their banking app (or whatever). People are sharing codes sent with the warning text “do not share this code with anyone, even bank staff”… I really don’t think being guided through approving a transaction on a bank app is that much of a leap from there.

SIM swap is even more effort.

Once you’re engaging in the levels of subterfuge to do this there are far more juicy fruits available to you than payment card fraud - a purchase completed with a stolen card can be stopped after the fraud has taken place far easier than a series of wire transfers.

Until somebody decides to. SMS 2FA is definitely better than nothing but that’s not an excuse to preclude other methods.

They’re not going to decide to go down that route when the effort is equal to just gaining control of a victim’s banking applications but the reward much lower and more likely to be stopped/thwarted.

Unlike the scams which people fall for, which take place over hours or sometimes days, payment card fraud is about volume and speed. Burn through cards as quickly as possible and obtain goods/funds before the transactions are stopped; expecting in most cases the card details are already dead or something gets in the way of completing the scam.

The economies and overall viability of such an operation with a trick/hack to gain access to the victims SMS just aren’t there.

I am not the greatest fan of using sms or email authentication for 2 factor authentication. But not sure of any way else around it.

1 Like

And yet, it happens. They become more and more common each passing year, and can be quite a lucrative scam.

With that said, you can protect yourself from it to a reasonable degree, and so I don’t think it’s worth abandoning the SMS fallback yet until there’s greater support for the open standards from banks and enough customers can easily access them.

It does surprise me that not one fintech has finteched their MFA implementations yet. The implication of fintech is they’re supposed to be tech companies too, and could be argued tech first companies who just so happen to offer bank accounts. Which begs the question, why are they just as far behind on this as the retail banks?

I know that SIM Swap fraud happens. I’m not aware of any times it has been used in order to achieve Payment Card fraud though.