There may be truth in online banking fearmongering


Cedric Fitzgerald

I’m sure you’ve heard it before, maybe online or from an older relative:

“I don’t trust online banking. What if I get hacked?”

“I only go to my bank in person. I’ve known someone there for 20 years.”

For those of us who rely on online banking daily, the idea of avoiding it seems almost prehistoric.

But what if they’re right?

My bank recently revamped their online banking system, so I naturally logged in to check out the security section and either add my YubiKey or generate a new TOTP code and download the recovery key to store locally. Except… there was no option besides SMS.

Me realizing in 2025 my life savings depends on my cell carrier

But as I dug deeper, things got even weirder.

I had been fairly aware of the significant rise in SIM swapping: an attacker uses social engineering (or an insider at the carrier) to get your phone number moved to a SIM they control, after which every SMS one-time code meant for you is delivered to them. Here’s a notable case from 2023 in which the DOJ prosecuted a Florida ring led by a rogue telecom employee for stealing $500k+ from their customers’ crypto wallets:

https://www.justice.gov/usao-mdfl/pr/four-men-sentenced-federal-prison-sim-swapping-scheme-based-orlando

For the past couple of years or so, I have been shifting many of my service logins to use MFA and disabling SMS authentication where possible. So I started looking at banks that support hardware- or software-based MFA methods. The results were... not great.
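To make concrete what a bank’s “software token” option would actually involve, and why a SIM swap cannot touch it, here is an added example (not code from the original post or from any bank): a minimal RFC 6238 TOTP generator and verifier plus hashed one-time recovery codes. The only secret is shared once at enrollment (normally via a QR code) and every later code is derived locally from that secret and the clock; nothing is ever sent to, or through, a phone number. The test secret and expected codes come from the RFC 6238 appendix; the 30-second step, the six-digit default and the ±1-step skew window are the common defaults, chosen here as assumptions.

```python
"""
Added example, not from the original post: RFC 4226/6238 HOTP/TOTP plus
hashed recovery codes. Assumptions: 30 s time step, 6-digit codes by
default, +/-1 step of clock-skew tolerance, SHA-256 digests for
recovery codes. The test secret below is the one from RFC 6238 Appendix B.
"""
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 variant.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> N decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). No network, no carrier."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/-`window` neighbouring steps
    so a slightly skewed phone clock still works; compares in constant time."""
    counter = at_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def enroll_secret() -> tuple[bytes, str]:
    """Generate a fresh 160-bit secret and its base32 form (what the enrollment QR code carries).
    This is the single moment the secret leaves the server."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


def generate_recovery_codes(n: int = 8) -> tuple[list[str], list[str]]:
    """Return (plaintext codes the user stores offline, SHA-256 digests the server keeps).
    64 bits of entropy per code so a leaked digest is not brute-forceable offline."""
    codes = [secrets.token_hex(8) for _ in range(n)]
    digests = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
    return codes, digests


def redeem_recovery_code(stored_digests: list[str], submitted: str) -> bool:
    """Burn a recovery code on use: match by digest, then delete it so it can't be replayed."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    for i, d in enumerate(stored_digests):
        if hmac.compare_digest(d, digest):
            del stored_digests[i]
            return True
    return False


if __name__ == "__main__":
    # Reproduce two RFC 6238 vectors (8 digits) and show the skew window at work.
    print(totp(RFC_TEST_SECRET, 59, digits=8))            # 94287082
    print(totp(RFC_TEST_SECRET, 1111111111, digits=8))    # 14050471
    # Code minted at t=1111111111 (step N+1) still verifies at t=1111111109 (step N)...
    print(verify_totp(RFC_TEST_SECRET, "14050471", 1111111109, digits=8))
    # ...but not with skew tolerance switched off.
    print(verify_totp(RFC_TEST_SECRET, "14050471", 1111111109, digits=8, window=0))
```

Two things worth noticing: `verify_totp` is the part a bank would run, and its `window` is the knob that trades usability against replay exposure (a stolen code is valid for at most `(2*window+1)*step` seconds); and the recovery codes are stored only as digests, so the “download the recovery key and store it locally” step really is the only copy of those codes.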


From https://2fa.directory/us/#banking

Of the 74 banks, credit unions, and investment brokerages listed on 2fa.directory, not only did most not support hardware or software tokens, but some did not support MFA at all! (Passkeys are so far-fetched at this rate that we’d be lucky to get them before AGI/ASI.)

With my hopes diminished, I checked out Bank of America, Chase, and Morgan Stanley (E*TRADE).

Chase provided no options at all: apparently a hardware token is only available to higher-value business accounts (?).

Bank of America and E*TRADE readily support two alternative authentication methods, but sources online claim the SMS MFA can’t be disabled with BofA. It’s unclear whether software and hardware tokens can be used exclusively with E*TRADE.

The takeaways

Ironically, banks remain a weak link when it comes to authentication security. Lagging behind the rest of the industry has left gaps that attackers actively exploit. Banks do not publish account-compromise statistics, and beyond what regulators require of them they have little reason to.

Other mitigating controls certainly exist (in-house fraud-detection models, carrier-side port-out and SIM-change protections), but they’re imperfect, and the customer can neither audit nor configure most of them. With AI now lowering the cost of convincing social engineering (cloned voices, fluent phishing) and of fraud evasion, it’s becoming hard to stay comfortable with banks’ current security controls.

Ask yourself whether you’d count on your bank to reimburse funds wired to a foreign bank after an account takeover. If your answer is anything less than “absolutely”, proceed with caution.

What you can do about it

  • Prioritize providers that offer strong security controls with non-SMS MFA (potentially Morgan Stanley, or Chase if you are a business customer).
  • Lock down your carrier account: set a port-out or account PIN and turn on whatever SIM-change or number-transfer lock your carrier offers, so a SIM swap requires more than a convincing phone call.
  • Diversify your portfolio and distribute some risk into crypto, which, held in your own wallet, removes SMS and the carrier from the authentication path entirely (volatility, and having no one to call if you lose the key, are another thing 😅). Note that the SIM-swapping case above also drained crypto, so this only helps when the key is in your hands rather than behind an exchange login protected by SMS.
  • Contact your bank, on social media if that’s what gets a response, and let them know how much this concerns you.

Do you have anything to add? Drop a comment!