MFA-optional banks leave safe doors (and accounts) wide open for thieves to pillage
OPINION I write a weekly column called PWNED, about how poor security practices can lead to serious damage. Usually, there’s something funny in the malfeasance, like a CEO who kept every employee’s password in an Excel file on his desktop. However, I wasn’t laughing back in May when professional thieves invaded my 84-year-old mother’s entire financial life and managed to make off with $30,000 from her bank accounts alone. And they wouldn’t have gotten in if her financial institutions required multi-factor authentication (aka MFA or 2FA), a step too many institutions won’t take.

One day in May, Mom got a call from the institution that runs her retirement savings account, who had identified a suspicious transaction and asked her if it was legit. She said no and they immediately protected her account. Then she checked her bank account at a different institution to see if it was compromised and found thousands of dollars transferred out of her checking and savings accounts. The thieves knew exactly how much they could withdraw each day, and used both withdrawals and transfers to a strange account. But the financial institution hadn't flagged the fraudulent activity.

The thieves were so slick that they broke into her Gmail account and created spam filters to filter any mail from her bank or retirement savings provider to the trash so she wouldn’t get alerts about the transfers or about the fake accounts they made in her name. She spent hours on the phone reporting the theft to an unhelpful and incredulous fraud department who asked “Are you sure a relative didn’t do this?”

We don’t know for certain how the crims got into my mom’s accounts, but we know she used the same or similar passwords on all of her accounts, and at least one of her accounts was part of a data breach a few years ago, so that info was probably available somewhere online. The miscreants then could have used this info to get into her retirement account, her bank, and her Gmail.
None of this would have been possible if she had MFA enabled on those accounts, but neither Google nor her financial institutions require it. “Many consumers assume every bank requires 2FA, but that's not the reality,” said Gregory Shein, CEO of Nomadic Soft, a SaaS company that serves fintech clients. “Some financial institutions still treat it as an optional feature because they're balancing security against friction. Every extra login step can reduce conversions, increase support tickets, and frustrate less technical customers.”

Indeed, while some banks such as PNC require MFA, others such as Bank of America, Chase, Capital One, and Citibank leave it as optional. Google’s accounts are also MFA-optional.

Fortunately, after they spent hours telling my mom that someone in her family could have done the deed, and repeatedly putting her on hold, then forcing her to navigate a labyrinthine phone tree, the bank eventually agreed to investigate. A few weeks later, they restored the stolen funds.

A not entirely happy ending

My mother was lucky, because if money is stolen from your bank account, there is no guarantee that you will get it back, at least in the US. According to the Consumer Financial Protection Bureau, you have 60 days from the date of a bank statement to dispute any transactions. The bank also has 45 days to investigate, unless your bank account was just opened in the last 30 days or the fraudulent transactions took place outside the US. But the bank could very well decide that those fraudulent transactions look legitimate and refuse to reimburse you. If the bank doesn’t agree to reimburse you, your next step is to get a lawyer and attempt to sue. A quick search revealed dozens of lawyers in my area who specialize in dealing with this problem.

It would be easy to blame my mom for being robbed. Using the same password in multiple places left her wide open for exploitation. However, her bank’s lack of a required second authentication factor also contributed.
The bank doesn’t let you transact without a password, and it doesn’t issue you an ATM card without a PIN, because it knows that there has to be a required minimum level of security. Banks and other financial institutions know better. Google knows better. But they’re all putting convenience ahead of security when it’s your money that’s on the line.

“Different segments of the population adopt technology faster or slower. If I’m a bank, I have to consider that very closely because I don’t want to lose any banking relationships,” Andrew Shikiar, CEO of the FIDO Alliance, an industry association that advocates for stronger login security, told me in an interview. “So I think there’s some concerns around friction that have held some banks and other service providers back from really pushing this more aggressively.”

How effective is MFA?

According to a 2019 article from Microsoft, MFA prevents 99.9 percent of attacks on your accounts. However, other experts say this number is exaggerated, as there are many ways to get past MFA if you’re a criminal, including social engineering and interception.

One of the most common types of MFA, issuing a one-time passcode via an SMS message or an email, is inherently flawed. A determined thief can use social engineering to get a SIM card with your phone number on it, then get to your texts. And if your email itself isn’t perfectly secure and it is receiving an OTP, they can get to that too. Phishers can also trick you into giving up your OTPs by creating a fake website that looks like your bank’s login page.

The right way to do MFA today is with a passkey. Passkeys are cryptographic key pairs where there’s a private key on the user’s device and a public key on the server. To access the key on the device, the user must either enter a PIN, touch a physical security key like a Yubikey, or enter a biometric login such as their face or fingerprint.
Passkeys cannot be phished or intercepted, which is why they are known as “phishing-resistant MFA.”

Unfortunately, a lot of banks are sticking with their OTPs. For example, when I went to set up MFA for a family member’s account with US bank Chase using its website, Chase offered the chance to receive an OTP via email, SMS, or a phone call. The bank is rolling out passkeys, according to the FIDO Alliance. So are Wells Fargo, US Bank, and Bank of America.

Some banks may be using better MFA only within their mobile apps. Chase’s app, for example, asks users to use a fingerprint or facial recognition at login, even though the website does not. However, if a thief wants to log in at Chase's website, there will be no biometric challenge. And if a user doesn’t have MFA enabled at all, it’s even easier for thieves to get in.

“OTP is just another password. So it’s a shorter-lived one, but it really is just another password,” Shikiar said. “And there’s also usability issues. You’re juggling between your mobile and your desktop. It’s insecure, inefficient, and a really inadequate user experience.”

What banks don’t seem to understand is that you’re only as secure as your weakest entry point. If security controls only exist on mobile apps, it doesn’t help with web-based attacks. If a level of security is optional, the majority of people won’t enable it. Thieves will take the path of least resistance, so service operators need to lock down all entry paths equally by default.

Unfortunately, an approach that favors convenience over security will lead to a lot more people losing their money. And, ultimately, banks will lose money when they have to reimburse people for those fraudulent transactions.

“I don't expect banks to be mandating passkeys and only passkeys for some time, but the more they push them, the more comfort there is,” Shikiar told us. “The sooner we’ll get to that point where it becomes a de facto default and then becomes really something that's either required or essentially required.”

That time should be now. ®