By  Thu Oct 4, 2012

Banks Will Require This to Prevent Your Account From Being Hacked

Robert Nelson / Flickr source

Imagine hackers dipping their hands into your brokerage and retirement accounts and ruining your investment portfolio for their financial gain. Earlier this year, a man was charged for doing just that. Could two-factor authentication, for account login and/or trade execution, have prevented victims from being harmed? Most likely yes.

Two-factor authentication requires users to enter a passcode, usually delivered by phone call or text message, in addition to their username and password. A hacker might steal the username and password, but he most likely does not also have access to your phone.

This month, Citibank introduced its own two-step verification system for certain online transactions that involve money movement or viewing of sensitive information. Customers enter an identification code, obtained by text message or by phone call, to finish the transaction. Citibank requires this extra security step for all online-banking customers.

As more and more of us do our banking online, expect more financial institutions to enforce similar measures.

Living on the Internet

When the Internet was commercialized in the 1990s, who could have predicted that users would one day suffer from such a thing called Internet withdrawal? It’s proof of how much we’ve come to rely on the web — for consuming, socializing, banking and an infinite number of things that haven’t yet been invented. As the digital realm encompasses a larger part of our lives (and cybercriminals get smarter), security becomes a major concern, especially when it comes to our money.

For years, the door separating a stranger from your online accounts was guarded by a username and a password. Today, that type of online security is no longer enough to protect against an evolving group of fraudsters.

In the wake of data breaches and cyberthreats, it is likely that more companies — especially banks and other financial institutions — will mandate two-step authentication. Right now, that’s not the case, but we’re heading there.

The missing step

In the past year, Sony, Dropbox, Zappos and LinkedIn are some of the big-name companies that have lost control of consumers’ login credentials. Sure, they aren’t financial institutions, but the threat to your bank accounts is still there.

We’re always advised to use different usernames and passwords for different websites, but we don’t. According to a recent study by security firm CSID, 61 percent of consumers reuse the same password for multiple sites. It’s understandable. Now that we have so many accounts on the Internet, who has the mental capacity to recall every unique password from memory?

If the same password is used at all your online accounts, all it takes is a leak from one small website to jeopardize your financial accounts and all other accounts.

Matt Honan, a Wired reporter, can attest to the shortcomings of password security since his digital life was dismantled when hackers gained access to his Google account in August. In one hour’s time, the cyberthug(s) also gained access to his accounts for Twitter, Apple and Amazon.

“Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing,” Honan said in a post detailing the ordeal. “Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened.”

Google, which has more than 425 million email users, started offering two-factor authentication in February 2011. After opting in to this feature, users have to obtain a one-time code (via text message, phone call or a dedicated authenticator mobile application) when they log in.

In recent months, popular cloud-storage sites Dropbox and Box began offering the same security option.

Because financial institutions are responsible for holding people’s money, they have been ahead of the game when it comes to such two-step verification processes.

In 2007, Bank of America introduced a two-factor authentication program called SafePass, which is available through text message or a wallet-sized card that generates a one-time code. As with Google, Dropbox and Box, SafePass is optional. In the same year, PayPal launched its Security Key, which works just like SafePass and can also be used for users’ eBay accounts.

Although the extra layer of security is well intentioned, it’s important to note that none of these companies require it.

That is changing.

In August, Activision Blizzard, the company that recently released popular gaming title “Diablo III,” reported that email addresses, answers to security questions and encrypted passwords were compromised in a security breach.

In the game, players have the option to buy and sell digital weapons and armor for real money (through PayPal). Before players can complete any of these transactions, they must obtain a passcode via text message. Even with the leaked log-in credentials, two-factor authentication protected players from having their digital items sold off and the proceeds routed to hackers’ accounts.

For the financial industry, Citibank is setting the example with its stricter security policy.

It may well become tedious to request a security code whenever you log in or make a transaction. But that peace of mind beats waking up to an empty bank account.


Add Your 2 Cents

  • Shawn Knutson

    I have seen bank mobile apps that are testing similar options, but built within their mobile app, that create a 4-digit PIN each time you log in.

    • http://www.mybanktracker.com Alex Matjanec

      That’s a good point. I know Simple Bank uses the 4-digit PIN security as well.

    • http://www.mybanktracker.com Simon Zhen

      As more consumers use smartphones, I think authenticator mobile apps are a great way to introduce two-factor authentication. Google and Blizzard offer them. It does exclude the population that doesn’t have smartphones, but they could be offered the text message or phone call option.

  • icefyre2

    Great article. One point on Citibank’s “two-factor” solution: it’s utterly ineffective. Anyone with a username and password can change both phone and email addresses directly from the website. I know because I just did it. An attacker can just change the phone number on file, get the text, and authorize the transfer. What’s the point? If there were an authorization as part of the login process, or as part of editing your phone, email and address, it would make sense; as it stands, it is useless. The only two US banks I know of that offer real two-factor authentication for a checking account are Bank of America and ETrade.
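The following Python example is added here to illustrate two things from this page: the one-time code the article describes (obtained by text message, phone call or an authenticator app, and entered alongside the password), and the step-up check the comment above says is missing, namely requiring a fresh code before the phone number on file can be changed. It is not code from the article, from Citibank or from any bank. It assumes the authenticator-app flavour of the second factor, RFC 6238 TOTP (the same HMAC-based algorithm Google Authenticator uses), and uses the RFC's published test secret; the account, the phone number, the password and the action names ("transfer", "change_phone", "view_balance") are constructed for the example.

```python
# Added example: a TOTP second factor (RFC 4226 HOTP / RFC 6238 TOTP) and a
# step-up policy for sensitive actions. Constructed for illustration; the
# account data and action names are hypothetical, not any bank's code.
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock
    drift; compare in constant time so the check leaks nothing via timing."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


class Account:
    """Constructed account: salted PBKDF2 password hash, TOTP secret, phone on file."""

    def __init__(self, password: str, totp_secret: bytes, phone: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.phone = phone

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)


# Which actions demand a fresh one-time code even inside an authenticated session.
# The weak policy is the flaw the comment describes: money movement needs a code,
# but changing the delivery channel for that code only needs the password.
WEAK_STEP_UP = {"transfer"}
# The hardened policy also gates edits to the phone and email on file.
STRONG_STEP_UP = {"transfer", "change_phone", "change_email"}


def login(acct: Account, password: str, code: str, now: int):
    """Both factors are required to open a session; returns None on failure."""
    if acct.check_password(password) and verify_totp(acct.totp_secret, code, now):
        return {"account": acct, "authenticated": True}
    return None


def perform(session, action: str, now: int, code=None, step_up=STRONG_STEP_UP) -> bool:
    """True if `action` is allowed under the given step-up policy."""
    if not session or not session.get("authenticated"):
        return False
    if action in step_up:
        # A sensitive action needs a code verified right now, not the one used at login.
        return code is not None and verify_totp(session["account"].totp_secret, code, now)
    return True


if __name__ == "__main__":
    # Sample values: RFC 6238 test secret, constructed password and phone number.
    acct = Account("correct horse battery", b"12345678901234567890", "+1-555-0100")
    now = 59
    session = login(acct, "correct horse battery", totp(acct.totp_secret, now), now)
    print("weak policy lets a logged-in user change the phone without a code:",
          perform(session, "change_phone", now, step_up=WEAK_STEP_UP))
    print("strong policy refuses it without a code:",
          not perform(session, "change_phone", now))
    print("strong policy allows it with a fresh code:",
          perform(session, "change_phone", now, code=totp(acct.totp_secret, now)))
```

Run it directly to see the weak and hardened policies side by side. The design point is that the second factor only protects what it gates: if the phone number that receives the code can be changed with the password alone, an attacker holding leaked credentials can redirect the code to themselves, which is exactly the gap the comment reports. Gating the channel edit behind a fresh code (ideally one sent to the old number) closes it.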