Bank that Doesn't Offer Multifactor Authentication (MFA)

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

I have an account with a well-know bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."

Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by jebmke »

There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.

https://2fa.directory/#banking
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

jebmke wrote: Wed Dec 15, 2021 8:15 am There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.

https://2fa.directory/#banking
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would. Seems like virtually everybody else does. Unfortunately, I want to buy I-bonds soon, and it will probably take two weeks to a month to list a new account on Treasury Direct to draw money from.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by mptfan »

No, it does not seem reasonable and yes you should be concerned. I would not do business with any financial institution that did not have two factor authentication, it's as simple as that. Any financial institution that does not offer 2FA is behind the curve when it comes to account security no matter what BS they tell you about "enhanced security."

What bank is this? It would be helpful to know so we can warn others.
Last edited by mptfan on Fri Dec 17, 2021 12:07 pm, edited 5 times in total.
jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by jebmke »

OpenMinded1 wrote: Wed Dec 15, 2021 8:20 am
jebmke wrote: Wed Dec 15, 2021 8:15 am There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.

https://2fa.directory/#banking
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would. Seems like virtually everybody else does. Unfortunately, I want to buy I-bonds soon, and it probably take two weeks to a month to establish a new account for Treasury Direct to draw money from.
Normally when I change banks I set up the new one and migrate things gradually anyway so you can always get started and then pull the plug after the iBonds purchase. Hopefully you can change the bank link on TD fairly easily (I don't use TD so I have no idea).

You have to assess the risk of loss over the short term, given the amount of assets. In my case, my transaction bank is typically low balance. Even if there are large transactions like tax payments, the money gets pushed into the bank a day or two before the debit so it isn't sitting there for long -- so even if my transaction bank didn't have 2FA the exposure would be brief.
Last edited by jebmke on Wed Dec 15, 2021 8:28 am, edited 1 time in total.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Gaston
Posts: 1220
Joined: Wed Aug 21, 2013 7:12 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by Gaston »

I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.

A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
“My opinions are just that - opinions.”
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

Gaston wrote: Wed Dec 15, 2021 8:27 am I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.

A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

jebmke wrote: Wed Dec 15, 2021 8:26 am
OpenMinded1 wrote: Wed Dec 15, 2021 8:20 am
jebmke wrote: Wed Dec 15, 2021 8:15 am There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.

https://2fa.directory/#banking
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would. Seems like virtually everybody else does. Unfortunately, I want to buy I-bonds soon, and it probably take two weeks to a month to establish a new account for Treasury Direct to draw money from.
Normally when I change banks I set up the new one and migrate things gradually anyway so you can always get started and then pull the plug after the iBonds purchase. Hopefully you can change the bank link on TD fairly easily (I don't use TD so I have no idea).

You have to assess the risk of loss over the short term, given the amount of assets. In my case, my transaction bank is typically low balance. Even if there are large transactions like tax payments, the money gets pushed into the bank a day or two before the debit so it isn't sitting there for long -- so even if my transaction bank didn't have 2FA the exposure would be brief.
Yes, similar situation here. I don't keep a lot of money in the accounts at this bank, at least not for very long. However, I wonder if I should be concerned that someone might exploit the linkage to other banks, brokerage firms, credit card accounts, bill paying etc. that the bank uses for electronic transfers. I'm not sure.

FYI: It's somewhat time consuming to change the link at TD. Complete a form with signature guarantee. Mail and wait 15 to 30 days before the change is completed.
exodusNH
Posts: 10347
Joined: Wed Jan 06, 2021 7:21 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by exodusNH »

OpenMinded1 wrote: Wed Dec 15, 2021 8:13 am I have an account with a well-know bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."

Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
They don't offer at lease a security phrase with a new device?

My major back doesn't offer text confirmation, but when setting up the account, they asked for security questions. They prompt me with one when I log in from a new device.

A couple of things you can do to help security.

Make sure the associated email address is protected with a unique password and has multifactor enabled.

Use a uniquified email address if you can. E.g. with Gmail addresses, you can put periods anywhere in your name and it will get to you. E.g. openm.inded1, op.en.mind.ed.1, and I think even o.penm..inded1 (consecutive dots will work.) This gives you unique email addresses per login.

Gmail also supports "+addressing", e.g., openminded1+bank name will also get to your primary Gmail account. Fewer sites support that format because their developers are idiots. (E.g. Home Depot.)

Now you've got a unique email address to supply to the bank.

If your bank has you use a separate username instead of using your email address, make sure that's unique, e.g. openminded1bankname. You'll probably have to abbreviate here, e.g. openmindbankX.

Finally make sure you're using a unique password for each bank.

Unless you're being specifically targeted, which is not likely, all of these attacks are automated. They get a list of user names, email addresses, and passwords and simply try them wherever. There isn't a human looking at these and saying "a-ha! openminded1 always adds the bank name to their user name."

If you want to be even more careful, have four independent email accounts. Set up one for high value use (banks, brokerages), one for sites that store your payment info (Amazon), and one for sites that require logins but don't have financial data (e.g. bogleheads.) The last one if your your personal use.

That's probably overkill, but it does get everything segregated into different "security zones". It's easier to do now than 10 years ago, since account aggregation is common on phones. It's probably more annoying on a computer with browser logins than on your phone. It wouldn't be bad on the computer if you used an email client.
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

exodusNH wrote: Wed Dec 15, 2021 8:44 am
OpenMinded1 wrote: Wed Dec 15, 2021 8:13 am I have an account with a well-know bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."

Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
They don't offer at lease a security phrase with a new device?

My major back doesn't offer text confirmation, but when setting up the account, they asked for security questions. They prompt me with one when I log in from a new device.

A couple of things you can do to help security.

Make sure the associated email address is protected with a unique password and has multifactor enabled.

Use a uniquified email address if you can. E.g. with Gmail addresses, you can put periods anywhere in your name and it will get to you. E.g. openm.inded1, op.en.mind.ed.1, and I think even o.penm..inded1 (consecutive dots will work.) This gives you unique email addresses per login.

Gmail also supports "+addressing", e.g., openminded1+bank name will also get to your primary Gmail account. Fewer sites support that format because their developers are idiots. (E.g. Home Depot.)

Now you've got a unique email address to supply to the bank.

If your bank has you use a separate username instead of using your email address, make sure that's unique, e.g. openminded1bankname. You'll probably have to abbreviate here, e.g. openmindbankX.

Finally make sure you're using a unique password for each bank.

Unless you're being specifically targeted, which is not likely, all of these attacks are automated. They get a list of user names, email addresses, and passwords and simply try them wherever. There isn't a human looking at these and saying "a-ha! openminded1 always adds the bank name to their user name."

If you want to be even more careful, have four independent email accounts. Set up one for high value use (banks, brokerages), one for sites that store your payment info (Amazon), and one for sites that require logins but don't have financial data (e.g. bogleheads.) The last one if your your personal use.

That's probably overkill, but it does get everything segregated into different "security zones". It's easier to do now than 10 years ago, since account aggregation is common on phones. It's probably more annoying on a computer with browser logins than on your phone. It wouldn't be bad on the computer if you used an email client.
Thanks for the information. I do a lot of that, but not quite all. No they don't ask for a security phrase.
rkhusky
Posts: 17764
Joined: Thu Aug 18, 2011 8:09 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by rkhusky »

Doesn't the bank guarantee to make you whole if your account is hacked?

Just use a complex password, don't give the password out to anyone, and keep your computer secure.

My bank has started putting in a delay between password entry and account access, which would slow down multiple password entries. I suspect that they would also lock access if too many incorrect passwords were entered.
User avatar
vitaflo
Posts: 1905
Joined: Sat Sep 03, 2011 3:02 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by vitaflo »

OpenMinded1 wrote: Wed Dec 15, 2021 8:30 am
Gaston wrote: Wed Dec 15, 2021 8:27 am I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.

A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then his presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
exodusNH
Posts: 10347
Joined: Wed Jan 06, 2021 7:21 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by exodusNH »

vitaflo wrote: Wed Dec 15, 2021 9:06 am
OpenMinded1 wrote: Wed Dec 15, 2021 8:30 am
Gaston wrote: Wed Dec 15, 2021 8:27 am I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.

A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then his presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
This is absolutely true, but unless you're being specifically targeted this is not a likely hack.

The most likely scenarios for the overwhelming majority of people are that your email address and contact info is leaked along with your password or phishing. Keylogging is a distant third.

Once the creds are out there, bots spray those logins across the web and hope something sticks. Even something as simple as varying your username slightly per site is enough to prevent that attack.
User avatar
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by VictorStarr »

OpenMinded1 wrote: Wed Dec 15, 2021 8:13 am I have an account with a well-know bank. There appears to be no way to set up MFA for accessing their website. I just enter my username and password, and I'm in. This makes me a little nervous. I've asked them about it twice, and they pretty much say it isn't necessary with their advanced security. The last time they said, "We don't have that option for you to set up on your end due to our enhanced security."

Does this seem reasonable? In recent years, have any of you encountered this with a company that holds personal assets in accounts; e.g. banks, brokerages, investment companies etc.? I haven't. Should I be concerned?
I would not use a bank that does not provide reliable and configurable 2FA. The absolute minimum is 2FA with SMS (support for Google Voice number is a big plus), better option is 2FA with authenticator app or hardware key. There is no excuse for not support 2FA by any financial institution.

It is hard to find mainstream bank that offers 2FA with authenticator app or hardware key without fallback to SMS. Two exceptions are Charles Schwab bank and Fidelity CMA. Both Schwab and Fidelity provide support for authenticator app (without fallback to SMS).
User avatar
quantAndHold
Posts: 10141
Joined: Thu Sep 17, 2015 10:39 pm
Location: West Coast

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by quantAndHold »

My credit union doesn’t have 2FA. I called them and found out that their CS rep understands what 2FA is better than their IT department does. Which made me very nervous.

I kept the account open so that I still have a local banking account, but transferred all but a token amount of money elsewhere.
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

vitaflo wrote: Wed Dec 15, 2021 9:06 am
OpenMinded1 wrote: Wed Dec 15, 2021 8:30 am
Gaston wrote: Wed Dec 15, 2021 8:27 am I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.

A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then his presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
User avatar
vitaflo
Posts: 1905
Joined: Sat Sep 03, 2011 3:02 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by vitaflo »

OpenMinded1 wrote: Fri Dec 17, 2021 9:37 am
vitaflo wrote: Wed Dec 15, 2021 9:06 am
OpenMinded1 wrote: Wed Dec 15, 2021 8:30 am
Gaston wrote: Wed Dec 15, 2021 8:27 am I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.

A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then his presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in you iCloud account (from an iPhone or iPad) and it applied them to your Mac.
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

delete
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

vitaflo wrote: Fri Dec 17, 2021 9:57 am
OpenMinded1 wrote: Fri Dec 17, 2021 9:37 am
vitaflo wrote: Wed Dec 15, 2021 9:06 am
OpenMinded1 wrote: Wed Dec 15, 2021 8:30 am
Gaston wrote: Wed Dec 15, 2021 8:27 am I work in IT, and IMHO, you are correct to raise the concern. If the bank won't / can't offer the additional security feature, I would move to another bank.

A further FYI: You will know that banks who offer two-factor authentication (2FA) often use your mobile phone number as the second factor, texting you a code that you must enter each time you sign onto their website or app. You might also know that mobile phone numbers are not that secure. It's much better to use an authentication app (e.g. Authy) or a Yubikey for 2FA. Fewer banks offer these options, however, and they are less convenient for the account holder. So 2FA with a mobile phone number is better than no 2FA.
Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then his presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in you iCloud account (from an iPhone or iPad) and it applied them to your Mac.
Yes, we have other apple products, and like I said I had to enter some information when I set Apple mail up. But now I just click on the icon and all my email comes up. I wonder if this somehow increases the chances I will get hacked versus just going to the email website and logging in using 2FA.
User avatar
vitaflo
Posts: 1905
Joined: Sat Sep 03, 2011 3:02 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by vitaflo »

OpenMinded1 wrote: Fri Dec 17, 2021 10:04 am
vitaflo wrote: Fri Dec 17, 2021 9:57 am
OpenMinded1 wrote: Fri Dec 17, 2021 9:37 am
vitaflo wrote: Wed Dec 15, 2021 9:06 am
OpenMinded1 wrote: Wed Dec 15, 2021 8:30 am

Thanks for the information. I haven't started using a Yubikey yet, but instead of having a company text me a code, I usually have the company's automated system call me with it. Maybe this is somewhat more secure?
Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then his presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in you iCloud account (from an iPhone or iPad) and it applied them to your Mac.
Yes, we have other apple products, and like I said I had to enter some information when I set Apple mail up. But now I just click on the icon and all my email comes up.
Yes, because it saved your credentials. Same if you logged into gmail or facebook, etc. If you log in once it remembers that device and lets you use the app without having to log in again. You don't have to reauth every time you use the app. This is pretty common for most apps outside of finance.
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

vitaflo wrote: Fri Dec 17, 2021 10:06 am
OpenMinded1 wrote: Fri Dec 17, 2021 10:04 am
vitaflo wrote: Fri Dec 17, 2021 9:57 am
OpenMinded1 wrote: Fri Dec 17, 2021 9:37 am
vitaflo wrote: Wed Dec 15, 2021 9:06 am

Not if it's a cell phone. While sim card hacks aren't common they are possible. All someone needs is a way to port your number to their sim card, plug it into their cell phone and now they have your number, both voice and text. This is why an app is better since the app is tied to the hardware itself, not the phone number. Someone would need your physical device to get your 2FA code. Of course if you lose your device then his presents a problem which is why most 2FA systems have backup codes that you can use in case this happens. Make sure you keep those in a safe place should you ever need them. That said having any 2FA is way better than having none.
I seem to hear over and over that one should at least have 2FA set up to access their email accounts. On my Macbook laptops there is an icon on the bar at the base of the screen. It links to what is usually referred to as Apple Mail or Mail. You can just click on this icon, and it brings your email up without any logging in. It can be set up, so it brings up email from multiple email service providers. For example, a person might have Google and Yahoo mail, and it will bring those up just by clicking that icon. I don't think it's actually an email service. It's more of an email manager. Is this relatively safe/secure? I don't think it offers 2FA? There is no logging in involved. Like I said, you just click on the icon, and it brings all your email up. You do have to enter password and other information when setting it up.
You had to have authenticated at some point, it can't just grab your mail. You either did it when you first got the Mac or you have your credentials in you iCloud account (from an iPhone or iPad) and it applied them to your Mac.
Yes, we have other apple products, and like I said I had to enter some information when I set Apple mail up. But now I just click on the icon and all my email comes up.
Yes, because it saved your credentials. Same if you logged into gmail or facebook, etc. If you log in once it remembers that device and lets you use the app without having to log in again. You don't have to reauth every time you use the app. This is pretty common for most apps outside of finance.
I can't log into Facebook (Meta) or gmail on my computer without entering a username and password. Sometimes it (the device) will ask me if I want it to remember them, and I always say "never." I appreciate your efforts to explain. I have quite a bit of experience using comps, but wasn't practically born with one in my hand like some of the younger Bogleheads.
jebmke
Posts: 25475
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by jebmke »

vitaflo wrote: Fri Dec 17, 2021 10:06 am Yes, because it saved your credentials. Same if you logged into gmail or facebook, etc. If you log in once it remembers that device and lets you use the app without having to log in again.
I notice when I authenticate GMail on a new browser that the 2FA pops up in my GMail app on iPhone. I assume that the GMail app, now that it has authenticated on the phone is acting as an authentication app for the purposes of authenticating other devices. This would seem to be inherently safer than SMS -- is that a fair interpretation.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
User avatar
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by anon_investor »

jebmke wrote: Fri Dec 17, 2021 11:48 am
vitaflo wrote: Fri Dec 17, 2021 10:06 am Yes, because it saved your credentials. Same if you logged into gmail or facebook, etc. If you log in once it remembers that device and lets you use the app without having to log in again.
I notice when I authenticate GMail on a new browser that the 2FA pops up in my GMail app on iPhone. I assume that the GMail app, now that it has authenticated on the phone is acting as an authentication app for the purposes of authenticating other devices. This would seem to be inherently safer than SMS -- is that a fair interpretation.
It is, because the authentication in that instance is tied to your physical device, whereas with SMS, someone can steal your phone number remotely via "SIM swap" and intercept your SMS 2FA codes.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by mptfan »

vitaflo wrote: Fri Dec 17, 2021 10:06 amIf you log in once it remembers that device and lets you use the app without having to log in again. You don't have to reauth every time you use the app. This is pretty common for most apps outside of finance.
It's pretty common for finance apps too.
User avatar
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by anon_investor »

mptfan wrote: Fri Dec 17, 2021 12:05 pm
vitaflo wrote: Fri Dec 17, 2021 10:06 amIf you log in once it remembers that device and lets you use the app without having to log in again. You don't have to reauth every time you use the app. This is pretty common for most apps outside of finance.
It's pretty common for finance apps too.
Many finance apps can be set up so they require 2FA for every login. For example my Fidelity app requires a code from my Symantec VIP authenticator app for every login.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by mptfan »

anon_investor wrote: Fri Dec 17, 2021 12:10 pm Many finance apps can be set up so they require 2FA for every login. For example my Fidelity app requires a code from my Symantec VIP authenticator app for every login.
Yes, and many non-finance apps can be setup that way as well. One example is Amazon.
Topic Author
OpenMinded1
Posts: 1576
Joined: Wed Feb 05, 2020 8:27 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by OpenMinded1 »

anon_investor wrote: Fri Dec 17, 2021 11:54 am
jebmke wrote: Fri Dec 17, 2021 11:48 am
vitaflo wrote: Fri Dec 17, 2021 10:06 am Yes, because it saved your credentials. Same if you logged into gmail or facebook, etc. If you log in once it remembers that device and lets you use the app without having to log in again.
I notice when I authenticate GMail on a new browser that the 2FA pops up in my GMail app on iPhone. I assume that the GMail app, now that it has authenticated on the phone is acting as an authentication app for the purposes of authenticating other devices. This would seem to be inherently safer than SMS -- is that a fair interpretation.
It is, because the authentication in that instance is tied to your physical device, whereas with SMS, someone can steal your phone number remotely via "SIM swap" and intercept your SMS 2FA codes.
Thanks. That's helpful.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by evelynmanley »

mptfan wrote: Wed Dec 15, 2021 8:25 am No, it does not seem reasonable and yes you should be concerned. I would not do business with any financial institution that did not have two factor authentication, it's as simple as that. Any financial institution that does not offer 2FA is behind the curve when it comes to account security no matter what BS they tell you about "enhanced security."

What bank is this? It would be helpful to know so we can warn others.
FYI - I've been having an ongoing issue with Ally about setting up 2FA. viewtopic.php?f=2&t=362768

After lots of research, I find that Ally, Discover, Marcus, and Lending Club Bank do NOT offer consistent 2FA codes when logging in. This is a dealbreaker for me.
Tamales
Posts: 1644
Joined: Sat Jul 05, 2014 10:47 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by Tamales »

rkhusky wrote: Wed Dec 15, 2021 8:53 am Doesn't the bank guarantee to make you whole if your account is hacked?

Just use a complex password, don't give the password out to anyone, and keep your computer secure.
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
User avatar
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by anon_investor »

Tamales wrote: Fri Jan 21, 2022 9:04 am
rkhusky wrote: Wed Dec 15, 2021 8:53 am Doesn't the bank guarantee to make you whole if your account is hacked?

Just use a complex password, don't give the password out to anyone, and keep your computer secure.
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 months of expenses at 2 separate financial instituations for this reason.
Tamales
Posts: 1644
Joined: Sat Jul 05, 2014 10:47 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by Tamales »

anon_investor wrote: Fri Jan 21, 2022 9:09 am
Tamales wrote: Fri Jan 21, 2022 9:04 am
rkhusky wrote: Wed Dec 15, 2021 8:53 am Doesn't the bank guarantee to make you whole if your account is hacked?

Just use a complex password, don't give the password out to anyone, and keep your computer secure.
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 months of expenses at 2 separate financial instituations for this reason.
All good points. But judging from the sheer volume of "pants on fire" threads and posts about 2FA, I get the impression some think there is naked and unrecoverable loss potential, so it seems useful to point out that's not the case in general.

It would be useful if people nit-picked the strengths and weaknesses of the existing law as a protection mechanism (no law is perfect), but I've never seen a thread do that. I guess that's not as exciting as discussing the various flavors and views on 2FA.
rkhusky
Posts: 17764
Joined: Thu Aug 18, 2011 8:09 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by rkhusky »

anon_investor wrote: Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 months of expenses at 2 separate financial instituations for this reason.
Push comes to shove you can pay a lot of things with a credit card and get cash advances with your credit card.
User avatar
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by anon_investor »

rkhusky wrote: Fri Jan 21, 2022 9:50 am
anon_investor wrote: Fri Jan 21, 2022 9:09 am
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds. Personally, I think it makes sense to have at least some money in more than one location. If your bank account got hacked, even if you were made whole later, you still have to pay current bills, etc. I doubt any bank is going to be able to make you whole in only a few days. I think there is an argument to be made that everyone should have at least 1 months of expenses at 2 separate financial instituations for this reason.
Push comes to shove you can pay a lot of things with a credit card and get cash advances with your credit card.
I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
rkhusky
Posts: 17764
Joined: Thu Aug 18, 2011 8:09 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by rkhusky »

anon_investor wrote: Fri Jan 21, 2022 10:09 am I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by mptfan »

Tamales wrote: Fri Jan 21, 2022 9:20 am But judging from the sheer volume of "pants on fire" threads and posts about 2FA, I get the impression some think there is naked and unrecoverable loss potential...
I don't think that is a fair impression. I know that there is not a "naked and unrecoverable loss potential" so long as I timely report unauthorized activity, but the inconvenience and hassle factor involved in trying to fix things is worth enough to me to take extra steps to protect my account.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by evelynmanley »

mptfan wrote: Fri Jan 21, 2022 11:14 am
Tamales wrote: Fri Jan 21, 2022 9:20 am But judging from the sheer volume of "pants on fire" threads and posts about 2FA, I get the impression some think there is naked and unrecoverable loss potential...
I don't think that is a fair impression. I know that there is not a "naked and unrecoverable loss potential" so long as I timely report unauthorized activity, but the inconvenience and hassle factor involved in trying to fix things is worth enough to me to take extra steps to protect my account.
Agreed. The experience I had with Ally has soured me to any financial institution that doesn't offer 2FA. It's the very least they can do. As I've mentioned in another thread, I wouldn't have thought much about the importance of 2FA, except that my daughter, who is a systems architect, said she would never use any bank that doesn't offer it at the very least. She has set me up with 2FA/SMS and/or Authy (https://authy.com/) for all of my online accounts. I've been with Ally for years, but after the run-around and all the frustration in dealing with them, and STILL no 2FA, I am transferring all my savings from Ally to Bank of America, where I have a business checking account and a very good relationship with my banker. I'm happy to give up the interest at Ally to feel better about the bank I'm dealing with. I've called Ally, Marcus, Discovery, Lending Club, and none of them offer 2FA consistently when the customer logs in. It's some consolation that my purchase of I-Bonds in 2021 and 2022 will more than make up for the interest at Ally. No regrets.
User avatar
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by anon_investor »

rkhusky wrote: Fri Jan 21, 2022 10:29 am
anon_investor wrote: Fri Jan 21, 2022 10:09 am I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
I assume if you had to pay your mortgage from Vanguard there would be a way to wire it directly to the mortgage company.
rkhusky
Posts: 17764
Joined: Thu Aug 18, 2011 8:09 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by rkhusky »

anon_investor wrote: Fri Jan 21, 2022 11:39 am
rkhusky wrote: Fri Jan 21, 2022 10:29 am
anon_investor wrote: Fri Jan 21, 2022 10:09 am I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
I assume if you had to pay your mortgage from Vanguard there would be a way to wire it directly to the mortgage company.
I would look into that if I had to.
User avatar
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by anon_investor »

rkhusky wrote: Fri Jan 21, 2022 11:52 am
anon_investor wrote: Fri Jan 21, 2022 11:39 am
rkhusky wrote: Fri Jan 21, 2022 10:29 am
anon_investor wrote: Fri Jan 21, 2022 10:09 am I was thinking more like mortgage and CC bill payments. The mortgage payment is harder to deal with.
Some of the planning also depends on how easy it would be to open another bank account or whether the bank would still let you transact while they are investigating. Most of my money is at Vanguard, so I need a way to transfer to a bank (I have some old Vanguard checks, but I don’t know if they work anymore).
I assume if you had to pay your mortgage from Vanguard there would be a way to wire it directly to the mortgage company.
I would look into that if I had to.
But I could see a problem for the "one-stop-shop" folks if your account was compromised and you lost access to ALL of your money... :shock:
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by evelynmanley »

Interesting article that addresses which banks do and do not hold you up if you've been hacked and there's an investigation pending:

https://www.mybanktracker.com/news/most ... protection

Next-Day Cash Reimbursement

When disputes are being settled (such as fraud), some banks offer next-day cash reimbursement so their customers have that money in the meantime, instead of waiting months before they get their cash back.

Bank of America and Chase are two big banks that do this, and Discover and Citibank send their customers emergency money if customers' cards are lost or stolen while traveling.
tibbitts
Posts: 23726
Joined: Tue Feb 27, 2007 5:50 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by tibbitts »

OpenMinded1 wrote: Wed Dec 15, 2021 8:20 am
jebmke wrote: Wed Dec 15, 2021 8:15 am There are many alternatives so it should not be an issue finding a bank that has the services you want AND MFA.

https://2fa.directory/#banking
Yes, there certainly are. I probably wouldn't have set up accounts at this bank if I had known they don't offer MFA. I just assumed they would.
Similarly, I opened an account at a bank that doesn't allow transfer on death, because I just assumed it would.
User avatar
grogu
Posts: 258
Joined: Thu Jan 21, 2021 11:36 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by grogu »

anon_investor wrote: Fri Jan 21, 2022 9:09 am
Tamales wrote: Fri Jan 21, 2022 9:04 am
rkhusky wrote: Wed Dec 15, 2021 8:53 am Doesn't the bank guarantee to make you whole if your account is hacked?

Just use a complex password, don't give the password out to anyone, and keep your computer secure.
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds.
What about the inconvenience and impact of wasting time every time you log in? It seems like there's a market here for 6-factor authorization. Some people would love to have to receive a text, receive an email, enter a 27-digit password, retinal scans, play 7 captcha games in order to get in to your own account. No thanks. I'll take these "unsecure" websites (with their FDIC protection) any day.
User avatar
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by anon_investor »

grogu wrote: Fri Jan 21, 2022 12:51 pm
anon_investor wrote: Fri Jan 21, 2022 9:09 am
Tamales wrote: Fri Jan 21, 2022 9:04 am
rkhusky wrote: Wed Dec 15, 2021 8:53 am Doesn't the bank guarantee to make you whole if your account is hacked?

Just use a complex password, don't give the password out to anyone, and keep your computer secure.
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds.
What about the inconvenience and impact of wasting time every time you log in? It seems like there's a market here for 6-factor authorization. Some people would love to have to receive a text, receive an email, enter a 27-digit password, retinal scans, play 7 captcha games in order to get in to your own account. No thanks. I'll take these "unsecure" websites (with their FDIC protection) any day.
It is always a trade off between convenience and security. I feel like the minor inconvenience of 2FA is worth it for the added security, better safe than sorry. If you do not check your accounts constantly, it should not be that big of a hassle.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by evelynmanley »

grogu wrote: Fri Jan 21, 2022 12:51 pm
anon_investor wrote: Fri Jan 21, 2022 9:09 am
Tamales wrote: Fri Jan 21, 2022 9:04 am
rkhusky wrote: Wed Dec 15, 2021 8:53 am Doesn't the bank guarantee to make you whole if your account is hacked?

Just use a complex password, don't give the password out to anyone, and keep your computer secure.
Yes, it's federal law actually. There's a seemingly simple requirement to meet re: timely reporting. So it's not clear to me that there is any REAL risk of uncompensated loss. Not to mention all the other restrictions and delays banks put in place even for legitimate transfers to external accounts.
I think it is more about inconvenience and potential impact if you do not have immediate access to your funds.
What about the inconvenience and impact of wasting time every time you log in? It seems like there's a market here for 6-factor authorization. Some people would love to have to receive a text, receive an email, enter a 27-digit password, retinal scans, play 7 captcha games in order to get in to your own account. No thanks. I'll take these "unsecure" websites (with their FDIC protection) any day.
FDIC insurance doesn't protect our funds from hacking. It protects our funds if the bank fails.
https://www.fdic.gov/resources/deposit-insurance/
https://finance.yahoo.com/blogs/hot-sto ... 39974.html

This is an interesting link that shows which banks do and don't allow us to still use our money right away in case of a hacking and pending investigation:
https://www.mybanktracker.com/news/most ... protection
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by mptfan »

grogu wrote: Fri Jan 21, 2022 12:51 pm What about the inconvenience and impact of wasting time every time you log in?
You can identify your device as a trusted device so that you do not need to use your second factor everytime. Problem solved.

I rather err on the side of taking an extra step to login sometimes to keep my account safe. You may choose differently and that's ok.
NYCaviator
Posts: 1967
Joined: Sat Apr 09, 2016 5:06 pm
Location: NYC

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by NYCaviator »

It's definitely a balance between convenience and security. Basic 2FA is important, but worrying about SIM hacks, using a Yubikey, having multiple "clean" email addresses, etc. is too extreme for me.

Even if someone did access your bank account, what could they realistically do? Transfer between checking and savings, pay a bill, see your balance? It's not like they could instantly set up an ACH transfer to their account and drain my funds. My bank e-mails me whenever there is a new log-in from an untrusted computer, or a new bank is added for external transfers (and even that takes a few days to do). If I saw an email, I could just call them and lock it out. Also, banks have very sophisticated AI software that looks for security issues. If all of a sudden someone from the Philippines is trying to log into your account when you just used your debit card in Manhattan an hour ago, it will likely flag it and lock the account.

I think you are at a bigger risk of losing money from a stolen check or compromised debit card.
advice789
Posts: 120
Joined: Mon Jan 30, 2017 12:47 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by advice789 »

Informative discussion. Have high respect for hacker’s creativity. With VPN, someone overseas can appear as calling or accessing from USA. Same for phone calls- Area code of US city appears but the call originates overseas. There are various reports that use of a password manager may be a reason for a bank to deny reimbursement due to hacking. Eg if you give the account password to someone else, and it is used to access your account, the bank has a rationale to not reimburse losses. Seems this varies by bank. Would not stop use of password managers vs recognize the needs for prudence in any security setup
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by evelynmanley »

advice789 wrote: Sat Jan 22, 2022 4:00 pm Informative discussion. Have high respect for hacker’s creativity. With VPN, someone overseas can appear as calling or accessing from USA. Same for phone calls- Area code of US city appears but the call originates overseas. There are various reports that use of a password manager may be a reason for a bank to deny reimbursement due to hacking. Eg if you give the account password to someone else, and it is used to access your account, the bank has a rationale to not reimburse losses. Seems this varies by bank. Would not stop use of password managers vs recognize the needs for prudence in any security setup
Agreed. I never store any passwords in Bitwarden for my financial institutions.
User avatar
ObiQuiet
Posts: 126
Joined: Sun Sep 05, 2021 12:04 pm

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by ObiQuiet »

advice789 wrote: Sat Jan 22, 2022 4:00 pm Eg if you give the account password to someone else, and it is used to access your account, the bank has a rationale to not reimburse losses. Seems this varies by bank.
I'd argue the technical reality that I didn't give the password manager company my password. I gave them a long complicated (i.e. encrypted) number to store for me. The password itself never left my computer, aka "local only encryption".

OTOH, the password companies declaim liability in their ToS.
Tamales
Posts: 1644
Joined: Sat Jul 05, 2014 10:47 am

Re: Bank that Doesn't Offer Multifactor Authentication (MFA)

Post by Tamales »

I just want to verify something related to these 2FA threads. The main issue seems to be (if I may make up a shorthand reference) the threat of a successfully executed "Quickie Hacker Liquidation" or QHL, right? In other words, similar to home burglaries, in and out in a few minutes.

And the QHL concern is limited to bank checking/savings accounts holding pure cash (not something 1 or 2 steps removed from cash like money market mutual funds or CDs), is that correct?

Taking that one step further in the portfolio hierarchy, it seems a QHL of one's retirement accounts (even if they are 100% cash) is not even feasible. Legitimate versions of such external transfers take days or weeks to complete, often involving much time navigating the website for forms and sometimes requiring calls to the firm to have them send you forms, sometimes requiring physically signed/mailed forms or checks for at least one side of the transaction.
Setting aside the question of 2FA on or off for retirement accounts, am I correct that a QHL of a retirement account has a probability of zero for all intents and purposes? If that's not right, can you please explain with specifics, because at the moment I'm not seeing how it would be possible. Maybe there are distinctions between tIRA, 401k, and other retirement account categories, as far as a QHL is concerned?

How about an after-tax brokerage account? Is the only real concern in such an account for a QHL of the pure cash portion of your balance? In other words a bit more concern than a retirement brokerage account, but not a real concern for a QHL transferring stock/bond positions?

Thanks for any insights.
Post Reply