Canadian banks still don’t have 2FA. Who are the real criminals here?
In 2014 the Globe and Mail wrote an article called "Why Canada’s banks have weaker passwords than Twitter or Google". In 2018 I also wrote about this. I opened a support ticket for my bank complaining about this, their response was that "your password plus personal verification question is 2-factor". E.g. you have 2 passwords, shut up and like it.
Its 2019. I have multi-factor authentication on nearly everything. Except the thing criminals care most about: money. I can prevent the crooks from posting as me on Reddit, from accepting a Pull Request on GitHub. But my finances? Forget about it.
The web is littered with people asking, and complaining, and getting nowhere. The banks obfuscate and dissemble when asked, pointing to other "security" initiatives like the questions. In some cases they SMS you for a transfer. But this is after you are logged in. (and its SMS).
What we want is TOTP. It works with Google Authenticator, Microsoft Authenticator, other apps. Its strong. Its simple. Its ubiqitous (except in the banking sector for clients). (Even better if was a U2F like Yubikey, but, well, I dream!).
Why am I ranting about this today? Well let me tell you. I bank with Royal Bank of Canada (RBC). In order to transfer more than 5K on my business account I need a SecureID fob. OK, its not TOTP, but better than nothing, it works, its secure. To make it as hard as possible for people to do this they charge you $50 for it. OK, fine, I paid. Then they can only ship it to your branch. OK, fine, I'll go the branch. Monday I get the note. I go, they have no idea. I'm in a hurry, I finish doing the transaction that I wanted the SecureID for anyway (manually, paper, cheque, you know, like your great-grandparents did). I come back today to pick up the SecureID fob that *they emailed me was ready*. Nobody knows what it is, where it is. After 1/2 hour of hunting, I'm asked again, "is this a set of cheques?" "is this a passbook?" Finally I point to their own personal keychain, they have one. "Its that thing". Oh, that is just for us, not for customers.
Its clear that if no one in a branch has heard of it, that the level of cybersecurity awareness is not very high. On day 1 I train all my staff about the merits of 2FA (or MFA). On their GitHub, their twitter, their Gmail, etc. Why can I afford to do this as a small business and RBC cannot?
After nearly 1 hour I'm asked to come back another time when a different set of staff are in. I bike home in the fridgid rain and write this missive to you.
So here's my suggestion. Let's do something about this. Are you a reporter? Great, do a story, I'll talk with you. Are you a customer of a bank? Ask your teller, your branch manager, on the online support, wherever. We demand better. Yes I know you have a lot of complex IT systems. Yes I know its tough to explain how this works to consumers. You know what else is expensive? Losing my money. I know you've each and all been hacked. I know you treated this like some sort of actuarial problem cost/benefit. Ford did that with the Pinto, and people died. Put down your calculator, pick up your keyboard, Google "TOTP" and "OpenID Connect" and maybe U2F. I would prefer to login in with OIDC from my Google account: I believe it is much more secure than you and your AS/400 backend with a sticky note on the console saying the admin password is "i manage".
Get on that list or get out.