Canadian banks still don’t have 2FA. Who are the real criminals here?

In 2014 the Globe and Mail wrote an article called "Why Canada’s banks have weaker passwords than Twitter or Google". In 2018 I also wrote about this. I opened a support ticket with my bank complaining about this; their response was that "your password plus personal verification question is 2-factor". In other words: you have two passwords, shut up and like it.

It's 2019. I have multi-factor authentication on nearly everything, except the thing criminals care most about: money. I can stop the crooks from posting as me on Reddit or from accepting a pull request on GitHub. But my finances? Forget about it.

The web is littered with people asking and complaining and getting nowhere. The banks obfuscate and dissemble when asked, pointing to other "security" initiatives like the personal verification questions. In some cases they send you an SMS code to confirm a transfer, but only after you are already logged in (and it's SMS, a channel that a SIM swap against your carrier defeats).

What we want is TOTP (RFC 6238). It works with Google Authenticator, Microsoft Authenticator and any other standards-compliant app, because the code is derived from nothing but a shared secret and the current time. It's strong. It's simple. It's ubiquitous (except in the banking sector, for clients). Even better would be U2F with a hardware key like a YubiKey, which is phishing-resistant, but I can dream.

Why am I ranting about this today? Well, let me tell you. I bank with Royal Bank of Canada (RBC). In order to transfer more than 5K on my business account I need a SecurID fob. OK, it's not TOTP, but it's better than nothing: it works, it's secure. To make it as hard as possible for people to do this, they charge you $50 for it. OK, fine, I paid. Then they can only ship it to your branch. OK, fine, I'll go to the branch. Monday I get the note. I go; they have no idea. I'm in a hurry, so I finish doing the transaction that I wanted the SecurID for anyway (manually, on paper, by cheque, you know, like your great-grandparents did). I come back today to pick up the SecurID fob that *they emailed me was ready*. Nobody knows what it is or where it is. After half an hour of hunting, I'm asked again: "is this a set of cheques?" "is this a passbook?" Finally I point to their own personal keychain; they have one. "It's that thing." Oh, that is just for us, not for customers.

It's clear that if no one in a branch has heard of it, the level of cybersecurity awareness is not very high. On day 1 I train all my staff on the merits of 2FA (or MFA): on their GitHub, their Twitter, their Gmail, etc. Why can I afford to do this as a small business and RBC cannot?

After nearly an hour I'm asked to come back another time when a different set of staff are in. I bike home in the frigid rain and write this missive to you.

So here's my suggestion. Let's do something about this. Are you a reporter? Great, do a story; I'll talk with you. Are you a customer of a bank? Ask your teller, your branch manager, the online support, wherever. We demand better. Yes, I know you have a lot of complex IT systems. Yes, I know it's tough to explain how this works to consumers. You know what else is expensive? Losing my money. I know you've each and all been hacked. I know you treated this like some sort of actuarial cost/benefit problem. Ford did that with the Pinto, and people died. Put down your calculator, pick up your keyboard, and Google "TOTP", "OpenID Connect" and maybe "U2F". I would prefer to log in with OIDC from my Google account: I believe it is much more secure than you and your AS/400 backend with a sticky note on the console saying the admin password is "i manage".

https://twofactorauth.org/

Get on that list or get out.

6 comments on “Canadian banks still don’t have 2FA. Who are the real criminals here?”
  1. Do I care with CDIC and current Canadian banking laws?

    Also, TD’s passwords are not case-sensitive, which means they are either not hashed when stored or at least go through a string manipulation function.

    • db says:

      Do you care? Sure. Unless you're broke 🙂
      CDIC is good for 100K if your bank goes bankrupt.
      If they claim you didn’t safeguard your password, it's 100% downside for you.
      Want to spend time fighting and get the news involved?
      https://globalnews.ca/news/4633382/scotiabank-customer-fraud/
      But that doesn’t always work:
      https://www.cbc.ca/news/canada/british-columbia/td-bank-refuses-to-refund-art-student-600-in-fraudulent-cheques-1.5278144

      • Matt D says:

        Apart from raisins in butter tarts, another thing that scares the bejeezus out of me is the Canadian banks’ lack of MFA.

        What a timely article from the CBC! https://www.cbc.ca/news/canada/nova-scotia/two-factor-verification-online-banking-security-1.5306052

        “He said some people in remote areas might have difficulty with 2FA if the second step involves receiving a code on a separate device.

        So, it’s not just a technology issue; it’s a people issue. It’s convenience and technology together,” he said.”

        I recall that it wasn’t too long ago when the CRA would physically mail you an authentication code to verify your personal income tax account. While annoying, I can appreciate that there are options here, so simply saying, “people in remote areas can’t do it” is a cop-out.

        • Jayme Snyder says:

          Needing connectivity as a prerequisite for 2FA is pretty lame, especially if the second factor could be required to purchase connectivity, such as on a plane.
          The alternative is basically just a salted hash of a longer stored password or a pad of pre-negotiated passwords.
          I don’t trust any bank not to screw either up…
          Nor do I trust my carrier to securely deliver my SMS to me and me only… especially if I wish to be able to roam between carriers.
          Which brings me to the biggest concern I have with 2FA, biometrics and even chip-and-PIN etc.: the bank’s ever-growing lack of incentive to do their primary function of protecting our ledgers. They may instead rather claim the security theater technology insists the fraud must be their consumers’ fault.
          It is ever more dubious that they are typically gatekeepers to modern society, even selling credit 90% of their consumers require to survive.
          Consumers don’t really have any alternative choice.
          If I get to choose between a banking system that is generally consumer friendly vs. one that is built on security theater without accountability, I’ll gladly pay a little more for the former.

          • db says:

            Who put these MF 2FA on a plane!

          • “From September 2019, all remote electronic payments by card or credit transfer (with some exceptions, e.g. for low-value transactions) in the EU will require SCA. SCA entails the existence of at least two out of three authentication factors:

            what the payer knows (e.g. password);
            what the payer has (e.g. smartphone);
            what the payer is (e.g. fingerprint).”

            The “some exceptions” part was a bit of an open topic…

            “The deadline for migration to SCA has now been postponed to 31 December 2020 (instead of 14 September 2019).”

            If I am correct, this is the 3rd or 4th deadline extension… the regulators know what they are doing here.
