Account security has long been a paramount concern of banks. And the Internet era and online banking services have increased the attack surface. See the movie The Shawshank Redemption for an illustration of what it took to heist an account without an inside co-conspirator, back in the days of paper-based documentation. Today banks need to protect customers without unduly annoying them, or worse, locking them out.
Of course, one can’t feel all that sorry for banks. They discouraged customers from using branches qua branches, as opposed to for their ATMs, when having customers bank in person cuts down on the opportunity for mischief.
A new story at the Wall Street Journal discusses how banks are trying to square this circle. It’s bizarrely incomplete. It fails to mention one approach far too many financial institutions are trying to implement, which is using voiceprints. As I recall, about 20 years ago, it was possible to get enough information about a voice to replicate it with a 30-second recording; the required input length has fallen greatly. Why be so keen on a security method so easily abused? Anyone can find programs that generate voice clones and deepfakes via a web search, so why are bank security mavens kidding themselves?
I have argued with Citi on this issue. If you push them, they say you can opt out of having your voiceprint used for account ID but it still can be used for account security. I’ve tried telling them I don’t allow that since voices can be deepfaked and I’ve been interviewed in the press, so it would be easier to get clean audio for me than most people, but clearly this is stupid policy and I don’t have the time and energy to escalate.
In fact, any biometric ID is problematic. As with facial ID, the system takes enough sites, say of your fingerprints or retina, to make a unique identification. But if someone hacks the files, they can get the template for your ID and fool the screening program. And pray tell, how do you get new fingers or eyeballs?
The article does explain how some banks log the device you usually employ when accessing their site and issue challenges, like sending a text or e-mail to you with an ID code, to confirm your identity.
As a frequent customer, I have come across practices that strike me as bizarre. One is that non-PIN protected debit cards are common in the US. Both of my current banks try foisting them on me; the only account card I can get on my business account is one of those horrible debit cards. If anyone got your wallet, they could drain your account.
Similarly, one bank routinely assists readers, even before they show any sign of difficulty, with their security word.
I would imagine a high percentage of account thefts result from a crook succeeding in unlocking a phone and then accessing the banking app, which autofills the password. The banks can prevent the use of autofill. They can also block copying and pasting login information or e-mailed security codes. Of course, there are those among us who only use laptops to access banking information as another preventative measure. But instead they use other methods. From the Journal:
Instead, banks run a lot of software in the background to make sure you’re really you. Among several factors considered during logins are: the time of day, location, device IP address, mobile carrier, and if any links prompted users to open the app. If anything differs from your unique “fingerprint,” your bank might suspect a hacker or a phishing attempt, and prompt you to take more steps to verify your identity….
Now, newer behind-the-scenes measures take precedence, say security experts and banking software providers. Some compare a user’s password-typing speed and cadence with that person’s prior attempts. Others analyze the pressure with which credentials are entered by checking how many pixels are covered when the user taps each key.
This mélange of authentication practices is found largely in banking apps because the stakes are higher. Banks know if customers have any concerns about the safety of their money, they’ll go elsewhere. On top of that, banks must abide by federal regulations to use secure data management practices, such as end-to-end encryption.
Um, what if you try getting to your bank when drunk? Or exhausted? I can barely type when super tired, not that I am a great typist even under normal circumstances. Well that might not be such a good idea anyhow.
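The background checks the Journal describes, and the tired-typist problem with them, can be seen in a small added sketch (not code from the Journal or from any bank). The profile fields, sample logins and the cadence threshold are all constructed assumptions; "location" is reduced to a country code for brevity.

```python
from statistics import mean, stdev

# Constructed enrollment profile; every field name and value is hypothetical.
PROFILE = {
    "hours": range(7, 23), "country": "US", "carrier": "ExampleCell",
    "device_ip": "198.51.100.7",
    # Gaps between keystrokes (ms) from three earlier password entries.
    "cadence_ms": [[180, 210, 170, 220, 190],
                   [175, 205, 180, 215, 200],
                   [185, 215, 165, 225, 195]],
}
CADENCE_LIMIT = 3.0  # assumed threshold: mean deviation in standard deviations

def cadence_deviation(samples, attempt):
    """Average per-key distance of this attempt from the enrolled rhythm."""
    scores = []
    for i, gap in enumerate(attempt):
        column = [s[i] for s in samples]
        spread = stdev(column) or 1.0  # avoid dividing by zero
        scores.append(abs(gap - mean(column)) / spread)
    return mean(scores)

def decide(profile, login):
    """Return (decision, reasons); any mismatch asks for more verification."""
    reasons = []
    if login["hour"] not in profile["hours"]:
        reasons.append("time_of_day")
    for key in ("country", "carrier", "device_ip"):
        if login[key] != profile[key]:
            reasons.append(key)
    if login["opened_from_link"]:
        reasons.append("link_prompted")
    if cadence_deviation(profile["cadence_ms"], login["cadence_ms"]) > CADENCE_LIMIT:
        reasons.append("typing_cadence")
    return ("step_up" if reasons else "allow"), reasons

# Constructed logins: the customer rested, the same customer exhausted,
# and a session on an unfamiliar network opened from a link.
BASE = {"hour": 9, "country": "US", "carrier": "ExampleCell",
        "device_ip": "198.51.100.7", "opened_from_link": False}
RESTED = {**BASE, "cadence_ms": [182, 208, 172, 221, 194]}
TIRED = {**BASE, "hour": 22, "cadence_ms": [320, 410, 300, 380, 350]}
UNFAMILIAR = {**BASE, "carrier": "OtherCell", "device_ip": "203.0.113.50",
              "opened_from_link": True, "cadence_ms": [181, 209, 171, 219, 196]}

if __name__ == "__main__":
    for name, login in (("rested", RESTED), ("tired", TIRED), ("unfamiliar", UNFAMILIAR)):
        print(name, decide(PROFILE, login))
```

The exhausted customer, on the usual device and network, is flagged on typing cadence alone, which is why a mismatch here leads to an extra verification step rather than a lockout.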
Because I am way past my shut-eye time, I am not up for a proper rant, so perhaps readers can provide their horror stories of bank/financial services firm security incompetence, both on the too rigorous and too lax side. I am perplexed how some sites, like My Alabama Taxes, always insist on account verification… as if what could someone do? Pay taxes for me? File a bogus report of quarterly taxes due? Are malicious ex-employees with login credentials such a problem that this sort of thing is really necessary? Note in keeping, Alabama requires the use of encrypted e-mail for sending medical records, even to patients, even though HIPAA requires records to be e-mailed to the patient upon request. As a result, pretty much all providers here use fax instead.
The Journal provides some additional security options in the apps of the four biggest banks. This was the only one that seemed a wee bit novel:
For extra login protection, you can buy a $25 portable security device from Wells Fargo. It generates and displays unique random passcodes every 60 seconds. But if you lose it, you’ll have to call customer support.