Financial firms not offering two factor authentication

A recent article in the New York Times may, hopefully, shame financial firms into increasing their online security. The article, A Two-Step Plan to Stop Hackers by Ron Lieber is about two factor authentication (2FA), a system we all experience at ATMs.

Getting cash requires both something you know (a PIN code) and something you have (your ATM card). 

In contrast, the websites of American Express, Capital One, Citibank, TD Ameritrade, Vanguard and Wells Fargo are all based merely on something you know, a userid and password. With passwords being stolen left and right, two factor authentication offers improved security. 

When dealing with a website, the thing you typically have is a cellphone rather than an ATM card. After half logging in with a userid and password, a site offering two factor authentication sends you a text message with a one-time code in it. You are not fully logged on until you enter this one-time code, proving that you have your cellphone.

It's not perfect, and this was a bit of a simplification, but it is more secure.  

Mr Lieber writes 

I’d hoped to be able to ask every company I do business with to simply send me a code by text message each time I successfully entered my username and password ... I already do something similar with Gmail. But not one company was able to do this, though Vanguard intends to start a similar service before the end of the year.

The other companies that Lieber investigated were Bank of America, Charles Schwab, Fidelity and JPMorgan Chase. At Chase, customers may or may not get a text message with a one-time code. It depends.

Schwab and Fidelity can offer increased security, but instead of text messages they issue small devices to customers that display a different number every minute. After entering their userid and password, customers also have to enter the code on the device proving that they have the thing. This system pre-dates smartphones and has its drawbacks. 

For one, it does not scale well, imagine having to carry a handful of the devices around with you. Also, the devices are battery operated and cost money to buy, ship and maintain. According to the Times article they are not very popular. 

Perhaps the worst thing that the article exposed is how hard the financial companies make it to increase your security above and beyond a userid and password. Perhaps they don't want the tech support hassle. 

While it's great to see articles like this in the business section of a newspaper, there is still an elephant in the room that needs to be mentioned. 

Two factor authentication does not protect a computer infected with malware. 

Put another way, anyone doing financial transactions on a Windows computer is, frankly, a fool. 

Yes, Macs are safer but not by much. Linux is safer too, but no one uses it. 

Whether an app running on a smartphone can ever be safe is debatable. I say this because the security of smartphone apps is hidden. Unlike a desktop web browser, there is no visible HTTPS keyword or lock icon to look for. There may or may not be certificate warnings. Multiple studies have found apps that fail to implement SSL/TLS (which underlies HTTPS) correctly.  

The safest operating system for financial transactions is Chrome OS (the sytem on Chromebooks) and the safest way to use it, is in Guest Mode

I have previously made the case here for Chrome OS security, so I won't repeat myself. For more see A Chromebook offers Defensive Computing when travelingChromebooks defend against the Flash PlayerWhy Chrome OS should have fewer bugs than other operating systems and, from back in 2012, Defensive Computing for online finances: Go with Chrome OS.

Guest mode on a Chromebook is like private browsing mode (called "incognito" in Chrome and "InPrivate" in Internet Explorer) on steroids. 

Like private browsing, guest mode erases all traces of your browsing activity when you're done, but in addition, it also starts you off with a clean slate. That is, when you logon as a Guest there are no cookies, favorites or browsing history to be discovered, stolen or manipulated. 

Normally you logon to a Chromebook with a Google account, but there is no Google account in Guest Mode. And Guest users can't see files stored on the Chromebook by others. 

Personally, I use a Chromebook in Guest Mode for my online financial transactions. I suggest you do the same. 

Maybe you can borrow one from the kids. Schools are adopting Chromebooks in droves. 

Copyright © 2014 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon