Account security has long been a primary concern of banks. And the age of the Internet and online banking has increased the attack surface. See the movie The Shawshank Redemption for an illustration of what it took to rob an account without an inside co-conspirator, back in the days of paper documentation. Today, banks need to protect their customers without unduly annoying them, or worse, locking them out.
Of course, one cannot feel so sorry for the banks. They discouraged customers from using branches as branches, rather than for their ATMs, when having customers banking in person reduces the risk of mischief.
A new story at the Wall Street Journal explains how banks try to reconcile this circle. It’s oddly incomplete. He fails to mention an approach that far too many financial institutions are trying to implement, namely the use of voiceprints. If I remember correctly, about 20 years ago it was possible to get enough information about a voice to reproduce it with a 30 second recording; the input length required has decreased considerably. Why be so fond of a security method so easily abused? Anyone can find programs that generate voice clones and deepfakes via web search, so why are banking security experts laughing at themselves?
I spoke with Citi about this issue. If you push them, they say you can disable the use of your voiceprint for account identification, but it can still be used for account security. I tried to tell them that I don’t allow this because voices can be faked and I’ve been interviewed in the press so it would be easier to get a clean sound for me than most people, but clearly it’s a stupid policy and I don’t have the time and energy to escalate.
In fact, any biometric identification is problematic. As with facial identification, the system takes enough sites, for example your fingerprint or your retina, to perform a unique identification. But if someone hacks the files, they can use your ID pattern and fool the filtering program. And please, how do you get new fingers or eyeballs?
The article explains how some banks register the device you usually use to access their site and issue challenges, such as texting or emailing you with an identification code, to confirm your identity.
As a frequent customer, I have encountered practices that strike me as odd. The first is that non-PIN-protected debit cards are common in the United States. My two current banks try to impose them on me; the only account card i can get on my business account is one of those awful debit cards. If someone had your wallet, they could empty your account.
Similarly, a bank systematically assists readers, even before they show the slightest sign of difficulty, with their security word.
I imagine a high percentage of account thefts result from a scammer successfully unlocking a phone and then accessing the banking app, which automatically fills in the password. Banks can prevent the use of autofill. They can also block the copying and pasting of login credentials or security codes sent via email. Of course, there are those of us who only use laptops to access banking information as another preventative measure. But instead they use other methods. From the Review:
Instead, banks run a lot of software in the background to make sure you’re really you. Several factors considered during logins include: time of day, location, device IP address, mobile carrier, and any links prompting users to open the app. If anything differs from your unique “fingerprint,” your bank might suspect a hacker or phishing attempt, and ask you to take more steps to verify your identity….
Now, new behind-the-scenes measures take precedence, according to security experts and banking software vendors. Some compare the speed and cadence of a user’s password entry with that person’s previous attempts. Others analyze the pressure with which credentials are entered by checking how many pixels are covered when the user presses each key.
This mixture of authentication practices is widely found in banking applications because the stakes are higher. Banks know that if customers have concerns about the safety of their money, they will go elsewhere. On top of that, banks must follow federal regulations to use secure data management practices, such as end-to-end encryption.
What if you tried to go to your bank drunk? Or exhausted? I can barely type when I’m super tired, not that I’m a great typist even under normal circumstances. Well, maybe that’s not such a good idea anyway.
Because I’m well past my closing time, I’m not ready to go on a real rant, so maybe readers can tell their horror stories of bank/corporate security incompetence. financial services, both on the too strict and too lax side. I’m puzzled that some sites, like My Alabama Taxes, still insist on verifying accounts…like what can anyone do? Pay taxes for me? Filing a false quarterly tax report due? Are malicious ex-employees with login credentials such a problem that this sort of thing is really necessary? Note that Alabama requires the use of encrypted email for sending medical records, even to patients, even though HIPAA requires records to be emailed to the patient upon request. As a result, almost all providers here use fax instead.
The Journal offers additional security options in the applications of the four largest banks. This was the only one that seemed a tiny bit new:
For additional login protection, you can purchase a $25 wearable security device from Wells Fargo. It generates and displays unique random access codes every 60 seconds. But if you lose it, you’ll have to call customer service.