Two-Factor ID for my Bank

Topic Author
sport
Posts: 7847
Joined: Tue Feb 27, 2007 3:26 pm
Location: Cleveland, OH

Two-Factor ID for my Bank

Post by sport » Tue Mar 12, 2019 12:26 pm

Recently, when I tried to log onto my bank account (regional B&M bank) the system did not recognize my computer. This required the bank to send me an authorization code to enable access. The bank gave me 3 choices to receive the code. A call to my land line, a call to my cell phone, or an email to my computer. It seems to me that if the bank wants to verify my computer, sending an authorization code to that computer would be a security risk. I contacted the bank, and asked them to remove the email option for sending authorizations. They told me they cannot do that. Is this really a security problem? If so, how can I deal with it other than changing banks?

RickBoglehead
Posts: 2506
Joined: Wed Feb 14, 2018 9:10 am

Re: Two-Factor ID for my Bank

Post by RickBoglehead » Tue Mar 12, 2019 12:30 pm

sport wrote:
Tue Mar 12, 2019 12:26 pm
Recently, when I tried to log onto my bank account (regional B&M bank) the system did not recognize my computer. This required the bank to send me an authorization code to enable access. The bank gave me 3 choices to receive the code. A call to my land line, a call to my cell phone, or an email to my computer. It seems to me that if the bank wants to verify my computer, sending an authorization code to that computer would be a security risk. I contacted the bank, and asked them to remove the email option for sending authorizations. They told me they cannot do that. Is this really a security problem? If so, how can I deal with it other than changing banks?
They are not sending a security code to your computer. They are sending a security code to your email address. You choose to access it on your computer, hopefully via a password.

So if someone tries to access your account via a different computer, they'd have to have access to your email account to get the code.

If they steal your computer, and you hadn't secured it in some way, not only would they be able to access your account (if the password was stored on the computer), but they'd be able to get a code if you didn't secure your email access.
Avid user of forums on a variety of interests - financial, home brewing, F-150, PHEV, home repair and more. Enjoy learning and passing on knowledge.

Topic Author
sport
Posts: 7847
Joined: Tue Feb 27, 2007 3:26 pm
Location: Cleveland, OH

Re: Two-Factor ID for my Bank

Post by sport » Tue Mar 12, 2019 12:39 pm

RickBoglehead wrote:
Tue Mar 12, 2019 12:30 pm
sport wrote:
Tue Mar 12, 2019 12:26 pm
Recently, when I tried to log onto my bank account (regional B&M bank) the system did not recognize my computer. This required the bank to send me an authorization code to enable access. The bank gave me 3 choices to receive the code. A call to my land line, a call to my cell phone, or an email to my computer. It seems to me that if the bank wants to verify my computer, sending an authorization code to that computer would be a security risk. I contacted the bank, and asked them to remove the email option for sending authorizations. They told me they cannot do that. Is this really a security problem? If so, how can I deal with it other than changing banks?
They are not sending a security code to your computer. They are sending a security code to your email address. You choose to access it on your computer, hopefully via a password.

So if someone tries to access your account via a different computer, they'd have to have access to your email account to get the code.

If they steal your computer, and you hadn't secured it in some way, not only would they be able to access your account (if the password was stored on the computer), but they'd be able to get a code if you didn't secure your email access.
Thanks. I use Thunderbird on my computer. All incoming emails arrive automatically. I still believe it would be more secure if they would let me turn off the email option that I don't need.

Amphian
Posts: 135
Joined: Tue Jan 30, 2018 9:37 pm

Re: Two-Factor ID for my Bank

Post by Amphian » Tue Mar 12, 2019 12:50 pm

sport wrote:
Tue Mar 12, 2019 12:39 pm
I still believe it would be more secure if they would let me turn off the email option that I don't need.
With the ability to easily steal a phone number via a port out scam, of the three options listed, email is the most secure - which isn't saying much.

RickBoglehead
Posts: 2506
Joined: Wed Feb 14, 2018 9:10 am

Re: Two-Factor ID for my Bank

Post by RickBoglehead » Tue Mar 12, 2019 12:50 pm

sport wrote:
Tue Mar 12, 2019 12:39 pm
RickBoglehead wrote:
Tue Mar 12, 2019 12:30 pm
sport wrote:
Tue Mar 12, 2019 12:26 pm
Recently, when I tried to log onto my bank account (regional B&M bank) the system did not recognize my computer. This required the bank to send me an authorization code to enable access. The bank gave me 3 choices to receive the code. A call to my land line, a call to my cell phone, or an email to my computer. It seems to me that if the bank wants to verify my computer, sending an authorization code to that computer would be a security risk. I contacted the bank, and asked them to remove the email option for sending authorizations. They told me they cannot do that. Is this really a security problem? If so, how can I deal with it other than changing banks?
They are not sending a security code to your computer. They are sending a security code to your email address. You choose to access it on your computer, hopefully via a password.

So if someone tries to access your account via a different computer, they'd have to have access to your email account to get the code.

If they steal your computer, and you hadn't secured it in some way, not only would they be able to access your account (if the password was stored on the computer), but they'd be able to get a code if you didn't secure your email access.
Thanks. I use Thunderbird on my computer. All incoming emails arrive automatically. I still believe it would be more secure if they would let me turn off the email option that I don't need.
I know of no site that allows you to pick and choose what 2FA process you want. Most offer SMS messaging and/or email. They don't let you say "I don't want email."

You're missing the issue that you're confronting.

The bank did not recognize your computer, likely because your browser updated. But it's YOUR computer.

As part of the 2FA, they send an email. Since it's YOUR computer, it goes to your email program, and you read it and put the code in. If this was any other computer, it would not have your email program on it set to read all emails, and it would not get the code. Also - YOU would get the code, and say "Hey bank, what the ____ is going on, I didn't ask for a code.".

Since your Thunderbird program is not secure on your computer, you should consider setting both a power on password as well as a Windows account level password, so that IF your computer is stolen / accessed by someone they can't open your emails and get all the 2FA codes.

RetiredAL
Posts: 214
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Two-Factor ID for my Bank

Post by RetiredAL » Tue Mar 12, 2019 1:55 pm

I share the OP's concern, but I'm not paranoid about it.

I am currently at my elderly Dad's giving care support and using my laptop. I also use this laptop when traveling. I consider a laptop more vulnerable because of its grab-and-run potential, compared to my desktop at home.

Win10 logon security seems reasonable, but I'm sure it's not perfect. Thus, someone that has the laptop might be able to access my login. If they succeed logging in, then my mail system (Thunderbird) will automatically retrieve any new mail plus they can read the mail stores.

If one uses Gmail, then it's likely that the computer will auto-logon to Google whenever the browser is started.

IMO, having your browser auto fill-in a user name creates a lot of vulnerability as it gives the bad guy an entry point. If one of the options for a password reset is email, then that bad guy may have just gotten access to what you thought was a password protected account.

I don't ever use a password manager, either stand-alone or the browser's. I suspect that if your OS logon has been compromised, then the bad guy can use the password manager too.

If you are a victim of a strong-arm grab and run, your device will not be OS password locked until the screen saver kicks in.

That said, if the OS password required is active, how many thieves have the desire and wherewithal to crack the OS password? They most likely just want the device to sell or use as their own.

My concern is over financial accounts or the few buying accounts I have. Anything else is just fluff. Sorry Bogleheads, FB, etc., if someone can use my credentials to post, I really don't care.

I never use my phone to access anything where security might be a concern. I strongly avoid using my laptop anywhere other than where I know about the network, such as here at my Dad's.

Just my 2-bits.

Epsilon Delta
Posts: 8061
Joined: Thu Apr 28, 2011 7:00 pm

Re: Two-Factor ID for my Bank

Post by Epsilon Delta » Tue Mar 12, 2019 2:02 pm

You could also set up a second email account and not have Thunderbird remember the email password. That way you can get your grandma's pie recipes without the inconvenience of having to type a password every time and still protect the 2FA.

Personally I think it is presumptuous for banks to assume that any email address I give them is secure, it's particularly galling when I give it to them for one reason, such as to confirm an appointment and they escalate to send very sensitive info. But they also do the same with phone numbers. I once had a call back at my parents' house and it took a long time to convince a bank that I had not given blanket authorization for anybody at that phone number to make transactions.

bryanm
Posts: 130
Joined: Mon Aug 13, 2018 3:48 pm

Re: Two-Factor ID for my Bank

Post by bryanm » Tue Mar 12, 2019 2:08 pm

RickBoglehead wrote:
Tue Mar 12, 2019 12:50 pm
Since your Thunderbird program is not secure on your computer, you should consider setting both a power on password as well as a Windows account level password, so that IF your computer is stolen / accessed by someone they can't open your emails and get all the 2FA codes.
I largely agree with this. The point-of-attack here is your computer. But you can make your computer "2FA" by itself. Simply lock-down access to the data behind a good password, and now you need 1) your password (something you know) and 2) your computer (something you have). There are two things to do to make this work. First, make sure you have a modern OS (Windows 10 or OSX), as many older operating systems weakly encrypt the password and are vulnerable to local attacks. Second, make sure you use full-disk encryption. OSX I believe calls it "FileVault." Windows 10 calls it BitLocker. (Third party tools are available but more complicated to use.) I probably would skip the power-on password since they're typically easy to circumvent with physical access to a device.

As with all my security posts, I will mention that I think the likelihood of attack here is low, since most people who break into houses to steal PCs aren't mining them for data (that's much more prevalent online). Other security hygiene practices probably have a higher impact in reducing risk.

Topic Author
sport
Posts: 7847
Joined: Tue Feb 27, 2007 3:26 pm
Location: Cleveland, OH

Re: Two-Factor ID for my Bank

Post by sport » Tue Mar 12, 2019 2:23 pm

I don't feel that the bank is as careful about security as they should be. I get alert emails when a check clears my account. This is good. However, in those emails, they state my account balance. Since emails are not secure, it does not seem to be a good idea to show my account balance. Furthermore, if I have written a paper check, they don't even know what my available balance really is until the check clears. So, I know the balance better than the bank does. Nevertheless, they insist on showing the balance they think I have. (I know that is the actual balance, but if I have already written checks on it, it is not available for writing other checks.)

Amphian
Posts: 135
Joined: Tue Jan 30, 2018 9:37 pm

Re: Two-Factor ID for my Bank

Post by Amphian » Tue Mar 12, 2019 2:34 pm

sport wrote:
Tue Mar 12, 2019 2:23 pm
I don't feel that the bank is as careful about security as they should be. I get alert emails when a check clears my account.
I'm not sure how it is at your bank, but mine (I have three.) all allow you to customize when you get alerts. At the one brick and mortar I've kept (so the least flexible of my accounts), I cannot turn off alerts that I have new statements or tax documents, but I can shut off all other alerts. You might want to log in and see what options you have.

RickBoglehead
Posts: 2506
Joined: Wed Feb 14, 2018 9:10 am

Re: Two-Factor ID for my Bank

Post by RickBoglehead » Tue Mar 12, 2019 2:35 pm

sport wrote:
Tue Mar 12, 2019 2:23 pm
I don't feel that the bank is as careful about security as they should be. I get alert emails when a check clears my account. This is good. However, in those emails, they state my account balance. Since emails are not secure, it does not seem to be a good idea to show my account balance. Furthermore, if I have written a paper check, they don't even know what my available balance really is until the check clears. So, I know the balance better than the bank does. Nevertheless, they insist on showing the balance they think I have. (I know that is the actual balance, but if I have already written checks on it, it is not available for writing other checks.)
Then turn off the email alerts if they don't allow you to specify to not provide the balance. I get alerts and they don't have balance. You may also find you can change the alert to a text instead.

megabad
Posts: 1189
Joined: Fri Jun 01, 2018 4:00 pm

Re: Two-Factor ID for my Bank

Post by megabad » Tue Mar 12, 2019 6:01 pm

Most secure option in my book is a true landline because it is notoriously difficult to port those. But I just polled the folks I am texting with (about a dozen), not one of them has an actual landline (that is not VOIP). So I don't think that works for most. Both cell phone and email are about equally unsecure in my book. The fact that I can literally grab the phone out of most people's hand and instantly gain access to most of their banking is ridiculous and something I just don't understand. To me, it is the equivalent of walking around with a George Costanza wallet with your life savings in it. Email is not better as you can do the same thing since folks routinely leave their email signed in.

In short, it seems that folks just accept the risk.

rkhusky
Posts: 6331
Joined: Thu Aug 18, 2011 8:09 pm

Re: Two-Factor ID for my Bank

Post by rkhusky » Tue Mar 12, 2019 6:16 pm

OP you said the bank is giving you the option of which method, right? They are not sending to all three are they? Just choose your phone if you don’t want email.

Topic Author
sport
Posts: 7847
Joined: Tue Feb 27, 2007 3:26 pm
Location: Cleveland, OH

Re: Two-Factor ID for my Bank

Post by sport » Tue Mar 12, 2019 7:35 pm

rkhusky wrote:
Tue Mar 12, 2019 6:16 pm
OP you said the bank is giving you the option of which method, right? They are not sending to all three are they? Just choose your phone if you don’t want email.
When it wants to send an authorization code, it gives 3 choices for me to receive it. They insist that email must be one of the choices. I cannot choose in advance.

rkhusky
Posts: 6331
Joined: Thu Aug 18, 2011 8:09 pm

Re: Two-Factor ID for my Bank

Post by rkhusky » Tue Mar 12, 2019 8:42 pm

sport wrote:
Tue Mar 12, 2019 7:35 pm
rkhusky wrote:
Tue Mar 12, 2019 6:16 pm
OP you said the bank is giving you the option of which method, right? They are not sending to all three are they? Just choose your phone if you don’t want email.
When it wants to send an authorization code, it gives 3 choices for me to receive it. They insist that email must be one of the choices. I cannot choose in advance.
Gotcha. I think Vanguard also gives a choice each time, but it is only between landline and cell phone. I prefer email, if I have to have 2FA, and cancelled service with a company that would only send codes to a cell phone.

gtd98765
Posts: 201
Joined: Sun Jan 08, 2017 4:15 am

Re: Two-Factor ID for my Bank

Post by gtd98765 » Wed Mar 13, 2019 8:00 am

megabad wrote:
Tue Mar 12, 2019 6:01 pm
The fact that I can literally grab the phone out of most people's hand and instantly gain access to most of their banking is ridiculous and something I just don't understand. To me, it is the equivalent of walking around with a George Costanza wallet with your life savings in it. Email is not better as you can do the same thing since folks routinely leave their email signed in.

In short, it seems that folks just accept the risk.
I hope, but don't know, that most people whose cell phones are attached to bank accounts use a password, PIN, fingerprint, etc., to enable access to the phone. That would limit your risk quite a bit.

Ren
Posts: 47
Joined: Tue Sep 11, 2012 11:16 am

Re: Two-Factor ID for my Bank

Post by Ren » Wed Mar 13, 2019 10:14 am

sport wrote:
Tue Mar 12, 2019 2:23 pm
Since emails are not secure, it does not seem to be a good idea to show my account balance.
Emails are secure. The way you are using your email client may not be. Either have it automatically log you out after checking your email or manually do it yourself. Problem solved.

megabad
Posts: 1189
Joined: Fri Jun 01, 2018 4:00 pm

Re: Two-Factor ID for my Bank

Post by megabad » Wed Mar 13, 2019 1:06 pm

gtd98765 wrote:
Wed Mar 13, 2019 8:00 am
megabad wrote:
Tue Mar 12, 2019 6:01 pm
The fact that I can literally grab the phone out of most people's hand and instantly gain access to most of their banking is ridiculous and something I just don't understand. To me, it is the equivalent of walking around with a George Costanza wallet with your life savings in it. Email is not better as you can do the same thing since folks routinely leave their email signed in.

In short, it seems that folks just accept the risk.
I hope, but don't know, that most people whose cell phones are attached to bank accounts use a password, PIN, fingerprint, etc., to enable access to the phone. That would limit your risk quite a bit.
Would it? I have seen a "pickpocket" take a phone right out of someone's hand before and run and I don't think this is uncommon. I suppose you are correct if said person never used his/her phone in public, but based on my casual observations, phones are in use and unlocked most of the time. Most folks can't put them down for more than a few minutes it seems (me included). Porting can be limited with a PIN. But if you walk around with your cell phone unlocked (as most do) then you are still exposed.

RickBoglehead
Posts: 2506
Joined: Wed Feb 14, 2018 9:10 am

Re: Two-Factor ID for my Bank

Post by RickBoglehead » Wed Mar 13, 2019 1:10 pm

rkhusky wrote:
Tue Mar 12, 2019 6:16 pm
OP you said the bank is giving you the option of which method, right? They are not sending to all three are they? Just choose your phone if you don’t want email.
The OP's complaint is that if someone else gained access they could choose email, and the OP feels that email is not secure.

lazydavid
Posts: 2094
Joined: Wed Apr 06, 2016 1:37 pm

Re: Two-Factor ID for my Bank

Post by lazydavid » Wed Mar 13, 2019 1:10 pm

RetiredAL wrote:
Tue Mar 12, 2019 1:55 pm
I don't ever use a password manager, either stand-alone or the browser's. I suspect that if your OS logon has been compromised, then the bad guy can use the password manager too.

If you are a victim of a strong-arm grab and run, your device will not be OS password locked until the screen saver kicks in.

That said, if the OS password required is active, how many thieves have the desire and wherewithal to crack the OS password? They most likely just want the device to sell or use as their own.
Your (non-browser) password manager has a master password for a reason, and should be configured to require re-login upon every boot. If that's the case, it should be safe even if the laptop is stolen and someone gains access to your Windows account.

In terms of getting access to that Windows account, it's trivial unless the drive is encrypted. There are boot disk images widely available that can change the password on any account to whatever value you want. I used one once on my wife's work laptop when they stupidly deployed a new VPN client that required the user to be a local admin. And of course, she wasn't.

rkhusky
Posts: 6331
Joined: Thu Aug 18, 2011 8:09 pm

Re: Two-Factor ID for my Bank

Post by rkhusky » Wed Mar 13, 2019 1:43 pm

RickBoglehead wrote:
Wed Mar 13, 2019 1:10 pm
rkhusky wrote:
Tue Mar 12, 2019 6:16 pm
OP you said the bank is giving you the option of which method, right? They are not sending to all three are they? Just choose your phone if you don’t want email.
The OP's complaint is that if someone else gained access they could choose email, and the OP feels that email is not secure.
Regular email is not secure, in the sense that it is sent over the Internet as clear text.

The OP explained that the bank was offering the different options every time a code needed to be sent, rather than setting a preference for a single method to be used at all times.

So, if the OP's bank and email passwords were compromised, the bank account would be at risk.

If the OP's computer is stolen and it is set up such that a password is automatically supplied for the bank login and email login, their bank account would be at risk.

bryanm
Posts: 130
Joined: Mon Aug 13, 2018 3:48 pm

Re: Two-Factor ID for my Bank

Post by bryanm » Wed Mar 13, 2019 2:30 pm

rkhusky wrote:
Wed Mar 13, 2019 1:43 pm
Regular email is not secure, in the sense that it is sent over the Internet as clear text.
This used to be true, but is largely not anymore. Email protocols have long supported TLS, and any enterprise worth their salt is probably using it. So while email can be sent as clear text, yours probably isn't.

rkhusky
Posts: 6331
Joined: Thu Aug 18, 2011 8:09 pm

Re: Two-Factor ID for my Bank

Post by rkhusky » Wed Mar 13, 2019 4:45 pm

bryanm wrote:
Wed Mar 13, 2019 2:30 pm
rkhusky wrote:
Wed Mar 13, 2019 1:43 pm
Regular email is not secure, in the sense that it is sent over the Internet as clear text.
This used to be true, but is largely not anymore. Email protocols have long supported TLS, and any enterprise worth their salt is probably using it. So while email can be sent as clear text, yours probably isn't.
In looking through my emails, many were using SMTP. But it did seem like my financial institutions were mostly using TLS.

tuningfork
Posts: 434
Joined: Wed Oct 30, 2013 8:30 pm

Re: Two-Factor ID for my Bank

Post by tuningfork » Wed Mar 13, 2019 7:17 pm

rkhusky wrote:
Wed Mar 13, 2019 4:45 pm
bryanm wrote:
Wed Mar 13, 2019 2:30 pm
rkhusky wrote:
Wed Mar 13, 2019 1:43 pm
Regular email is not secure, in the sense that it is sent over the Internet as clear text.
This used to be true, but is largely not anymore. Email protocols have long supported TLS, and any enterprise worth their salt is probably using it. So while email can be sent as clear text, yours probably isn't.
In looking through my emails, many were using SMTP. But it did seem like my financial institutions were mostly using TLS.
Even if an email is sent using TLS that does not make it completely secure. TLS only encrypts the data during transit. It is still potentially stored in plain text on the sender's email server, on the receiver's email server, and any other servers it might have rested on along the way (such as if your email is auto-forwarded from one domain to another). A hack into the email server or an evil server administrator might expose your emails even if they were sent with TLS.
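
Added example (not part of any post in this thread): the posts above discuss checking whether a message travelled over TLS and note that TLS protects each hop separately. This Python sketch reads a message's `Received:` headers and reports, hop by hop, whether the receiving server recorded a TLS-protected transfer, using the `with` keywords registered by RFC 3848. The sample message, hostnames and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from typing import NamedTuple

# Constructed sample: a code e-mail that is auto-forwarded once before delivery.
SAMPLE = """\
Received: from mx.mailhost.example (mx.mailhost.example [203.0.113.7])
\tby imap.mailhost.example with LMTP id abc123;
\tWed, 13 Mar 2019 12:00:05 -0400
Received: from relay.forwarder.example (relay.forwarder.example [198.51.100.9])
\tby mx.mailhost.example with ESMTP id def456;
\tWed, 13 Mar 2019 12:00:04 -0400
Received: from out.bank.example (out.bank.example [192.0.2.25])
\tby relay.forwarder.example with ESMTPS id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tWed, 13 Mar 2019 12:00:02 -0400
From: alerts@bank.example
To: customer@mailhost.example
Subject: Your authorization code

(body omitted)
"""

# "with" keywords that mean the hop was TLS-protected (RFC 3848 and UTF8 variants).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
# Heuristic: some servers only mention TLS in a comment, e.g. "(using TLSv1.2 ...)".
TLS_COMMENT = re.compile(r"\bTLS\s*v?\d", re.I)


class Hop(NamedTuple):
    sender: str
    receiver: str
    protocol: str
    tls: bool


def _strip_comments(text):
    """Remove (possibly nested) parenthesised comments from a header value."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text


def _field(keyword, text):
    m = re.search(rf"\b{keyword}\s+(\S+)", text, re.I)
    return m.group(1).rstrip(";") if m else "?"


def hops(raw_message):
    """Return the hops in the order the message travelled (oldest first)."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its own Received header, so the list is newest-first.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())      # unfold continuation lines
        bare = _strip_comments(text)
        protocol = _field("with", bare).upper()
        tls = protocol in TLS_PROTOCOLS or bool(TLS_COMMENT.search(text))
        result.append(Hop(_field("from", bare), _field("by", bare), protocol, tls))
    return result


def hops_without_tls(raw_message):
    """Hops where the receiving server recorded no TLS for the transfer."""
    return [h for h in hops(raw_message) if not h.tls]


if __name__ == "__main__":
    for h in hops(SAMPLE):
        status = "TLS" if h.tls else "no TLS recorded"
        print(f"{h.sender} -> {h.receiver}: {h.protocol} ({status})")
```

Each `Received:` line is written by the server that accepted the message, so it shows only what that server chose to record, and it says nothing about how the message is stored on a server between hops.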

bryanm
Posts: 130
Joined: Mon Aug 13, 2018 3:48 pm

Re: Two-Factor ID for my Bank

Post by bryanm » Thu Mar 14, 2019 1:57 pm

tuningfork wrote:
Wed Mar 13, 2019 7:17 pm
Even if an email is sent using TLS that does not make it completely secure. TLS only encrypts the data during transit. It is still potentially stored in plain text on the sender's email server, on the receiver's email server, and any other servers it might have rested on along the way (such as if your email is auto-forwarded from one domain to another). A hack into the email server or an evil server administrator might expose your emails even if they were sent with TLS.
That's true of any data anywhere. Your bank data is no more secure than your email under those assumptions.
