
Out of my 5 banks, 3 use physical 2fa RSA tokens (and 2 support 2fa apps) and 2 use those crappy code cards for 2fa. Are American banks really that bad?



Yes US banks are that bad and they lag their European counterparts.

Fidelity is a large US brokerage with $2T under management. Only last year did they start to offer two factor authentication as an option (had to ask). I have accounts with one US regional bank and one US credit union which use basic device recognition and a security question when logging in from an unknown device.

Other anecdotes...

My account at Fidelity is a joint account. After setting up online access and funding the account I discovered a year later that it was possible to get full access to the account by creating online access under my wife's name using the account number and a semi-trivial validation process.

Accounts in the US typically have all features enabled by default or can be enabled in a trivial manner and this can't be disabled. Why should a typical account have the ability to wire funds internationally?

It typically isn't possible to configure a second level of authentication for higher risk transactions.

Limited ability to configure alerts based on unusual behavior. For example access from a new device or a transfer over a threshold. No ability to alert when those alerts are changed.

Opaque account recovery processes. Even if additional security measures are implemented it may be possible to have them disabled trivially by phone.

Almost zero customer education around risks and ways to reduce risk. Stupid things like "Don't use your bank's password on other sites, it should be unique!"


I never imagined that an account without the ability to wire funds internationally even existed.

I have family overseas, I have friends overseas, I have bank accounts in three countries.


Of course it should be an option, but from a risk management perspective it makes sense to reduce the attack surface that a fraudster has to work with.

In the US at least a typical customer will never initiate an international wire transfer. Even those with friends and family overseas will typically transfer funds through a money transfer service or via ATM networks to avoid the associated high fees.

When a US customer walks into a bank asking to initiate a wire transfer, it's usually a red flag that they are a victim of fraud.


I just read the original referenced story about the woman who got defrauded.

It definitely couldn't happen with my former main bank - they will not allow any kind of ID aside from in-person photo ID or 2FA, to the point where my parents are actually locked out of their account since the battery ran out in their 2FA device, they never set up a mobile app 2FA, and they live abroad so they can't go into an office. The bank actually told them "tough luck, you're going to have to fly across half the planet to get the 2FA device replaced". My parents are obviously upset, but I thought it was pretty impressive.


That's not impressive, that's security run amok.

Unless these bank people know you personally, it's just a way to make certain frauds a little harder while making other, very common frauds much easier.


> other, very common frauds

Is this also coming from a US perspective, where photo ID is basically useless and everyone relies on a "secret" number (SSN) that was specifically not meant to be used for identification?


The SSNs aren't even secret, it's trivial to get someone's SSN using public information:

https://news.ycombinator.com/item?id=10394881


Yeah, it's insane, hence the scare quotes around secret.

All the ideological resistance against a properly designed and handled ID number means that a number that was never meant to be used for ID is used instead. Madness.


I don't think that it's really accurate to say that SSN is how you are identified by most banks today.

SSN is a component, but they are no longer accepting it blindly for transactions with higher assigned risk. It needs to be correlated against other data to authenticate.

For higher assurance transactions (TSA pre-check, access to criminal data, privileged account access, etc.), biometrics and photos are used to establish who you are. You don't need that for common banking transactions.

Where you see it used blindly, it's generally in scenarios where fraud is a low risk and low impact activity.


In the US, you pay businesses by sharing your account number(s) with them. They initiate pulls from their infrastructure, which your bank responds to without consulting you. (You may call them after the fact if you disagree).

Your account number is a "secret" shared among potentially hundreds of merchants and all it takes is one of them to leak it.

Online banking webapps are mostly a read-only view of your transaction history. Sometimes they are capable of pushing money out, but for a new payee this generally requires phone verification, and in all cases it sends a lot of emails and takes a few days.

But even just by virtue of having a password (which you have not shared with every store you've ever visited) it's already much harder to attack online banking than it is to make fraudulent credit card or ACH transactions.


Bank of America offers 2 way verification.
