Bank security stinks
Contrary to popular belief, and despite banks advertising themselves as "secure" and every other app and site touting its "bank-level security"... bank security fucking sucks. In this post I'll go through my banks, of which I have quite a few, and explain why each one's security sucks.
My banks
I have the following banks, which I'll refer to by NATO phonetic alphabet names. Naming and shaming is absolutely what should be done here, but I don't want people rooting around in my finances or trying to hack me, so I won't be disclosing where I bank.
- Alpha, handles main checking account, savings account, two credit cards, and two personal loans.
- Bravo, a local credit union that handles a checking and savings account used to isolate PayPal, Venmo and the like (I'll cover the why later)
- Charlie, handles one credit card
- Delta, handles another credit card
- Echo, handles a credit card, but since they were a local outfit they outsourced the credit card to some large chain bank. Since I don't use the local features or hold any accounts anymore, this is effectively just the chain.
- Foxtrot, handles retirement and investing, plus a savings account.
- PayPal/Venmo/Apple Cash are left out, as their apps all have quite decent security and they're not the target of my wrath. Plus, they don't really function as banks, per se.
I won't be covering passwords on any of them, because I randomly generate them with 1Password, and all of them allowed me to do so. Bare minimum security, but it's not an issue at any institution, so I'll skip it.
Alpha - the center hub
Alpha is the home of my main checking, savings, and a handful of loans and credit cards. However, their security is lax, for a number of reasons:
- Two-factor authentication defaults to an SMS code sent to a phone number
- They do offer an authenticator-code option, but instead of supporting the open standard everyone else uses (TOTP, the RFC 6238 codes any authenticator app can generate), they force you to install Symantec's proprietary VIP Access code generator (ewwww!)
However, that's not so bad. As long as you don't get SIM swapped, the rest of their verification questions and processes are fairly decent. I'd just, you know, like to use the two-factor app I already have?
Bravo - the locals
Bravo is a local credit union that I use to insulate PayPal/Venmo and the like. Essentially, since Alpha is online-only, it gives me a place to dump cash and then transfer later, and gives me a bank account to provide to PayPal and Venmo. I've heard one too many horror stories of people's accounts emptied at the behest of PayPal, and I don't trust PayPal to handle my money well at all, so they get what amounts to a "burner" checking.
However, the local credit union's computer systems are a joke.
- Their mobile app is just a web frame around their website (ewww!), so it inherits every bug the website has and adds none of the protections a native app could.
- All credit unions basically use one of two apps. Seriously, go to the app store, search "credit union", scroll through the banking apps, disregard the major national chains and look at the screenshots. They all use one of the same two white-label apps! That wouldn't be a problem by itself, except that 1, it's a web frame, and 2, the attack surface is huge: a vulnerability in the shared vendor platform is a vulnerability at every credit union running it, so whoever breaks one of these apps has potentially broken all of them, depending on the scope of the bug. Disgusting.
- Their verification is garbage: just by knowing a few pieces of basic personal info, anyone could get complete access to my account.
- And for all that, they don't even offer Apple Pay or anything decently secure. Their technology and features are quite literally stone age.
Charlie, Delta, & Echo - the credit cards
Now, these three are different outfits but are essentially the same thing. Each hosts a credit card for me, and their security feels very... half-hearted.
- Security questions are basic
- 2FA means an SMS code, and nothing else
However, I'll give them a wee bit of a pass, because their anti-fraud is actually quite smart, and their apps are up to date, secured, and support normal human things like Apple Pay and PayPal integrations.
Foxtrot - the worst offender
Now, my frustration with Foxtrot is the reason I wrote this blog post in the first place. A couple years back, I had to call them, and their automated system authenticated me with my phone number and SSN. Not so bad so far....
"Now, for next time, you can set up our secure voice authentication. You just need to say 'At Foxtrot, my voice is my password' and skip providing your information next time." The automated voice proceeded right into setting it up and attempted to have me record the phrase, without an option to skip. My only option was to remain silent so the bot would fail, and continue anyway.
EXCUSE ME?
Voice authentication is such a joke it should only be seen in movies, and even there it should be a joke. My friends are perfectly capable of triggering my Google Home and it will identify them as me, so my faith in any service to correctly identify my voice is absolutely zero. Plus, wouldn't you just need to play a recording? This is the dumbest security feature, by far.
Now, I had to call them again today, and thankfully, the voice print authentication seems to be gone. Perhaps they became aware that it's just as secure as nothing at all, or perhaps they became aware AI is capable of imitating humans quite well. In any case, good on them for removing it, but a fat raspberry for including it in the first place.
On the call today, the rep asked me for the following info to verify me: my place of work, my current account balance, and my email address.
EXCUSE ME?
So you're telling me that the only thing between an attacker and my account on your website is phone-based two-factor, which has a "remember me" checkbox, so on my own computer, not even that. Now suppose a hacker gets into my computer and calls the bank. You're telling me that all three pieces of verification info are visible right there on my account page???
Foxtrot gets a zero on their security score. No, scratch that. Less than zero. Any bozo looking over my shoulder at the library could easily get into my account. Any hijacked browser could get into my account. My only option for two-factor is a text message.
And thus, my enragement
I cannot overstate my distaste for all banks. It's not that fucking hard to support FIDO/WebAuthn, or standard time-based 2FA, or to offer your clients a hardware key. I don't care if it's not mandatory; make it a fucking option. I can't use my authenticator app or my YubiKey because none of the banks support them, but they're more than happy to pray that I'm the one holding my phone at the time.
And Foxtrot, the vanguard of my retirement, my life savings - is content with a fucking voice print, or just a glance at the website.
Should I switch banks? Maybe. But at this point, I've concluded they're all like this, and "bank-level security", to me, means that you didn't even try, nor do you care.
It's 2024, and I should be able to instantly send any amount of money to anyone else in the world. It baffles me beyond belief on how my email has tighter security than my bank, why it takes several business days for the money to clear from A to B, and why I'm charged fees out the wazoo for the barest hint of modern functionality.
P.S. Oh, and I completely forgot to mention, none of these institutions have even heard of a passkey, let alone support one.