February 12, 2015


“Bank grade security” used to mean something (Updated)

Recently Gizmodo ran a good, albeit lengthy, article titled “Here’s Why Your Bank Account Is Less Secure Than Your Gmail” on the topic of multi-factor authentication (MFA) and your bank. It also reminded me of another article from 2007 titled “Password Security – Or Lack There Of”. Sadly, “bank grade security” used to mean the best of the very best, whereas now any digital security relating to financial institutions tends to be a joke.

Danny Ocean scoffs at your ‘security’
Saying “Bank security” is like saying “The Cadillac of X”. Up to about 20 years ago, “The Cadillac Of” was meant to put a certain mental image in your head. “It” (whatever it is) is the highest end, the nicest, simply “The Best”. Those of the baby boomer generation still hold this as truth in their heads, but most born after the 80s probably never had this mental association.

This is much the same in the case of “bank security”. For that phrase you have this mental image of a heavy duty bank vault, all but impenetrable except for the most determined of criminals (e.g. Danny Ocean and his band of thieves). I remember the early days of the internet when it was very common for software companies to tout their “bank grade security”, something that still happens on occasion. However, like Cadillacs, this mental concept is quickly losing its luster. I expect one day soon that we’ll see young’uns running around who scoff at the idea of banks meaning quality security.

Today, digital security is at the forefront of most startups’ consciousness. You can’t afford to be caught with your digital doors wide open, as an early breach will spell the very rapid end of most any startup. There is an entire fleet of security-oriented startups, like Okta for your internal enterprise security (which I work for), Duo for your MFA needs, and CloudLock for your digital assets.

The big push in security right now is Multi-Factor Authentication (MFA). It’s based on the concept of something you have and something you know. You know your username & password, which unfortunately means someone else can “know” them as well (steal them, hack them, etc.). On top of that you add “something you have”, which typically means an old school key fob, cellphone, dongle, or some other separate physical device that provides a secure piece of information. The most common form is the time-based one-time password, or TOTP. Anytime you see “Google Authenticator” in use, that is TOTP. Why is “something you have” an important addition? Because even if Bad Guys™ “know” your password, they (hopefully) don’t have your cellphone, from which you receive a rotating one-time password, so they cannot get into your account.
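To make the “something you have” factor concrete, here is an added example (not from the original post, and not any vendor’s code) that implements the TOTP algorithm Google Authenticator and Authy use (RFC 4226 HOTP under RFC 6238 time steps) and a login check that requires both the password and the current code. The demo secret is the published RFC test-vector key, and the user record and salt are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, so the
# codes below can be checked against the published vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA-1 + dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = digest[-1] & 0x0F  # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP keyed on the current 30-second step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb
    clock drift; each candidate is compared with a constant-time equality."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // step + drift, digits), code):
            return True
    return False


# Constructed user record: salted PBKDF2 password hash plus enrolled TOTP seed.
_SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"hunter2", _SALT, 100_000),
    "totp_secret": DEMO_SECRET,
}


def login(password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass: a stolen password alone is rejected."""
    at = int(time.time()) if at is None else at
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000),
        USER["pw_hash"])
    return pw_ok and verify_totp(USER["totp_secret"], code, at)
```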

MFA, all the MFA.
On the left is a screenshot of Authy, which I use to manage my large collection of TOTP codes for various services. As of this writing, I have 21 accounts in Authy. Admittedly some of them are for my work accounts, but most are for my personal accounts. Many personal services offer more “convenient” (for normal users) MFA options. Apple’s iCloud does push alerts to your iDevice. Steam (the gaming service) sends you an email if you log in from somewhere new. Twitter will send you a text message.

What does all this mean? It means if you want to hack my email, my Twitter, or my Facebook (which uses SMS or TOTP), you need to get past these second authentication factors. While not impossible, it significantly increases the difficulty of an attack. Most hackers are trying to get the most for the least amount of work, so they’ll move on to someone else without MFA. Of course, a truly determined attacker out to get me probably will find a way. However, those same hackers may find my bank accounts as well. So far, not a single one of my banks provides a true MFA solution that I trust as much as my Facebook security. Yes, I honestly believe that my Facebook and Twitter accounts are more secure than where I keep my money.

Steam Guard protects my gaming more than my bank protects my money.
Is this a bad thing? Hell yes it is. Sure, I’m not liable for a hack or theft, the banks and insurance companies will take care of the money itself… but what about the inconvenience? Have you ever had your credit card canceled and re-issued? Annoying. Now imagine you go to the ATM before you go to lunch, only to find your bank account balance is zero. What is your landlord going to say when your rent check bounces? Probably charge you late fees AND bounced check fees. Better hope you have enough food around the house to eat until your bank account is put back in order in a week or so. Better hope that your bank believes that you were hacked in the first place and acts promptly.

This scares me, but sadly the threat isn’t new. All the way back in 2007 I knew that password security was abysmal. In the last 8 years, American Express finally got around to fixing that particular issue. However, it scares me that we, as a collective group, trust our money to companies that care so little for our digital security that a child’s piggy bank might be a safer bet. Unfortunately nothing will change until a new upstart comes along and forces the big banks to make a change. Even some of the newer financial startups, like Simple, haven’t done anything more to protect their customers.

Update: Originally I stated the above (now stricken) comment that specifically jabbed at Simple, which was unfair. While I’m a Simple customer, I haven’t used it much and it turns out my statement, in reference to them, was incorrect. Their communication team reached out to me with a nice personal email and directed me to their website security policy. The Simple representative noted that while they don’t do MFA on login (which is what I’m used to), they do SMS MFA for transactions that meet a certain risk threshold, including but not limited to “making payments greater than $1,000, sending payment to a new contact, approving instant transfers, and changing personal contact information”. So there you go, some new tech financial groups do embrace security, or at least Simple does. I reserve the right to make blanket statements about other banks… and occasionally be wrong.