Last time, I mentioned that my bank seemed to have at least one lax security policy (or at least a lax security policy implementation), and I promised I’d share more.
So, last month my bank started requiring “Two-Factor Authentication” (as they call it), so that just a password isn’t enough to authenticate me to my bank’s web site. Now, this makes some sense, as this is my bank’s site, and a user posing as me could send a check to themselves with the online bill-pay service and clean out my account.
So, the implementation of this Two-Factor Authentication is something they call The Matrix. It consists of an 8 by 5 grid of numbers that I’ve received, and whenever I need to log onto my bank’s site they ask me for three of the numbers, specifying them by their coordinates. (Each number is labeled by a letter for the column and a number for the row.)
Now, this seems okay so far. If my password were compromised, then an attacker still wouldn’t be able to get in without having this matrix as well. And, even if they could intercept the numbers I type in for one login, they wouldn’t be able to use those for the next login. Presumably, my password would change (since I need to change it every so many days) before an attacker could gather enough numbers to be able to do anything.
However, I see a couple of really big problems with this approach. This Matrix, the secure piece of technology being added here, is just sent to my email. It’s not encrypted or anything. So, it sure seems to me that anyone able to read my password or the numbers I send for one login attempt would have a much easier time trying to read my email, especially as it’s unencrypted all the way between the bank and my mail provider. I really doubt it would stop phishing attempts either, as they would just need to do some kind of man-in-the-middle attack (basically be a proxy between me and my bank’s site) presenting my credentials to my bank’s site. Am I missing something here? It may make things slightly harder for an attacker, but I think that it’s primarily just adding (1) more difficulty in use, and (2) a false sense of security.
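To put numbers on the two worries above (the observer who collects cells from intercepted logins, and the proxy that simply relays the challenge), here is a small simulation of a coordinate card like the one described. This is example code added here, not anything from the bank; it assumes an 8 by 5 card whose cells each hold one digit, a challenge of three distinct coordinates per login, and a bank that accepts a login when all three values match. The first attack function computes, exactly and by Monte Carlo, how likely an eavesdropper who has watched n logins is to be able to answer a fresh challenge; the second shows that a real-time relay never needs the card at all.

```python
"""Coordinate-card ("Matrix") second factor and two attacks on it.

Assumptions (mine, not the bank's): 8 columns A..H, 5 rows 1..5, one digit
per cell, three distinct cells requested per login, all three must match.
"""
from math import comb
import random

COLS = "ABCDEFGH"                                   # 8 columns, labelled A..H
ROWS = range(1, 6)                                  # 5 rows, labelled 1..5
COORDS = [f"{c}{r}" for r in ROWS for c in COLS]    # 40 cell labels, e.g. "C4"
N_CELLS = len(COORDS)
K = 3                                               # cells requested per login


def make_card(rng):
    """Issue a card: a secret digit for every coordinate (assumed format)."""
    return {coord: rng.randrange(10) for coord in COORDS}


def issue_challenge(rng):
    """Bank side: pick K distinct coordinates for this login."""
    return tuple(rng.sample(COORDS, K))


def answer(card, challenge):
    """User side: read the requested cells off the card."""
    return tuple(card[coord] for coord in challenge)


def verify(card, challenge, response):
    """Bank side: accept only if every requested cell matches."""
    return tuple(response) == answer(card, challenge)


# --- Attack 1: passive observer collecting (challenge, response) pairs -------
def learned_cells(observed):
    """Cells an eavesdropper knows after seeing (challenge, response) pairs."""
    known = {}
    for challenge, response in observed:
        known.update(zip(challenge, response))
    return known


def can_answer(known, challenge):
    """True if every coordinate in the challenge has already been observed."""
    return all(coord in known for coord in challenge)


def p_fresh_challenge_answerable(n_logins):
    """Exact probability that an observer of n logins can answer a new challenge.

    Inclusion-exclusion over the K requested cells: the chance that j specific
    cells are all missed by one random challenge is C(40-j, K) / C(40, K), so
    over n independent logins it is that ratio to the n-th power.
    """
    def missed(j):
        return (comb(N_CELLS - j, K) / comb(N_CELLS, K)) ** n_logins
    return sum((-1) ** j * comb(K, j) * missed(j) for j in range(K + 1))


def simulate_observer(n_logins, trials, seed=0):
    """Monte Carlo estimate of the same probability, to sanity-check the formula."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        card = make_card(rng)
        seen = [(ch, answer(card, ch))
                for ch in (issue_challenge(rng) for _ in range(n_logins))]
        hits += can_answer(learned_cells(seen), issue_challenge(rng))
    return hits / trials


# --- Attack 2: real-time relay (phishing proxy) ------------------------------
def relay_login(card, rng):
    """Phisher sits between victim and bank. The bank's challenge goes to the
    victim's browser unchanged, the victim's answer goes back to the bank
    unchanged. Fresh coordinates per login do nothing against this."""
    bank_challenge = issue_challenge(rng)             # bank -> phisher -> victim
    victim_response = answer(card, bank_challenge)    # victim -> phisher
    return verify(card, bank_challenge, victim_response)  # phisher -> bank


if __name__ == "__main__":
    for n in (1, 10, 30, 100):
        print(f"after {n:3d} observed logins: "
              f"P(fresh challenge answerable) = {p_fresh_challenge_answerable(n):.3f}")
    print("relay succeeds:", relay_login(make_card(random.Random(1)), random.Random(2)))
```

With these assumptions the observer passes roughly 15% of fresh logins after watching 10 and about three quarters after 30, which is the "gather enough numbers" scenario made concrete, while the relay succeeds on the very first attempt. Changing the password does not affect either attack, since the card itself is not rotated.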
In another bank-related story, I found it quite interesting that today I received in the mail a savings account statement, which the bank paid 30.8 cents in postage to send me, and whose entire point was to inform me that they paid me 1 cent in interest last month. (I haven’t been using the account lately, preferring a much higher yielding money market account at a different institution.)
And yet, somehow, I don’t get the feeling that any other bank would really be any different…