Face of Nation : Google offers it, some video games require it, but three of Canada’s big five banks don’t even want to talk about two-factor authentication (2FA), an extra layer of online security that some experts say banks should be required to provide to help protect consumers.
It’s a “very, very risky situation” according to Dr. Kevin Streff, a professor at Dakota State University and director of its FinTech security lab. U.S. banks have been expected to use 2FA, also known as multi-factor authentication, since a directive was issued by the Federal Reserve Board 14 years ago, Streff said.
Relying on “single-factor authentication” — logging on to a system with one ID/password combination, for example — “is insufficient in this day of cyberwarfare,” he said.
Under 2FA, a bank requires another step to ensure the person making the transaction is really you. It may call or text you a code that you must enter. Other forms of 2FA involve email, documents and hardware like a USB stick.
Scotiabank, Bank of Montreal and Royal Bank all declined and did not offer any comment. A search of Scotiabank’s website shows 2FA is offered at its international outlets but not, apparently, in Canada. RBC’s website says it requires 2FA to confirm unusual online payments or transfers, or if you go over your daily limit. BMO’s website says it’s required for investment transactions.
A CIBC spokesperson pointed us to the bank’s site, and a page that says 2FA is used for transactions such as adding a new e-transfer recipient, updating contact information, or resetting a forgotten password. It’s not required for day-to-day online banking transactions.
“Protecting our clients is a clear priority,” said spokesperson Trish Tervit. TD also offers 2FA, and is the only one of the big five that gives customers the option of using it every time they log on to the site. Two-factor authentication “has helped to reduce levels of fraud by preventing unauthorized account access,” spokesperson Lisa Bodnar said via email.
Sampalli said advancements in the next few years may change the security around online banking. “What if your device itself has the intelligence to recognize if you are the rightful owner holding it and then proceeds with the transaction?” he asked. “I believe in five or 10 years from now we’ll see algorithms built into systems to reinforce that.”
He added until that time, the federal government should mandate regulations, but in stages, adding it must be tested to ensure that all groups have access to the technology. Sampalli said it’s important for those using online banking to remember they must be responsible, as well. “We as consumers must be educated in good online techniques and practicing safe techniques and good cyber hygiene.”
He said it all comes down to protecting our passwords. “They say security is only as good as the weakest link and passwords are the weakest link in the whole security chain.
