I was recently surprised to read an article on Finextra that highlighted that Which? had reviewed UK banking security and concluded that seven of the top twelve UK banks did not offer 2FA for online banking. Why this surprised me is that banks have led the way with 2FA for decades by using the debit card. To take out money from an ATM or spend it in person, we require something we own (our bank card) and something we know (our PIN code). Surely banking should be leading the way with 2FA online, but it’s not.
We often hear that data is the new oil, which I imagine refers to the monetary value. But when we look at what we’re securing these days, it seems there’s more focus on securing the data than securing the money. That’s like walking round the supermarket with a safe instead of a shopping cart, just to put all the groceries in plastic bags when you walk out. Just like the tech giants are protecting other people’s data, banks are protecting other people’s money, so why aren’t traditional, incumbent banks maintaining the stereotype that they are the safest place?
Not using two-factor authentication is a concern, but my next concern comes from the very common misconception that SMS-based one-time passwords (OTPs) are a suitable solution. They are not. In fact, they are not even truly 2FA. A better way to categorise any OTP-style authentication is 2SV, or two-step verification. The difference is that 2FA stipulates that two distinct identity factors are used, e.g. something you possess (smart card or phone) and something you know (PIN or password), or something you are (biometrics) and something you know. With OTPs, we use only one factor; we just use it twice. So, we have something we know, our password, and then something else we know, a password or code that has just been sent to us. Unfortunately, what has been happening, all too frequently, and for years now, is that those OTPs aren’t making it to their intended recipient, and millions are being stolen from bank accounts around the world. Metro Bank in the UK is the latest to be hit.
There is no doubt that SMS or other OTP solutions are more secure than just a password, but as NIST, the National Institute of Standards and Technology in the US, says: “Implement at your own risk”. In my opinion, OTPs are the next worst thing, and this isn’t how banks should be reacting to the new online world we live in. They should be gracefully sidestepping the cheap and weak authentication solutions, and dutifully selecting what I’ve recently seen categorised as “strong authentication”, as distinct from both single-factor authentication and traditional 2FA.
Biometrics are frequently touted as the way forward, but too often the reason they are recommended is not that they are secure, but that they are convenient. Yes, convenience is a necessity, because, like all service providers, banks must provide customers with a great user experience, otherwise they move elsewhere. But convenience appears to be winning the battle with security, and that is yet another concern of mine. There are some very smart cryptographic solutions out there that don’t rely on phone security the way biometric options do; instead of scanning a fingerprint or face, they merely require a PIN code entered on a phone. You’d be surprised how a PIN code can be more secure than biometrics, but I’ll leave that for another time.
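To make the 2FA-versus-2SV distinction concrete, here is a small constructed simulation (added for this article, not code from Finextra or any bank) contrasting a code delivered over a channel, which is a second “something you know”, with a possession proof in which the device key never leaves the device; the `channel` list, the six-digit code format and the symmetric HMAC key are all assumptions of the simulation.

```python
import hmac
import hashlib
import secrets

# Constructed simulation, not Finextra's or any bank's code. `channel` stands for
# the delivery path an observer can read, which is the position an intercepted SMS
# puts someone in; the observer sees every value appended to it.


def otp_round(channel):
    """SMS-style OTP: the server's secret is the code itself and it is sent down
    the channel, so whoever reads the channel can present it just like the user."""
    code = f"{secrets.randbelow(10**6):06d}"   # assumed six-digit code format
    channel.append(code)
    return code                                # the value the server will expect


def otp_verify(expected, submitted):
    return hmac.compare_digest(expected, submitted)


def possession_challenge(channel):
    """Possession factor: the server sends only a fresh nonce. The answer is
    derived from a key enrolled on the device (symmetric HMAC here for brevity;
    real schemes such as FIDO use a per-device asymmetric key)."""
    nonce = secrets.token_bytes(16)
    channel.append(nonce)
    return nonce


def device_answer(device_key, nonce):
    """Runs on the phone; the key itself is never transmitted."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def possession_verify(device_key, nonce, response):
    expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def compare_factors():
    """Which of the two proofs can an observer of the channel reproduce?"""
    channel = []
    key = secrets.token_bytes(32)              # enrolled on the device at registration

    expected = otp_round(channel)              # OTP: observer reads the code off the
    otp_observer_ok = otp_verify(expected, channel[-1])   # channel and submits it

    n1 = possession_challenge(channel)         # observer watches one full exchange
    r1 = device_answer(key, n1)
    channel.append(r1)                         # the response is visible on the wire too
    n2 = possession_challenge(channel)         # fresh challenge for the next login
    replay_ok = possession_verify(key, n2, r1) # reusing the seen answer fails
    device_ok = possession_verify(key, n2, device_answer(key, n2))
    return {"otp_observer": otp_observer_ok, "possession_replay": replay_ok,
            "possession_device": device_ok}
```

The observer succeeds against the OTP because the code is the secret, while against the challenge-response proof only the holder of the enrolled key can answer a fresh nonce.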
The point here is that banks appear to have fallen from grace, and are no longer the most secure service providers in the market. Though many do offer PIN calculators or code generating apps, these are now considered old and cumbersome authentication solutions, and it appears too few even go this far. Banks must move with the times and not only provide convenient authentication, but secure authentication. At this stage, I would not consider a bank that doesn’t offer strong authentication. Would you?
@MaxCvdP
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.