Financial Organizations and Multifactor Authentication


They were motivated and early. And we were excited.

Banks. Early adopters of new tech.

I remember the magic money machine ATM in the 70s. After seeing checks written for “cash” or from my parents to my parents diminish. Simply visit the magic money machine, and you have cash! Even on the weekend!

And, the credit card. “Would you like us to destroy your carbons for security?”

A phone number to call – get your bank balance by using your account and a PIN.

Then, the debit card. And eventually no more carbons. Even quick service restaurants started taking debit/credit cards.

Online banking with a username and a password! Get all that info, and pay people, too. Let’s add some things.

Security questions. Another step of something you know.
Better add two-factor authentication. Give us your mobile number, and we’ll text you when you try to log in.

And at one of those two places is where many banks (I’ve seen) stopped improving their security around the increased amount of information and interaction they manage. Financial institutions, as early adopters of what the Internet offered, were no longer ahead of the security game.

As an industry, they put in time and effort to improve and improve until suddenly it seemed good enough.

But someone’s security is only “good enough” for a short while for entities operating online. It’s kinda like driving your new car off the lot and the joke that it loses quite a bit of value for each new mile the odometer gains.

Please:

👂 Acknowledge that #securityquestions are absolutely outdated as a form of additional security and work to replace them.
👂 Acknowledge that the beginning form of #MFA (multifactor authentication), an SMS text with a six-digit code, is the least secure form of MFA, and work to offer alternatives.
👂 Regularly review risks around privacy and information security in your organization. This includes your culture and information people may give using means other than a computer. Policies, procedures, processes, and privacy all go together.

I remember when ATMs would give you $5 or $10. Maybe soon we can reminisce when major websites no longer rely on security questions.

Might also want to revisit that four-digit PIN.

#multifactorauthentication #cybersecurity
