[LINK] Banks' internet security
David
dlochrin at aussiebb.com.au
Fri Jan 26 11:38:58 AEDT 2024
I recently began looking around for a bank to replace the one which has handled my personal accounts since I was about sixteen. Why? Because I'm fed up with having to listen to two phrases of 'music' repeated over & over & over & over & over & over again punctuated by assurances that "we appreciate your patience..." before finally hanging up in disgust after three-quarters of an hour.
This mind-destroying tactic is presumably intended to discourage customers from 'phoning their customer support centres. I rarely do so, but in this age of internet fraud customers may need to contact someone *urgently.*
But to struggle back on topic...
It seems most banks intend to phase out tokens for two-factor authentication (2FA) in favour of SMS text messaging, with one even offering email (!) as an alternative. This strikes me as attacking the whole point of 2FA because authentication is all centred in one device again. Proper 2FA relies on the something-you-have device being independent so an individual can lose one without complete loss of personal identity.
When I mentioned this to one bank staffer she remarked that of course the bank expected people to use 3FA: a face or voice profile to secure their device, followed by a username & password, then an SMS code.
Which brings Google into the picture, not to mention the myriad IP connections to unknown sites which might be active in the user's device at the time.
All of which reminds me of the old security proverb to the effect that digging lots of holes in the hope someone will fall in is NOT security.
Cheers!
_David Lochrin_