Posted: Saturday, February 17, 2024


TL;DR Summary

  • Require MFA through Google or Microsoft Auth for new accounts.
  • Existing accounts have 90 days to opt in to MFA before it becomes mandatory.
  • Transfers above $500 require MFA; over $5000 need additional verification.
  • Users must establish trusted devices to prevent unauthorized logins.
  • Create and share educational videos on YouTube for account security.

Intro

This seems to be occurring more often than it really should. People, unfortunately, fall for text messages or emails pretending to be from a reputable source. It's only after they've clicked the link, or even typed in their credentials, that they realize they've been phished. However, is it truly their fault? Most people deposit their money into various financial systems because they believe their investments, savings, and other income are secured first and foremost. They do this because they don't trust that their own security mechanisms, i.e. a safe or a large jar under the bed, are secure enough.

The Story

In another interesting case, we find that another unfortunate person has fallen victim. The story allegedly goes like this. The victim received a text message prompting her to log onto a website or call her local branch. After clicking the link but not providing the requested information, she reported the suspicious activity to her local branch, where she was reassured not to worry. Despite taking these precautionary steps, three days later she discovered that a scammer had managed to change her password, enroll in online wire transfers, and execute a wire transfer, leading to the loss of $40,000. When she filed a fraud claim with Citibank, it was denied, leaving her without reimbursement for her significant financial loss.

If this story is true, then it seems that the responsibility for securing your financial assets has tipped more toward the consumer than the institution, which should be concerning to anyone with a savings account. I'm certain banks such as Citibank spend a mint securing their infrastructure and monitoring it against APTs and other malicious acts. In response, hackers simply find it easier to attack the consumers (the front end) than the bank directly (the back end). However, could financial institutions step up their security game and protect consumers more than they do today? Yes, of course they can.

Enable Software-Based Multi-Factor Authentication

Look, I know: most banks will say they have multi-factor auth enabled for their customers, but let's face it, SMS texts and emails are not the most secure method of auth. I have yet to see an established bank email me with an announcement that app-based multi-factor is now available. To be fair, I don't have an account with every bank out there, but I have money spread across a few and all of them rely on text messages and MFA. Leveraging the Microsoft or Google authenticator app, heck even Symantec VIP, would be a better solution and would greatly increase the confidentiality of the login process.

Interestingly, I find these mechanisms available at other types of financial institution. Etrade offers Symantec VIP for multi-factor; not my favorite, but it checks the boxes. Robinhood, Fundrise, and Arrived leverage the Google or Microsoft auth apps. So really, there's no excuse for banks that hold trillions of dollars in assets not to invest in these security mechanisms.

Enable MFA for large transfers

All banks should offer the ability to place large transfers behind an additional multi-factor approval. Take Binance as an example. Eh, probably not an American government darling, and there have certainly been other controversies in the news recently, but they do employ multi-factor both for logins and for transferring money out.

| # | Step | Description |
|---|------|-------------|
| 1 | Transfer | You request a transfer from Binance to another wallet address. |
| 2 | MFA | You are prompted to input your Google auth or Microsoft MFA passcode. Note the code recycles every 30 seconds. |
| 3 | Final Validation | The transfer is submitted for processing, but wait: you're also required to check your email and approve the transfer once more. It was a process that I once thought tedious but now think is absolutely necessary in today's world. |
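The flow in the table, combined with the dollar thresholds from the TL;DR, sketched as an added example (not code from this post, Binance, or any bank). The `account` dictionary, the function names and the status strings are assumptions, the email approval is modeled as a simple flag, and the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30       # authenticator codes change every 30 seconds
MFA_THRESHOLD = 500     # TL;DR: transfers above $500 require MFA
EXTRA_THRESHOLD = 5000  # TL;DR: over $5000 needs additional verification


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for one 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matching_step(secret: bytes, code: str, unix_time: int, drift: int = 1):
    """Return the time step the code is valid for, or None."""
    now = unix_time // STEP_SECONDS
    found = None
    for step in range(max(0, now - drift), now + drift + 1):
        # compare as bytes, in constant time
        if hmac.compare_digest(totp(secret, step).encode(), code.encode()):
            found = step
    return found


def authorize_transfer(account, amount, code, email_approved, unix_time):
    """Apply the step-up policy; account is a hypothetical dict."""
    if amount > MFA_THRESHOLD:
        step = matching_step(account["secret"], code or "", unix_time)
        if step is None or step <= account["last_step"]:
            return "mfa_required"  # missing, wrong, expired or replayed
        account["last_step"] = step  # each code is accepted once only
    if amount > EXTRA_THRESHOLD and not email_approved:
        return "email_approval_required"  # hold until confirmed out of band
    return "approved"


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real credential.
    acct = {"secret": b"12345678901234567890", "last_step": -1}
    code = totp(acct["secret"], 59 // STEP_SECONDS)
    print(authorize_transfer(acct, 1200, code, False, 59))
    print(authorize_transfer(acct, 1200, code, False, 59))
```

The second call returns `mfa_required` because the same code is presented twice: tracking the last accepted time step keeps a code captured by a phishing page from being reused inside its validity window.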

Dear Mr. Bank

AI is just emerging, and while I'm trying to figure out whether I, or anyone for that matter, will have a job in the next 15 years, I would like to know that my nest egg is as secure as possible. So, Mr. Bank, here are my suggestions:

Banking Security Recommendations

Look, adding security can be a pain, and oftentimes the security mechanisms that are implemented impact the ease and convenience of an application. However, we're dealing with folks' life savings here. $40,000 may be a drop in the bucket for a large enterprise, but it can ruin the average American. Also, bear in mind that most Americans barely have $1000 in savings. If this trend continues, trust in our financial institutions may wane, and the last time we lost trust in banks, I'm pretty sure it led to the Great Depression. So protect it, dagnabit!!

Cordially,

America