Gosh, We’ve Never Felt Safer

Our local bank announced a new security policy of “two-factor authentication”: you would enter your phone number, and it would send a text message to that number with a one-time code to log into your account. After several weeks of constantly entering my phone number and wondering why it didn’t just use the one associated with my account, a realization came to me.

During lunch, I entered the number for my work cell on a work computer, both of which the bank had no knowledge of previously. Sure enough, the bank sent a one-time code to the completely new phone and authenticated a completely new computer. It made absolutely no check that the phone number was valid.

Anyone could answer any phone number there and instantly have full access to anyone’s account.

I called the bank and told them how their supposedly two-factor authentication is actually zero-factor authentication, but they insisted it was working as designed. I finally moved my money to a different bank.

I recently learned that someone had hacked a whole bunch of accounts at the old bank, which they found odd, because they had recently moved to two-factor authentication in the month before, which was “more secure than a password.”