Gosh, We’ve Never Felt Safer
Our local bank announced a new security policy of “two-factor authentication”: you would enter your phone number, and it would send a text message to that number with a one-time code to log into your account. After several weeks of constantly entering my phone number and wondering why it didn’t just use the one associated with my account, a realization came to me.
During lunch, I entered the number for my work cell on a work computer, both of which the bank had no knowledge of previously. Sure enough, the bank sent a one-time code to the completely new phone and authenticated a completely new computer. It made absolutely no check that the phone number was valid.
Anyone could enter any phone number there and instantly have full access to anyone’s account.
I called the bank and told them how their supposedly two-factor authentication is actually zero-factor authentication, but they insisted it was working as designed. I finally moved my money to a different bank.
I recently learned that someone had hacked a whole bunch of accounts at the old bank, which they found odd, because they had recently moved to two-factor authentication in the month before, which was “more secure than a password.”