On the other hand, 2FA opens up the "I lost my phone" customer support channel which might be just as weak.

For example, you can turn on 2FA for sending money via Bank of America's webpanel. As in, you log in with username/password and need 2FA for some restricted actions.

Well, phone up customer support and they'll remove your 2FA if you can provide them some secret details... all of which are displayed on the webpanel to anyone that was already able to log in.

It's a joke.




If they were following a script and the script were careful, saying "I lost my phone" would cause them to try to contact your phone, and when you answered and said you still had it, would put a fraud alert on the account and stop all further attempts to social engineer customer service.

But most companies aren't anywhere near that careful.


Wouldn't that allow somebody who stole your phone to lock you out of your bank if they answered the call? Seems like that'd make a stressful situation potentially worse if thieves knew they could do that. Especially if they called from a number that's linked to the bank anywhere and something like Google's dialer surfaces who it is - your bank calling seems like a potential "maybe I can get more" for a thief so they might be inclined to answer and impersonate.


I would prefer that my bank, if it detects fraudsters trying to pull some sort of trick involving my account, freeze things until I show up and present ID. That's inconvenient, but clearly better than the alternative.


Banks would never do that, if only because they'd risk losing business in places where there are no local branches. Many of the national banks that offer the best conditions have no presence in a lot of metro areas.

And even if you make sure your bank has a local branch (which really, I've not gone to one in years, why would I need one?), what happens when you are on a trip and your accounts are frozen? I've had my CCs frozen because the bank considered my expenses during a trip to be potentially fraudulent, but I could clear it up over the phone. Do we have to devolve back to carrying thousands in cash, like in the old days?

Security is always a tradeoff between avoiding fraud and being usable, and the tradeoffs that are great for some people in some situations are unacceptable for others.


My bank did this. They had actually made a mistake on their end; one of their reps put a hold on my account (presumably a suspicious transaction), but didn't put it in right so it registered as being my request.

I called up, asking why there was a hold, they said I put it there, I said I didn't. There was a long pause, followed by "for security reasons, we won't be able to help you with anything related to your accounts until you come into a branch and present photo ID".

It was a bit inconvenient, but I have to say I was pretty impressed.


So... what about banks with no actual physical branches?


In an ideal world, the bank would direct you to a notary public who would check your identity and public key fingerprint. (Sadly, the present state of things is probably too dysfunctional to manage that.)


Many people (including me) don't answer from unknown numbers, so that wouldn't work.


It wouldn't work /for you/. But for people who do answer their phone, it would add protection.


Possibly, but you'd want to be damn sure it was actually the bank calling you. What's to stop a scammer claiming to be from the bank from calling you?

"Hi, I'm from bank xxxx, calling to warn you about some potentially fraudulent transactions we've detected on your credit card. Before we can continue, please answer a few security questions to verify your identity."

I suspect some people would fall for that and tell the 'bank' their personal details.


I've yelled at most of my banks for cold calling me exactly like that. My response is, "Can this be corrected online? Otherwise, I will call the 800 number myself, and if you could provide any specifics that might speed up that next call, I would appreciate it."

In the past I've also sent letters to bank security teams not to cold call and ask for personal details.

One of my banks actually switched to a standard recorded message that ends in a "Please call our 1-800 number at your earliest convenience." Better.


A text message / email might though.

Just saying "Your account has been flagged for a lost/stolen phone which you use as your 2FA. Please contact support if this is not correct."


Just DoS the phone then?


> On the other hand, 2FA opens up the "I lost my phone" customer support channel which might be just as weak.

"I lost my phone" (or "my phone stopped working") does need some solution, though.

The right way to handle "I lost my phone" seems like one of two possibilities: either come into a branch and provide legal identification matching what you used to open the account (and get "yourself" on camera doing so), or have a token mailed to your physical address on file (which you cannot change at the same time as a lost phone claim).


Shout-out here to NearlyFreeSpeech, who do this right. They give you a set of verification actions:

    You provide a scanned copy of a government-issued photo ID.
    You provide a scanned copy of a statement showing both the most recent deposit and a name and address matching one of your accounts.
    You complete SMS verification. (SMS must be previously configured.)
    You complete 2-factor verification. (2-factor auth must be previously configured.)
    You correctly answer your security question. (Security question and answer must be previously configured, below.)
    You use an ssh key to create a file with a specific name on one of your sites hosted here. (Must be previously configured, won’t work if account is empty.)
    We try and fail to contact you via your currently configured email address. (This one may take a long time.)
You can then pick how many of these you want to require to get your account back (and which you want to configure), including an option not to help at all in the case you lose your account.
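The two recovery designs described in this thread, the customer-chosen "N of these factors" scheme above and the earlier suggestion of a mailed token to an address that cannot be changed while a lost-phone claim is open, share one evaluation pattern. The following is an added illustration written for this page, not NearlyFreeSpeech's or any bank's code. The factor names mirror the list above; the 30-day address-change cooldown, the `Account`/`RecoveryPolicy` types and the function names are assumptions chosen for the example.

```python
"""Illustrative account-recovery policy evaluator (example code, not a vendor's)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Factor(Enum):
    """Verification actions, modelled on the list quoted in the thread."""
    PHOTO_ID = "scanned government-issued photo ID"
    STATEMENT = "statement showing recent deposit plus matching name/address"
    SMS = "SMS verification"
    SECOND_FACTOR = "2-factor verification"
    SECURITY_QUESTION = "security question"
    SSH_FILE = "file created on a hosted site with a registered ssh key"
    EMAIL_UNREACHABLE = "provider tried and failed to reach the configured email"


# Factors that only exist if the customer set them up beforehand; an attacker
# cannot "complete" one of these for an account that never configured it.
PRECONFIGURED = frozenset({
    Factor.SMS, Factor.SECOND_FACTOR, Factor.SECURITY_QUESTION,
    Factor.SSH_FILE, Factor.EMAIL_UNREACHABLE,
})

# Assumed value: the thread gives no number for how long a new address must
# "age" before a mailed recovery token may be sent to it.
ADDRESS_CHANGE_COOLDOWN = timedelta(days=30)


@dataclass(frozen=True)
class RecoveryPolicy:
    required: int | None           # None = "do not help me at all if I lose access"
    configured: frozenset[Factor]  # preconfigured factors the customer actually set up

    @property
    def available(self) -> frozenset[Factor]:
        """Factors that can count: everything not needing setup, plus what was set up."""
        return self.configured | (frozenset(Factor) - PRECONFIGURED)

    def __post_init__(self) -> None:
        # A threshold the customer can never meet would silently be an opt-out,
        # so reject it at configuration time instead.
        if self.required is not None and not 1 <= self.required <= len(self.available):
            raise ValueError("required factor count must be between 1 and the number of available factors")


@dataclass
class Account:
    policy: RecoveryPolicy
    address_changed_at: datetime | None = None  # last postal-address change
    recovery_open: bool = False                  # a lost-phone / recovery claim is pending


def evaluate_recovery(policy: RecoveryPolicy, completed: set[Factor]) -> tuple[bool, str]:
    """Grant recovery only if enough *configured* factors were completed."""
    if policy.required is None:
        return False, "customer opted out of account recovery"
    counted = set(completed) & policy.available
    ignored = sorted(f.name for f in set(completed) - policy.available)
    if len(counted) >= policy.required:
        return True, f"{len(counted)}/{policy.required} factors satisfied"
    return False, f"only {len(counted)}/{policy.required} factors satisfied; ignored unconfigured: {ignored}"


def can_mail_recovery_token(account: Account, now: datetime) -> tuple[bool, str]:
    """Mailed-token path: refuse while the address on file is still 'fresh', so an
    attacker cannot first redirect the letter by changing the address."""
    if (account.address_changed_at is not None
            and now - account.address_changed_at < ADDRESS_CHANGE_COOLDOWN):
        return False, "address changed within cooldown; token not mailed"
    account.recovery_open = True  # lock address changes until the claim closes
    return True, "token mailed to address on file"


def can_change_address(account: Account) -> tuple[bool, str]:
    """The other half of 'cannot change address at the same time as a lost-phone claim'."""
    if account.recovery_open:
        return False, "address changes are locked while a recovery request is open"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: customer configured SMS and a security question, requires 3 of the available factors.
    policy = RecoveryPolicy(required=3, configured=frozenset({Factor.SMS, Factor.SECURITY_QUESTION}))
    print(evaluate_recovery(policy, {Factor.PHOTO_ID, Factor.SMS, Factor.SECURITY_QUESTION}))
    print(evaluate_recovery(policy, {Factor.PHOTO_ID, Factor.SMS, Factor.SSH_FILE}))  # SSH_FILE never configured
    acct = Account(policy, address_changed_at=datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(can_mail_recovery_token(acct, datetime(2024, 1, 10, tzinfo=timezone.utc)))
    print(can_mail_recovery_token(acct, datetime(2024, 3, 1, tzinfo=timezone.utc)))
    print(can_change_address(acct))
```

The point the thread makes about the "I lost my phone" channel is encoded in two places: a factor the customer never configured contributes nothing even if the caller claims to complete it, and the `required=None` policy is an explicit opt-out rather than a threshold that happens to be unreachable.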


Nah. Them having a set of your scanned docs just means that if something like what happened to OPM happens, the attacker now conveniently has scanned copies of your docs.

So yeah, bad idea.


> have a token mailed to your physical address on file

This is the worst from the customer's point of view. It takes a long time.


It's on average 24h or less, considering that mail through DHL is next-morning delivery everywhere, and same-day delivery in larger cities.


This may come as a shock to you but some people live outside the United States.


I’m in Germany, actually.
