Strong Passwords Don’t Cut It for Bank Payments

When black market criminals use tighter security than global payment systems, you know the banking industry needs to wake up. Two-factor authentication (2FA) is now a standard practice on the ‘dark web,’ yet most banks require just one password to authorize transactions.

The problem is that most people don’t use unique passwords. After decades of discouragement, “123456”, “password”, and “12345678” are still the most popular consumer passwords (see SplashData’s annual list).

But here’s what consumers don’t realize: even if you set and regularly update complex passwords, hackers can still intercept them using malware and then share them in massive online databases. For determined criminals, passwords are no more a barrier than the lock on your screen door.

2FA dramatically improves upon the lone password by requiring users to provide two verifying pieces of information (factors). Typically, the two factors are a password and a one-time code sent by SMS or email. Sometimes, a push notification, key fob, or fingerprint scan serve as the second factor.

Payment systems should be the last place where a login ID and password alone are sufficient to send and receive money. Sadly, that’s not the case.

Consider that most consumer payment systems allow users to access online accounts with a name and password only. Successful hackers can easily change the notification settings and transfer controls before filling their pockets, and the account holder might not notice the robbery for weeks. 2FA solutions would deflect more attacks, and properly implemented solutions would actually alert the account holder of suspicious activity.

Business payment systems are equally unprotected. Payroll and online accounting systems often permit wire transfers with nothing but a password. In a large enterprise, a hacker could easily add a fake payee to the payroll or accounts payable and siphon money into another account. Again, 2FA would make that nearly impossible.

Interbank payment systems are more secure, but still flawed. SWIFT, the international payment network, relies on public key infrastructure (PKI) and hardware 2FA to start a terminal session. But individual transactions merely require the equivalent of a password, leaving active sessions vulnerable to remote access or abuse,  which we witnessed in the 2016 Bangladesh Bank Heist.

Now compare SWIFT to the cryptocurrency space. Bitcoin is neither regulated nor protected by traditional fraud insurance. Nonetheless, Coinbase, who currently leads the global market in buying and selling Bitcoin, mandates 2FA for its nearly 3 million users to protect their accounts.
It’s time for banks to wake up and accept that passwords alone aren’t sufficient for protecting customers and payment systems. Without two-factor authentication, it’s not a question of if, but when hackers will break through.

This post originally appeared in paymentssource.com on May 24th, 2016.