
Strong Passwords Don’t Cut It for Bank Payments

When black market criminals use tighter security than global payment systems, you know the banking industry needs to wake up. Two-factor authentication (2FA) is now a standard practice on the ‘dark web,’ yet most banks require just one password to authorize transactions.

The problem is that most people don’t use unique passwords. After decades of discouragement, “123456”, “password”, and “12345678” are still the most popular consumer passwords (see SplashData’s annual list).

But here’s what consumers don’t realize: even if you set and regularly update complex passwords, hackers can still intercept them using malware and then share them in massive online databases. For determined criminals, passwords are no more a barrier than the lock on your screen door.

2FA dramatically improves upon the lone password by requiring users to provide two verifying pieces of information (factors). Typically, the two factors are a password and a one-time code sent by SMS or email. Sometimes a push notification, key fob, or fingerprint scan serves as the second factor.

Payment systems should be the last place where a login ID and password alone are sufficient to send and receive money. Sadly, that’s not the case.

Consider that most consumer payment systems allow users to access online accounts with a name and password only. Successful hackers can easily change the notification settings and transfer controls before filling their pockets, and the account holder might not notice the robbery for weeks. 2FA solutions would deflect more attacks, and properly implemented solutions would actually alert the account holder of suspicious activity.

Business payment systems are equally unprotected. Payroll and online accounting systems often permit wire transfers with nothing but a password. In a large enterprise, a hacker could easily add a fake payee to the payroll or accounts payable and siphon money into another account. Again, 2FA would make that nearly impossible.

Interbank payment systems are more secure, but still flawed. SWIFT, the international payment network, relies on public key infrastructure (PKI) and hardware 2FA to start a terminal session. But individual transactions merely require the equivalent of a password, leaving active sessions vulnerable to remote access or abuse, which we witnessed in the 2016 Bangladesh Bank Heist.
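As an added illustration of the two points above, that a second factor is a one-time code delivered out of band and that it should protect each transaction rather than only the session, here is example code that is not from the original post or from any bank or SWIFT system. It issues a one-time code bound to one transfer (payee and amount) and only approves that exact transfer; the five-minute lifetime, the three-attempt limit, the in-memory store and the function names are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed policy: three wrong guesses lock the challenge

# Outstanding challenges, keyed by challenge id. In-memory for illustration;
# a real system would persist this server-side.
_challenges = {}


def issue_transaction_code(user_id, payee, amount_cents, now=None):
    """Create a one-time code bound to one specific transfer.

    The code would be sent out of band (SMS, e-mail, push). It is returned
    here so the caller can simulate that delivery.
    """
    now = time.time() if now is None else now
    challenge_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(10**6):06d}"   # six random digits
    _challenges[challenge_id] = {
        "user_id": user_id, "payee": payee, "amount_cents": amount_cents,
        "code": code, "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0, "used": False,
    }
    return challenge_id, code


def authorize_transfer(challenge_id, user_id, payee, amount_cents, code, now=None):
    """Approve the transfer only if the code AND the transfer details match.

    Because the code is tied to payee and amount, a code obtained for one
    transfer cannot approve a different one, and a payee changed after the
    code was issued is rejected even when the code itself is correct.
    """
    now = time.time() if now is None else now
    rec = _challenges.get(challenge_id)
    if rec is None or rec["used"]:
        return False                      # unknown or already consumed
    if now > rec["expires_at"] or rec["attempts"] >= MAX_ATTEMPTS:
        _challenges.pop(challenge_id, None)   # expired or locked: discard
        return False
    rec["attempts"] += 1
    details_ok = (rec["user_id"], rec["payee"], rec["amount_cents"]) == \
                 (user_id, payee, amount_cents)
    code_ok = hmac.compare_digest(rec["code"], code)   # constant-time compare
    if details_ok and code_ok:
        rec["used"] = True                # single use
        return True
    return False
```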

Now compare SWIFT to the cryptocurrency space. Bitcoin is neither regulated nor protected by traditional fraud insurance. Nonetheless, Coinbase, who currently leads the global market in buying and selling Bitcoin, mandates 2FA for its nearly 3 million users to protect their accounts.

It’s time for banks to wake up and accept that passwords alone aren’t sufficient for protecting customers and payment systems. Without two-factor authentication, it’s not a question of if, but when hackers will break through.

This post originally appeared in paymentssource.com on May 24th, 2016.

About the author Marc Boroditsky

Marc is a seasoned entrepreneur with 30+ years of computing experience, including 25+ years with start-ups. He has founded and financed four start-up software companies in electronic medical records, authentication and identity management, and successfully completed the sale of the most recent one, Authy, to Twilio and, before that, Passlogix to Oracle.

He started in computer security with the view that authentication was too difficult for users, since they needed to know an increasing number of passwords. This vision led to his successful enterprise SSO company, Passlogix, which enabled SSO for a broad range of applications including client-server, mainframe and web-based applications. Passlogix led the industry with more than 1,600 customers and 25 million users around the world. Following the acquisition by Oracle, Marc joined as VP Identity Management and drove growth at a multiple of the market and delivered new products for privileged access, mobile security and cloud SSO.

After leaving Oracle, Marc returned to the start-up world to help lead Authy, a two-factor authentication (2FA) as-a-service vendor, generating nearly 4x growth in the first year, resulting in more than 11,000 protected apps and more than 2 million users. He’s currently the VP & GM of Authentication at Twilio following the acquisition of Authy, where he was President & COO.
