Does anyone know the cause of the large and long-standing difference in banking in the US vs Europe?
In Europe:
- for 15 or so years already, web banking has used 2nd-factor authentication (since its inception I assume). In previous decades we would get devices where you need to type numbers from their LCD screen into the webpage login. Today mobile auth apps are taking over.
- I have never seen a bank have security questions like "mother's maiden name" as backup. No backup questions at all. I guess you go to the bank's office if you forget it?
- "wiring" money between European bank accounts is free (and not called wiring, not sure what it's called in English though), for as long as I remember. It's not some special type of transaction, it's the main way to pay bills, get salary, pay each other, ...
- paper cheques haven't existed for over a decade
When I hear how US banking is, it somehow evokes images of an old stuffy '70s office in my mind... lots of paper, maybe a slow COBOL mainframe somewhere, which can only support 8-character passwords in all caps or something like that...
A wire transfer (IBAN/BIC transfer) is different from an ACH transfer.
ACH (EFTS in the EU) in the US is generally free, but has a delay for clearing and has some mechanisms for reversal. This is primarily a digital check, and can be initiated by the receiver in that way.
A wire transfer is nearly immediate by comparison and offers almost no option for reversal. This option does usually have a fee and is generally reserved for large purchase transfers and emergency situations where verification of receipt is required, such as buying a house. These transfers are processed via Fedwire inside the US and SWIFT outside it.
The guideline in the EU is that interstate can not cost more than intrastate, so most went to 0.
> ACH(EFTS in EU) ... is primarily a digital check.
Well, not exactly. I have set up ACH transfers between my dad's and my account, but a couple of banks didn't let me. They said both account holders should be the same. The bank told me that the only option I have is to wire the money.
On the other hand, I pay my employees through ACH (ADP takes care of it).
Most other countries allow direct person-to-person transfers with just a name and account number. In Australia you can put in someone's details and payment for something and it will be there the next morning, with no fees, directly through the government interbank system.
In the US, if you want a fee-free transfer, you need to use your bank's app and take a photo of someone's check. And no, PayPal/Venmo are not good alternatives. They're private transfer systems that are not federally mandated and regulated bank-to-bank transfers. I wrote a full post about this:
This is a little outdated. Most banks finally got Zelle set up this year. It hasn't fully caught on, but you can get free transfers between nearly all big banks and a lot of small banks simply by setting it up and knowing the person's email or phone number. I've been trying to get my friends to move off Venmo, but the option to do it is usually buried inside the banking apps so it isn't as convenient.
It's still not quite the same. In Germany, Australia and NZ, you can send money to anyone at any bank, for free, and you don't need to use their phone number or e-mail address. It's mandated by the government.
It'd be more like the Federal Reserve enforcing free customer-to-customer ACH for everyone. There are some banks that do offer free person-to-person ACH (I believe 5/3 is one of them).
Zelle is basically the banks getting together and going around that critical lack of infrastructure. It does look like they have a lot of major and minor banks. Mine is still missing from the list though, and I suspect it will be years until everyone is supported or banks will feel they need to support it to enter the market. So no, the US is still way behind.
Not only is there an ODFI - clearing house - RDFI delay caused by the actual "clearing" process; the whole flow, starting from the merchant -> payment processor step, is a sequence of nightly batches with cutoff times factored in to boot.
From the merchant perspective, however, an ACH payment is cheaper to process than a credit card payment and is way less likely to end up in a chargeback.
No. ACH is the digital equivalent of depositing a paper check. The debit networks are what you use to withdraw money from an ATM, and require entering a PIN, but most debit cards nowadays can also operate through credit card networks.
Debit cards (not to be confused with bank cards) are closer to credit cards than ACH. In some cases, for example "signature debit" vs "pin debit", they are just about identical from the flow perspective.
Which is why you can use debit cards in most situations where you would use a credit card where an instant check of funds availability and a hold is required, e.g. hotel incidentals etc.
ACH works on a pull basis rather than a push basis. Instead of telling the bank "send $100 to account XXXXXXXXXX at bank YYYYYYYYY" you tell the bank "give me $100 from account XXXXXXXXXX at bank YYYYYYYYY". That makes it okay for paying a large business that is easy to track down if they take too much, but it makes it unsuitable for paying a normal person because they could just empty out your bank account and then disappear.
Just a heads up it actually works both ways. The originating depository financial institution (ODFI) can submit debits (pulls) or credits (pushes) which are then ultimately transmitted to the receiving depository financial institution (RDFI).
Often banks and credit unions will limit ACH origination to debits (pulls) in digital banking applications for risk and business reasons.
You are right that ACH (and most payment schemes in the US) have substantial deficiencies in terms of security, but that is counteracted with a strong justice system and consumer laws. You shouldn't really fear someone emptying your bank account (unless you are a business) because Regulation E mandates that banks and credit unions make you whole for any fraudulent transaction reported within 60 days of the statement that includes the relevant transaction(s).
> Inter-bank money transfers in US are handled by a system that needs multiple "business days"
I wired some money from my US bank account to my Swedish bank account. The US bank obviously operates on a batch process basis, because around 6AM EST I got an email from my US bank saying that they've sent the money, and I should expect it within three days in my destination account.
It was already available in my Swedish bank account at that moment, because they have no delays whatsoever, because what the hell is there to delay? The difference is like night and day, and I do not understand why American consumers put up with their extremely shitty banks that all seem to be stuck in the '70s. It drives me crazy.
Well, most Americans aren't doing international wire transfers.
I've never had an issue with my American credit union. I draft loans directly out of my account and I can send money to anyone for free (instantly to people with the same bank.) For everything else, I use my credit card for the fraud protection and rewards points.
This is another one of those US quirks. The only time I had to deal with banking fraud was when my wife's credit card was stolen. CCs are pretty low on the trust scale here in Germany, they mostly exist to simplify transactions with US-oriented companies.
Fraud protection (at least as I was thinking of it) encompasses a lot more than banking fraud.
A couple of years ago, a vendor charged me $500 instead of the $50 they had claimed a service would cost. When I complained to them, they called me a liar and refused to do anything.
I disputed the transaction with my credit card company. The money never even had to be refunded to me because it never came out of my account.
This is a rare occurrence, but having an intermediary preventing $450 that I don't owe being directly debited out of my account is vastly superior to the alternative of complaining to my bank after the actual money is gone.
> When I complained to them, they called me a liar and refused to do anything.
At least in Germany you have a multitude of options you can pull even without a lawyer getting involved. You can also file legal complaints easily and most fraudsters will drop the money at that point and apologize.
Added to that is that most online payment in Germany works with a push system, which means you'll see the amount you'll transfer on your bank's online form or whichever web service you use (GIROdirect or SOFORT). If they charge more, don't pay.
SEPA Debit, which is a pull system, has more fraud protection, and vendors are very unlikely to ever do anything like fraud over Debit as the bank will go after them like some '80s slasher movie killer if they do. Plus you get the money back.
> At least in Germany you have a multitude of options you can pull even without a lawyer getting involved. You can also file legal complaints easily and most fraudsters will drop the money at that point and apologize.
In this case, all I had to do was log into my credit card website, click "dispute transaction", explain what happened, and forget about it.
Moreover, I don't know what would have happened legally, as it is a reputable, well-established vendor in the local area, and it came down to my word versus theirs - I didn't have a receipt or anything.
> Plus you get the money back.
The money never even leaving my account is much preferable to getting it back.
The US debit system works in a similar way as you describe, but the credit system is still better for that reason.
IIRC from my current law course, if you didn't get a receipt (or other proof of transaction/contract) the vendor has no right to your money. You'll get receipts everywhere.
Fraud is rare enough here that it's not much of a hassle, the legal system being in favor of the customer helps too.
Germany also has a rather non-credit-oriented mindset; people don't like taking on debts or credit, and a debit card is usually preferred by everyone, seller and buyer.
Three separate cron jobs are needed to clear the transaction, and they only run at midnight, because that's how they were set up decades ago? (My guess)
The US ACH system does rely upon COBOL mainframe systems which only support batch processing. But that constraint does not cause the multi-day process. In fact, since September 2017, the US ACH system has supported same-day ACH processing (with a slightly higher fee of 5.2 cents).
The main constraint has been more related to operations. There are thousands of people whose sole job is to process ACH files. They mostly work at bankers' banks and corporate credit unions (credit unions' banks). But also at financial institutions that range from under $1mm in assets to over $100bn. Most of these jobs could be fully automated away, but they haven't been yet for a variety of reasons.
Since November, EU regulation mandates that SEPA transfers should finish within 10 seconds[0]. In practice we're not quite there yet since some smaller regional banks have trouble moving from batch processing to streams, but their deadline extension ends June 2018.
It mandates that banks offer a 10-second-transaction but not that all transactions are that fast. For example, the only German bank currently supporting that charges a 0,50€ fee while regular (slower) transfers are free.
Huh, that's interesting. I remember transferring a few euros for shared pizza to a friend's account a few months back and it took a day. This was between two very large, modern Dutch banks.
Is it still that slow? For a few months now, 95% of my transactions between Germany, the Netherlands and the UK (EUR account) happen the same day. It's not like banks actually can earn interest right now anyway. If anything, it costs them to hold money currently.
Yes, I forgot to mention that the cutoff now seems to be at around 2pm for most banks (it was much earlier even recently). Transfers after that usually show up on the next day but the value date is often the sending date.
I don't do transactions after 6pm or so, therefore no experience that late. All of this only applies to banking days, no transactions get processed on the weekend.
In Sweden we can transfer money instantly between banks. You essentially register a service tied to your phone number, and people can use that phone number to instantly transfer money to persons or companies without any fees. The service is called Swish [0]. The only requirement is that the receiver has registered the service to his/her phone number, and that you can authenticate yourself using mobile BankID [1].
This sounds like the same as Vipps in Norway. Anything up to NOK5000 is free. And it is instant.
It has become a huge hit in the last year. As for why, I guess it's almost as fast as cash and you can add a little note so you can prove (rarely necessary but sometimes useful) that you paid.
Now a number of companies are also embracing it and I've started to receive invoices on Vipps. If it could be the thing that kills "Avtalegiro" I'd say that would be great.
Australia is fairly similar to this, particularly the fee-free transfers between banks (for both private and business).
What's interesting is that next year most of the banks seem to be launching an instant bank transfer system, a big interbank implementation. Right now it generally takes 1 business day if you've transacted with that account before and 3 business days if you haven't. I assume that's some kind of anti-fraud measure but not 100% sure.
Australia may not be known as a banking superpower, but it has the most user-friendly, affordable, efficient financial infrastructure of all the places I've lived in.
There's the most kickass Bill Pay system ever and DEFT, which allows paying by several methods including the credit card, potentially gaining reward points for paying rent. (Reward credit cards may be pricey though.)
Overseas wires cost a measly flat AU$20 a few years ago at Westpac, local transfers were free and quick to a low-risk recipient (and most recipients are reasonable enough to go on with a transaction if you send them a PDF proving you sent the money). If you run a business, your company account can be accessed via the same customer ID.
Suspicious transactions are spotted and the bank calls you if they suspect foul play; the false alarms are rare. Fraudulent transactions (at least minor ones) are reversed; it happened to me once and to my wife several times. No US-like secrecy for bank account numbers: you normally publish your bank account for people to make transfers to. Tokens are used for business accounts, while consumers don't have to bother with these.
There's generally no banking fee unless the account is dormant, and then it's about $5 or something (not $20 - $40 like in the US or Singapore).
Nobody uses cheques, obviously (although they do exist).
In terms of foreign currency transfers, there is also OFX, a nifty service where you can keep your incoming funds until the exchange rate is more favourable (nope, Transferwise doesn't have it), and that charges you a fraction of what the banks take.
> Nobody uses cheques, obviously (although they do exist).
Cheques are now mainly used for business to consumer payments, and for large value transactions, where it's done as a bank-drawn cheque usually.
The bank I use doesn't have a branch anywhere near where I live, so when I got sent a cheque a while ago I had to ask how to go about depositing it. Turns out the bank I use for my credit card will happily accept them via their ATMs which print out a receipt with a scan of the cheque.
> Cheques are now mainly used for business to consumer payments,
I vaguely remember a couple of times years ago (late 2000s, I think) I had a cheque sent to me, but it was done electronically in most cases. Point taken though.
> and for large value transactions, where it's done as a bank-drawn cheque usually.
True, but a bank cheque is a different thing altogether.
I knew someone would comment on the borderless account (I opened these, too), but it's not even close.
The borderless accounts are:
1. Limited to a handful of currencies. OFX isn't.
2. In the US at least, can't receive international transfers. OFX can. I'm sure there are other limitations, too.
3. It's unclear how much is to be paid to transfer the money from the borderless account to yours. OFX charges nothing to keep the incoming funds "in custody" for up to a month.
Wow, even that! In the US it's normal to charge US$2.5 or even higher, although some bank accounts refund these charges back to you at the end of the month.
CommBank and NAB spearheaded instant transactions.
CommBank dropped an absolute mint on it, with a goal of sub-second transactions, with decent fraud protection.
After a bunch of talks between the big banks, and VISA and MasterCard, and a little bit to do with the ombudsmen from various government branches, it was decided to share out that architecture, including fraud protection.
The fraud protection is actually really good, and thanks to actual cooperation between the banks, reimbursement is a fairly likely scenario.
There is no such thing as an international wire transfer. Instead what you have is a set of agreements between gateway banks in each country allowing for the money to be made available from one country to another.
Other than that it's mainly consumer protection and the EU attempting to standardize everything vs. the US being less restrictive and more inclined to leave it to the market to establish standards.
For historical context, Europe had a head start when it came to mobile with their implementation of the GSM standard, whereas the US was mostly left to find a winner between competing standards.
The EU has no specific advantage over the US today; on the contrary, one might say.
So basically what you have is an EU that is forcing standards down on countries vs. a US which lets the markets mostly figure things out by themselves.
But it seems the standards forced down by the EU resulted in a faster, more efficient system?
As a private individual or person doing business in the EU I don't have to care about the different gateways in various EU countries or the difference between ACH and wire. I just make a transfer via online banking or authorize a SEPA Direct Debit withdrawal by ticking a checkbox in an online shop. There's zero friction.
Whether the transaction is completed instantly or within a business day usually doesn't matter much. There's no faffing about with paper cheques (because seriously what century is this) and I don't have to talk to any humans to do it. Rent and utilities are deducted from my bank account every month until I revoke the authorisation.
Watching American sitcoms with mom or dad poring over a stack of bills and writing cheques seems like a flashback to the 1950s.
I don't think so. The EU isn't better off than the US when it comes to cellphone standards as such and it certainly hasn't made them any better at building successful companies.
The EU is trying to solve a bunch of things through legislation which the market should be solving on its own.
> The EU is trying to solve a bunch of things through legislation which the market should be solving on its own.
Maybe because they know that the market doesn't solve such problems, it only makes them worse. Market players profit from creating barriers for customers and keeping the system balkanized; it takes a strong actor outside of that market to force a common standard.
See also: why sending files directly between a computer running Apple's OS and one running Microsoft's OS is so ridiculously complicated.
Euro SEPA transfers between Switzerland and EU are typically free. At least the major Swiss banks don't charge anything extra. International transfers in other currencies (e.g., CHF, GBP) still incur a fee, though.
The same applies to most German banks in the other direction but this is by business decision and not by law. Thus some banks do charge a fee for that.
You should use another bank. I've never heard of anything like that when I was living in Germany (I used Comdirect and N26, lots of my coworkers recommended DKB and ING DiBa also).
> Between European bank accounts in the same country. Also, not every European country, unfortunately.
Unless I'm mistaken, transfers in Europe are by law required to cost the same inside and out of the country. My Greek bank charges 1 euro for a transfer, no matter if the bank is in Greece or anywhere else in the EU. My German bank doesn't charge anything, and I pay my rent from my German account.
> They're very rarely used, but they can be useful for cases where you want to buy something like a car without changing the card limits.
None of the banks I have accounts with ever gave me a chequebook. If I want to buy a car, I will transfer the money through SEPA, as normal, for free.
Germany is a very cash-oriented society. Many independent businesses don't take credit cards and most consumers prefer to pay in cash. Germans are very privacy-conscious, and there's a latent suspicion of debt and intangible money because of Weimar-era hyperinflation.
Which is slightly odd, considering that in hyperinflation, paper cash was losing value just as fast as intangible money.
However, the privacy aspect makes cash usage understandable. But it is somewhat inconvenient sometimes - for example, you generally have to be prepared to pay taxis by cash, not bank/credit card as in Nordics.
And there is a culture of hiding assets from the state. I remember a while back the German police were regularly catching pensioners driving to Luxembourg to smuggle large amounts of euros which they did not want to pay tax on.
A cashier's check is effectively a cash equivalent - it's a check guaranteed by the bank, wherein they basically freeze the funds in your account at the time you write the check. The only real purpose of it is to save people from carrying around huge amounts of cash. So that doesn't really answer his question.
Very very very rarely. I've never seen or heard of anyone using either personally and I'm not even sure where I would get a check book or cash in a check.
Germany is very cash. You pay the taxi in cash, you pay the restaurant in cash and you pay the train in cash. Credit cards exist, but largely the EC system is preferred since it's not credit-based and pulls from your bank account instead. And I only really fall back to EC when I run out of cash and I know I'm going to be at a place that has a card reader.
Oh, I'm sure you can get them somehow, I'm just saying that they're so rare that no bank gives them out by default (nor have I ever seen one or know what to do with it).
Is there still a universal system of acceptance of checks, though, like there was Eurocheques before 2001? Any bank can presumably issue checks, but if no car dealerships take them...?
You can write a cheque on anything as it's just a written instruction. Sadly the story of the farmer who wrote one on the side of a cow turns out to be false.
I think that was because it cost money to transfer between SWIFT and SEPA. SEPA to SEPA is very cheap/free, and so is SWIFT to SWIFT, AFAIK. I haven't tried to send money between the two systems for a long time.
> Between European bank accounts in the same country. Also, not every European country, unfortunately.
As far as I know, it's free between all Eurozone countries. At least I regularly do transactions between countries, and I've never heard it costing a cent.
Transfers can be charged, and often are even within the same country. In Spain it is common to have "up to n monthly transfers for free, then you get charged x%".
Also, I've received wrong payments on a German account from French people many times, and they claim it's because their bank charges the transaction and I receive the sent amount minus fees, with no possibilities for them to specify otherwise (that's happened with dozens of different clients, so I'm very inclined to believe them).
At least both of my banks in France don't charge me anything when doing wire transfer to other European countries. So, I'm not sure how prevalent that is.
I was born Hungarian but now I am Canadian (hurray!) and this difference in banking totally baffles and irritates me to no end.
Rietumu in Latvia ten-plus years ago was already using not just those hopping-code authentication devices but also client-side SSL certificates (at least for small business accounts; I never had a personal one with them). Extremely secure, but I wonder how well the general public would deal with that.
It's not a US vs Europe thing. There have been past incidents with Korean websites asking what city you were born in, and since the Seoul area has half the population, that worked for roughly half the users.
True, South Korea is also something special... everyone was required to have Internet Explorer with ActiveX for a very long time there to do banking and online shopping.
The alternative to that would have been no SSL at all.
The US required that all exported crypto would be limited, so South Korea instead built their own crypto.
And browsers couldn't implement that themselves (also due to export regulations), so South Korea had to implement it as plugin for the then most-used browsers, which was mostly IE.
Actually, the US still partially restricts it (I as a German had to file dozens of forms with the US DoD due to that already), but you are correct, TLS up to 1.3 is entirely public worldwide.
But obviously, by 2000, many sites were already using the South Korean crypto, and deprecating it would be just as complicated as deprecating TLS 1.0 or SHA1 TLS Certificates in the US. The browser vendors consider that impossible — the South Korean situation is just as problematic.
>I guess you go to the bank's office if you forget it?
Yup. An account reset requires a visit to the bank and you'll get the new password mailed to you via postal service and you'll be required (usually) to immediately pick a new password upon first login.
>and not called wiring, not sure what in english though
SEPA Credit Transfer. Beginning next year banks will also test and deploy an instant transfer variant of this.
>Today mobile auth apps are taking over.
Mobile apps are indeed a lot more popular these days but a second factor is still employed.
SMS 2FA is being phased out (at least in Germany) and the current alternatives are either having a list of TAN codes, an optical TAN generator or a proper card reader on your PC.
I think this is in large part due to, at least in Germany, banks being liable for all damages if they can't prove their system is reasonably secure. This makes some parts of account management a PITA since you need to show up at their local branch office, but tbh, it's much better than the US.
I'm pretty sure all UK banks use multi-factor now (mostly card readers and mobile apps), but they certainly weren't like that from their inception. I didn't encounter multi-factor for at least five years after my first web-based account. They were all terrible combinations of passwords, secret questions and entering three characters from another password. I remember being fascinated by the multi-factor token that my Swedish friends had in the early 2000s. The last UK account that I had without any form of multi-factor auth was probably about five years ago.
Bank transfers have always been free. Previously these were called BACS, and took three days. Now they're "faster payments" and are effectively instant. Bills are paid by Direct Debit, which is a pull system, which sounds scary but generally works well.
There are three main reasons: (1) a huge long tail of financial institutions and (2) an incredibly strong enforcement and justice system, and (3) a lack of new financial institutions.
The United States has around 40x more financial institutions than the United Kingdom (8x when adjusting for population differences). The US has such a long tail of financial institutions because of regulatory and market forces. The US regulators/lawmakers have traditionally provided incentives for smaller financial institutions because of the belief that they fill a very important role in powering our diverse economic engine (a belief I hold as well). This has made change harder to impose and coordinate.
Most United States payment schemes are inherently insecure. Both checks and ACHs simply require the routing number, account number, and name on the account. There is no concept of a one-time use token. So why is the US not plagued with fraud? Our enforcement and justice systems are perhaps the strongest in the world. The secret service and FBI devote an incredible amount of resources to investigating financial fraud, and punishments are typically harsh.
Finally, the lack of new bank charters granted by the regulators (especially post 2008) has reduced competition and innovation in the space. Banks are able to levy high fees as a result. The amount lost to fraud each year is generally more than covered by these fees (with the exception of small financial institutions) so there is not a strong incentive for change.
(and not called wiring, not sure what in english though)
Giro is I think the standard English term for this although it is rarely used because it is a push system while (particularly in North America) banking systems in the Anglophone world typically use cheques which are pull based.
Even coming from Canada, I was rather surprised at how ancient the US banking system is. Like it was stuck in the 80s for 2-3 decades. They are only now rolling out chip cards and frequently it is chip and sign rather than chip and PIN.
America is the best. Therefore if Europe does something different, then it must be worse.
Hah, no, US banking is absolutely in the dark ages. When I first came here they didn't have debit cards FFS. I had to carry a check book and write on it with a pen. They've only just got chip and pin!
Whenever I had to go to the bank for whatever reason, I would check out the teller's desks while they were working on my transaction. It passed the time, but it was pretty interesting.
At least at that time, at that bank branch, a typical teller's desk included: 1 Dell desktop and accompanying monitor, 1 automatic bill counter, 1 desk calculator, 1 check reader, probably a few pens and some with cute designs on them, a few stationery holders for various slips, forms, notices and marketing materials.
All in all, pretty boring affair, but near as I can tell banks are basically stuffy offices from the 80s. Just swap out the Dell for I dunno, an IBM PC or an Apple //.
I'm not going to comment on all the issues you listed, only for the last part.
I think it's a grass-is-greener thing, and you see the bad stuff for one side and the good for the other. There are banks in Europe too, that suck. I had an account in Bank Austria. The username was a number they gave you, and the password had to be exactly 5 numbers. There was a place in the FAQ somewhere that said you can put any password you want, as long as it starts with 5 numbers, and the reason for that is that only these first numbers are taken into account, because of legacy mobile banking (as in, banking from your mobile via sms).
>>...No backup questions at all. I guess you go to the bank's office if you forget it?
True, then use personalId (or passport in case the account is in a different country), change the wee-calculator thing/reset of the phoneId app also requires visit to a bank office. Some banks support national identity system (Estonia, Latvia for instance).
>>"wiring" money between european bank accounts is free
This is not necessarily true, and it's not 'European' but eurozone (which is different). The fee is domestic within the EU zone and depends on the bank agreement, e.g. it can be 0.5e or even free.
> -"wiring" money between european bank accounts is free (and not called wiring, not sure what in english though), for as long as I remember. It's not some special type of transaction, it's the main way to pay bills, get salary, pay each other, ...
Many business accounts in Europe do charge per transaction however
In Norway the banks started using 2F in the late 90s I think. I remember sheets of paper with codes that were only used once. Each action (login or transfer) would prompt for a specific number that had to be entered. Fortunately they changed to electronic tokens in the early 2000s
Insurance companies and paper magazine publishers like using them for payouts.
I know an eccentric person that also uses them. When I cashed such a check the eyes of the employee lit up and it was shown around among the tellers after asking if that's ok (which is a bit out of the ordinary as they usually act very discreet and professional) so I'd say that's a rare thing.
I don't know about the cause, but I just want to say that it's extremely frustrating and at least a little distressing to deal with US banks in 2017 that don't offer proper 2FA, with SMS being the highest security option.
Some of the early politicians and early presidents (Jackson) had some odd ideas about central banks, and Jackson in particular actually caused considerable financial problems.
Also private banks did not like being regulated by a central bank
While most of those points generally are true I'd say that banking in Europe is only marginally better.
They still have weird, mostly paper-based processes and decades-old mainframes (though that's not necessarily a bad thing). Not long ago the 2nd factor consisted of a paper slip with enumerated transaction numbers.
You'd have a hard time finding a bank that allows you to easily export data to accounting software. APIs accessible to customers are something unheard of.
All that nagging aside, a reason for US banks being even more stuck in the 70s might be the success of credit cards. Until the mid-90s hardly anyone used those in Europe and they're still not all that common, which in turn means that most cashless payments happen via some sort of card issued by banks directly.
Yeah, it's kind of weird. The positive things mentioned are definitely true, but some stuff that drove me batty in Italy:
* Your bank account is attached to a specific bank branch. Even after we moved across town, we always had to return there, like spawning salmon. Moving it seemed like we were asking them to give their children up for adoption.
* The hours they were open were bad even by Italian standards.
* Lots of little fees and things. Credit cards cost actual money to possess; compared to the US where you get money back if you use one sensibly.
On APIs, PSD2 http://psd2.it/ will be a game-changer for the European banking industry. Over the past 3 years all banks have been scrambling making their customers' data JSONable.
And they've been doing this as a general-case, as systems tend to be global with local characteristics and lots of glue rather than a decade back when they were disparate and lacking glue.
So when, for example, Singapore decides it wants PSD2 too (a good test case re stringent data protection from the regulator and a competitive market), they can roll out quickly.
There's Revolut, Monese, N26 to name a few where you can sign up without ever setting foot in their office (via a phone app, proving your ID either via video call or by taking a photo of your ID), and the entire process takes a few hours at most to verify on their end. After that, use your phone security (fingerprint, face ID?). Do you have that in the U.S.? Probably not.
I'm using ING DiBa in Germany and they lack a secure 2fa method. There are only two options available:
- SMS-TAN, which is vulnerable to SS7 hijacking and name spoofing.
- Index-TAN, aka the enumerated paper slip, which is only "pseudo two-factor": if your computer is pwned, it can ask you for the index matching the attacker's desired transaction.
ING DiBa offers banking apps for both iOS and Android, which can also serve as 2FA for online banking via the browser. The main banking app itself isn't all that good but the 2FA feature works fine.
Wow, exactly the situation in India! We’ve had 2FA, mobile alerts, etc. ever since the dawn of Internet banking in the late 90s. Wasn’t so in the US even as recently as 2010.
But in other respects things are stuck in the past in India too, like your account being tightly coupled to a particular branch of the bank, and many commercial establishments charging extra for card transactions.
I have banked with five different banks (private and public) and have never had to face the tight coupling with a particular branch that you talk about?
Indian banking system is actually a joy to use compared to the first world systems that I have seen.
The charges still exist even if the end user doesn’t pay them. If you don’t, then the shop/restaurant has decided to pay the fees (depending on the country this can be mandated by law or just a custom to do it one way or the other).
Wiring money between European bank accounts is not necessarily free, but banks that have fees for wiring within the EU must have the same fees nationally, so as a result many banks prefer to drop the fees altogether.
They don't issue checkbooks at all, or you just don't get a bunch of free ones when you sign up? Most American banks that I know of don't give you any either, anymore, just a debit card, but you can get them if you want them.
Modern banks really don't. In Germany you truly have no use for cheques anymore. SEPA works both ways (wire transfers and direct debit from your account are free for you and very cheap for business accounts).
While for instance in France, Orange launched their own bank recently, they're 100% mobile, yet you can request a checkbook (for free, afaik they cannot legally charge you).
It's free to send money to other bank accounts in the US, too, and in some cases instantaneous, in no case I know of longer than a couple days.
The problem isn't that the infrastructure isn't there - it is. Older people and a few stodgy institutions rely on checks, but that's not because they have to.
In Germany, what do people without bank accounts do? In the US, there's a lot of these people, but you (or their employer) can still give them a check and they can cash it at a check-cashing business (ugh) or the bank it was issued from.
While I imagine it can exist among the homeless, I have never heard of anyone without a bank account in Europe. The EU even introduced a right to a basic bank account.[1]
If you have an employer, I don't see how you could not have a bank account. Even retired/unemployed, you will need one to receive any kind of pension, benefits or social welfare.
I know that old habits die hard, and France is a good example (cheques could be easily phased out). But governments are able to kill them off when needed. For instance many European countries are lowering legal limits regarding cash transactions, in an effort to curb all kinds of tax avoidance.
In the US, if you don't have a bank account, the government will just send you a debit card that they will load a balance on for your benefits/welfare. For example, here's a description of the Social Security debit card program.
Most of these people do have access to a bank account - most of them are free - if they wanted one, but they choose not to get one for various reasons.
I think in terms of American politics, there would be some resistance in requiring people to have a bank account.
> I think in terms of American politics, there would be some resistance in requiring people to have a bank account.
I think it's fair from the government (and employers) to stick to the most effective way to deliver payments, and not enable third party check-cashing business (which doesn't exist here anyway) and/or companies issuing high-fees prepaid cards.
Since we are specifically talking about checks, I'm not sure you were ever able to cash one out without having your own bank account anyway. And even assuming the scenario where you want to walk in the issuing bank, what if they have zero or limited physical presence?
These cards are essentially issued by the government. There are no fees associated with purchases, only fees associated with multiple cash withdrawals in a month (which some banks also have) and with bank transfers.
There's really not much downside to that alternative - it's basically the government creating a limited-use bank account for you and tying it to a card.
> I'm not sure you were ever able to cash one out without having your own bank account anyway.
Why would that be? The only reason other banks want you to have an account is because they can't know whether it's a good check, i.e., whether or not the payer actually has the funds to pay the check, so they need a way of clawing back the money (by drafting your account) if it's bad.
> And even assuming the scenario where you want to walk in the issuing bank, what if they have zero or limited physical presence?
Well, until recently, they would be a pretty uncommon scenario.
I do generally believe that being "unbanked" is a poor decision, but at the same time, I'm a little uneasy at the idea that we should all be effectively forced into participating in the banking system, which, while it is beneficial in many ways, also serves as a key way to redistribute wealth to the wealthy. I'm not a huge fan of check cashing businesses - which does include large companies like WalMart - but if people are really making the free and conscious choice to not have a bank account and they prefer to pay $5 to get a check cashed, well, I would have a problem with someone telling them they have to get a bank account to participate in society, if what they're doing works for them.
BTW - if you have some links on the cash transaction limits, I'd be interested in reading them. It seems kind of crazy that a country could tell its citizens they can't pay in cash above certain amounts.
In Germany you just have a bank account. You can get one for free if you have a sufficient monthly income or are a student under a certain age. You can also get one fairly cheap otherwise.
I'd say more people have a bank account than an Internet connection. OTOH credit cards are relatively rare.
- We don't use 2FA authentication, I guess because there are more cost effective ways of verifying our identity (probably not going to last much longer with all the breaches)
- ACH in the USA is free and fast (one business day)... and that's the main way of receiving salary, paying bills, etc. Is Europe really any better in this regard?
Not true. If you get any kind of refund on your Wells Fargo credit card, and you want to move it to your checking account, they send you a check by snail mail, which you then deposit. If you use Bill Pay to a recipient that isn't one of the few companies they have electronic clearing with, they make you enter a physical address, for... right, mailing them the check. There is no universal system advertised by the banks I've been with to send money electronically between consumers. If I want to pay my homeowners association's dues (which, coincidentally, I am in charge of, too) I have to use a check. All the above thus includes two scenarios where I essentially end up sending a paper check to myself. I'm a European import to the USA, so I may not have figured it all out, but boy, I tried.
Edit:
Forgot about this one: good luck being a foreigner paying the USA government for your immigration proceedings... right, all paper...
People still use paper checks all the time here in the US. Maybe not for small things but...
- Rent payments to independent landlords are generally via a mailed check.
- Some monthly bill payments aren't doable online.
- Transferring money to people.
- Large purchases.
Source on that one? I've found that people outside of the tech bubble use a paper check at the very least once a year and most likely once a month. I have seen plenty of apartments, renters, even a mortgage company just a few years ago that required payment still in paper checks in the USA.
I'm going to assume your suggestion is anecdotal. It is certainly in decline but it's still widely used.
That 38-per-year number seems ludicrously high. The last time I wrote a check was five years ago, for an earnest money deposit, and I don't know anyone who writes them much more often than I do other than a few elderly people, who still use them as their primary means of payment.
> ACH in the USA is free and fast (one business day)
One business day is slow. Not as ridiculously slow as the three business day arbitrary bullshit, but still slow. Why aren't the transfers instant? There's no reason for them not to be.
Every bill comes with a receiving account number, and where I'm from all bills have been using a standardized OCR-friendly format since the 80's, which means that the payment slip of every bill is identical, which means that when we got internet banking in the mid 90's, you would just type in the numbers from the standardized fields at the bottom row of the bill to set it up. Of course, you've been able to sign up for automatic bill payment since the 90's as well, and on the off chance that you get a bill from someone you normally aren't billed by, all mobile banking apps have the option of using your phone camera to OCR the bill and pay it.
Whereas in the US, sure, most large companies can do automatic ACH withdrawal, but most small companies can't. And if you get an actual bill, no two bills look the same, so you have to figure out what the amount is and where it goes, and you only get the physical address of the receiving company, so if they aren't able to receive ACH transfers for whatever ridiculous reason, your bank has to mail them a check, which takes five days, for some other ridiculous reason, so you have to make sure the money leaves your account five business days before the due date. (Giro payments are, of course, instant.)
> No one uses paper checks here either...
It is possible to never write a check in the US, but it's actually pretty hard. There's a ton of systems and companies and organizations that require you to use checks.
I had to pay my apartment building org $50 for reserving the moving elevator for a whole day. Payment by check only.
I had to pay the final amount for my moving company when they showed up with my furniture. Cashier's checks only. Oh, and cash tips for the movers.
Do you know what I had to do to get a cashier's check? I went to my bank, and I had to WRITE THEM A CHECK for the amount on the cashier's check + their fee, for them to be able to take money out of my account and give me a cashier's check. It's absolutely fucking ridiculous, and no one there saw anything weird about it.
When you move to the US, you cannot file your taxes electronically the first year, and you cannot pay electronically either. So you have to write a check to the IRS. I had to google that shit the first time, I had never written a check in my entire life before that.
I'm renting my apartment from an individual, and she expects a check in the mail every month. Now, I've set it up to pay automatically through my bank, but my bank actually prints and mails her a check. Ridiculous.
The complete and utter shittiness of banks in the US is, for most Americans, an unknown unknown. You don't know it's shit, and you don't know how shitty it is, because you've never experienced non-shitty banks. Since you have nothing good to compare them with, you don't do the comparison, and you don't expect them to not be shitty.
I mean, look at you, you have complete goddamn Stockholm syndrome above where you think a one business day transfer is fast!
(Sorry for the rant, I'm not angry at you, I'm just so frustrated with how shitty shit shit American banks are, and that they never seem to improve.)
The piece about paper checks is not entirely true. I still use paper checks to pay for the daycare and a couple other services. I find it annoying, but a lot of businesses still rely on paper checks.
Online banking isn’t a serious attack vector for fraud, it’s just a faster-updating alternative to a paper monthly statement. 2FA is a silly red herring in these discussions. The problem is fundamentally the transaction model where you pull money from someone’s account simply by knowing some widely-shared secret numbers. These systems are sticky due to network effects. There’s no reason to sign up for an alternative to Visa/MC or ACH when your counterparties aren’t going to.
When you say fraud, do you mean theft or identity fraud? 2FA is extraordinarily relevant when it comes to theft with regard to online banking. The purpose of 2FA is mostly to prevent automated attacks or remote account entry via password resets by email or something similar.
I'm not sure if you're aware, but Europe has proper 2FA in the form of a dongle type device, and not this SMS BS many companies in the US use out of laziness. They also need to use this device for not just online banking, but basic everyday transactions.
>2FA is extraordinarily relevant when it comes to theft with regard to online banking
If theft through online banking even exists, it's at such a low volume as to be irrelevant. Most online banking interfaces are a read-only view of recent transactions. Some provide the ability to transfer funds between your own linked accounts at the same bank. Fewer still provide bill pay for a specific set of partner institutions, and a tiny proportion of the most technologically sophisticated banks provide the ability to transfer money to any arbitrary person. When they do, adding a new payee is loud (sends a bunch of notifications) and requires SMS verification and/or digits off your debit card. The transfer is loud and takes several days to actually happen (so you can cancel it), and is limited to a couple thousand dollars at most. This is a fringe thing that a handful of people use occasionally. Most peer-to-peer transfers are going to happen through Venmo, which piggy-backs off a debit card, or through paper checks. Most online bill pay is going to happen by giving the biller your account and routing number.
The largest vector by far for stealing from a bank account is capturing a debit card number in some legitimate transaction, and reusing it to make fraudulent transactions. The strength of the communication channel between payer's bank and payer is irrelevant, because you don't get to weigh in on debit card transactions (or checks) against your account. They just happen, and then you can dispute them later.
I am not aware of a country in Europe where the online banking interface is not able to transfer money, both domestically and internationally via e.g. SEPA and other methods - it’s called “online banking”...
Phishing and other things were a large attack vector until 2FA mostly did away with it.
The capabilities of European online banking are irrelevant to the security needs of American online banking. Yes, you need 2FA, because your online banking is actually for making transactions.
In the US, it isn't. On the off chance that the capability is there, it's seldom used. You make transactions by telling the other party your account number.
> and a tiny proportion of the most technologically sophisticated banks provide the ability to transfer money to any arbitrary person.
In the country where I live all internet banks support this. And all of course use 2FA. Most if not all banks here let me do any kind of transaction. Not just viewing my data but transferring money, buying stock, setting up new bank accounts, pension management and everything else.
Maybe it's the lack of security at your place which prevents useful functionality.
Well yes, the country where you live needs 2FA on online banking because it actually has transaction capabilities. The US essentially doesn't, so the lack of 2FA isn't a significant problem.
Can you clarify what country are you talking about? Because it’s nothing like this where I am and around.
On the contrary, banks have been pushing for even more online capabilities for years, so you not only can pay whomever whenever wherever you want, you can open accounts, take loans, buy insurance, see your spendings grouped in categories, etc. etc.
The more you can do online yourself, the less staff banks have to pay.
Also, there is none of this weird payment card account/normal account thing. You just have an account and card(s) tied to it.
For any purchase I do with my card I get a notification instantly on my phone. As I do for other activity in my account.
Where do you live that online banking is read only? I'm from Romania, so a developing country, and we've had full online banking (transfer money abroad, schedule monthly payments, make savings accounts, etc.) since at least 2007 for all the major banks.
If someone would hack my online banking account they could do quite a few nasty things...
> Most online banking interfaces are a read-only view of recent transactions.
What year is this, 1997? Is this normal in the US? I'm beyond amazed. Using online banking for transferring money is such a normal activity here (has been for at least 10 years).
You're mistaken. All three of my US banks allow you to send money out via bill pay, ACH to accounts at other US banks, and wire transfers overseas. It's Online Banking, not Online Statement Viewing.
uhm. no?! I've paid all my bills and transferred money between friends/family using online banking for the last 20 years. Sweden had full online banking since at least 1997.
Perversely, initiating an ACH credit is apparently seen as more risky than receiving an ACH debit. I believe this is ultimately due to the originator being responsible for any transaction that turns out to be fraudulent.
In general I think the US is comfortable to limp along putting band-aids on broken systems, because the failings are seen as being intrinsic to the "natural state" of things (see also: common law and court precedent reigning), and the losses are ultimately sustainable. The possibility of a fraudulent transaction can never be eliminated, so therefore it's whatever party facilitates/blesses the transaction that fully bears the responsibility. Meanwhile the EU doesn't seem afraid to create new foundational semantics - eg get rid of the concept of "pulling" money, and then dictate that banks cannot charge customers for the equivalent of initiating an ACH push [0].
[0] Bank of America actually charges for this. They also charge for walk-in cashing of checks drawn on themselves - meaning they are inducing their own customers to write fraudulent checks!
> tiny proportion of the most technologically sophisticated banks provide the ability to transfer money to any arbitrary person
My experience is that every US bank has an "external account" transfer feature (for use with your other accounts) that can initiate ACH credits or debits, as well as a "Bill Pay" that will do ACH credits to any routing/account number. But (as I alluded to) banks limit the dollar amount of transactions initiated through them, as they are responsible for cleaning up any mess due to "fraud".
Every time I'm confronted with these types of questions I just roll my eyes and add a 'Mothers maiden name' text entry to my password manager with a 16 digit random string.
I share worries I've seen expressed elsewhere that this opens up a social engineering attack vector where an imposter gets through to phone support and says "oh I just typed a bunch of gibberish for the answer and can't remember it." Wouldn't a false, long, maybe hyphenated, but plausible surname be better for this reason?
I also generate them with a password manager. FWIW, I always start with “it’s a long gibberish string” and no one has ever been satisfied with that. I’ve always had to recite it. Anecdotal I know.
Sure, but you're not spending all day running customer service "DoS attacks" against people's bank accounts. Even if "it's gibberish, and I forgot it, can't you please help me out" only works one time out of a thousand, do you really want to bet your bank balance on a weak link customer service rep who's just a tad too eager to help?
I think it’s all debatable. That human will always be a weak link. It just takes one representative to forget to ask or get convinced with “oh it’s my wife’s mother’s maiden name and my wife isn’t here and I’m in a real bind”.
But in exchange, my security answers are no longer compromisable online. I think overall it’s a positive trade off, but that’s just my hunch.
I agree, I think they’re a real problem. I think it’s possible to eliminate human error over the phone too. Perhaps design a system that doesn’t let the representative into your account until they type in the 2FA token your phone provides or something (I don’t really know, I’m far from a security expert)
I just wrote a mini Rust script (https://github.com/rtaycher/make_password) to spit out 5 random dictionary words for secure passwords I need to share. Everything else gets auto-generated by KeePass; I should probably just figure out how to write a KeePass plugin.
1Password allows you to generate word-based passwords instead of random strings. I do this because it’s much easier to type manually if I’m logging into a system where I can’t copy-paste from 1P.
To protect against such attacks, I write some normal English before getting to the randomness, something along the lines of “This MUST be quoted exactly or it is wrong”. That’s ~40 characters “wasted” (they’ll normally have distressingly low character limits, but I find them to normally be at least 50 characters), but I’m optimistic about it offering reasonable protection against such an attack.
In practice, I’ve never actually had to quote such a string to anything but a machine, so it is mere optimism on my part.
Which makes it less secure. Customer support rep may find it reasonable to dismiss it as random characters and let the attacker bypass the check entirely.
If the attacker knows it looks like gibberish, they can try "Heh, whoops, I just put in random characters at the time. Can we try something else?"
I think a false, convincing, and unlikely answer is reasonable. "My childhood dog's name was Alexander Hamilton."
OT: Just wondering why so many people are using password managers. When you use a password manager you have one single point of attack and failure. I wouldn't like to give all my credentials to one single entity.
Unfortunately I haven't found a reasonable alternative.
I have to use HUNDREDS of passwords every few weeks. HUNDREDS! Some for work, some for personal. Occasionally a service gets broken into so I can't have all of them be the same password and I can't have a system where I add, say "FB" to the end of the password to denote a service as that makes it pretty vulnerable.
So I am forced to use a password manager. I hate it and I'm terrified it'll get broken into one day. But what alternative do I have? I enable 2 auth on everything that I can but those are a very, very small handful compared to all of the usernames and passwords I have to use.
How do you not use a password manager is my question.
Well, personally, prior to using a password manager, I had one user name (plus variations for when that user name was already taken) and something like three different passwords for all of my services.
The passwords weren't horrible, brute-forcing them would have taken a while, but if you have the same user name and password in many services, then it just takes for one of those services to get compromised to have many of your accounts be compromisable.
And generally speaking, unless you're a high-ranking target, it's far more likely for a service to get compromised than for someone to even bother attacking your device.
And yeah, sure, I could have just remembered more different passwords and user names, but I'm a human and that requires effort.
Now when using a password manager, I can easily choose different user names, e-mail addresses, passwords and far more complicated passwords as well. And all of that with basically no effort.
This also improves privacy, as with different user names it's much harder to link up my different accounts' postings. And I can now easily maintain multiple accounts for the same service, too, allowing me to spread out postings across those, so that you can't follow back my post history for all eternity to link up all kinds of information that I've posted over time.
That's why I don't use a cloud password manager. I use one that allows syncing my devices directly with my phone via wifi. Doesn't even touch a file hosting service like Dropbox.
Yes, that makes the physical devices a vulnerability, but the attacker would still need to guess or brute-force the master password to decrypt the vault. It's also a much less juicy target than a million customers of a cloud service.
And as someone else pointed out, using the same password everywhere is a non-starter. Nor is memorizing the passwords for more than a tiny fraction of the roughly 1000 entries in my password manager.
The password manager is typically on a machine you control. If your machine is owned, you've got issues regardless. A password manager provides a way to effectively utilize higher-entropy, per-account passwords. As with all security-related matters, it's a tradeoff. I expect many choose password managers for this reason.
In terms of physical control of the machine? In terms of what software is loaded on the machine? Would you elaborate on what you mean "typical password manager user" and "does not control"?
Also, why would you use internet banking for your primary bank account? It's just increasing your attack surface.
I only have internet banking enabled for my secondary account (which has 2fa) which never has more than £100 in it and I only did that so I could xfer money to my p2p account.
I use diceware-type passphrases (a bunch of entirely random real words) for security questions for this reason. Bit weird to say "I was born in 'correct horse battery stapler'" but it doesn't seem to bother banking phone reps much.
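The diceware-style answers described in the comments above (and the "5 random dictionary words" script mentioned earlier in the thread), as an added example that is not any commenter's code. It draws words with a CSPRNG from a small constructed word list standing in for a real diceware list, and reports the entropy for a given list size so the answer can be compared with a 16-character random string.

```python
"""Added example: diceware-style answers for security questions.

The word list below is constructed for this example; a real diceware list
has 7776 words, which is the size used in the entropy comparison.
"""
import math
import secrets

# Constructed mini word list (not a real diceware list).
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "bridge", "candle",
    "desert", "engine", "falcon", "garden", "harbor", "island", "jungle",
    "kettle", "ladder", "marble", "needle", "orbit", "pepper", "quartz",
    "ribbon", "saddle", "timber", "uncle", "velvet", "walnut", "yellow",
]


def entropy_bits(n_symbols, alphabet_size):
    """Entropy in bits of n_symbols drawn uniformly, with replacement,
    from an alphabet of alphabet_size elements (words or characters)."""
    return n_symbols * math.log2(alphabet_size)


def generate_answer(n_words=5, wordlist=SAMPLE_WORDLIST):
    """Pick n_words uniformly at random with secrets.choice (CSPRNG),
    joined by single spaces so the answer can be read out over the phone."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def is_well_formed(answer, n_words=5, wordlist=SAMPLE_WORDLIST):
    """True if the answer is exactly n_words words, all from the word list."""
    words = answer.split(" ")
    return len(words) == n_words and all(w in wordlist for w in words)


if __name__ == "__main__":
    print("answer:", generate_answer())
    print("5 diceware words:", round(entropy_bits(5, 7776), 1), "bits")
    print("16 random alphanumerics:", round(entropy_bits(16, 62), 1), "bits")
```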
I love just how pervasive the influence of xkcd is! I do the same as you by the way, and no one has ever called me on using something that is obviously not a name.
I go out of my way to come up with particularly ridiculous answers to these questions in cases where I know someone might eventually want me to answer them over the phone.
The next time I need to answer a secret question that might be used over the phone I'm going to write the answer in as:
"No thanks, that information is private and I'd rather not share it over the phone. I know, you're probably going to say that you can't help me without this information and you're doing this to help prevent identity theft but I stand by my choice to not partake in answering your question. Can I speak with a manager?"
I’ve toyed with the idea of replacing my signature with 8 random hex characters. Possibly selected spontaneously, different each time. Or writing “handwritten signatures are outmoded; use digital signatures that actually mean something” or similar.
I feel like this article takes a lot of words and time to suggest the reasonable solution: make up fake answers to security questions and store them somewhere, preferably a password manager. Sure, it would be greatly preferable to use 2FA and people should really get on that, but lamenting on all the ways security questions can be inappropriate for people when there's an obvious solution feels like drawing it out for the sake of filling up that word count.
Sure, there are workarounds we can use as consumers, but getting the message out there will help push the companies to a better system. Something like 2FA over SMS is common in other countries and way better. Journalism is helping give security a bigger mind share in the public eye so they can understand how current systems are flawed and demand better ones. It's a good time to tackle the problem given all the recent hacks/leaks (like SSNs). Corporations will only budget for this stuff when their users demand it.
> And how many Indian- or Brazilian-born users went to a high school without a mascot, or grew up on a street with no name?
Was helping my (Indian) grandfather and came across a similar issue–very little applied to him. We finally got him to settle on some questions, but then when he forgot the password and went back to reset it, it kept dinging him because one of the questions was like “what was your third grade teacher’s name” and he had forgotten how he had Anglicized it.
BMO in Canada is the same, but six characters. And although you can use alphanumeric characters, it automatically doubles as a phone banking password, so (at least at one point) they were all translated into characters 2-9 in their system. So even online, you could log in with the phone digit equivalent of your exactly 6 digit password.
Yeah it's shitty, but I mean at least they have a 100% guarantee on all online stuff where if you didn't give away your pin/password/card, and didn't make it your name/address/number/other personal info they will refund you. Which I mean isn't much help but at least is something. I wish they had 2FA.
Dollar to a donut, there is or was a mainframe involved in authentication that has an 8 character password. I even bet the company that sold it was IBM. I remember finding out at one job that the "reason" for the 8 character password requirement for one of our logins, was "you can type as much as you want, but eventually we just take the first 8 characters and use that to log you into the mainframe as that's all it accepts".
I remember DB2 had some weird limits. I think it was something like database names couldn't be more than 8 bytes, which was something to do with some filesystem on z/OS or something that couldn't have directories with names longer than that (probably not quite right, but it was something like that).
z/os, oh how I remember interfacing with thee, and hating every minute of it.
From what I remember you're spot on, every "file" or "record name"/whatever (mainframes are not unix) was restricted to 8 characters and upper case, also EBCDIC just because IBM. So many silly legacy things around those mainframes.
That said, they literally never had an outage on it the entire time I was there so +1 for reliability and availability. They even replaced the whole mainframe piece by piece.
I’ve seen limitations that even go back to paper records. I worked at a medium sized company where at least 20% of database variables were limited by the number of characters on a paper card system developed in the 50s.
> lack of understanding
That is the thing... If the programmers and designers lack understanding of something as basic as passwords, what else are they misunderstanding? SQL injection?
My other favorite is "use only the special characters...."
Then there’s the State Bank of India’s vertiginous “What is the website that you rarely visit?” which reads like a Zen koan whose purpose is to make you reflect on the unknowability of the answer.
(Although, I think it could actually be a decent one for some people; you could probably mentally associate it with a specific site and have a decent chance of remembering in the future. Not as good as random answers stored in a password manager, but better than most security questions.)
Mother's maiden name is one of the easiest. If she's on Facebook, odds are it's listed because that's how her high school friends knew her. Alternatively, if grandma & grandpa are listed, you can go there too.
I've been presenting on these flawed questions for years. In one of my demos, we take a volunteer from the audience and we see how many of the top 10 banking questions we can answer from their public Facebook & LinkedIn profiles. I've never gotten less than 4 or more than 8... and - as an attacker - I'd take those odds.
I give the bank a fairly obvious fake last name they could spell without asking me, since it's famously attached to a bumpkin. I get a lot of strange looks for that one. I can barely remember how to spell my mother's maiden name since it wasn't anglicized.
Interesting to note that overseas support really struggle with a lot of these security questions. So many are central to the Western world and they can't seem to spell it at all because they aren't familiar with our culture.
I never once felt like those security questions are secure at all. Some are just horrible, especially the maiden name one and birth city. Granted, the password manager works well for technical people, but it doesn't work for non techs or anyone who's had a bank account for more than ten years or so.
Thankfully, I have zero ties to my birth city since my parents moved to a different state before I was a year old. Sure, it wouldn't be hard to find in a records search but it's not going to be sitting there in my social media profile at least.
It's worse for me, because Chinese people don't change names when married. It is zero-effort to learn the maiden name since it is still their actual name. However, many Chinese websites still have this question available.
I always give a fake name/addr, etc. Very hard to remember all those answers, before I knew how to use a password manager.
If you want an absolutely egregious example of how bad this can get here is an article I wrote a few months ago about the security practices of an American Credit Union.
I always thought security questions were a ploy to get you to take surveys without explicitly being told you were taking a survey.
If your bank (or any company who has your gender and birthday) asks you what your favorite color is, they could now come up with stats such as "83% of women in between the ages of 23 and 38 prefer purple". That type of data could be sold to and be used by clothing vendors and other businesses.
It's also 1 more data point collected on your private life.
Possibly, but at least some people don't actually give real answers. It's better to have a set of nonsense words for these "security questions". Much safer to say your mom's maiden name is Zxxxxxy6ghjki.
This seems to be primarily an American thing. I have never experienced the usage of security questions with non-American companies. Even Apple uses it, which is weird considering they're so proud of their privacy-first strategy.
Set a "verbal password". Most banks support these, but most customer service reps haven't heard of them (this is slowly improving). And it seems if you "forget" this verbal password there's no guarantee the bank won't give you an alternate work around like asking for more answers to stupid security questions.
I'd say my mother's full maiden name is pretty hard to find (I am not American) -- until, of course, someone finds it in one of the breached database dumps. If I were indeed using her name.
What banks should really do instead of just using passwords or 2-factor authentication is to use client TLS certificates in addition to the standard username and password.
The bank can advertise instructions on how to generate a certificate signing request, have you bring it in when you open an account, have the bank issue you a client certificate and have them give you instructions on how to import it into your web browser. The bank can also tell you to do this for each device you plan to use to access your online account(s).
I can just imagine my mother getting flustered after reading the words "certificate signing (sic?) Request" and stop reading at "client certificate". I can think of very elaborate security measures. The trick is to make them sound easy and relatable to a ranch hand and 1960s housewife. These people are smart, but they don't have the same life experiences.
It may sound difficult at first, but with plenty of help (step-by-step tutorials, etc.) provided by the bank, then it shouldn't be too hard to implement. It could be started as a trial for a certain subset of customers and then rolled out to larger and larger groups as time goes on.
Banks could provide an incentive by stating that using this is much more secure than just using a password, and that it's also largely automatic (unlike 2FA).
In school, did you ever do the "give instructions to make a peanut butter and jelly sandwich" activity? I'm guessing not.
I'm willing to bet you could have a video with transcript and pictures of the user's exact home set up and many people still couldn't figure it out. You are dealing with people who still don't understand why you don't have to double click links since they have to double click apps and don't know the difference between Google, the Internet, and Internet Explorer.
People are often stuck with modes of thought and operation from when they were younger, and for many, that was pre-computer. At work, we got a hand written letter asking for support setting up their account because they were having trouble with their email that their daughter set up (despite ample support options on the site).
> I'm willing to bet you could have a video with transcript and pictures of the user's exact home set up and many people still couldn't figure it out.
I think you're giving most people less credit than they deserve in terms of figuring things out. Yes, there are people who are technically illiterate, but they probably still conduct most of their business in a manner similar to the pre-commercial internet days. That is, they either use the bank teller drive-through lanes, ATM, or go inside the bank to do banking business. They may not even try logging into their online account.
But that doesn't mean that the bank shouldn't provide options for the more technically literate users who either already understand the concepts or can pick it up with some step-by-step instructions.
I certainly don't like banks providing half-baked security solutions like easily guessable "security" questions or passwords that can only be up to some relatively short length and highly restricted character-set which can be brute-forced or easily obtained from a plain-text dump of their compromised database.
I don't think most users would have a terrible time. I think most users would not bother with setting up anything fancy, but could if they had ok instructions. But I think there are many who would absolutely flounder. As a technical person, I would like more security for sure.
"Security" questions should be gone. Everything important should be 2FA or have a key fob. I think just about everyone who has a phone and does online banking can understand "input the code we just texted you."
The key fob (or equivalent application on one's phone) is a better option compared to email/SMS based 2FA since the latter is not secure [1] [2]. The latter is still a lot like the half-baked security measures I mentioned in my earlier post.
I still think having a certificate/private key imported into my browser as a one-time (or periodic) task is more convenient compared to having to use a key fob or soft token from a phone app every time I have to log in.
In a computer security class I had at Harvard, the professor made the comment: "Your mother's maiden name is considered a 'secret.' Which is funny, given the building we're in."
We were in the Maxwell Dworkin building, named after the surnames of Bill Gates' and Paul Allen's mothers. Their mothers' maiden names were literally carved in a huge stone sign outside the building.
Considering the security question forms are brute-force proof, I think it's better to keep fictional answers which cannot be accessed by social engineering for these questions.
In India we have SMS based 2FA for transactions in spite of these questions. Some Chinese banks seem to provide HW based 2FA for general accounts.
That's not really any better. If a site is hacked that has your made up name, that gets published on the carder sites [1] along with your other information (email, credit card number, phone). It may not work to get a new credit card in your name, but it can be used to reset your password on some other crappy site that uses that information for "forgot password".
That may work in cases of online password resets, but I believe it has been demonstrated that they are not great for social engineering reasons. A hacker can just say, "oh I just mashed the keyboard for that" or worse, the agent thinks it is an error or glitch and lets the hacker in.
I think it's best to use a real, but different last name on all your sites.
Do most websites have call centres where you can try to trick agents? Also, how gullible are call centre agents at financial institutions? If they're really giving out access to random people claiming to have forgotten the security answer, it's pretty clear-cut the bank should be on the hook for damages if money gets stolen. Nothing like the prospect of having to pay out damages for gullible call centre agents to motivate training agents to be smarter.
Additionally many institutions guard against this by having systems that hide the security question from the customer service representative and only authenticate on a correct answer. If they are showing the "secret questions" to their entire customer service department you don't even need to worry about outside attacks because your organization is ripe from the inside.
The customer support rep once let me into my 2FA Bank of America account when I simply lost my phone. Just had to answer some questions you could find in a WHOIS query.
"Surely financial institutions are more secure" is only a pleasant thought.
In this case a long passphrase (a la xkcd: https://xkcd.com/936/) is probably the best choice. It still looks legitimate, while being more secure than any random real name.
Rational or not, I haven't been worried about this kind of abuse of my security form data. Instead I'm paranoid about divulging some very personal facts all over the internet, such as elementary school or details about growing up. It feels like it's exactly what various three-letter agencies might love to get their grubby hands on. As a result anything made up is enough to allay that fear.
Most sites just send password reset info to your email. I thought these questions are usually used just as an extra layer on top of that? So someone would need to hack your email and guess your question, which makes it less of an issue if you keep a secure email account.
Sites?
When I call my bank to de-block my debit card after 3 wrong PIN attempts, they use the same 'security questions' to 'secure' the call (establish that it is truly me calling).
In 2018, anyone here that is working on an internet facing application should push for TOTP or U2F, please. Texting, security questions, et al., are nothing but security theater.