undefined | Better HN

0 pointszzzcpan6y ago0 comments

I guess it depends on the country and the bank. My bank, for example, does mandatory 2FA for 15+ years and uses some anomaly based approach to decide how aggressively to ask for 2FA, like if you send money somewhere unusual, it does phone call 2FA, instead of an SMS, and if you just pay your usual bills from the same IP address and the same PC it doesn't even ask for 2FA at all. It also has other optional security features like white lists for IP subnets, internet-only credit cards, etc.

0 comments

6 comments · 2 top-level

zAy0LfpBZLC8mAC6y ago· 4 in thread

That sounds terrible. I mean, I assume they don't assume liability for bad decisions?

If "the PC" or "the IP address" was not contractually agreed to be an authentication factor (that you thus should protect from unauthorized use), it's a terrible idea to use them for authentication, while also (presumably) putting all liability on the customer.

GuB-426y ago

In France, and I believe it is the case in many countries, in case the customer wants to roll back a transaction, the bank has to give the money back, unless it can prove that the transaction was legitimate.

So basically, they can't put liability on the customer unless 2FA is used. The second factor is usually the credit card PIN.

Banks have to maintain a balance between convenience and risk of fraud.

zAy0LfpBZLC8mAC6y ago

> unless it can prove that the transaction was legitimate.

And what is the standard of evidence for that?

> So basically, they can't put liability on the customer unless 2FA is used. The second factor is usually the credit card PIN.

That doesn't sound like a second factor? Or are you talking about POS transactions?

> Banks have to maintain a balance between convenience and risk of fraud.

Really, they don't. The bank should never decide to take on risks for me. There is nothing wrong with offering a feature where the customer can select to allow certain transactions without 2FA. There is everything wrong with forcing that feature on customers.

zzzcpanOP6y ago

Why would that be a terrible idea? If someone has unauthorized access to my PC and knows my password from the account, he can log in and pay my bills and only the usual amounts, as paying too much would trigger 2FA.

zAy0LfpBZLC8mAC6y ago

Because there is a risk associated with it that you didn't agree to.

moviuro6y ago

I'm fiercly in favor of 2FA, and with DSP2[0] coming soon(TM), I have been pushing for sane 2FA at my place, in some select projects where it can be done with as little friction as possible.

I'm very interested in your bank and how they do it, I'll see if voice 2FA is something feasible at my place. Could you share the bank's name though? Management likes to have solid evidence that someone else is already doing it when the security team proposes "weird solutions".

[0] https://ec.europa.eu/info/law/payment-services-psd-2-directi... , https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32...

j / k navigate · click thread line to collapse

0 comments

6 comments · 2 top-level

zAy0LfpBZLC8mAC6y ago· 4 in thread

That sounds terrible. I mean, I assume they don't assume liability for bad decisions?

GuB-426y ago

So basically, they can't put liability on the customer unless 2FA is used. The second factor is usually the credit card PIN.

Banks have to maintain a balance between convenience and risk of fraud.

zAy0LfpBZLC8mAC6y ago

> unless it can prove that the transaction was legitimate.

And what is the standard of evidence for that?

> So basically, they can't put liability on the customer unless 2FA is used. The second factor is usually the credit card PIN.

That doesn't sound like a second factor? Or are you talking about POS transactions?

> Banks have to maintain a balance between convenience and risk of fraud.

zzzcpanOP6y ago

zAy0LfpBZLC8mAC6y ago

Because there is a risk associated with it that you didn't agree to.

moviuro6y ago

I'm fiercly in favor of 2FA, and with DSP2[0] coming soon(TM), I have been pushing for sane 2FA at my place, in some select projects where it can be done with as little friction as possible.

[0] https://ec.europa.eu/info/law/payment-services-psd-2-directi... , https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32...

j / k navigate · click thread line to collapse