Ask HN: How to convince my bank to not require SMS based 2FA?

4 points1strepublicusr5y ago4 comments

I got a notice from my back (First Republic Bank) that later this year they will require SMS based 2FA.

How can I convince them his is a bad idea? First off the NIST basically declared SMS 2FA insecure. How does a bank not know this? Sim Swaps, social engineering the phone company, etc..

Second, if you travel at all suddenly you can easily have internet access (hotel, cafe, airport) but not have SMS access.

Has anyone had success convincing their bank not to require SMS 2FA?

Requiring 2FA I don't mind. I'd prefer TOTP. I'd put up with email 2FA (Steam does this). But SMS absolutely not!

First Republic Bank is a Bay Area bank so I partly brought this up here hoping there might be enough actual customers here that agree and would be willing to contact the bank and voice your objections.

4 comments

LinuxBender5y ago

The bank will only do what regulations require them to do. No money will be spent beyond that.

One potential path might be to find a report from the FBI that discusses the financial risks to the banks. Contact the investors of that bank and the government entities that are required to insure the bank and the parent company of the bank. Start the discussion with them about amending and enhancing existing regulatory requirements. Ensure they do not see this as a cost item but only as a marketing benefit to the bank. Depending on how deep you want to go down this rabbit hole, you could start a fund raising effort to get lobbyists to also speak to those investors and governmental insuring entities. Research if additional mitigating controls might lower their insurance costs. Maybe also encourage the banks or parent companies to partner with a set of MFA vendors so they can distribute bank branded tokens that only work with their banks. Sub-optimal, but it might encourage them as they would see it as bank lock-in. Doesn't really affect end users if all the banks do it. See if you can also get a congress member to talk to the insuring bodies.

If that doesn't work, get famous people to tweet about it and link to your initiative site that describes the risks and benefits. Public pressure sometimes works.

I should add that if you get traction on this, there should be a way for people to opt-out of this and use SMS if they want to. Just require the banks to give them scary worded things that make them double-opt-in to using SMS.

koolba5y ago

By voting with your wallet and switching to a different bank.

Close your account and let them know that you are leaving because you do not consider their current 2FA mechanism to be secure.

lrvick5y ago

Switch to who though?

What US bank supports even last gen U2F let alone current gen FIDO2?

lrvick5y ago

Pretty much every bank in the US is obsessed with having identical security practices so they can feel like they can say they are industry standard if they are hacked.

There are banks with hardware 2FA in European branches that still restrict to SMS only in the US.

US banking security is a joke. IMO move your number to a VOIP provider with hardware 2FA support and transfer lock it to limit the worst of SIM Swap risk.

j / k navigate · click thread line to collapse

Ask HN: How to convince my bank to not require SMS based 2FA?

4 points1strepublicusr5y ago4 comments

I got a notice from my back (First Republic Bank) that later this year they will require SMS based 2FA.

How can I convince them his is a bad idea? First off the NIST basically declared SMS 2FA insecure. How does a bank not know this? Sim Swaps, social engineering the phone company, etc..

Second, if you travel at all suddenly you can easily have internet access (hotel, cafe, airport) but not have SMS access.

Has anyone had success convincing their bank not to require SMS 2FA?

Requiring 2FA I don't mind. I'd prefer TOTP. I'd put up with email 2FA (Steam does this). But SMS absolutely not!

4 comments

LinuxBender5y ago

The bank will only do what regulations require them to do. No money will be spent beyond that.

If that doesn't work, get famous people to tweet about it and link to your initiative site that describes the risks and benefits. Public pressure sometimes works.

koolba5y ago

By voting with your wallet and switching to a different bank.

Close your account and let them know that you are leaving because you do not consider their current 2FA mechanism to be secure.

lrvick5y ago

Switch to who though?

What US bank supports even last gen U2F let alone current gen FIDO2?

lrvick5y ago

Pretty much every bank in the US is obsessed with having identical security practices so they can feel like they can say they are industry standard if they are hacked.

There are banks with hardware 2FA in European branches that still restrict to SMS only in the US.

US banking security is a joke. IMO move your number to a VOIP provider with hardware 2FA support and transfer lock it to limit the worst of SIM Swap risk.

j / k navigate · click thread line to collapse