
A bit paranoid about online banking; two-step verifying could help

Two-step verification is in vogue for logging into secure websites. You type in a password, then you wait for a code to be sent to you, typically via text, a smartphone app, email, or a recorded phone message.

Google uses two-step. Apple recently introduced it. Dropbox too.

And soon, CIBC will roll it out for online banking. It appears to be the first major bank to do so in Canada. (I checked the websites of BMO, TD Canada Trust, RBC and Scotiabank and found no boasting about an imminent two-step system.)

Under CIBC’s system, certain transactions, such as a large bill payment, resetting a password and adding payees will trigger a demand for a verification code. That code will be sent via a method a customer selects — text, email, or phone call.
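To make concrete the flow the column describes, here is an added example (not CIBC's or any bank's code) of transaction-triggered two-step verification: the server decides which actions demand a code, issues a random one-time code to be sent out of band, and keeps only the code's hash together with an expiry and an attempt limit. The action names, the dollar threshold, the code length and the time limits are assumptions made for illustration.

```python
# Added example (not CIBC's or any bank's code): a minimal model of
# transaction-triggered two-step verification. The action names, the
# "large payment" threshold, code length and time limits are assumptions.
import hashlib
import hmac
import secrets
import time
from typing import Optional

LARGE_PAYMENT_THRESHOLD = 1000.00               # assumed; the column only says "large"
STEP_UP_ACTIONS = {"reset_password", "add_payee"}  # always challenged
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

def needs_step_up(action: str, amount: float = 0.0) -> bool:
    """Decide whether a transaction triggers a demand for a verification code."""
    if action in STEP_UP_ACTIONS:
        return True
    return action == "bill_payment" and amount >= LARGE_PAYMENT_THRESHOLD

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

def issue_code(now: Optional[float] = None):
    """Generate a random one-time code; the server stores only its hash and state.
    The plaintext code is what goes out by text, email or phone call."""
    code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
    issued = time.time() if now is None else now
    challenge = {"digest": _digest(code), "expires": issued + CODE_TTL_SECONDS,
                 "attempts": 0, "used": False}
    return code, challenge

def verify_code(challenge: dict, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code only if it is unexpired, unused, within the attempt budget
    and matches; the comparison is constant-time to avoid leaking digits."""
    now = time.time() if now is None else now
    if challenge["used"] or now > challenge["expires"] or challenge["attempts"] >= MAX_ATTEMPTS:
        return False
    challenge["attempts"] += 1
    ok = hmac.compare_digest(challenge["digest"], _digest(submitted))
    if ok:
        challenge["used"] = True   # a code can be redeemed once
    return ok
```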

We have been spooked by the flood of news about stolen password databases, and about how a determined criminal can crack virtually any account. Then, there’s the government-sanctioned snooping, through outfits like Communications Security Establishment Canada and the U.S. National Security Agency.

Two-step verification has its skeptics. It’s just window-dressing they say. It can be circumvented by someone who has managed to take over your computer and can monitor your keystrokes, or by someone who intercepts your transmissions.

But for fraudsters without that skill set, two-step can be a barrier. They’ll go looking for other accounts that are easier to crack.

Canadian banks have been criticized for lax online security. Until recently, some limited you to passwords with a maximum of eight characters.

There’s a long thread about this at reddit.com.

On a TD Canada Trust message board, there are calls for the bank to provide two-step verification. TD does offer something it calls TD IdentificationPlus. Customers fill in answers for five security questions (such as, What was the name of your first pet?). Under certain conditions, such as signing in from an unfamiliar machine, there will be a demand for a security question answer in addition to the password.

But the security experts say that’s not as good as true two-step verification, where a random code is sent, because the answers many people give for security questions can be easily guessed by anyone with a bit of knowledge about a target’s personal life. (A common bit of advice is to lie in your security answers; but then you have the complication of remembering the lie.)

Ultimately, nothing is secure. There will always be a way to break in.

How many barriers you need to put up (use an extra-long random-character password; bank only at a two-step institution; have low withdrawal limits) will depend on how vulnerable you think you are, and how much you have to protect.

Or, you could skip the online banking, and do everything in person. A former FBI director seemed to be heading in that direction after he almost fell for a phishing email that asked him to confirm his banking details. He said his wife responded by telling him to not bank online anymore.

You could also simply keep an eye on things. Check your bank account every couple of days at least to make sure nothing odd has happened. Set up alerts so that you get a text message every time there’s a transaction over a certain amount.

It’s probably not necessary, yet, to keep all your money under your mattress.

- - -

CIBC describes its new two-step system.

Security expert Bruce Schneier: The failure of two-factor authentication

TD Canada Trust describes its TD IdentificationPlus system

The story of the former FBI boss and his brush with phishing.

Commentary published at globeandmail.com: Why Canada’s banks have weaker passwords than Twitter or Google

The website tidbits.com has a roundup of security concerns.

- - -

Two-step information for:

• Google

• Apple

• Dropbox

- - -
