While trying to log into my Banking Web site (from a PC), after I had successfully remembered my log-in ID and password, something different happened. The site put up a Pop-up window saying it was testing security and wanted to send me a code to my Cell phone (or call me with the code).
After my initial confusion and then annoyance, I was heartened to see this kind of security come up. Banking security is very important, and the edge of the network (i.e. users logging in) is where the system is usually the weakest. The Desjardins data breach is a good example of the need for banking security and data security.
Good Test?
My hope is that this is simply a test, and you will see why.
After I realized I did not have my Cell phone handy, I simply cancelled out of the Security Message screen, which then took me back to the regular bank log-in screen. I thought for a second, and decided to see what would happen if I tried to log-in again. What I saw underwhelmed me. I was able to log-in, no problem, and no “challenge”.
My sincere hope is this is simply a test by my bank, because if I have been “challenged” for an alternate log in, I should not be allowed to log in after an initial failure. The application should continue to challenge me, until I pass the challenge, or until I fail a set number of times. Once someone fails I would hope my account access would be locked.
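The rule described above, sketched as an added example (not the bank's code; the class and function names, the three-failure threshold and the in-memory account store are all assumptions). The pending challenge is stored against the account on the server, so cancelling the pop-up and logging in again meets the same challenge:

```python
import hmac
from dataclasses import dataclass

MAX_CHALLENGE_FAILURES = 3  # assumed; the post only says "a set number of times"

@dataclass
class AccountState:              # hypothetical per-account record kept server-side
    password: str                # plaintext only to keep the sketch short
    challenge_pending: bool = False
    expected_code: str = ""
    failures: int = 0
    locked: bool = False

class StepUpLogin:
    def __init__(self, accounts):
        self.accounts = accounts

    def login(self, user, password, risky=False, new_code=""):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return "denied"
        if acct.locked:
            return "locked"
        if risky and not acct.challenge_pending:
            acct.challenge_pending = True
            acct.expected_code = new_code  # in practice random, sent by SMS or call
        # The flag lives on the account, so a fresh login attempt cannot skip it.
        return "challenge" if acct.challenge_pending else "ok"

    def cancel(self, user):
        # Closing the challenge window leaves the challenge in force.
        pending = self.accounts[user].challenge_pending
        return "challenge_still_pending" if pending else "no_challenge"

    def answer(self, user, code):
        acct = self.accounts[user]
        if acct.locked:
            return "locked"
        if not acct.challenge_pending:
            return "no_challenge"
        if hmac.compare_digest(code, acct.expected_code):
            acct.challenge_pending, acct.failures = False, 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_CHALLENGE_FAILURES:
            acct.locked = True  # stays locked until an out-of-band reset
            return "locked"
        return "challenge"
```
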
Banking Security?
My hope is this is my bank attempting to test out new security for authentication (without enabling 2 factor authentication), and when they do a full roll-out, the rules will be stricter. I like the concept, but if this is how it will work it isn’t a great data protection system.
More Banking Security Resources
- CYBERSECURITY IN THE FINANCIAL SECTOR AS A NATIONAL SECURITY ISSUE — Report of the Standing Committee on Public Safety and National Security