Security Laboratory

Two factor authentication for online banking

By Stephen Northcutt
Version 1.2

Eight or nine years ago, I was asking about banks that supported two factor authentication. At that time I found eTrade bank and Charles Schwab and not much more. SANS NewsBites carried a story about HSBC and I asked people if they knew of banks that had two factor. Today there are plenty of options, and I think we are only seeing the visible part of the iceberg. Be aware that two factor authentication is not magic; rather, it is a step in the right direction. Two different readers mentioned a bank that has two factor but only allows 6 character passwords, which is dumb. But with all the available choices, if you do online banking and your bank does not offer two factor, you should probably switch to one that does. Here is the story from NewsBites:

HSBC Bank USA Requiring Two-Factor Authentication for Some Transactions
(February 20, 2014)
HSBC Bank USA now requires retail customers to use two-factor authentication for certain online transactions. Retail customers will be required to use the additional technology for money transfers, wire transfers, and account beneficiary changes. Customers may choose between a hardware token or a mobile application to generate the additional security code. The bank will supply the technology at no extra charge.
http://www.bankinfosecurity.com/interviews/hsbc-requires-dual-authentication-i-2189
[Editor's Note (Murray): The report describes this action as "ground breaking." Not. Many banks have been requiring strong authentication of commercial customers for years and offering it as an option to retail customers. However, what may be novel is that HSBC is REQUIRING this strong authentication for at least some sensitive retail transactions.
(Honan): Nice to see HSBC Bank USA take security seriously and introduce two factor authentication for their US clients, something they have been offering for UK clients since 2006.
http://www.finextra.com/news/fullstory.aspx?newsitemid=15169
(Northcutt): This is not magic; modern malware waits till you are authenticated and then executes transactions, but it is a HUGE step in the right direction. I will look into closing a bank account that does not have two factor and opening one with HSBC. eTrade and Schwab also have banks that offer two factor authentication. If readers know of others, please drop me a note (stephen@sans.edu), thank you!

The responses are shown below. Note that we have not validated any of the information, but if you have an online bank account that does not have two factor authentication, this might be a place to start.

Banks that offer (or require) two factor authentication

  • Fidelity does as well. You have to ask a Fidelity advisor, as far as I know. That is how I got mine. I told the advisor that that was the biggest reason I was not willing to consider using Fidelity banking services. There is nothing on the website about it the last time I looked, though. It is a VeriSign hardware token. Particularly important since the usernames are not case sensitive, and the numeric equivalent of the username is used in several other places.
  • First Technology Credit Union has this as an option.
  • "La Banque Postale" in France has offered two factor authentication for 2 or 3 years with:
    a) the account number + password entered in a virtual keyboard;
    b) a temporary password sent to the account owner in an SMS on his registered mobile phone.
  • Merchants Bank of Vermont; no details were provided.
  • For certain high value transactions, Merrill Lynch requires a recorded teleconference (they call you at a previously known number) between you, an ML employee whom you know, and an ML employee who is a witness, as well as certain 'secret' information from each of us (not that I regard my social security number or bank account number as particularly secret, but the employee passwords hopefully are). I went through several of these when buying my house.
  • PayPal may not be a bank exactly, but they have an SMS service.
  • Valley National Bank, a regional USA bank in the North East, does the SMS message to mobile phones.
  • Westpac Bank in Australia has required two factor for years on:
    A) turn on pay anyone
    B) change your daily limit for pay anyone. Upper limit $10,000 AUD, nearly the same in USD
    C) use of pay anyone
    The default two factor is SMS, so not the strongest, but good enough. They do not require two factor to log in, or to pay bills. They have simple passwords and do NOT make you change them. They do tell you when you last logged in, and they will lock the account on multiple failed logins. However, as you don't have to keep changing the password and it is not complicated, forgetting a password would be very rare, I imagine.
  • Ulster Bank (part of RBS), Ireland, requires commercial accounts to use two factor, and certain operations for personal accounts, so they have the capability.
  • A reader from the UK mentioned, "I'm in the UK. In my house we use the Co-Op Bank & RBS. All use the same style of Europay, MasterCard and Visa (EMV) card-reader as Nationwide & Barclays on your follow-up. It's the norm for all banks here; EMV smartcards are the only option."
  • USAA Savings Bank offers two-factor authentication as well. They employ a mobile authenticator app made by Symantec or give the less secure option of text message. NOTE: More people wrote in talking about USAA than any other bank; this is not a scientific study by any means, but it is something to be aware of.
  • If you live in the USA and travel internationally, you probably want to consider an EMV credit card. However, if you are going to Australia, you probably want to do additional research; one reader said they are doing away with signatures in May 2014.
  • One reader, who is a storm center handler, wrote and said, "Also take note that unlike here in the US, in Europe the small print in the Credit Card (CC) contracts usually pushes all liability for fraud back to the customer. The banks there take the position that since they are offering "best in class" protection, it MUST be the customer's fault if something goes wrong."
Other approaches and technical solutions

  • One time use only PANs. All U.S. payment cards suffer from an inherent problem: it's known as the "replay attack". The numbers on your card can be replayed, over and over again, with or without your authentication or authorization.
    This type of fraud could be all but eliminated if the issuing banks were to embrace technology that has existed for several years. Just one of the technologies that could be used is dynamically created or 'changing' card numbers that are only valid for one merchant at a time (however, that merchant can use the number multiple times, including processing returns!). One example is Dynamics. Editor's Note: this is really nifty technology, but it may be in the wrong place at the wrong time; Chip and PIN is gaining momentum in the USA. On the other hand, several readers have written about e-Cards with Euro banks: you tell the bank who you want to buy from and how much you want to spend, and they issue a one time PAN.
  • TANs and iTANs. In Europe, especially in Germany, they use a TAN protocol to establish a one time only code for a purchase. Wikipedia explains this far better than I can; it makes me feel good about my donation. If you want to take it a notch higher, there is FinTS.
  • Yubico offers a variety of solutions, including a hardware version of the Symantec VIP tool. It is worth knowing about and was mentioned by several readers.
  • VeriSign ID Protection: I have been using this for over two years and it is reliable.
  • RSA: with apologies to Gen. Forrest, who either did or didn't say "Git thar fustest with the mostest", they were certainly an early adopter. They lost a bit of credibility when they got hacked and did not recall all the issued dongles, but one thing sets their solution apart from Symantec and VeriSign: if you forget to take the dongle out of your board shorts and go swimming or surfing, it still works; the other two drown.
  • MasterCard 3D Secure: does anyone know what this is?
  • Voltage seems to have an interesting set of solutions, including end to end encryption of the PAN. Editor's Note: we have not been in communication with a user yet, so do your own research.
  • Kathy gave me an IronKey (Model D200 8GB Rev. 1) two Christmases ago and gave herself one as well, but we could not install it on either of our MacBook Pros. Now that we are running Mavericks, I will try again. Nope, same unsupported error message.
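To make the "one merchant at a time" PAN idea from the first bullet concrete, here is a toy issuer model added for this article (not code from Dynamics, any bank, or the original author): a static PAN that authorizes at any merchant sits beside a merchant-bound virtual PAN that the same merchant can reuse, including for a refund, but that is declined anywhere else. Account and merchant names are constructed sample values.

```python
import secrets

def random_pan():
    # 16 random digits stand in for a card number (no BIN or Luhn digit; irrelevant here)
    return "".join(str(secrets.randbelow(10)) for _ in range(16))

class ToyIssuer:
    """Constructed issuer model: static PANs beside merchant-bound virtual PANs."""

    def __init__(self):
        self._static = {}    # static PAN -> account: accepted at any merchant, indefinitely
        self._virtual = {}   # virtual PAN -> (account, merchant it is bound to)

    def issue_static_pan(self, account):
        pan = random_pan()
        self._static[pan] = account
        return pan

    def issue_virtual_pan(self, account, merchant):
        pan = random_pan()
        self._virtual[pan] = (account, merchant)
        return pan

    def authorize(self, pan, merchant, amount):
        """Return (approved, reason); a negative amount models a return/refund."""
        if pan in self._static:
            # Nothing ties a static number to a merchant, so a copied number is replayable anywhere.
            return True, f"{self._static[pan]} charged {amount} at {merchant}"
        binding = self._virtual.get(pan)
        if binding is None:
            return False, "unknown PAN"
        account, bound_merchant = binding
        if merchant != bound_merchant:
            # A virtual number presented by anyone other than its merchant is declined.
            return False, f"PAN bound to {bound_merchant}, presented by {merchant}"
        return True, f"{account} charged {amount} at {merchant}"

def demo():
    """Scenarios from the text; returns the approval flag per scenario."""
    issuer = ToyIssuer()
    static_pan = issuer.issue_static_pan("acct-42")
    vpan = issuer.issue_virtual_pan("acct-42", "bookshop")
    return {
        "static_at_bookshop": issuer.authorize(static_pan, "bookshop", 30)[0],
        "static_replayed_elsewhere": issuer.authorize(static_pan, "other-shop", 30)[0],
        "virtual_at_bookshop": issuer.authorize(vpan, "bookshop", 30)[0],
        "virtual_refund_at_bookshop": issuer.authorize(vpan, "bookshop", -30)[0],
        "virtual_replayed_elsewhere": issuer.authorize(vpan, "other-shop", 30)[0],
    }
```

The only scenario that is declined is the virtual PAN presented by a merchant it was not issued for, which is exactly the replay the bullet describes as eliminated.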