On January 30, The Times reported that in a review of online security at 12 leading British banks, the United Kingdom-based consumer organization Which? and the United Kingdom-based cybersecurity firm SureCloud found that only five of the 12 banks – including First Direct, HSBC, and Barclays – provided accountholders with two-factor authentication (2FA) at the time of login. (2FA can be defined as “an additional layer of security for your online accounts beyond your password,” such as an additional piece of information sent via another channel, e.g., a hardware or software token, a code texted to you, or a call to your phone.)
The seven banks that failed to enforce 2FA at login were the Co-operative Bank, TSB, Lloyds, Clydesdale/Yorkshire Bank (CYBG), Santander, NatWest, and Metro Bank. Responses to the study by several of those banks were less than enthusiastic about the rankings, but 2FA will no longer be an option for United Kingdom banks. UK Finance, the trade association for the United Kingdom bank and financial services sector, stated that 2FA for high-value online payments would be a legal requirement as of September 2019.
Note: The issue of 2FA adoption is hardly unique to the United Kingdom, and certainly not to the banking sector. In an October 2018 study of the prevalence of 2FA offerings by 34 top consumer websites in the United States, password-app company Dashlane found that 76 percent of sites do not offer users a full set of 2FA options. Among the financial services companies included in the survey, Bank of America and Wells Fargo received the maximum score for offering multiple 2FA options, while Citibank, Discover, American Express, and Chase offered only SMS or email authentication.
Nor are all forms of 2FA equally effective. Hackers can circumvent 2FA by “spoofing your SIM card, intercepting the unencrypted message as it is sent over the network or trying to steal databases filled with information about mobile accounts from telecoms operators.” In addition, the United States National Institute of Standards and Technology (NIST) commented in 2016 that SMS was not recommended for 2FA because of its inherent vulnerabilities (e.g., lack of encryption), and last year published draft guidance “that recommends against companies and government agencies using SMS as the channel for out-of-band verification.”
“Some warn,” The Economist noted, “that SMS is better than nothing, for users who cannot navigate more complicated systems.” That justification sounds far less persuasive in light of the 30 percent increase in e-commerce fraud attacks in 2017. But it is also unclear how much “better than nothing” other multifactor authentication (MFA) technologies are. As Professor Josephine Wolff of the Rochester Institute of Technology recently observed, empirical data is still lacking about how well various 2FA or MFA solutions work. When 2FA becomes mandatory for United Kingdom banks later this year, both the banks and regulators need to examine what “best practices” truly means for 2FA and MFA, and how to evaluate which of those practices are substantially “better than nothing.”