An open letter to financial institutions from Yuriy
To the bank, credit card company, and investment firm I work with: I trust you. I really do.
If I didn’t, I wouldn’t put my hard-earned money in your hands. While I’m not a Certified Financial Analyst, I am financially savvy, so I understand that we have a mutually beneficial relationship. At a high level, banks use the money I deposit to sell loans and invest in other financial instruments. Credit card companies make money on interest charges, other fees, and transaction fees from merchants. The brokerage firm makes money through fees on my account. On the other hand, all I expect is that you are honest about your services, provide returns, and keep my money safe.
Here’s the key: if you can’t keep my money safe, nothing else matters (of course, there’s a level of risk with investment accounts, so let’s focus on deposits here). And on the internet, I am my own worst enemy when it comes to security, as are most users of online services. I log into at least one of my online financial accounts every day, and visit all of them at least once a week. With over 3 billion usernames and passwords floating around the internet, and the fact that most people reuse their simple passwords, how are you protecting my money by protecting me from me?
Please, tell me what I should do. If you know that over 80% of people reuse their passwords, how are you educating me and influencing my behavior? Yes, you keep your servers safe, have a high level of security, and monitor IPs and devices, so you tell me that if there’s any fraudulent activity, my money will be protected and I should chill out. Okay, great, thank you, but define fraudulent activity. If I lose $10,000 and you must “investigate” what happened, that hurts: I’m not broke, but I’m not a millionaire, so that amount of money is important. It is easy for someone to mimic me online, and I’ll have no idea what’s going on until it’s too late. You will think it was me until we find a way to figure out what happened. And only then will you indemnify my account.
Apple recently emailed their users stating that they are requiring two-factor authentication once the user upgrades to iOS 11 or macOS High Sierra. Apple has had its fair share of hacks, but they don’t (directly) manage my money. If Apple is requiring two-factor authentication, why aren’t my financial institutions at least encouraging it?
I set out to find out if my financial services firms even provide an option for 2FA. I didn’t have to check with my brokerage account, Wealthfront, because they had encouraged it from the start of enrollment, so I simply turned it on. My primary bank account and credit card company? Not even an option. I checked everywhere in my account settings and didn’t find anything.
On to Twitter. I asked both companies what their deal was with two-factor authentication and why they didn’t have it. My bank is working on it; great, I am looking forward to it. My credit card company told me to chill out. The same company that makes you fax documents when disputing a claim (I wish American Express were more widely accepted globally). Getting into both accounts after I moved overseas only required an answer to one security question. Funny, my power company wouldn’t even let me access their site until I used a VPN to get back into the US.
I’m not asking my financial institutions to buy a third-party solution for two-factor authentication. Large financial firms are risk-averse and aren’t keen on betting completely on third-party solutions. Fine. Build a 2FA API for your online services. You have the financial means to do it.
Lastly, two-factor authentication isn’t the end-all, be-all solution to online security. But it is a low-cost, high-impact solution, part of the entire security picture. So please, protect me from me and give me two-factor authentication.