A talented hacker might be able to easily crack the password for your bank account – especially if it falls under the easy-to-guess formula of your first name and last initial. However, if you have two-factor authentication enabled, it’s going to be a lot tougher for them to actually log in. So, in addition to updating that password to a mix of numbers, letters and characters, read on to learn more about how two-factor authentication works and how safe you can feel once you add it to your accounts.

What is two-factor authentication?

Two-factor or multifactor authentication is a way to verify that you are who you claim to be. Think about the physical world; someone might ask for a government-issued ID, plus a copy of a utility bill with a matching address, for example. Two-factor authentication puts another layer in your digital identity to help companies know it’s really you and fend off bad actors.

Two-factor authentication – also known as multifactor authentication – combines a piece of information that you know, such as a password, with something that you have, such as a phone, a code card or a physical key that you must slide into your device.

Examples of online banking authentication

  • A one-time code texted directly to your mobile phone number
  • A one-time code sent to your email
  • A one-time code sent to an authenticator app installed on your phone
  • A secret security question prompt that includes information you gave to your bank, such as your mother’s maiden name, your pet’s name or some other unique detail about your life

Your bank’s mobile app may also use biometric authentication, which uses your face or fingerprint to verify your ID in addition to the password saved on your phone.

So how secure is two-factor authentication?

The Federal Trade Commission likens two-factor authentication to “using two locks on your door.” It creates one more obstacle for anyone trying to get into your house – or in this case, your digital life. Of course, this comparison serves as a reminder that two-factor authentication isn’t foolproof. A committed thief wouldn’t be deterred by a deadbolt.

The level of security of two-factor authentication also relies on what that second factor is, and according to a recent warning from the Cybersecurity & Infrastructure Security Agency, your text messages are becoming increasingly vulnerable.

“Do not use SMS as a second factor for authentication,” the announcement reads. “SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.”

The warning, which was issued at the end of 2024, stemmed from cyber espionage activity conducted by actors affiliated with the Chinese government. While you may not immediately think of yourself as a target of government-related espionage, the message is clear: Sophisticated hackers are getting a lot more sophisticated than your phone.

Money tip: One way to prevent your financial accounts from being compromised is to stay on top of your bank statements. Read through your bank account’s financial statement, which provides a detailed record of all the transactions that occurred in your bank account over a specific period.

Potential loopholes for hackers

“While no security system is foolproof, adding multifactor authentication is a smart way to reduce the risk of account takeover,” says Gary Zimmerman, CEO of MaxMyInterest. But some types of two-factor authentication are weaker than others, he says.

For example, if you reuse your email login and password for a financial account, hackers who get hold of them could easily access both, since they can then verify your identity through that same email account. It’s like giving thieves the keys to your front door and hoping they don’t discover the keys work for your safe, too.

Breaking some types of two-factor authentication is not uncommon, says Dr. Josephine Wolff, a professor of cybersecurity policy at Tufts University. Hackers can design fraudulent websites that look nearly identical to the real ones. Then, purporting to be from a bank or broker, they email people to say that their account is about to expire or that data is missing. But the email instead sends the customer to the fake site, which captures any login information the customer types in.

The hacker enters this information on the real bank site, generating a text message with a one-time code to the user. Unsuspectingly, the user then enters that code on the fake website, and the hacker enters it on the real site, gaining access to the account.

SIM swapping – a hacking technique that manages to take over someone’s mobile phone number – has increased dramatically in recent years, too, which is why the government is recommending against one of the most common setups for two-factor authentication. According to data from the FBI, people lost around $48 million to the tactic in 2023.

How consumers can stay secure when online

Although two-factor authentication is not perfect, it’s better than nothing. And in a world where headlines of identity theft and data breaches appear seemingly every day, any additional layer of protection is wise. In addition to exploring two-factor authentication features for your financial, social media and email accounts, follow these steps to keep yourself – and your money – safe.

  • Use strong passwords: No, “1234” does not fall under the category of strong. A mix of uppercase and lowercase letters, numbers and special characters is more challenging to crack. And of course, don’t share your password with anyone.
  • Think before you click: Hackers leverage urgency to get you to fall for their tricks. If you receive any texts, emails or phone calls with a message that sounds scary, don’t do anything immediately. And remember that your bank isn’t ever going to contact you over the phone requesting confidential information or send you an attachment.
  • Update your authentication protocol with tough-to-crack steps: Whether using your fingerprint to access your email or your face to access your bank account, some forms of biometric authentication are really hard for hackers to duplicate. Be wary of voice-activated access, though, as artificial intelligence makes copying the sound of your words a lot easier.
  • Look into authentication hardware: A hacker might be able to take over your phone, but they would have to come into your house to steal a physical authentication key. If you want to take security a step further, Wolff suggests going with a physical device such as a security key as a second factor for high-value accounts.
  • Review your accounts on a regular basis: If someone manages to steal your account information or your login details, it’s critical to spot any theft as quickly as possible. Make it a priority to take a look at your account activity each day. If anything looks amiss, contact your bank immediately.
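
Why a texted code can be passed along from a fake site while a security key login cannot, shown as an added example that is not part of the original article: the bank's server checks which website the key was used on, and a typed code carries no such information. The site name bank.example, the look-alike bank-example.test, the code 492817 and the helper names are assumptions, and the signature check a real server also performs is left out.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "bank.example"                     # assumed placeholder for the bank's site
EXPECTED_ORIGIN = "https://bank.example"
CHALLENGE = bytes(range(32))               # constructed; a real server picks random bytes per login

def verify_otp(submitted: str, issued: str) -> bool:
    """A texted code is only a string: it verifies no matter which
    website the customer typed it into before it reached the bank."""
    return hmac.compare_digest(submitted, issued)

def verify_key_login(client_data_json: bytes, authenticator_data: bytes, issued_challenge: bytes):
    """Context checks a server makes on a WebAuthn (security key) login.
    The signature over these bytes must also be verified; omitted here."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    b64 = data.get("challenge", "")
    challenge = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if not hmac.compare_digest(challenge, issued_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:      # the browser reports the page the user is on
        return False, "origin mismatch: " + str(data.get("origin"))
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    return True, "ok"

def constructed_login(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the two byte strings a browser and key send back."""
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64, "origin": origin}).encode()
    # authenticator data: rpIdHash (32 bytes) + flags (1 byte) + signature counter (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cdj, auth_data

if __name__ == "__main__":
    # The code is accepted wherever it was collected.
    print("texted code:", verify_otp("492817", "492817"))
    for origin, rp in (("https://bank.example", "bank.example"),
                       ("https://bank-example.test", "bank-example.test")):
        print(origin, verify_key_login(*constructed_login(origin, rp, CHALLENGE), CHALLENGE))
```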

Keep in mind: In addition to keeping vigilant of your bank transactions online, you also need to consider how your bank, or credit union, is protected. Look for a bank that’s federally insured by the Federal Deposit Insurance Corp., or FDIC, or a credit union that’s a member of the National Credit Union Administration, or NCUA. Should your financial institution fall victim to an online attack, or any other failure, your money is insured up to a limit of $250,000 per depositor, per insured bank, per ownership category.

Bottom line

Two-factor authentication is valuable even if it’s not foolproof. As banks and technology companies work to avoid fraud losses, you should expect to see new types of security emerge over time.

The bad guys will always be looking for ways to go up, around or through the digital fence to get to your money. With that in mind, carefully follow best practices for protecting your financial information to eliminate – or at least mitigate – your risk.
