Hi There,
I would like to ask if you could please provide a new implementation of the Two-Factor Authentication so we can better protect our investments against criminals.
I recently heard a story on BBC Radio 4 about a man who had his smartphone stolen. The criminals were able to steal all the money in his bank account, and even worse, they applied for a loan in his name through the app, which was approved within minutes, so they were able to steal that amount as well. Hence I have decided to remove all banking and investment applications from my phone and to manage my bank accounts and investments from my computer at home. So I do not want to use the Two-Factor Authentication method that relies on the app on the phone.
The most common way of using Two-Factor Authentication with financial institutions is by receiving a 6-digit number by SMS. This certainly increases security, but it is considered insecure, as apparently it is really easy for criminals to get around it. So it would be great if you could provide a more secure TFA method instead.
Hardware tokens:
The most secure way of implementing Two-Factor Authentication is by using U2F/WebAuthn. The user needs to buy a hardware token such as a YubiKey. The secret key is stored on the hardware and is never seen by the computer, so this approach remains very secure even if the user's computer is compromised. The main downside is that users have to buy one token, or preferably two in order to have a backup in case the primary token is lost. And for this approach to work best, it is important for the website to allow users to register more than one security token so that backup tokens can also be recognised.
Software token:
A very common implementation of Two-Factor Authentication is to scan a QR code with an application such as Google Authenticator or Authy. This does not cost anything, is simple to use, and is relatively secure. The main downside is that the secret token is accessible through the QR code and has to be stored on the user's phone. Smartphones are subject to security vulnerabilities, hence it is not impossible for software tokens to be accessed by criminals. The security of this approach can be increased a lot by storing the software token on a YubiKey using the Yubico Authenticator application on a computer or phone. This reduces the risk dramatically, but the secret seed can still be stolen at the time it is being transmitted from the website to the user's device.
The best implementations I am aware of are on websites such as Google and AWS, where they allow users to register multiple U2F/WebAuthn hardware tokens as well as software tokens, so we have the choice and the ability to register multiple tokens in case we lose one. It would be really great if you could provide at least one of the two secure methods described above. I hope this message will also help users increase their own security by following better practices.
More can be done to improve security. Assuming criminals are able to access someone's online account, how difficult is it going to be for them to sell the investments and transfer the proceeds to their bank account? Some investment platforms make it very difficult to change the details of the nominated bank account, to stop criminals from quickly putting in theirs and transferring the money. Some investment platforms ask for a bank statement and proof of ID and charge a fee for changing the bank account. It is also possible to send a code by post so that only the real owner of the account can change the bank account. Are there already such protections in place on your platform, or do you have any such plans?
I would really appreciate it if you could implement such security features on your platform.
Many thanks