The cost of making online banking safer means losing a little of the “anywhere, any time” convenience that makes it so great.
You can see this trade-off in the reaction to a security process called two-step authentication that Toronto-Dominion Bank has been rolling out for the past couple of months. This measure will make customers safer, but it’s going to bug some seniors because it’s a hassle to use unless you have a cellphone and are comfortable with texting.
TD is currently offering clients the option to designate one or more of their electronic devices – laptop, desktop computer, tablet or phone – as a trusted device that won’t require additional authentication when they log in to a bank or investment account. For other devices, maybe a just-purchased computer, one used at work or one in a hotel’s business centre, you’ll need a special access code to complete the login process. This code is sent to you on your smartphone by text, or you can call TD to get your account unlocked.
Two-step authentication (sometimes referred to as two-factor authentication) replaces the security questions that are frequently used to ensure the person who logged into an account online is actually a customer. Cybersecurity experts think these questions are a lame way to protect client privacy – they’re often guessable if a hacker has even a little information about you.
Online brokerage BMO InvestorLine and robo-adviser WealthSimple are among the financial institutions that have adopted two-step authentication. A few banks use a version of this type of security when clients want to complete certain transactions online, say changing personal contact info. But TD’s move may be the most sweeping introduction of two-step authentication in online banking so far. A couple of the bank’s clients have contacted me directly to complain, and many others have been discussing the pros and cons on my Facebook personal finance page.
A TD spokeswoman described two-step authentication as being more secure and offering more protection for customers. “In light of what’s happening in the wider cyberecosystem, it’s more important than ever that we do this,” she said.
If you’re one of those people who is never without their smartphone, two-step authentication is a non-issue. But what if you’re not part of the smartphone generation? That’s the issue raised by David Murray, a retired Globe reader and TD customer in Niagara-on-the-Lake, Ont. “The problem arises when the customer (such as an 'oldie’ like me) does not have a cellphone and is away from his/her home landline.”
TD acknowledges that travel has been clients' biggest issue related to two-step authentication. If you want to use a device that isn’t known to the bank, you’ll either have to find a way to call the bank on a landline, or use your cellphone and possibly incur roaming costs. Note: It’s not a great idea to log into your financial accounts from a computer in a hotel because of the risk it’s infected with spyware that captures your personal information.
We hear more and more about data breaches at banks and other businesses, but they almost always involve the institution itself. We saw that in May, when Bank of Montreal and online bank Simplii Financial warned that fraudsters may have accessed personal data for a combined 90,000 or so clients.
But criminals also go after data at a personal level as well. That’s the story behind the malware (malevolent software) and phishing e-mails designed to get control of your computer or your personal information.
TD says its customers will be prompted to switch from security questions to the two-step authentication in the months ahead, and that the roll-out will continue through 2018. The Facebook discussion on two-step authentication suggests clients are evenly split about whether they like and value it. In an e-mail, one unhappy TD customer told me he is thinking of leaving the bank over this new security measure.
Convenience is the price to be paid when improving the security of online banking. The alternative is to be more vulnerable to a criminal element that is always probing for weakness in online security. You should be more worried about a bank that isn’t using two-step authentication than one that is.