Wells Fargo Backdoors RSA 2FA Authentication

17 points by camkego ↗ HN
Wells Fargo allows customers to increase the security of their online account login and authentication by using a RSA physical one time password generator to increase login-time authentication security.

This is all fine and good, these small USB-drive sized devices spit out numbers which provide a very secure way of proving that you have the device, and that you are who you say you are. This is an additional step that users need beyond their username and password for increased security.

But wait! Wells Fargo also allows "Advanced Access" 2FA authentication via SMS text message.

So, if you pay for a RSA token, you get choice at login time of using the RSA token or SMS text auth to authenticate yourself.

If you read hacker news, you know that SMS text auth has been deprecated by the NIST and there are dozens of cases where phone numbers have been taken over by hackers to bypass SMS text auth.

SMS text auth is generally regarded at quite insecure by the security community.

The best part is you cannot disable the SMS text auth as an alternative method of authentication to using the RSA secure token.*

So, Wells Fargo has managed to design and build a very secure 2FA login mechanism using RSA tokens, and completely defeat the security enhancement by forcing SMS text auth as an alternative.

Can someone please explain why banks such as Wells Fargo create such poor security mechanisms?

*You may delete all phone numbers from your account by calling WF customer service, and this disables the option of offering SMS text auth at login time. This cannot be done online. This is not recommended because then WF cannot reach you by phone.

4 comments

[ 1.8 ms ] story [ 19.3 ms ] thread
take your clickbait post somewhere else. hn is not your personal army
To anyone writing checks, these features are not intended to provide security, but instead to tick a checkbox on a compliance audit.

Odds are if something goes wrong, they'll find a way to pass the buck to another party. Or just get a gig at another bank.

People lose their tokens and need a way to recover their account access. People don't want to have to go into a physical branch to verify ID and reset it. The security of everyone suffers to increase the convenience for a few.