Wells Fargo Backdoors RSA 2FA Authentication
This is all fine and good, these small USB-drive sized devices spit out numbers which provide a very secure way of proving that you have the device, and that you are who you say you are. This is an additional step that users need beyond their username and password for increased security.
But wait! Wells Fargo also allows "Advanced Access" 2FA authentication via SMS text message.
So, if you pay for a RSA token, you get choice at login time of using the RSA token or SMS text auth to authenticate yourself.
If you read hacker news, you know that SMS text auth has been deprecated by the NIST and there are dozens of cases where phone numbers have been taken over by hackers to bypass SMS text auth.
SMS text auth is generally regarded at quite insecure by the security community.
The best part is you cannot disable the SMS text auth as an alternative method of authentication to using the RSA secure token.*
So, Wells Fargo has managed to design and build a very secure 2FA login mechanism using RSA tokens, and completely defeat the security enhancement by forcing SMS text auth as an alternative.
Can someone please explain why banks such as Wells Fargo create such poor security mechanisms?
*You may delete all phone numbers from your account by calling WF customer service, and this disables the option of offering SMS text auth at login time. This cannot be done online. This is not recommended because then WF cannot reach you by phone.
4 comments
[ 1.8 ms ] story [ 19.3 ms ] threadOdds are if something goes wrong, they'll find a way to pass the buck to another party. Or just get a gig at another bank.