Why is this online banking security feature common in other countries, but not Canada? - Action News
Home WebMail Tuesday, November 26, 2024, 11:03 AM | Calgary | -13.1°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Nova Scotia

Why is this online banking security feature common in other countries, but not Canada?

Some experts say Canada is lagging behind other countries when it comes to online banking security.

Google offers 2-factor authentication to access your emails, so why don't banks?

(CBC)

Google offers it,some video games require it,but threeof Canada's big fivebanks don't even want to talk abouttwo-factor authentication (2FA), an extra layer of online security that some experts say banks should be required to provide to help protect consumers.

It's a "very, very risky situation" according to Dr. Kevin Streff, a professor at Dakota State University and director of its FinTechsecurity lab.

U.S. banks have been expected to use 2FA, also known as multi-factor authentication, since a directive was issued by the Federal Reserve Board 14 years ago, Streff said.

Relying on "single-factor authentication" logging on to a system with one ID/password combination, for example "is insufficient in this day of cyberwarfare," he said.

Under 2FA,a bankrequires another step to ensure the personmaking the transaction is really you. It may call or text you a code that you must enter. Other forms of 2FA involve email, documentsand hardware like a USB stick.

CBCNews requested interviews with Canada's big five banksabout online security and two-factor authentication.

Scotiabank, Bank of Montrealand Royal Bankall declined and did not offer any comment.

A search of Scotiabank's website shows 2FA is offered at its international outletsbut not, apparently, in Canada.

RBC's website says it requires 2FA to confirm unusual online paymentsor transfers,or if you go over your daily limit.BMO's website says it's required for investment transactions.

A CIBC spokesperson pointed us to the bank's site, and a page that says 2FAis used fortransactions such as adding a new e-transfer recipient, updating contact information, or resetting a forgotten password. It's notrequired for day-to-day online banking transactions.

"Protecting our clients is a clear priority," saidspokesperson Trish Tervit.

TD also offers 2FA, and is the only one of the big five that gives customers the option of using it every time they log on to the site.

Two-factorauthentication "has helped to reduce levels of fraud by preventing unauthorized account access," spokesperson Lisa Bodnarsaid via email.

Two-factor authentication is not to be confused with two-step authentication, which can include a secondary password or question but not a second device.

Federal regulations required

Srini Sampalli, a cybersecurity researcher and computer science professor at Dalhousie University in Halifax, says 2FA is only really safe if the bank's code is sent to a second device, not the one on which you're doing your banking. If you're banking on your phone, TD may send the code to the same device.

Though banks are held to the "highest encryption standards" and transactions are "very, very safe," Sampalli says they should have some level of multi-factor authentication built into their security practices, especially for larger transactions.

"If the federal government can mandate some kind of a policy that all banking institutions should harden their online security practices, then perhaps it will become standardized and we will see uniformity," he said.

But, he cautions, 2FA is not the ultimate solution since "nothing is 100 per centguaranteed in cybersecurity."

Streff,at Dakota State,says Canada's lack of regulation in this area is "well-documented" and that, from a regulatory perspective, it's "lagging behind" other countries, including some in Europe.

He said it's up to the government to decide how much regulation is required.

"I don't want to paint this with a broad brush that banks in Canada aren't responsible or aren't using a second factor of authentication," he said. "There's really just an absence of regulation which leaves it up to the banks to make their own choices."

So, why don't banks offer 2FA? First, there is the cost of implementing and maintaining it. Streff calls the cost "incremental."

Secondly, there's inconvenience some customers might be annoyed by the extra steps.

"Security has to balance convenience," Sampalli said.

Sampalli says requiring 2FA is not simple there are many factors to consider, including whether consumers should be allowed to opt out, and to what extent.

He said some people in remote areas might have difficulty with 2FA if the second step involves receiving a code on a separate device.

"So, it's not just a technology issue;it's a people issue. It's convenience and technology together," he said.

New advancements coming

Sampalli said advancements in the next few years may change the security around online banking.

"What if your device itself has the intelligence to recognize if you are the rightful owner holding it and then proceeds with the transaction?" he asked.

"I believe in fiveor 10 years from now we'll see algorithms built into systems to reinforce that."

He added until thattime, the federal government should mandate regulations, but in stages, adding it must be tested to ensure that all groups have access to thetechnology.

Dr. Srini Sampalli of Dalhousie University says two-factor authentication is only really safe if the bank's code is sent to a second device.

Sampalli said it's important for those using online banking to remember they must be responsible, as well.

"We as consumers must be educated in good online techniques and practicing safe techniques and good cyber hygiene."

He said it all comes down to protecting our passwords. "They say security is only as good as the weakest link and passwords are the weakest link in the whole security chain.