by ResearchAtPlay 2950 days ago
I can confirm that Scotia Bank, another major Canadian bank, does not support 2FA. This has always bothered me and is especially concerning because Canadian bank accounts can be used to log into Canada's immigration services (CIC). That immigration account is protected only by one more layer of self-selected security questions, after which the intruder potentially has access to a swath of personal data, including passport numbers, and a very detailed personal history section.

In my opinion, Canadian banks are way overdue to switch to 2FA.


Nor does TD. They don't even do phone notifications of logins.

Ironically, I signed up with one of the local credit unions in Toronto to take advantage of a high-interest savings account for a future tax debt for which I am sitting on the cash, and found they supported SMS 2FA, and texts when anyone (even me) logged into the account. I wish TD supported this, but then again, as long as their money is backed by the government I don't really care all that much.

Actually I think TD just launched an SMS-based two factor; I set it up on the weekend (I got prompted when I logged into EasyWeb, and it's also in my security settings). It's SMS-based, and can be configured for how aggressive it is (when you change IP/computer, or every time you log in).

I would much prefer to see a second factor like TOTP, U2F, etc as the problems with SMS based second factor are well documented, but I'll take what I can get.

Even TOTP is not a good 2FA system for a bank login, at least if that account allows you to send money somewhere: TOTP codes do not differentiate by transaction type, so if a fraudster has taken over your computer, they can wait for you to log in using TOTP and then send a wire transfer in the background (using the same TOTP quickly enough if necessary, or just asking you to log in again, pretending your first code was wrong).

That’s why proper banks should use 2FA mechanisms that will ask the user to confirm the transaction on a second device (e.g. photoTAN or similar).

Of course, this won’t help against attacks if both devices are compromised or you are using the second factor device to access the system, but it’s still better than TOTP.

And, of course, TOTP is still way better than SMS 2FA or no 2FA.

If someone has hijacked your computer, they could simply steal your session cookie and do whatever they want regardless of some TOTP secrets or being quick enough. In fact at that point any 2FA becomes meaningless - it's already game over.

Unless of course your bank does some proper, additional verification for large volume transfers.

Of course, that's the point: with photoTAN et al. it will request a one-time token for each wire transfer, and the token is based on the information (amount and recipient) of the transfer, which the user needs to confirm on their 2FA device.
Correct! Thanks for posting this, I just enabled it.

For anyone who wants to set it up you can find it by...

1) Logging into Easy Web

2) Click your name in the top right

3) "Password and security"

SMS-based 2FA is less secure than just a password. You unfortunately decreased the security of your account :(
Can you elaborate?

I'm not sure I understand why you believe SMS codes as a second factor compromise the security of the password authentication.

It's very easy to socially engineer a cellular ISP into redirecting arbitrary customers' calls/texts to you, with just publicly available information.
How is requiring a SMS token in addition to a password less secure than just requiring the password?
Because SMS is used in password-recovery workflows, meaning it isn't a second factor at all - it's a single, easily-breakable factor.
Maybe, that depends on the implementation. I don't believe they allow password resets from EasyWeb via SMS, so I believe in this case it's at worst "as good as it was before", and only when they've managed to hijack my phone number.
TD is actually terrible. If you forget your password and you can answer one of the questions about the person (i.e., what was your high school mascot?) they actually just let you change the password at that point.
Hah, I remember when TD actually started supporting proper password lengths and published a bunch of fluff pieces about good password practices, as if none of their users remember their old short password restrictions.
> one of the local credit unions in Toronto

Got a name? And do you recommend them? Long-time RBC customer, which means they treat me terribly. Mortgage is coming up for renewal soon enough.

I signed up for both Meridian and EQ bank. Both supported various 2FA options. I only used them as a higher interest savings account (One was 1.5% the other was 2%, so yeah, low but not terrible - I've since moved that tax liability to Wealthsimple's high interest account), cannot really vouch for their service outside of saying they gave me the interest and the initial capital back without any drama.
SMS as a 2FA has been discredited, but I suppose it's better than nothing.
Nope, it's worse. Websites will use it as an authentication method in password-reset workflows, which means hacking your account reduces to intercepting or redirecting text messages (easily accomplished). Rampant cryptocurrency theft over the past year has conclusively demonstrated that SMS-based 2FA is worse than no 2FA at all. The worst offender? Gmail. It uses your phone number for password recovery and is in turn used for password recovery by every other website.
Gmail allows you to use SMS, but does not force you to and gives you other secure options.
That's true, but I single it out because:

1) Many people have had their Gmail account for a long time, starting before SMS-based 2FA was widely known as a security disaster (this is in fact still not widely-known)

2) Google still actively encourages users to add a recovery phone number

3) Users could have added a phone number years ago then forgotten (this was the case with myself)

4) Users often have many websites using their Gmail account for password-reset workflows (this is definitely the case with myself)

All of these combine to make Gmail the ideal hacker entrypoint. See this hack: https://www.reddit.com/r/ethtrader/comments/8klw4f/someone_j...

>2) Google still actively encourages users to add a recovery phone number

I would consider the average person to be pretty bad at handling OTP backups. How else would you do recovery?

To my knowledge none of the big Canadian banks support U2F or TOTP.

Accounts can also be used to log in to the CRA website.

When you sign up to CRA's online control panel... they actually make you tick a box that says in essence:

"we're not responsible if we get hacked and lose all of your CRA related data to some random hacker... that's your fault"

CRA = Canada Revenue Agency (Canada's IRS)
= CCRA: Canada Customs and Revenue Agency
Grrr. Google Authenticator and such are free. It would be mostly user support costs to deploy. Heck, could even SMS or robodial (Twilio etc) a TOTP code for people without smartphones.
> Heck, could even SMS or robodial (Twilio etc) a TOTP code for people without smartphones.

SMS is not secure for this purpose since there are many attacks which allow you to sniff SMS messages.

There's no need for that, TOTP runs everywhere, including J2ME apps installed from WAP.
> can be used to log into Canada's immigration services (CIC)

I've looked around an account I'm a representative on, and other than passport numbers, not much sensitive personal data.

CIC is still a lot of pen and paper these days, but perhaps it depends on one's immigration pathway...

The bank's information can be used to log into CRA however...

What really bothers me about these banks is that they attempt to keep their platforms secure by things like disabling the back button. Just so that hypothetically, if somehow a person has access to your physical machine, they can't just press back and view a cached copy of your account. Yet they fail on actual security practices.

No 2FA - check

Maximum password length of 6 characters - check

Storing / sending passwords in plain text - check

The list goes on.

It boggles my mind that institutions with such financial power, fail to employ these practices.

It's clearly not a question of cost..

Tangerine doesn't support 2FA, and passwords must be 6-digit numbers...
I just wanted to say that Scotia's corporate accounts do have 2FA with a physical token generator, so they do have the technology they just don't enforce it for consumer accounts.
It's pretty ridiculous that all the big banks give you a smart card, but not a $5 smartcard reader to log in with...