[belorn]

If a bank use passwords at all, its a big red sign that they only care about the appearance of security. A password do not strongly identify a person, and should not be used for anything that involve high value and easy stolen property.

Most banks I know uses pin and either a hardware token or a bound smart phone. Its far from perfect, but at least someone has to steal a physical object or hack the phone system to start their brute-force attacks.

[err4nt]

"Most banks you know"? I'm genuinely curious, I don't know of any bank like that in Canada, and I'm in the US weekly and I've never heard or seen it there. I've seen token generator keychains, but what do you mean about the phone?

[VLM]

"what do you mean about the phone"

Both my personal use credit union, and the bank my volunteer gig uses, have an outsourced authenticator who logs the ip addresses I use, and if I'm attempting to log in from a new address they SMS or voice call a number on file with a six digit number I type in to authenticate the new device. Neither the CU or bank have anything to do with each other, but use the same system, so I'm guessing its some kind of nationwide outsourced system that "many" financial institutions use.

Still have to enter your password to verify its me on my computer today, and not my kid screwing around on my computer, they only SMS authenticate perhaps once a month.

The same outsourcer apparently does password recovery when you get locked out. The bank requires full password recovery process if you don't log in for 45 days, which is an unholy annoyance for a sleepy volunteer org. The life of a treasurer is never easy I guess.

Its moderately annoying as my phone lives on its charger in the bedroom if I'm at home, and the desktop in the office is at least 75 foot walk away, so when the authentication service feels like pulling my chain, I swear a lot and make a trek and inevitably the login times out so I have to start all over again once I fetch the phone. Which fits in with stereotypical security theater, you "win" if you make it inconvenient, no need to actually make it secure.

(edited to add I live in the USA, upper midwest, vaguely near Chicago, everyone else responding is at least 4000 miles away, I interpreted your request as how they use phones to auth in the USA, so, well, this is how they do it)

[aylons]

In Brazil, most banks use two-factor authentication in some form for internet transactions.

One of my banks gives me the option to receive the code through SMS, generate it through a phone app or with a dedicated keyring token. This is a option I can make at the time transaction-time.

The other requires me to authenticate each new machine I login from, through an SMS. A bit less secure.

Biometrical authentication is also a thing. The biggest banks already have some form of it (fingerprint or hand palm), and I can even make transactions w/o a card, using only fingerprint and password. Actually, I only carry credit cards nowadays, the bank account card stays at home and use fingerprint to withdraw.

[dagw]

I've been online banking in Norway and Sweden since 1999 and I've never seen a bank that just uses passwords.

For phones you download an app and enter a unique security code that you get from your bank. This, combined with some uid on your phone, creates a unique salt and basically ties that copy of the app on that phone to your bank account, so only your phone can log into your account. Your phone now becomes the "something you have" in addition to the "something you know" (your chosen bank password)

[emeidi]

Every Swiss bank I have accounts with (Credit Suisse, Postfinance, Raiffeisen) have internet banking protected with two factor authentication. The second factor can either be a chip card with a reader (protected by a PIN, and you then enter a code shown on screen and it returns another number), an SMS token or an iPhone app which reads a picture of the screen (!) and returns another token number (with a SMS token fallback).

[afro88]

It's pretty standard in the UK

[davb]

None of my personal accounts in the UK use two factor authentication. Same goes for the majority of friends and family.

Only one (former) account ever done this, and it was own used when adding a new payee records. It used EMV CAP (http://en.wikipedia.org/wiki/Chip_Authentication_Program) with a separate smartcard (not my EMV compliant debit card).

All of my business accounts offer two factor authentication, recently shifting from SecurID-style TOTP tokens to EMV CAP authenticators.

[72deluxe]

Barclays bank uses two-factor authentication for logging into their online banking (using your card, so that you have to enter you PIN for your card on the little authentication machine to get a code to log in), although you can also set up a PIN to log in without it (I haven't bothered - it's safer not to, right?!). You also need your membership number and a memorable word AND a number as far as I can remember (I do it automatically now)

They also require this authentication step to be carried out for sending money to someone else online for the first time. They also require you to enter your PIN against your card using the same mechanism when you go into a branch, as they cannot access details about your account without you doing it. I suspect it stopped people mugging others and they walking as saying "Can I withdraw £100 on this account here please?" with the card they'd just pinched.

The Barclays one is called PINSentry and they've had it for nearly 10 years I think? My device still hasn't ran out of battery (it gets switched on when you insert your card).

My wife is with Natwest I think and she needs the little card device for setting up new payments but logging in does not need it.

[lsh]

NAB (National Australia Bank) require a bound mobile phone for a lot of operations. Its a real pain, given that I now live overseas.

[chrismorgan]

I don’t have a mobile phone; my experience with NAB’s Internet banking is that there are a few things which want that, such as viewing or changing daily limits, but so long as you never set up SMS Alerts just about everything else is fine. I don’t believe I’ve ever run into any problems with them due to not having a mobile phone. If you’ve already set up SMS Alerts, I don’t know what the situation is.

[fwr]

Do you not have to confirm outgoing wire transfers by inputting a code sent to your phone?

[barry-cotter]

Americans don't do wire transfers, they write checks. The level of kidding in the previous sentence is extremely low.

[NateDad]

Wire transfers tend to have a $35-$50 fee and require you to schlep down to the bank during business hours and fill out annoying paperwork. So, yeah, we don't use them except in emergencies.

[mcv]

Do we have a misunderstanding of the meaning of "wire transfer" here? Surely you can just send money to someone else's account through the bank's internet banking website?

How else do you pay for stuff like rent, and, well, anything, really?

[nknighthb]

No. You cannot.

Rent is usually paid by check, though poorer people who may not have bank accounts of any kind often use cash, too. Large-scale landlords (corporations renting many units) sometimes take credit cards or be able to setup automatic debit from a bank account. Obviously this sacrifices a good deal of control and if they screw up (intentionally or otherwise) you get to deal with all sorts of shit.

"Electronic bill payment" in the US often means your bank mails the receiver a check. Some subset of businesses are setup to turn that into a direct transfer. In no case has it ever been worth the hassle. I try very hard to avoid anything that can't be paid for with a credit card, since that is, by far, the lowest-friction payment method in the US.

Everything else, cash, check, credit/debit card, or sometimes direct debit. Only active businesses are going to be set up to take cards or do direct debits. If you want to give money to an individual, you give them cash or a check.

American banking is radically behind.

[aianus]

In Canada you can email people money up to $2000 but it costs $1.50 per transfer so I tend not to use it. You can also pay most bills from large institutions online (utilities, credit cards, tuition, taxes, etc).

I've paid rent using cash, checks, and pre-authorized debit (you give them your bank account number and sign a contract and they withdraw from your account every month). For vehicles or property it's usually a certified check. Anything else goes on my credit cards.

[VLM]

I believe you're a UK but no offense intended if you're not. As an actual american I only write about three or four checks per year, everything else is online.

We do pull and push.

Pulls are an unholy PITA to set up where you give them all kinds of personally identifiable information which they hopefully won't lose, then they make multiple couple cent deposits to your account, then you tell them what the amounts were and they tell the bank, which creates a certain relationship which in the Future is very historical trust based. So click here on your car insurance site to make your biannual car insurance payment exactly like the last 20 payments (well, slightly different amounts, but ...) Ditto the mortgage website, the electric bill, a couple others. Basically very long term relationships, I'm unlikely to just randomly stop paying the monopoly electricity provider. This is a direct acct to acct transfer.

Pushes are easy to set up but more of a pain to use on a monthly basis. No one has control over pushes other than yourself. You send money to a postal address, and who knows what they do on the back end, individual old fashioned checks or batch up or wire transfers who knows. This is more for credit cards or temporary less formal associations. You go to your bank website, tell them the postal address (they'll save it for later use) tell them how much, click send, off it goes.

Speaking generically, most USA people use credit cards or paypal or the zillions of small time competitors when someone wants money from them, and they interface with the bank for you. So Paypal can eat money directly out of my checking acct to send cash, up to certain limits. This is vaguely ATM like, sort of a web interface to a ATM. Or it just gets added to the CC balance. So it would be really weird for me to pay directly for gasoline or even food, I generally CC that, and then send one very large "push" bill payment from the bank to the CC per month.

So Americans mostly do electronic pushes, pulls, and aggregators online, although we do have checks for non-electronic people.

I write a check to the school district for book + other fees, like $50 per year per kid. Technically its illegal to demand payment for free public schools but the PTO spends it on "free" after school activities so its kinda a donation and I think we get our monies worth. Also my wife buys an organic grown fraction of a cow from a local farmer every year or so, and the butcher shop takes electronic for processing but the old school farmer still does paper checks. Some tradesmen (plumber, carpenter) only take old fashioned paper checks, although that is very rapidly changing as they all get smart phones. I switched to a CU probably 7 to 10 years ago and since then I've written a couple dozen checks total, I'd have to find it to verify because I keep it locked up.

Some really old people, like non-computational, obviously write a lot of checks. I have an elderly uncle who had to pay an extra bank fee for writing more than two dozen a month, which seems weird to me.

Poor people with serious legal / financial issues are unbanked and mostly go pure cash. There's a whole industry grown around ripping off those people when they try to interface semi-legally with the financial system. This is probably less than 1/4 the population. Like if you owe child support or a court judgment, all your electronic money will simply disappear, but not your cash, leading to some peculiar behaviors.

[72deluxe]

Wow, this sounds insane. Here in the UK they have recently improved the electronic transfer system so that money appears in the other account (clears) in 2 hours or less (practically instantly for accounts at the same Bank). I do not know whether large bank transfers using BACS or CHAPS incur a fee but most people happily send money to other people electronically as few people have cheques anymore. The banks seem to have stopped issuing cheque books, and no shop that I know of will accept them, so it effectively killed cheques. The older generation probably struggle without them.

They have recently pushed out the mobile payment system called PAYM (someone obviously got paid a fortune to think of pay + mobile, eg. pay + m ... . . paym) where you can send money to anyone else with their mobile number. They need to have registered their mobile number with their bank for this to work (and not all banks have signed up to the system) but it should make sending money really easy.

People seem to use Paypal a lot for sending money around but they're greedy with fees so I am keen for this PAYM system.

[mcv]

A pin is just a very short password. A bank using only a password would of course be ridiculously negligent. All banks I'm familiar with use 2 levels of authorization: 1 to log in, 1 to authorize payment.

I have 2 bank accounts. One with ING (a major Dutch/international bank), which uses a password (without special characters unfortunately) to log in, and an authorization code to authorize payment. In my case, that authorization code comes from a piece of paper with a bunch of one-time codes on it. This is an old system that dates back to when you called them directly by modem, rather than over internet. Nowadays I could also have the code sent to my phone. But phones can also be stolen, so I don't see the point.

My other account (at Triodos, a much smaller Dutch bank) uses a pin + hardware token at both stages. I wouldn't also having a ridiculously long password there.

[aianus]

All of the bank accounts I have in Canada let me send $2000 with nothing but a password. They also won't let me use non-alphanumeric passwords and don't support any two-factor authentication. Same in the US.

Of course, if anyone did try to steal my money this way, the bank would reverse the transfer and give it back to me.

[mcv]

Sounds very insecure for a bank. Will they really automatically reverse any transfer you object to? What if they don't control the target account? What if there's no money on the other account anymore? What if it was a legitimate payment, you got what you ordered, and then you had the payment reversed?

I see a big hornet's nest of potential problems in a system like that.

[aianus]

I guess they try to pull it back and if it's not possible they eat the cost. I imagine any bank that tried to force people to use 2FA and/or get rid of the zero-liability policy would lose a lot of customers.

[alistairSH]

Not in the US. Not one of my banks or other finance-related websites uses two-factor authentication by default. I haven't looked to see if any offer it as an option, but I tend to doubt it (it certainly isn't advertised).

[NateDad]

The US's personal banking industry is like 20 years behind the rest of the developed world. Not sure why, probably because the banks have all the money to lobby to keep things the same.

[danielweber]

The US's personal banking industry is like 20 years behind the rest of the developed world

People say Canada is a half-generation behind the US in banking innovation, which is generally in Canada's best interest. They've never had a banking crisis.

Not sure why, probably because the banks have all the money to lobby to keep things the same.

This response is worse than wrong, it's assuming bad intentions.

For personal accounts, banks are responsible for your money, even if the hackerz keylog your password and log on as you and steal your money. US banks already have all the incentive in the world to drive down fraud on personal accounts, and yet they seem to have decided it's not worth the time and money to clamp down on it.

Most likely it's because there are always other ways of fighting fraud. The US banking system is full of reversible transactions. From the outside, it sure seems the best use of limited resources is to choke the irreversible endpoints.

[TheCoelacanth]

> The US's personal banking industry is like 20 years behind the rest of the developed world

>> People say Canada is a half-generation behind the US in banking innovation, which is generally in Canada's best interest. They've never had a banking crisis.

The financial crises in the US have all been caused by investment banking, innovations in retail banking are unlikely to ever cause a financial crisis.