[err4nt]

"Most banks you know"? I'm genuinely curious, I don't know of any bank like that in Canada, and I'm in the US weekly and I've never heard or seen it there. I've seen token generator keychains, but what do you mean about the phone?

[VLM]

"what do you mean about the phone"

Both my personal use credit union, and the bank my volunteer gig uses, have an outsourced authenticator who logs the ip addresses I use, and if I'm attempting to log in from a new address they SMS or voice call a number on file with a six digit number I type in to authenticate the new device. Neither the CU or bank have anything to do with each other, but use the same system, so I'm guessing its some kind of nationwide outsourced system that "many" financial institutions use.

Still have to enter your password to verify its me on my computer today, and not my kid screwing around on my computer, they only SMS authenticate perhaps once a month.

The same outsourcer apparently does password recovery when you get locked out. The bank requires full password recovery process if you don't log in for 45 days, which is an unholy annoyance for a sleepy volunteer org. The life of a treasurer is never easy I guess.

Its moderately annoying as my phone lives on its charger in the bedroom if I'm at home, and the desktop in the office is at least 75 foot walk away, so when the authentication service feels like pulling my chain, I swear a lot and make a trek and inevitably the login times out so I have to start all over again once I fetch the phone. Which fits in with stereotypical security theater, you "win" if you make it inconvenient, no need to actually make it secure.

(edited to add I live in the USA, upper midwest, vaguely near Chicago, everyone else responding is at least 4000 miles away, I interpreted your request as how they use phones to auth in the USA, so, well, this is how they do it)

[aylons]

In Brazil, most banks use two-factor authentication in some form for internet transactions.

One of my banks gives me the option to receive the code through SMS, generate it through a phone app or with a dedicated keyring token. This is a option I can make at the time transaction-time.

The other requires me to authenticate each new machine I login from, through an SMS. A bit less secure.

Biometrical authentication is also a thing. The biggest banks already have some form of it (fingerprint or hand palm), and I can even make transactions w/o a card, using only fingerprint and password. Actually, I only carry credit cards nowadays, the bank account card stays at home and use fingerprint to withdraw.

[dagw]

I've been online banking in Norway and Sweden since 1999 and I've never seen a bank that just uses passwords.

For phones you download an app and enter a unique security code that you get from your bank. This, combined with some uid on your phone, creates a unique salt and basically ties that copy of the app on that phone to your bank account, so only your phone can log into your account. Your phone now becomes the "something you have" in addition to the "something you know" (your chosen bank password)

[emeidi]

Every Swiss bank I have accounts with (Credit Suisse, Postfinance, Raiffeisen) have internet banking protected with two factor authentication. The second factor can either be a chip card with a reader (protected by a PIN, and you then enter a code shown on screen and it returns another number), an SMS token or an iPhone app which reads a picture of the screen (!) and returns another token number (with a SMS token fallback).

[afro88]

It's pretty standard in the UK

[davb]

None of my personal accounts in the UK use two factor authentication. Same goes for the majority of friends and family.

Only one (former) account ever done this, and it was own used when adding a new payee records. It used EMV CAP (http://en.wikipedia.org/wiki/Chip_Authentication_Program) with a separate smartcard (not my EMV compliant debit card).

All of my business accounts offer two factor authentication, recently shifting from SecurID-style TOTP tokens to EMV CAP authenticators.

[72deluxe]

Barclays bank uses two-factor authentication for logging into their online banking (using your card, so that you have to enter you PIN for your card on the little authentication machine to get a code to log in), although you can also set up a PIN to log in without it (I haven't bothered - it's safer not to, right?!). You also need your membership number and a memorable word AND a number as far as I can remember (I do it automatically now)

They also require this authentication step to be carried out for sending money to someone else online for the first time. They also require you to enter your PIN against your card using the same mechanism when you go into a branch, as they cannot access details about your account without you doing it. I suspect it stopped people mugging others and they walking as saying "Can I withdraw £100 on this account here please?" with the card they'd just pinched.

The Barclays one is called PINSentry and they've had it for nearly 10 years I think? My device still hasn't ran out of battery (it gets switched on when you insert your card).

My wife is with Natwest I think and she needs the little card device for setting up new payments but logging in does not need it.

[lsh]

NAB (National Australia Bank) require a bound mobile phone for a lot of operations. Its a real pain, given that I now live overseas.

[chrismorgan]

I don’t have a mobile phone; my experience with NAB’s Internet banking is that there are a few things which want that, such as viewing or changing daily limits, but so long as you never set up SMS Alerts just about everything else is fine. I don’t believe I’ve ever run into any problems with them due to not having a mobile phone. If you’ve already set up SMS Alerts, I don’t know what the situation is.

[fwr]

Do you not have to confirm outgoing wire transfers by inputting a code sent to your phone?

[barry-cotter]

Americans don't do wire transfers, they write checks. The level of kidding in the previous sentence is extremely low.

[NateDad]

Wire transfers tend to have a $35-$50 fee and require you to schlep down to the bank during business hours and fill out annoying paperwork. So, yeah, we don't use them except in emergencies.

[mcv]

Do we have a misunderstanding of the meaning of "wire transfer" here? Surely you can just send money to someone else's account through the bank's internet banking website?

How else do you pay for stuff like rent, and, well, anything, really?

[nknighthb]

No. You cannot.

Rent is usually paid by check, though poorer people who may not have bank accounts of any kind often use cash, too. Large-scale landlords (corporations renting many units) sometimes take credit cards or be able to setup automatic debit from a bank account. Obviously this sacrifices a good deal of control and if they screw up (intentionally or otherwise) you get to deal with all sorts of shit.

"Electronic bill payment" in the US often means your bank mails the receiver a check. Some subset of businesses are setup to turn that into a direct transfer. In no case has it ever been worth the hassle. I try very hard to avoid anything that can't be paid for with a credit card, since that is, by far, the lowest-friction payment method in the US.

Everything else, cash, check, credit/debit card, or sometimes direct debit. Only active businesses are going to be set up to take cards or do direct debits. If you want to give money to an individual, you give them cash or a check.

American banking is radically behind.

[mcv]

Okay, this explains quite a lot about the state of US banking, and why credit cards are so popular there. In Netherland, almost nobody uses credit cards, because they're less safe and more expensive than our other options. The only reason I've got a credit card at all, is to make international online payments. Even for domestic online payments, we've got a much better system. But internationally, there's nothing. Just credit cards.

I do get the impression that the US should be a great market to start a more modern bank and compete all the crappy old banks away. I'm sure all internationally operating banks have tried this. So why are they not successful?

[aianus]

In Canada you can email people money up to $2000 but it costs $1.50 per transfer so I tend not to use it. You can also pay most bills from large institutions online (utilities, credit cards, tuition, taxes, etc).

I've paid rent using cash, checks, and pre-authorized debit (you give them your bank account number and sign a contract and they withdraw from your account every month). For vehicles or property it's usually a certified check. Anything else goes on my credit cards.

[VLM]

I believe you're a UK but no offense intended if you're not. As an actual american I only write about three or four checks per year, everything else is online.

We do pull and push.

Pulls are an unholy PITA to set up where you give them all kinds of personally identifiable information which they hopefully won't lose, then they make multiple couple cent deposits to your account, then you tell them what the amounts were and they tell the bank, which creates a certain relationship which in the Future is very historical trust based. So click here on your car insurance site to make your biannual car insurance payment exactly like the last 20 payments (well, slightly different amounts, but ...) Ditto the mortgage website, the electric bill, a couple others. Basically very long term relationships, I'm unlikely to just randomly stop paying the monopoly electricity provider. This is a direct acct to acct transfer.

Pushes are easy to set up but more of a pain to use on a monthly basis. No one has control over pushes other than yourself. You send money to a postal address, and who knows what they do on the back end, individual old fashioned checks or batch up or wire transfers who knows. This is more for credit cards or temporary less formal associations. You go to your bank website, tell them the postal address (they'll save it for later use) tell them how much, click send, off it goes.

Speaking generically, most USA people use credit cards or paypal or the zillions of small time competitors when someone wants money from them, and they interface with the bank for you. So Paypal can eat money directly out of my checking acct to send cash, up to certain limits. This is vaguely ATM like, sort of a web interface to a ATM. Or it just gets added to the CC balance. So it would be really weird for me to pay directly for gasoline or even food, I generally CC that, and then send one very large "push" bill payment from the bank to the CC per month.

So Americans mostly do electronic pushes, pulls, and aggregators online, although we do have checks for non-electronic people.

I write a check to the school district for book + other fees, like $50 per year per kid. Technically its illegal to demand payment for free public schools but the PTO spends it on "free" after school activities so its kinda a donation and I think we get our monies worth. Also my wife buys an organic grown fraction of a cow from a local farmer every year or so, and the butcher shop takes electronic for processing but the old school farmer still does paper checks. Some tradesmen (plumber, carpenter) only take old fashioned paper checks, although that is very rapidly changing as they all get smart phones. I switched to a CU probably 7 to 10 years ago and since then I've written a couple dozen checks total, I'd have to find it to verify because I keep it locked up.

Some really old people, like non-computational, obviously write a lot of checks. I have an elderly uncle who had to pay an extra bank fee for writing more than two dozen a month, which seems weird to me.

Poor people with serious legal / financial issues are unbanked and mostly go pure cash. There's a whole industry grown around ripping off those people when they try to interface semi-legally with the financial system. This is probably less than 1/4 the population. Like if you owe child support or a court judgment, all your electronic money will simply disappear, but not your cash, leading to some peculiar behaviors.

[72deluxe]

Wow, this sounds insane. Here in the UK they have recently improved the electronic transfer system so that money appears in the other account (clears) in 2 hours or less (practically instantly for accounts at the same Bank). I do not know whether large bank transfers using BACS or CHAPS incur a fee but most people happily send money to other people electronically as few people have cheques anymore. The banks seem to have stopped issuing cheque books, and no shop that I know of will accept them, so it effectively killed cheques. The older generation probably struggle without them.

They have recently pushed out the mobile payment system called PAYM (someone obviously got paid a fortune to think of pay + mobile, eg. pay + m ... . . paym) where you can send money to anyone else with their mobile number. They need to have registered their mobile number with their bank for this to work (and not all banks have signed up to the system) but it should make sending money really easy.

People seem to use Paypal a lot for sending money around but they're greedy with fees so I am keen for this PAYM system.