Blog / Defense-In-Depth / Fake It Till You Make It: Canadian Bank Multi-Factor Authentication Edition

Fake It Till You Make It: Canadian Bank Multi-Factor Authentication Edition

Multi-Factor-Authentication. 2 or more distinct of I AM. I HAVE. I KNOW. Much strength. Little cost. You would think *money* would be the first thing that had multi-factor, no?

A few years ago I wrote of the trials and tribulations of trying to get a Canadian Bank to give me multi-factor. TL;DR: for some transactions you can get a SecureID fob, but not for all, not for login. And, you can recover the password of a file w/ the last balance, so the login is enough to totally destroy all defenses.

So it was with some excitement that i saw that the Royal Bank of Canada had implemented a push-based multi-factor using their mobile App. Except… it neither works, nor is secure. It is what I would refer to as “Security Theatre”.

First, the doesn’t work. It will not send me a notification. No chirps, not a beep. Android 12, Pixel 4. So, when you try and login to the web site using the desktop you get this first message:

Seems promsing. But, I did not get the notification. Am i blocked? Wait, no? What are my options then? Surely it cannot be to just flat out bypass the multi-factor authentication, can it?

Of course it can. Any attacker that can get the first factor can simply bypass the second factor by saying “no thanks”. They then get this option (below).

OK, um, resend. I guess that is ok. As long as there is some limit to avoid e.g. a DoS attack.

Send a text message? I am not a fan of SMS, its not secure, but i guess its better than nothing, it would prove *someone* owned a sim card or knew how to hack SS7/SS7. So a bit better than nothing, a last resort.

But what’s this? A drivers license or passport? My passport was scanned in quite a lot of world hotels and airports. Its not “Something I Have” and its not “Something I AM”. Its “Something I and thousands of other people know”. Remember a few years ago when Starwood hotels was breached? And Marriott? Yeah, well, that data is permanently out there.

To add insult to injury, the “Personal Verification Question”. This is not a second factor. I’ve written about this before. You honestly think the name of my first high school is an inherently unknowable property of the universe?

So what is the intent of this “fake” multi-factor authentication system? It seems its to make things seem more secure, without actually doing anything. An item in a brochure saying “RBC has multi-factor”. But in practice, its just an irritant to the real users, and nothing much to the attackers.

Why is it in 2021 my Github, my Gmail, is more secure than my Bank? Google plans to roll this out by default to billions of people, is the average ability of those people less than the average bank customer?

Fix this. You collect $B in fees. Your profit keeps going up. When the breach occurs, you will blame me somehow, with your army of lawyers and agreements. But it was you that put this house of cards in place.