Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
Latest Breaking News
Editorials & Other Articles
General Discussion
The DU Lounge
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
General Discussion
Related: Editorials & Other Articles, Issue Forums, Alliance Forums, Region ForumsMFA-optional banks leave safe doors (and accounts) wide open for thieves to pillage - The Register
One day in May, Mom got a call from the institution that runs her retirement savings account, who had identified a suspicious transaction and asked her if it was legit. She said no and they immediately protected her account.
Then she checked her bank account at a different institution to see if it was compromised and found thousands of dollars transferred out of her checking and savings accounts. The thieves knew exactly how much they could withdraw each day, and used both withdrawals and transfers to a strange account. But the financial institution hadn't flagged the fraudulent activity.
The thieves were so slick that they broke into her Gmail account and created spam filters to filter any mail from her bank or retirement savings provider to the trash so she wouldnt get alerts about the transfers or about the fake accounts they made in her name.
She spent hours on the phone reporting the theft to an unhelpful and incredulous fraud department who asked Are you sure a relative didnt do this?
We dont know for certain how the crims got into my moms accounts, but we know she used the same or similar passwords on all of her accounts, and at least one of her accounts was part of a data breach a few years ago, so that info was probably available somewhere online. The miscreants then could have used this info to get into her retirement account, her bank, and her Gmail.
None of this would have been possible if she had MFA enabled on those accounts, but neither Google nor her financial institutions require it.
Many consumers assume every bank requires 2FA, but that's not the reality, said Gregory Shein, CEO of Nomadic Soft, a SaaS company that serves fintech clients. Some financial institutions still treat it as an optional feature because they're balancing security against friction. Every extra login step can reduce conversions, increase support tickets, and frustrate less technical customers.
Then she checked her bank account at a different institution to see if it was compromised and found thousands of dollars transferred out of her checking and savings accounts. The thieves knew exactly how much they could withdraw each day, and used both withdrawals and transfers to a strange account. But the financial institution hadn't flagged the fraudulent activity.
The thieves were so slick that they broke into her Gmail account and created spam filters to filter any mail from her bank or retirement savings provider to the trash so she wouldnt get alerts about the transfers or about the fake accounts they made in her name.
She spent hours on the phone reporting the theft to an unhelpful and incredulous fraud department who asked Are you sure a relative didnt do this?
We dont know for certain how the crims got into my moms accounts, but we know she used the same or similar passwords on all of her accounts, and at least one of her accounts was part of a data breach a few years ago, so that info was probably available somewhere online. The miscreants then could have used this info to get into her retirement account, her bank, and her Gmail.
None of this would have been possible if she had MFA enabled on those accounts, but neither Google nor her financial institutions require it.
Many consumers assume every bank requires 2FA, but that's not the reality, said Gregory Shein, CEO of Nomadic Soft, a SaaS company that serves fintech clients. Some financial institutions still treat it as an optional feature because they're balancing security against friction. Every extra login step can reduce conversions, increase support tickets, and frustrate less technical customers.
https://www.theregister.com/security/2026/07/05/mfa-optional-banks-leave-safe-doors-and-accounts-wide-open-for-thieves-to-pillage/5266161
2 replies
= new reply since forum marked as read
Highlight:
NoneDon't highlight anything
5 newestHighlight 5 most recent replies
MFA-optional banks leave safe doors (and accounts) wide open for thieves to pillage - The Register (Original Post)
justaprogressive
Monday
OP
bucolic_frolic
(56,497 posts)1. That's true, the industry is far behind
There are authenticator apps but maybe 25% of banks have never heard of them. 2FA can be a text, a call, or questions that customers authorize.
It's advisable by some to keep 2 checking accounts at different banks. It's a whole world of pain when your only account is inaccessible for weeks.
indusurb
(382 posts)2. This is why I do no online banking
No online accounts, no passwords to hack, if online thieves want to get into my bank they are going to have to hack the bank itself, not just my account.
Online financial activities are all great and convenient, but you are trading security for convenience, and when it comes to money I opt for security.