What the title says. Before, you had to choose either SMS / call via phone or a very clunky code grid.

  • axby
    9 months ago

    Unfortunately I think this is the norm with big banks in Canada, and it is similar to a credit union in the US from when I briefly lived there. Security seems to be a second priority to people losing access (presumably only briefly, since they have brick and mortar locations everywhere).

    Wealthsimple and Questrade seem to support TOTP but I’m not sure if you can still bypass it with SMS. I don’t think so but I haven’t dug into it.

    I’ve used CIBC before and they also seem to require keeping SMS 2FA enabled. Also they send me fraud alerts over SMS, “respond Y to authorize this suspicious transaction”, and I’m dreading the day where I have to enable roaming while travelling just to send a text. They send push notifications through the app to login on a new device though, so maybe in 10 years they’ll do it for transaction approval too.

    Also aside about TD: is there really no way to download a CSV file of all your transactions? My partner uses them and I think we were limited to 18 months, and may have even had to download each month separately (luckily I can use a program like cat to work around this, but that seems like a pain for most people). CIBC has irritated me in a lot of ways but I think I can download transactions from back to 2012 when I first opened my credit card, maybe earlier.

    Do you or anyone know about other big banks? My partner and I are looking into a joint account and I want to be able to download all transactions to CSV. Ideally we could get TOTP only (no SMS 2FA) but I’m not counting on it.

    • rinze@infosec.pub (OP)
      9 months ago

      Wealthsimple and Questrade seem to support TOTP but I’m not sure if you can still bypass it with SMS. I don’t think so but I haven’t dug into it.

      Questrade allows TOTP, SMS and some other methods, but you can select which ones you want to enable. I have only TOTP and it works as expected.

      • axby
        9 months ago

        Thanks, I suspected this (I only see “authenticator app” when I log in on a new device or periodically), but I wasn’t sure.

        Related: for finance related services like Questrade, I’ve stored my TOTP keys on a U2F key, Yubico in my case. Besides the hassle of managing physical keys, is there any drawback to this approach? I’m slightly worried I’ll lose all my keys in a house fire or something, but I assume there’s a recovery option.

        • rinze@infosec.pub (OP)
          9 months ago

          That I don’t know. I store the TOTP keys into an app on my phone and into a separate KeePass DB that’s different from my regular one. Two copies of that is good enough to let me sleep at night.

    • jadero
      9 months ago

      Over the years, I’ve been with all the big Canadian banks and a couple of different credit union networks. They’re all trash, in my opinion. I’ve sent security notices to all of them and never had a response, nor any evidence that they addressed the problems. TD just happens to be the place we landed after giving up on everyone else.

      As for transaction downloads, I couldn’t tell you. I gave up on ever having access to my data, so I just record it manually.


      Security notice examples:

      TD was running their SSL/TLS in a way that made them vulnerable to downgrade attacks.

      A credit union finally upgraded their login page to allow a real password instead of just a 6-digit PIN. It took repeated complaints and some customer lobbying to get that, but the new page also blocked access to pasting and autofill, negating the utility of a password manager.

      • axby
        9 months ago

        Ah, I hadn’t heard of the SSL issue, thanks for sharing!

        I’ve noticed that Tangerine only allows for a 6 digit pin, but I think they might also allow for a security question and SMS 2FA? I started signing up with them and gave up when they required a Canadian cell number (I hadn’t yet switched due to high costs, but recently they’ve become surprisingly reasonable—ignoring roaming) and I saw the 6 digit pin password requirement.

        I think it was also BMO that a friend told me required a maximum 8 character password until very recently?

        Anyway overall, thanks for reassuring my suspicion: I should just pick one of the banks and not let “perfect” (or even “decent”) be the enemy of “almost adequate but not great”.

        • jadero
          9 months ago

          Also, for what it’s worth, TD is not just the only bank I know of, but the only website I know of that allows for a user-generated username to be used for login. My TD username was generated by the password generator of my password manager :)

          So they don’t get it all wrong.