Julie Ng

Secure my money. But let me spend it too.

Being an expat and self-employed means I have had more bank accounts and credit cards than I actually want or need. On the other hand, it has also given me opportunities to compare banks, systems and see what works. And what doesn’t.

Before I moved to Germany I only knew the U.S. system and it felt normal and right to me. My first German bank account didn’t have online banking. My next one did but came with paper. Paper? Doesn’t that defeat the purpose of online banking? 

Well, no. In fact, I learned to stop worrying and love paper, the second piece of two-factor authentication for security. Be it paper or a text message, over the years I upgraded by leaving the U.S. banking system. Every now and then, however, I still trip over them, via credit cards like VISA and MasterCard, which I feel are not as secure as my German bank accounts.

U.S. Banks - SiteKeys and how the teddy bear will keep you safe

My experience with U.S. banks and security involves pictures and a phrase, which supposedly let you know the page is authentic. From Bank of America’s FAQ:

It helps you know it’s really us - when you see your SiteKey, you can be more confident you’re at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site…

It helps us know it’s really you - we display your SiteKey when we recognize the device you are logging in from. If you don’t sign in from the device you told us to recognize, we’ll ask a challenge question.

Feel safe? 

Sorry, I am not impressed.

German Banks - Two-factor authentication with TANs

Google’s Matt Cutts wrote a great post about two-factor authentication and securing your Gmail account, potentially the gateway to all your financial information. While the idea of receiving one-time-use PINs via text message may seem foreign to Americans, Germans have been doing it for ages.

When I first moved to Munich in 2007, I laughed at the TAN block with a thousand codes that I had to enter with every bank transaction. Paper and an extra step? How old-fashioned and what a pain. Over time, it became an automatic part of my workflow. Then I switched to mobile TAN and it became even quicker. I could even wire money from my office computer if I had my phone with me.
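What separates a TAN from a reusable password is that each code authorizes exactly one transaction. The sketch below is an added example, not part of the original post and not any bank's actual implementation: it assumes a classic paper list where any unused code is accepted once, and the class name, code length, list size and lockout threshold are all hypothetical.

```python
import hashlib
import hmac
import secrets


class TanList:
    """Server-side state for one customer's paper TAN sheet (hypothetical model)."""

    def __init__(self, count=100, digits=6, max_failures=3):
        self._key = secrets.token_bytes(32)   # server secret; only keyed digests are stored
        self._unused = set()
        self.max_failures = max_failures
        self.failures = 0
        self.printed = []                      # the sheet that is mailed to the customer
        while len(self.printed) < count:
            tan = f"{secrets.randbelow(10 ** digits):0{digits}d}"
            digest = self._digest(tan)
            if digest not in self._unused:     # skip the rare duplicate code
                self._unused.add(digest)
                self.printed.append(tan)

    def _digest(self, tan):
        return hmac.new(self._key, tan.encode(), hashlib.sha256).digest()

    def authorize(self, tan):
        """Return 'ok', 'rejected' or 'locked' for one transaction attempt."""
        if self.failures >= self.max_failures:
            return "locked"                    # too many bad guesses: sheet must be reissued
        digest = self._digest(tan)
        if digest in self._unused:
            self._unused.discard(digest)       # consume it: one TAN, one transaction
            self.failures = 0
            return "ok"
        self.failures += 1                     # wrong or already-used code
        return "locked" if self.failures >= self.max_failures else "rejected"

    def remaining(self):
        return len(self._unused)


def demo():
    sheet = TanList(count=10)                  # constructed sample sheet
    first = sheet.printed[0]
    # A captured TAN is worthless after use, unlike a captured static password.
    return [sheet.authorize(first), sheet.authorize(first), sheet.remaining()]


if __name__ == "__main__":
    print(demo())
```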

ING’s extra step

On the ING DiBa online banking site, after entering your login credentials, there is a second authorization screen asking for certain digits of a PIN:

Instead of an input field, however, you come across a number pad which you have to actually click with your mouse (or tap on your touch device). Just a guess on my part, but this probably is an extra layer of security that prevents automated hackers from coming in.

These two clicks make me feel safer than a SiteKey or second password, like the ones I have to enter when making purchases online.

Credit Cards: Two passwords and a broken system

Visa and MasterCard both use a 2nd password to protect your credit card from fraudulent use online.

Verified by Visa - FAIL

Living in Germany, I don’t use my credit cards often. When I do it is often for online purchases that don’t do EC Lastschrift (direct debit purchase from my bank account). Or like this morning, I wanted to pay with a credit card so my item would ship faster. But I got stuck on this Verified by Visa screen:

In English, basically it says I need to enter my current passcode and a new passcode twice (zweimal). So I am expecting three total password fields, but I only see two. I tried various combinations of entering or not entering various passwords and gave up after 3-4 tries - before I lock myself out of my account. So instead of paying with my business credit card, I used my personal card, a MasterCard.

MasterCard SecureCode - at least it lets me spend my money

So then I realized I didn’t have the “SecureCode” saved in 1password (or maybe I never used this before). So I had to go through another level of security by entering some more information:

I’m not convinced the system is actually secure, however. Why? They ask me for my:

  • Credit card expiration date: I assume a hacker has this already
  • Birthday: easily found online
  • Bank account number: maybe they have my credit card because they stole my wallet, in which case they probably have my debit card too. And my account number is on that as well.

I feel the TANs are safer because they’re at home, so that the hacker must also be a burglar to get my money.

But isn’t an alphanumeric password safer than a numeric PIN?

Theoretically, yes. But the system is broken. Either I don’t need to change that password EVER or I have to change it often but the technology won’t let me.

I personally prefer a one-time number that is physically with me, either on paper or via text message, to the change-your-password-every-x-days/months fiasco that is too complicated even for this tech-savvy college graduate.

Would it work in the US?

TANs work in Germany because the German Post is much stricter about addresses. Names have to match exactly or mail will not be delivered. Identity verification by post is safer here.

In my experience in Boston, mail was often stuffed into our box if the mailman could not find a match elsewhere in the building. It was like “Ng” is so weird that it basically meant “everything else”. Or mail was just tossed on the ground.

Visa and MasterCard are U.S. companies and stuck in the backward American financial ways. I mean seriously, this American admits she initially laughed at paper TANs and then one day, this came in the mail:

Checks?! How before I was born.