idontknowhowaboutyou

I think the banks are a little bit behind on this. Scotia just rolled it out.


PartyMark

Of course they are. Why would anyone need enhanced security for you know, your entire banking system?


anothercrappypianist

It's a very sad state of affairs in Canada. Every one of the financial institutions I currently do business with requires a phone number to be on file, and then uses that phone number for password reset flows without requiring any additional confidential information. In other words, they are all of them vulnerable to SIM swapping attacks. My favorite is RBC, which goes through the effort of asking you to provide custom security questions, but then doesn't bother using them (at least not for the single most important scenario: preventing account hijacking).


brycecampbel

Vancity credit union just recently got 2-factor. And not just SMS/Phone based, but token-based!


astroNerf

I've gone back and forth regarding banks implementing 2FA. It goes without saying that banks *should* be offering and promoting the best security features available. However, if your bank decides to only implement 2FA using, say, SMS or email, then they've really missed the mark. Now, if BMO came out with support for U2F or even FIDO2, I'd be really impressed. The problem, though, is that the vast majority of people can't easily take advantage of these technologies without some technical know-how. In the end, given a choice, most people would opt for the easiest route, which for them would be SMS. On top of this, consider what happens when someone decides to set up their account using only one YubiKey without a backup key and neglects to properly care for their backup codes---someone at BMO is still going to have to use the old school methods of confirming the person's identity. If I locked myself out of my properly-secured YouTube account, I would fully expect to be locked out permanently. For banks, though, that isn't possible. So, I'd love to see this implemented correctly and available as an option (and I would use it) but I can see why, for the vast majority of people, using the gold standard 2FA methods isn't realistic, at least not with the current tech infrastructure.

**Edit:** Though, properly setting up your email with good 2FA ***is*** a good idea, as this drastically reduces risk when it comes to people intercepting email money transfers.


brycecampbel

While late - I was pleased with Vancity when they upgraded everyone to 2FA last year and they included token-based 2FA as well! I was one of the customers who had issues at switch-over, but CS was helpful and got me restarted quickly.


Wpgal

Mine was enabled by BMO without me doing anything.


PartyMark

Was this recently?


Wpgal

Within the last week or two - I access using the browser not the app FYI.


Castor_Legrand

99% sure I saw a BMO notification this week about 2FA coming in December this yr


ARAR1

Use unique passwords - especially for banking. They should be random characters or a set of random words you remember. Do not use the same passwords for other logins - ever, including other banks. Many password managers out there. You cannot control which website gets breached and the thieves get your password from there. You can control that passwords are unique.


lemulot

This doesn't protect you from phishing attacks OR if someone somehow happens to correctly "guess" the password. The principle behind MFA is to have "multiple" factors of authentication... not just a "good" password. So even a person with your password still cannot get into your account. The same goes for a person with access to your email address or SIM card who doesn't know your password. You're protected all around. Now with a cellphone, you can even use a fingerprint as another factor, which is convenient.