What do you think is more secure- a complicated password or a 4-digit pin?
Watch as Mike Slaugh from USAA Financial Crimes Prevention shares how multi-factor authentication can provide an extra layer of security to your accounts.
Learn more at usaa.com/securitycenter
Forward all "fishing" attempts to email@example.com I get them almost weekly now. First hint: Member number msiing in upper right corner. Contact information missing on bottom of email. Otherwise, they look pretty convincing. Never click any link and delete right after forwarding!
I would appreciate a collaborative approach involving information sharing when such an email Is forwarded. A response indicating the actions taken, source IPS, or as close to source as could be identified, and the precise purpose and techniques being used should we have fallen for it rather than forwarded to abuse. Even just a response with an ID that categorizes your phish into a group of the exact same ones reported and a smaller central database accessible to USAA members would work. As they say, knowledge is power, and this type of information could be used to help protect others and allow knowledgeable USAA members to investigate with that information in a crowd sourced type of way that would provide more resources than would be reasonable for USAA to supply on its own. Thoughts? Roadblocks?
I already do multifactor authentication using my cellphone. However, an even stronger authentication is possible using a physical security key like Yubikey that uses FIDO2 or U2F public standards. These keys are nearly foolproof and extremely easy to use. I already use a security key for one of my other financial institutions. Does USAA plan on supporting these keys anytime in the near future?
Like DewClaw, I'm interested in knowing if adoption of YubiKey is on USAA's roadmap ?
Thanks for your comment. We absolutely appreciate your partnership and support in using multifactor authentication. USAA believes this is the best approach in preventing fraud. While we don’t have a FIDO option for our members, we are continuously exploring new, enhanced methods to bridge security and simplicity together. Thanks again for your input.
@Jasg27, Thank you for your comment, I have reached out to the Security team with your suggestions.
Seems like getting a code in a text message would be even stronger than a PIN?
USAA previously implemented MFA with a stand-alone app that generated a one time PIN. That's been replaced with a pin generator buried deep in the USAA app or with a text message. The former is very inconvenient and the latter the least secure method of all. Does USAA have plans to improve the functionality of the app and do away with texts? USAA used to be a technology leader. This is a huge step back. It seems to me that using an existing authenticator such as Authy would be an immediate improvement.
I agree with Jasg27 regarding information sharing. When I forward a phishing email, I'd like to know what USAA's next steps are, if any.
I'm proud that USAA has led the financial industry in supporting interfaces to crypto exchanges (Coinbase).
Now please, please, observe the strong lessons learned in the crypto world that "SMS 2FA" (sending passcodes via text messages) is not very secure at all, due to the ease of a SIM port hack at the cell phone provider. USAA should use Google Authenticator instead which is a good intermediate and practical step before going all the way to hardware keys--which would also be a good idea to offer for high value accounts.
Just google "why sms 2fa is bad" for many articles on this topic, such as https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517...
Sorry, but I am confused......don't we use PIN plus "coin" already on the computer.....and what about using our phone?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.