While I'm willing to believe banks are very security minded in terms of their core infrastructure, banks do not appear to be with regards to their customer access and usually seem to move very slowly to secure that end of things.
Hell, many/most of these large institutions seem to still only support SMS for 2FA and even that's a relatively recent introduction to actually mandate.
Which is to say, I expect banks to be about the very last significant account you use to mandate this technology (if it takes off), not the first.
As the parent pointed out, banks don't care about customer access or even customer security per se. They care about not getting fined or accused of not being "as secure as possible." You and I know that using SMS for 2FA is a non-great idea. Banks mostly know it too. The reason they continue to use it is because regulators will not ding them for using it, and there's currently no better alternative that the average muggle customer can handle.
One of the banks I work with had 2FA fobs since the beginning of the 2000s. Now they have the same "fob" as an app on the phone, and using it is mandatory IIRC.
Most banks lock your phone access to your IMEI + phone model + some phone-specific data, so people knowing your details can't log in without your phone. The web side needs 2FA or special activation depending on the bank.
Forgot your password? You need your biometric ID and your actual face to match at that very moment to make that work.
These are by regulations, yes, but this is very far from a "security theater".
Yes, I understood what the parent post tried to say, and just wanted to provide a counter example which is not a security theater in its nature.
Ah, also the same bank doesn't send SMS anymore. Everything arrives in their app. They only fall back to SMS if the app fails to acknowledge receiving the notification, which happens once a year?
Also, banks do not mail financial information by default to prevent wiretapping by 3rd parties.
Email, unless you encrypt it yourself, is not encrypted at rest. This means any mail server or relay which your email lands on can be openly mined and analyzed transparently, and without any evidence (which is how GMail works, BTW).
If you're sending sensitive financial information over the mail, it can be read, classified, tied to you and be used against you if required.
So, we have a directive to not email anything financial to the recipient by default.
If banks were security minded for their customers they would have enabled read only app passwords 15 years ago. Instead, they made it unsafe to use third party software with their online banking front ends to deter you from owning your data.
U2F is starting to take off, thankfully. I'm worried about what happens if it gets lost/stolen/mugged and the token is gone, but at least no SS7 attack.
If Google wants to force WEI to become common, all they really have to do is mandate that sites have to implement WEI in order to be listed in their index.
I absolutely agree. I was making the case for how Google could manipulate a theoretically-resistant banking industry.
I get banking is regulated from a variety of directions. However, the path of lobbyist influence->federal manipulation is so well worn it impacts many (probably most) exertions of power.
Are you saying the outcome of previous antitrust cases (especially against big tech) hurt those businesses sufficiently that they act as a deterrent? It doesn't look that way from my position here in the peanut gallery.