Ethical Hacking News

MFA-Optional Banks Leave Safe Doors Wide Open for Thieves to Pillage



MFA-optional banks leave financial institution clients vulnerable to cybercrime, leaving millions at risk due to a lack of multi-factor authentication measures. The author shares his personal experience with MFA-optional banks, highlighting the importance of implementing strong security measures.

  • MFA-optional banks leave millions of clients at risk due to lack of multi-factor authentication measures.
  • The convenience of not having MFA can lead to a false sense of security, putting clients' accounts at risk.
  • Many financial institutions still treat MFA as an optional feature because they are balancing security against login friction.
  • The author's personal experience with an MFA-optional bank resulted in $30,000 being stolen from his mother's account.
  • Other experts agree that convenience can come at the cost of security, but also acknowledge concerns around friction.
  • MFA is not foolproof: weaker forms such as one-time passcodes sent by SMS or email can be defeated by social engineering, for example by obtaining a SIM card with the victim's phone number.
  • Passkeys with cryptographic key pairs are considered a more secure MFA method than one-time passcodes (OTPs).
  • The consequences of MFA-optional banks can be severe, with some clients not getting their money back if it's stolen.



    The security landscape of financial institutions has been exposed as a major vulnerability, leaving millions of clients at risk due to the lack of multi-factor authentication (MFA) measures. MFA-optional banks have become a haven for thieves, enabling them to pillage their clients' accounts with relative ease.

    Financial institutions are putting their clients at risk in the name of convenience. Many consumers assume that every bank requires 2FA, but this is not the reality. Some financial institutions still treat it as an optional feature because they're balancing security against friction. Every extra login step can reduce conversions, increase support tickets, and frustrate less technical customers.

    The author, Avram Piltch, had a personal experience with MFA-optional banks when professional thieves invaded his 84-year-old mother's entire financial life and managed to make off with $30,000 from her bank accounts alone. The thieves knew exactly how much they could withdraw each day, and used both withdrawals and transfers to a strange account. But the financial institution hadn't flagged the fraudulent activity.

    The author attributes this in part to his mother using the same password in multiple places, which left her wide open to exploitation. However, her bank's lack of a required second authentication factor also contributed. The bank doesn't let you transact without a password, and it doesn't issue an ATM card without a PIN, because it knows there has to be a required minimum level of security.

    Andrew Shikiar, CEO of the FIDO Alliance, an industry association that advocates for stronger login security, agrees that convenience can sometimes come at the cost of security. "Different segments of the population adopt technology faster or slower. If I'm a bank, I have to consider that very closely because I don't want to lose any banking relationships." He also believes that there are concerns around friction that have held some banks and other service providers back from pushing this more aggressively.

    According to Microsoft, MFA prevents 99.9 percent of attacks on your accounts. However, other experts say this number is exaggerated. Some types of MFA, such as issuing a one-time passcode via an SMS message or an email, are inherently flawed. A determined thief can use social engineering to get a SIM card with your phone number on it, then get to your texts.

    The right way to do MFA today is with a passkey. Passkeys are cryptographic key pairs where there’s a private key on the user’s device and a public key on the server. To access the key on the device, the user must either enter a PIN, touch a physical security key like a Yubikey, or enter a biometric login such as their face or fingerprint.

    Despite these benefits, many banks are sticking with their OTPs. Some banks may be using better MFA only within their mobile apps. For example, when the author went to set up MFA for a family member's account with US bank Chase, using its website, Chase offered the chance to receive an OTP via email, SMS, or a phone call.

    Gregory Shein, CEO of Nomadic Soft, a SaaS company that serves fintech clients, believes that many consumers assume every bank requires 2FA. However, he also notes that some financial institutions still treat it as an optional feature because they're balancing security against friction. He says that there are concerns around friction that have held some banks and other service providers back from pushing this more aggressively.

    The consequences of MFA-optional banks can be severe. The author's mother was lucky, as she got her $30,000 back after spending hours on the phone reporting the theft to an unhelpful and incredulous fraud department. However, many people will not be so fortunate. According to a 2019 article from Microsoft, if you have money stolen from your bank account, there is no guarantee that you will get it back.

    The Consumer Financial Protection Bureau notes that you have 60 days from the date of a bank statement to dispute any transactions. The bank also has 45 days to investigate, unless your bank account was just opened in the last 30 days or the fraudulent transactions took place outside the US.

    In conclusion, MFA-optional banks leave safe doors wide open for thieves to pillage. Financial institutions are putting their clients at risk in the name of convenience, and it is essential that they take stronger measures to protect their clients' accounts.






    Related Information:
  • https://www.ethicalhackingnews.com/articles/MFA-Optional-Banks-Leave-Safe-Doors-Wide-Open-for-Thieves-to-Pillage-ehn.shtml

  • https://www.theregister.com/security/2026/07/05/mfa-optional-banks-leave-safe-doors-and-accounts-wide-open-for-thieves-to-pillage/5266161


  • Published: Sun Jul 5 10:41:30 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
