Online bank security

[Flintomatic]

Hello,

I recently decided to open an English-language bank account in Japan and so I searched for related posts on these pages and found plenty of useful information. I ended up going with Sony Bank, the setup was easy and smooth and everything seems to be going fine.

However, I was surprised to learn that there’s no option to set up 2-factor authentication (2FA) for logging in. The login process requires entering only your account number and password (which couldn’t even be created using special characters, only numbers and letters).

I contacted the bank and they confirmed that there’s no 2FA at login, nor is there any plan to introduce it.

It’s true that once you’re in your account, performing transactions or changing any settings within your account *does* involve inputting another password and/or using a small device which they sent that generates a one-time user code. But still, the very simple login process offers access to a LOT of personal information, including your address, account details, and transaction history.

The only way to know if someone has accessed your account is by checking the “last logged in” entry, but by that point it would of course be too late.

So I’d like to ask a couple of questions if anyone would be so kind enough as to offer up their opinion:
1. Do you find it surprising that there’s no 2FA login for this online bank?
2. Do other Japanese online banks require 2FA at login? (keep in mind that some might only have asked for it the first time you logged in after you let the bank “remember this device”)?

Thanks very much for your time.

[deezy]

Prestia SMBC offer 2FA as an option which I use as the password only allows you to use letters and numbers and no symbols.It's the same device that generates a one time user code.They also have biometric login on mobile devices
Shinsei have a matrix card that they give you coordinates for and you have to change the password if you don't log in at least once a month.
it does surprise me that you're not given the option at least. I wouldn't want to use a bank that doesn't have a high level of security.

[RetireJapan]

Shinsei have a matrix card

Shinsei scrapped the cards a couple of years ago: now you use an authenticator app for transactions. Login is just simple username and password though.

[beanhead]

No 2FA for logging in but needed for transactions seems to be the norm here.

[captainspoke]

...
Shinsei scrapped the cards a couple of years ago...

Hmm, I used that card (admittedly ancient) just the other day.

And tho I get occasional suggestions to change my password, I haven't gotten any prodding to switch to an app.

[Teflon]

...
Shinsei scrapped the cards a couple of years ago...

Hmm, I used that card (admittedly ancient) just the other day.

And tho I get occasional suggestions to change my password, I haven't gotten any prodding to switch to an app.

That's odd. I don't use the matrix card or an app. When I do a money transfer with Shinsei, it prompts me to input a temporary 4 digit code sent to my phone as an SMS message. This change was introduced after Shinsei was bought by SBI. Prior to that I used the matrix card, but I definitely prefer using a code sent to my phone. It's just easier.

[Flintomatic]

Thanks for the replies. Interesting. I do find it strange that some of the banks here seem to give little protection to personal data. Even services like Netflix offer 2FA!

[PaulP]

Yes the banks seem to secure the transaction better than the account access. I have an account with a bank I will not name, that if you know my branch and account number the only thing standing in your way of accessing my account is a four digit pin. it's shocking. However you have to use a mobile app to authenticate a transaction so apparently they think that is enough.

You mentioned you use Sony Bank, I am a customer of that bank too. Security seems adequate but as you mentioned, I get no sense they intend to add any additional features ever to the English language version of the banking app. What I did find is if you access the Japanese side you can login and it has more features like the ability to download you transactions in Excel. I just wish they would add Pay Easy so I could pay my taxes through this account and then get rid of the less secure account I only use for that purpose.

[CluelessToshika]

...
Shinsei scrapped the cards a couple of years ago...

Hmm, I used that card (admittedly ancient) just the other day.

And tho I get occasional suggestions to change my password, I haven't gotten any prodding to switch to an app.

That's odd. I don't use the matrix card or an app. When I do a money transfer with Shinsei, it prompts me to input a temporary 4 digit code sent to my phone as an SMS message. This change was introduced after Shinsei was bought by SBI. Prior to that I used the matrix card, but I definitely prefer using a code sent to my phone. It's just easier.

Another option is to set it up to use the Symantec "VIP Access" 2FA app thingy, which allows you to confirm transactions on your phone via that app (not the Shinsei app). Has the advantage that it works wherever you have internet access (but not necessarily phone, a situation I've found myself in occasionally).

[banders]

True. I never really thought about it. I used to use the same password for everything (I know) but now I use the random password my Apple devices suggest, which is a long combination of lower and upper case and symbols. To hack those by brute force would be impossible, I reckon.

I’ve had cases where the OTP doesn’t arrive for a long time. That can be annoying. Last had this with Wise when I had to authorize my new device and the code didn’t arrive until after the time limit for entering it.

None of this is any use if your details are hacked from the server, of course. You get warnings if your passwords appear in a (known!) data leak, but you have to go look at the list in System Settings to see it.

In the last few years, I think three times we’ve had unauthorized purchases on credit cards where our details have obviously been hacked. Luckily the CC company phoned to confirm so we could stop them. We had to order new cards, though.

So, yes, I would use the option if it was available.