1 - 20 of 69 Posts

·
Registered
Joined
·
4,416 Posts
Discussion Starter · #1 ·
Seems BMOIL are modifying their 2FA verification process. See email below.
I have some concerns about just how this will work.
  • They say they will send a code to our phone. The only phone listed with them is our home landline. Will they call that number with an automated code? Or will they text assuming everyone has a smart phone?
  • If we assume it will be an audio phone call, then what happens when we are away from home? They say to call them for a code. We would first have to find a public or hotel phone and that would only work 5 days a week during business hours.

We do have a pay as you go emergency phone, but it does not work in USA nor at areas with poor cellphone coverage.

Do any of the other brokerages have satisfactory 2FA access for those who do not use cell phones?

PS: Interesting that checking phone number cannot be done with the new Investorline 2.0 platform - they say to use the original site.
The security of your BMO InvestorLine account is our top priority. That’s why we work hard to bring you the fast, convenient online investing experience you’ve come to expect, while applying advanced security measures to protect your financial details.
To increase the security of accessing your account(s) online, as of October 13, 2021, BMO InvestorLine is retiring challenge questions as a two-step verification method. Instead, a one-time verification code process will be used as the only method for two-step verification. When prompted, this method will require you to enter the one-time verification code that is sent to your phone, to allow you to access your account.
To ensure we have your correct phone number for your two-step verification please follow the below steps:

1. Sign-in to your Self-Directed account(s)
2. If you are using the 2.0 experience, click on Original Site in the top left-hand corner
3. Then select Security Settings under Account Services
4. Click Edit under two-step verification
5. Review or update the phone number(s) listed and click Save
If you have any questions, or if you are not at the phone number listed for your two-step verification and need a code, then please contact us Monday to Friday between 8 a.m. to 5 p.m. ET at 1-888-776-6886. A BMO InvestorLine representative will be happy to help.
 

·
Registered
Joined
·
7,145 Posts
Seems BMOIL are modifying their 2FA verification process. See email below.
I have some concerns about just how this will work.
  • They say they will send a code to our phone. The only phone listed with them is our home landline. Will they call that number with an automated code? Or will they text assuming everyone has a smart phone?
  • If we assume it will be an audio phone call, then what happens when we are away from home? They say to call them for a code. We would first have to find a public or hotel phone and that would only work 5 days a week during business hours.
... yes on the landline question. Don't think they'll "text" if they didn't specify this. Have an answering machine to receive the code and access the code from your answering machine (which you can replay).

We do have a pay as you go emergency phone, but it does not work in USA nor at areas with poor cellphone coverage.
... see above with answering machine as I seldom use my cellphone (or only for "real" emergency purposes).

Do any of the other brokerages have satisfactory 2FA access for those who do not use cell phones?
... can't answer since I don't do banking with cellphone.

PS: Interesting that checking phone number cannot be done with the new Investorline 2.0 platform - they say to use the original site.
... BMOIL can do the conversion to version 2 for me as I ain't doing their work.
 

·
Registered
Joined
·
12,135 Posts
Most financial sites I deal with now have 2FA engaged. BMOIL is the last major one for me and I am looking forward to better login security. Yes, I have a mobile with texting ability and my account credentials in all instances use my mobile number for 2FA. Using my landline for a 'home number' has not made sense to me for some time. If I have a major issue when I am away, that is where I want texts to go.

Some, like Scotia, still allow a 'trusted device' option so that the cookie allows login without going through 2FA. That is highly convenient when I login to Scotia from my home laptop which is 95% of the time. The rest of the time I really do want 2FA to my cell engaged as a security measure.

But for a similar reason, I do not have banking apps on my mobile so that if the app is compromised, I don't want 2FA going straight back to that phone!!

OTOH, some FIs provide you with an option to send 2FA to email rather than SMS text and I use that option rather than text sometimes.

Added: I have no idea why it is taking BMOIL years to morph to a full 2.0 website format.
 

·
Registered
Joined
·
4,416 Posts
Discussion Starter · #4 ·
... BMOIL can do the conversion to version 2 for me as I ain't doing their work.
Thanks for the input. I have asked them the same questions, so will see what they say.
We do have Ooma and it will record a voicemail message IF they leave one. We can access that by internet from wherever we are. Maybe others could too!

Re the 2.0 conversion. They told me that it will now only be required by May of 2022, but the Investorline log-in page requiring it to be done in 1 or 10 days still comes up at regular intervals.
 

·
Registered
Joined
·
5,406 Posts
Do any of the other brokerages have satisfactory 2FA access for those who do not use cell phones?
Interactive Brokers had a physical card with codes long before others started using text messages. They now prompt you to approve from the smart phone app (just requires WiFi, not cellular text)

I see reports of people getting hacked by SMS 2FA every day now. It's a very common scam in the US. It's very easy to dox someone nowadays to get enough info to convince the teen at the mobile kiosk in a mall to swap your SIM because you lost your phone etc.

Legacy banks and brokerages should be using Authy or another TOTP app. SMS was never designed for security. These banks are in the stone ages.
 

·
Registered
Joined
·
7,145 Posts
Thanks for the input. I have asked them the same questions, so will see what they say.
... that's great. Thanks too for asking/checking.
We do have Ooma and it will record a voicemail message IF they leave one. We can access that by internet from wherever we are. Maybe others could too!
... they would have to leave the code/message on the answering machine/voice messaging system if you don't answer/pick up their call.

Re the 2.0 conversion. They told me that it will now only be required by May of 2022, but the Investorline log-in page requiring it to be done in 1 or 10 days still comes up at regular intervals.
... May 2022 - great! They can keep reminding me periodically and I'll worry about it in May 2022. :whistle:
 

·
Registered
Joined
·
7,145 Posts
Most financial sites I deal with now have 2FA engaged. BMOIL is the last major one for me and I am looking forward to better login security. ...
...are you sure? I don't see 2 levels security over at Investor's Edge although supposedly they have upgraded that some time this summer.

Anyhow, I'm not concerned about what level of security the banks are moving to since 1. I use the only and same device (my old school computer) for all my banking, and 2. their 100% security guarantee when their rules are followed (which I do to a "T or whatever").
 

·
Registered
Joined
·
4,416 Posts
Discussion Starter · #8 ·
Most financial sites I deal with now have 2FA engaged. BMOIL is the last major one for me and I am looking forward to better login security.
I also welcome any improvement in security. But it does need to work for everyone.

When at home in Canada, I hardly ever use my Canada only pay as you go cell phone. I don't give the number to anyone, so never answer any calls (which are mostly spam). My wife does have the number!

My 90+ year old neighbor has a BMOIL account - no cell, so they will have to use his landline.

Others live in places with internet, but poor or no cell service and maybe no landline. Additional problem. (This is the case in cottage country even quite close to Toronto.)

What works for those with full cell service as their only phone, won't work for many others. Any plan should take this into account. Will see what BMO says.
 

·
Registered
Joined
·
12,135 Posts
Agreed that 2FA via a SMS text isn't possible or convenient for everyone, so in all?most? setups I have worked with, they do have other options listed when one sets up 2FA, including landline (or email as I mentioned in #3). The text is automatically converted to an audio voicemail to a landline.

I don't disagree with m3s that SMS text isn't the most secure methodology going due to SIM card swapping but it does take concerted effort by a hacker to do that plus they also have to know your banking login credentials to trigger 2FA to begin with. Another very good reason why NOT to have banking apps on one's mobile in my opinion. Nothing is beyond hacking but the more difficult and inconvenient it is, the more likely the hacker will move to an easier target (as in a home security system which we have and we know full well it can be defeated by cutting the line.....but thieves are lazy and will likely just go to an easier target).

Added: I think everyone should have a mobile with basic data these days. Basic plans are cheap (<$25/mo with Shaw Mobile for example) and can provide extraordinary benefits in times of crisis or need. It is a very small price to pay for not being penny wise and pound foolish. It took me until about 5 years ago of being stubborn and a holdout before I became enlightened.
 

·
Registered
Joined
·
4,416 Posts
Discussion Starter · #10 ·
Added: I think everyone should have a mobile with basic data these days. Basic plans are cheap (<$25/mo with Shaw Mobile for example) and can provide extraordinary benefits in times of crisis or need. It is a very small price to pay for not being penny wise and pound foolish. It took me until about 5 years ago of being stubborn and a holdout before I became enlightened.
I agree that having a smartphone is useful. But we don't need any type of monthly plan.

I checked Shaw, and their $25/mo plan may only be if you had internet with them. They may even have a cheaper mobile only program at $15/month. I didn't read the fine print except for the part that said mobile in BC and Alberta only. I also saw the part that if you wanted coverage in US and Mexico, it was $95/month.

Our Speakout phones cost us about $25-$35/YEAR :) They do provide extraordinary benefits like being able to call CAA if car breaks down! Also my wife & I can communicate when she or I need a pick up after a visit to hospital or doctor. Using smartphone on wifi can also be useful. However, we don't have cell service outside of Canada. We were able to use Google Voice or Hangups for calling anywhere in NA, but they seem to have discontinued use by Canadians.
 

·
Registered
Joined
·
12,135 Posts
My response was not intended to promote the best (least expensive). Only that basic mobile talk/text/data plans are rather inexpensive... less than one lunch/month at a casual restaurant. There is no longer any excuse NOT to have a basic talk/text/data plan.

If we are into competitive comparisons, my US 480 area code phone is on a legacy T-Mobile plan for US$25/year (since 2009 I think) and the minutes rollover as long as I do a $25 top up before each anniversary date. I've got something like 550 minutes accumulated with the number getting bigger every year.
 

·
Registered
Joined
·
4,416 Posts
Discussion Starter · #12 ·
basic mobile talk/text/data plans are rather inexpensive... less than one lunch/month at a casual restaurant. There is no longer any excuse NOT to have a basic talk/text/data plan.
????????????

You may think so from your personal viewpoint. Those of us who do not NEED such a plan, already have a very good reason not to have one.
We don't need an "excuse" to not comply with your viewpoint, do we ;)
It is our lifestyle, our money and we spend it as we see fit!

We have had numerous US paygo plans. No way we would keep adding $$ for airtime when we have no NEED. We found we rarely used the US paygo phone - It, like our Speakouts, was bought mainly in case of an emergency when travelling South & back as well as once there.

Just tallied how much we spend in total on phone service. Ooma home phone plus 2xSpeakout cell phones ~$125/yr. Or about C$175/yr if we spend several months in USA (unlikely these days!)
 

·
Registered
Joined
·
12,135 Posts
It is of course a personal choice of where one wishes to spend their money. Given your reaction, I think you misunderstood my intent, or I didn't articulate it well. Never intended it to be an argument. What I simply said is cost is no longer an excuse not to have a basic talk/text/data plan...equivalent to a lunch per month at a casual restaurant, or 2 tickets to a movie.

That level of expenditure fits into most people's definition of Miscellaneous in their budgets but this is getting off tangent to security factors like 2FA, credit card alerts and other such critical things these days.
 

·
Registered
Joined
·
4,416 Posts
Discussion Starter · #14 ·
That level of expenditure fits into most people's definition of Miscellaneous in their budgets but this is getting off tangent to security factors like 2FA, credit card alerts and other such critical things these days.
You are right that we have got away from the BMO 2FA issue. I will find out more in due course.

Regards the phone plans. I would definitely choose the lunches over the un-needed phone plan. At least I can eat a lunch :) BTW, $25 could buy me two casual lunches!
 

·
Registered
Joined
·
336 Posts
That level of expenditure fits into most people's definition of Miscellaneous in their budgets but this is getting off tangent to security factors like 2FA, credit card alerts and other such critical things these days.
You are right that we have got away from the BMO 2FA issue. I will find out more in due course.

Regards the phone plans. I would definitely choose the lunches over the un-needed phone plan. At least I can eat a lunch :) BTW, $25 could buy me two casual lunches!
I'm not a big fan of forcing technology on the user regardless of the price. It's a PITA to carry or have a phone. That said, 2FA solutions have their problems as mentioned above. Next you will be needing to load MS authentication app on your phone.....
 

·
Registered
Joined
·
5,406 Posts
It's not just the cell phone plan

I used to be in different countries all the time where I couldn't receive SMS. That was when I found the Google Authenticator app (I now prefer the Authy app).

Also the SIM swapping is not hypothetical. It's happening in the US every day now and it happens in Canada (I posted CBC articles before).

You just don't hear about it because we all pay for it with our legacy bank fees (dirt low yields)
 

·
Registered
Joined
·
5,406 Posts
Next you will be needing to load MS authentication app on your phone.....
Everyone should use an authenticator app (or a form of 2FA)

I like how Interactive Brokers built it into their own app. Also years ago Interactive Brokers provided a physical credit card sized list of codes (very low tech but gets the job done) German banks did the same

If you don't want to use it you should just lose full coverage protection if you are willing to accept the risk, like how Canadians do with 3rd party app logins because we don't have secure APIs yet like every other country has for eons.

BTW all those FB posts that boomers love to share "what's your fav ___" are to dox your backup "security" questions
 

·
Registered
Joined
·
12,135 Posts
Those who don't want to use SMS text for 2FA can sometimes select email for the sending of the 6 digit codes. The best institutions provide one to register 3-4 options, e.g. email and/or various phones, and depending where one is when they need to authenticate, select that one as primary. Just have to remember to make that selection before leaving home for example.

The real point is to get more serious about security. The challenge questions need to go since so many people default to easy to guess ones.
 

·
Registered
Joined
·
5,406 Posts
Ideally if you use email you need to have 2FA (Authy) setup for your email login anyways..

The more "options" you have to unlock your account.. the more "options" or attack vectors a hacker has as well. If your email uses the same login as random websites and apps with weak databases that have been previously hacked and available online to hackers.. If those backup questions can easily be guessed or doxxed..

I use a ProtonMail email account for all my financial services now. Free and encrypted. Good password managers like Bitwarden are also free and secure. Financial accounts are being hacked every day. They target the whales and the insurance only goes so high.

Legacy banks are about to be hollowed out by fintech with these archaic practices
 

·
Registered
Joined
·
12,135 Posts
I wouldn't use email as a 2FA but some (apparently) resistant to mobiles need another option. When I mentioned 3-4 options, I meant all related to email or phone numbers. FWIW, my main banking logins and my email addresses all have unique very complicated passwords managed by LastPass, and my master LastPass password is about as long as I can get it with a combination I can only conjure up and remember!

At the end of the day, all we can practically do is make it difficult for hackers and if the system breaks, then that is what the security guarantees of financial institutions are for. Practice safe internet habits to satisfy the T's and C's of the various websites. I've been made whole by a big bank due to a hack that could have been an inside job.
 