Are US Banks Protecting Your Data? A Security Review
I’ve had an account with the same bank for years, but in 2016, it still doesn’t offer two-factor authentication, EMV cards, or other modern security features. That got me wondering—how do other banks stack up? Are they actually doing better? Instead of relying on compliance audits, I decided to take a more open approach and examine two key areas of security: email protections and website security.
How I Evaluated Bank Security
Inspired by Mark Stanislav’s MASSACRE talk, I graded banks using the following four criteria:
- Website Security Headers: Scanned the bank’s login page using securityheaders.io.
- SSL Encryption Strength: Analyzed the site’s SSL/TLS implementation with ssllabs.com.
- Email Security Policies: Checked for DMARC records to see how the bank protects against email spoofing.
- Two-Factor Authentication (2FA): Verified if the bank offers 2FA using twofactorauth.org.
Each bank was assigned a letter grade in each category, with an overall average calculated at the end.
What Are Security Headers and Why Do They Matter?
Security headers are additional instructions sent by a website’s server to a user’s browser that help prevent attacks. Some of the most important ones include:
- Content Security Policy (CSP): Helps prevent cross-site scripting (XSS) attacks.
- HTTP Strict Transport Security (HSTS): Forces browsers to use HTTPS, reducing the risk of man-in-the-middle attacks.
- X-Frame-Options: Prevents clickjacking by stopping other sites from embedding the page in an iframe.
Banks with strong security headers make it significantly harder for attackers to exploit users through phishing or malicious scripts.
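As an added example (not code from the original post), here is a simplified grader for the three headers named above. The rubric is my own, not securityheaders.io's, and the sample headers are constructed rather than captured from any bank; the one-year HSTS threshold is an assumption.

```python
import re

# Constructed response headers for two hypothetical login pages (not real banks).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "Strict-Transport-Security": "max-age=60",   # expires long before the next visit
    "X-Frame-Options": "ALLOWALL",               # not a valid value; browsers ignore it
}

MIN_HSTS_AGE = 31536000  # one year; assumed threshold, not securityheaders.io's rule


def grade_headers(headers):
    """Return (letter, findings) for a dict of response headers.

    Header names are matched case-insensitively, as HTTP requires.
    Each missing or ineffective header is one finding: 0 -> A ... 4+ -> F.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: injected scripts are not restricted")
    elif "unsafe-inline" in csp:
        findings.append("CSP allows 'unsafe-inline': inline script injection still runs")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a plain-HTTP request can be downgraded")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age too short: protection lapses between visits")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid: page can be framed")

    letter = "ABCDF"[min(len(findings), 4)]
    return letter, findings
```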
Why TLS Encryption Strength Is Critical for Banking Sites
Transport Layer Security (TLS) encryption protects data as it travels between your browser and the bank’s servers. Banks should be using modern protocol versions like TLS 1.2 and TLS 1.3 while disabling outdated versions like TLS 1.0 and 1.1, which have known cryptographic weaknesses. Some banks fail to properly configure their TLS settings, leaving them open to attacks that could intercept login credentials or sensitive account data.
How Phishing Attacks Exploit Weak Email Security
Many phishing attacks rely on spoofed emails that appear to come from a legitimate bank. This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) records come in. A strict DMARC policy helps prevent fraudsters from sending fake emails that look like they’re from a bank’s domain. Banks without strong DMARC enforcement make it easier for attackers to trick customers into giving up sensitive information.
Types of Two-Factor Authentication & Why Some Are Safer
Not all 2FA methods are equal. Here’s how they compare:
- SMS-based 2FA: Sends a code via text message, but the code can be captured by an attacker who takes over your phone number through a SIM-swapping attack.
- Authenticator apps (e.g., Google Authenticator, Authy): More secure, as the codes are generated locally on your device.
- Hardware security keys (e.g., YubiKey, FIDO2/WebAuthn): The most secure method, requiring physical possession of the key to authenticate.
Many banks that do offer 2FA only provide SMS-based options, which are better than nothing but still have security weaknesses.
How Do Online-Only Banks Compare to Traditional Banks in Security?
Fintech companies and online-only banks, like Chime, SoFi, and Ally, often implement security practices more aggressively than traditional banks. They may enforce stricter password policies, require app-based 2FA, and adopt newer web security technologies faster. However, they also face unique risks, such as account takeovers due to their reliance on digital-first identity verification.
The Findings
While Security Headers and SSL Labs assign their own grades, I adjusted scores for ineffective implementations. For example, Citibank opted out of SSL Labs scanning, so I downgraded their SSL score to an F. Similarly, Bank of America’s DMARC policy applied to subdomains but not their primary domain—earning them a D.
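To show how a DMARC record is read and why a subdomain-only policy earns a low grade, here is an added example (my own code, not from the post or any tool it cites). The records are constructed, not real banks' records, and the letter grades are my rubric in the spirit of the post's adjustments.

```python
# Constructed DMARC TXT records for hypothetical domains (not real banks).
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SUBDOMAINS_ONLY = "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com"
MONITOR_ONLY = "v=DMARC1; p=none"

# Policy strength, from weakest to strongest.
LEVEL = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def grade_dmarc(txt):
    """Return (letter, reason) based on what happens to a spoof of the primary domain."""
    if not txt:
        return "F", "no DMARC record: spoofed mail is not filtered at all"
    t = parse_dmarc(txt)
    p = t.get("p", "none").lower()
    sp = t.get("sp", p).lower()          # subdomain policy defaults to p (RFC 7489)
    pct = int(t.get("pct", "100"))       # share of messages the policy applies to
    if p == "reject" and pct == 100:
        return "A", "spoofed mail from the primary domain is rejected"
    if p == "quarantine" and pct == 100:
        return "B", "spoofed mail from the primary domain goes to spam"
    if p in ("reject", "quarantine"):
        return "C", f"policy applies to only {pct}% of messages"
    if LEVEL.get(sp, 0) > LEVEL.get(p, 0):
        # The Bank of America case in the post: subdomains protected, primary domain not.
        return "D", "policy enforced only for subdomains; the primary domain can still be spoofed"
    return "F", "p=none: spoofed mail is reported but still delivered"
```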
Surprisingly, very few banks offer two-factor authentication for consumer accounts, despite the significant security benefits.

The Best and Worst
The results show that no bank is perfect, but two stand out:
- Chase Bank
- USAA
These banks implemented stronger security measures across multiple areas, indicating a greater commitment to customer protection.

What Should You Do If Your Bank Has Poor Security?
If your bank lacks strong security protections, here’s what you can do:
- Enable the strongest 2FA option available (preferably an authenticator app or security key).
- Monitor your transactions regularly and set up alerts for unusual activity.
- Use a password manager to generate and store strong, unique passwords.
- Consider switching banks if yours doesn’t take security seriously.
Why This Matters
While this review doesn’t cover every aspect of a bank’s security program, it provides a useful window into how seriously they take customer data protection. If security matters to you, it may be time to reconsider where you bank.