Banks That Treat MFA as Optional Still Leave Customers Exposed to Account Takeovers

Financial institutions continue to allow some customers to log in without multi-factor authentication, a gap that can make account takeovers easier for criminals, according to a recent account of a re...

Financial institutions continue to allow some customers to log in without multi-factor authentication, a gap that can make account takeovers easier for criminals, according to a recent account of a retirement and banking theft involving an 84-year-old woman whose funds were drained from multiple accounts.

In the case described, fraudsters first appeared to compromise a retirement savings account, then moved on to checking and savings accounts at another bank. They also gained access to Gmail and created filters that pushed bank and retirement alerts into trash folders, limiting the chance that warnings would be seen quickly. While the stolen retirement funds were later recovered, the bank losses totaled about $30,000 before reimbursement.

Security gaps and user habits

The incident appears to have involved reused or similar passwords across several services, combined with the fact that MFA was not required on the affected accounts. Security experts say that pattern remains common: if one service is breached, attackers may reuse credentials elsewhere, a tactic often called credential stuffing.

Some banks, including large national institutions, still make MFA optional for many customers. In some cases, second-factor prompts are triggered only when sign-in activity looks unusual. Google accounts are also often left to the user to protect with stronger login methods.

Why banks hesitate

Industry observers say institutions often weigh security against convenience. Extra login steps can frustrate customers, increase support calls, and potentially affect sign-up or retention rates. That reluctance has slowed broader adoption of stronger authentication.

At the same time, banking rules and consumer protections do not guarantee an easy recovery if money is stolen. In the United States, dispute deadlines and investigation windows apply, but reimbursement is not automatic if a bank decides transactions appeared legitimate.

Stronger options exist

Security specialists say the best modern authentication method is passkeys, which rely on cryptographic keys stored on a user’s device and are designed to resist phishing. Traditional one-time codes sent by text or email are still widely used, but they can be intercepted or tricked out of users through social engineering.

  • Reused passwords remain a major risk for account compromise.
  • SMS and email codes are better than no second factor, but are not ideal.
  • Passkeys are increasingly viewed as a more secure alternative.
  • Some major banks are beginning to roll out stronger login options.

The broader message from the incident is straightforward: when banks leave MFA optional, they shift more of the burden to customers, even though the financial consequences of a breach can be severe.