On State Farm’s security page, they say “The Security of Your Personal Information is a Priority at State Farm” and “We work hard to make sure your account information stays secure. Learn more about how to protect yourself and how State Farm protects you.”
That’s all well and good to say, but the reality is not so simple.
State Farm supports 2FA on your account, which is good-ish. They don’t support Google Authenticator, or Duo. They do support SMS messages and email, in a way in which enabling 2FA enables both and you can’t disable SMS in the settings. This is not so good, as current industry advice is to avoid SMS as 2FA due to SIM swapping attacks and SS7 hacks.
But then it gets worse. The devil is in the details, or in this case the following sentences: “Use a verification code or answer public based questions every time I log in.” “Selecting Two-Factor Authentication means you’ll receive a unique verification code by email or text or you will answer a series of public based questions each time you log in.” This is where things get really scary. Verification by ‘public based questions’ is an absolute favorite for identity thieves. They can sit at their computer with a copy of your credit report and answer these with a high degree of success.
I tried complaining about lapse in security practice to State Farm, and they seem to have fully drunk the LexisNexis kool-aid on this. They stand by their use of a vulnerable verification tool that puts my accounts at risk.
Time to find a new insurance provider.