this post was submitted on 14 Sep 2024
1640 points (99.0% liked)
Technology
59401 readers
2559 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The fact that many banks still don't have at least app-based 2FA should be criminal.
App-based would be bad, as bank apps are notoriously unfriendly to people who don't own Google/Apple smartphones. Rather, a TOTP or Yubikey.
That's what I mean by app-based. Something like Authy or Google Authenticator, etc.
At least use Aegis ;-;
Thanks, I was about to suggest this too. Aegis is awesome. :) I can't understand why most banks sms a code instead of using something like this. It's insanity.
Probably certifications and paperwork for implementing this stuff + educating the customers with a significant higher entry cost than paying the 100k € for the SMS bill
Implementing the open source TOTP system would cost them money! They'll rather keep paying SMS egress instead.
To be fair it's probably way cheaper nowadays.
How would that help in this case? "Sir, please accept the pop up from our app"
I'm talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.
It sounds like in the above case the codes were real 2fa codes from his bank as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother
Yeah, I delayed setting up non-SMS 2FA because I didn't want to go through the hassle of installing and setting up Symantec VIP (requires a call to the bank). If they had supported regular TOTP, I would've had it configured when I set up the account years ago, and that would've prevented this issue since I know I'm never supposed to give out those codes. But SMS auth is used by phone agents to verify identity, as well as with automated systems, so it's easy to skim the message.
There are only a handful of banks that offer something other than SMS 2FA (and many don't even do that), and I picked this bank specifically because of that. However, I didn't realize they used Symantec VIP, so I put it off.