My bank requires SMS mfa
Comment on MFA
slazer2au@lemmy.world 10 months ago
At least it isn’t email or SMS MFA.
possiblylinux127@lemmy.zip 10 months ago
KairuByte@lemmy.dbzer0.com 10 months ago
Why?
Totp is easier, cheaper, and more secure. It makes no sense to go with SMS.
possiblylinux127@lemmy.zip 10 months ago
For one that requires more training and support. However I think the biggest reason is that it is predictable
KairuByte@lemmy.dbzer0.com 10 months ago
Poorly secured keys usually still require device access, unless they are secured so poorly that the individual would be compromised in one of many other ways regardless.
Stealing a phone number requires, at most, paying off an employee at a telco company. At best it just requires a call and some social engineering. And don’t forget, people who leave their phone laying around without a passcode exist.
Now, neither of these are really options for a dragnet approach, they’d need to be targeted. But the fact that one can be done fully remote should be a red flag.
viking@infosec.pub 10 months ago
My bank has its own authenticator app, which doesn’t work on my phone. Piece of crap. They now enabled fingerprint login without additional 2FA somehow, and I can also authorise payments with biometrics. Only to change my limits, update address etc. I have to use the app (on an old Pixel 3a as a standby device just for this purpose).
possiblylinux127@lemmy.zip 10 months ago
I would change banks. Stuff like this is a reminder why letting government run such services is a bad idea. (I’m sure your bank isn’t state owned but still)
viking@infosec.pub 10 months ago
I can’t, live abroad and no bank I contacted would open accounts for non-residents.
I have other accounts where I live, but all my investments and major holdings are sent back home.
wreckedcarzz@lemmy.world 10 months ago
Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 char with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let’s try 2FA. Get seed, generate code code to page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS
(only factor authentication)
drolex@sopuli.xyz 10 months ago
Nothing compared to BOFA, which is arguably even worse and a lot more stupid
grue@lemmy.world 10 months ago
For those who don’t know, the BofA app clears the username and password fields every time you switch to a different app, completely thwarting the use of password managers because Bank of America is apparently Hell-bent on forcing everyone to have easily-typed (and therefore easily-brute-forced) passwords.
Natanael@slrpnk.net 10 months ago
Android has password managers with keyboard app integration so you can paste both fields from the keyboard itself
I use Keepass2Android and it’s own keyboard app for this
Fosheze@lemmy.world 10 months ago
Thank you for clarifying because I was expecting a “BOFA dez nutz” joke.
Jimmycakes@lemmy.world 10 months ago
Dashlane has no problems filling out my bofa passwords on android
mutter9355@discuss.tchncs.de 10 months ago
What’s BOFA? (Apart from BOFA deez nuts)
einlander@lemmy.world 10 months ago
Bank OF America
drolex@sopuli.xyz 10 months ago
Aw you’re too good. Can’t you even let your guard down a little? I need this.