My bank has its own authenticator app, which doesn’t work on my phone. Piece of crap. They now enabled fingerprint login without additional 2FA somehow, and I can also authorise payments with biometrics. Only to change my limits, update address etc. I have to use the app (on an old Pixel 3a as a standby device just for this purpose).
Comment on MFA
possiblylinux127@lemmy.zip 11 months agoMy bank requires SMS mfa
viking@infosec.pub 11 months ago
possiblylinux127@lemmy.zip 11 months ago
I would change banks. Stuff like this is a reminder why letting government run such services is a bad idea. (I’m sure your bank isn’t state owned but still)
viking@infosec.pub 11 months ago
I can’t, live abroad and no bank I contacted would open accounts for non-residents.
I have other accounts where I live, but all my investments and major holdings are sent back home.
possiblylinux127@lemmy.zip 11 months ago
Oh, well that’s a tough situation.
KairuByte@lemmy.dbzer0.com 11 months ago
Why?
Totp is easier, cheaper, and more secure. It makes no sense to go with SMS.
possiblylinux127@lemmy.zip 11 months ago
For one that requires more training and support. However I think the biggest reason is that it is predictable
KairuByte@lemmy.dbzer0.com 11 months ago
Poorly secured keys usually still require device access, unless they are secured so poorly that the individual would be compromised in one of many other ways regardless.
Stealing a phone number requires, at most, paying off an employee at a telco company. At best it just requires a call and some social engineering. And don’t forget, people who leave their phone laying around without a passcode exist.
Now, neither of these are really options for a dragnet approach, they’d need to be targeted. But the fact that one can be done fully remote should be a red flag.