Be careful. - eviltoast
  • Telorand@reddthat.com
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    1
    ·
    2 months ago

    The fact that many banks still don’t have at least app-based 2FA should be criminal.

    • EngineerGaming@feddit.nl
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      2 months ago

      App-based would be bad, as bank apps are notoriously unfriendly to people who don’t own Google/Apple smartphones. Rather, a TOTP or Yubikey.

          • MonkeMischief@lemmy.today
            link
            fedilink
            English
            arrow-up
            3
            ·
            2 months ago

            Thanks, I was about to suggest this too. Aegis is awesome. :) I can’t understand why most banks sms a code instead of using something like this. It’s insanity.

            • Appoxo@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              3
              ·
              2 months ago

              Probably certifications and paperwork for implementing this stuff + educating the customers with a significant higher entry cost than paying the 100k € for the SMS bill

    • Kairos@lemmy.today
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      Implementing the open source TOTP system would cost them money! They’ll rather keep paying SMS egress instead.

      To be fair it’s probably way cheaper nowadays.

    • LDerJim@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      2 months ago

      How would that help in this case? “Sir, please accept the pop up from our app”

      • Telorand@reddthat.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        I’m talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.

        • Trainguyrom@reddthat.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          2 months ago

          It sounds like in the above case the codes were real 2fa codes from his bank as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Yeah, I delayed setting up non-SMS 2FA because I didn’t want to go through the hassle of installing and setting up Symantec VIP (requires a call to the bank). If they had supported regular TOTP, I would’ve had it configured when I set up the account years ago, and that would’ve prevented this issue since I know I’m never supposed to give out those codes. But SMS auth is used by phone agents to verify identity, as well as with automated systems, so it’s easy to skim the message.

      There are only a handful of banks that offer something other than SMS 2FA (and many don’t even do that), and I picked this bank specifically because of that. However, I didn’t realize they used Symantec VIP, so I put it off.