Be careful. (feddit.org)
submitted 1 month ago by 101@feddit.org to c/technology@lemmy.world
[-] Telorand@reddthat.com 23 points 1 month ago

The fact that many banks still don't have at least app-based 2FA should be criminal.

[-] EngineerGaming@feddit.nl 12 points 1 month ago

App-based would be bad, as bank apps are notoriously unfriendly to people who don't own Google/Apple smartphones. Rather, a TOTP or YubiKey.

[-] Telorand@reddthat.com 5 points 1 month ago

That's what I mean by app-based. Something like Authy or Google Authenticator, etc.

[-] Appoxo@lemmy.dbzer0.com 5 points 1 month ago
[-] MonkeMischief@lemmy.today 3 points 1 month ago

Thanks, I was about to suggest this too. Aegis is awesome. :) I can't understand why most banks SMS a code instead of using something like this. It's insanity.

[-] Appoxo@lemmy.dbzer0.com 3 points 1 month ago

Probably certifications and paperwork for implementing this stuff + educating the customers, with a significantly higher entry cost than paying the 100k € for the SMS bill.

[-] LodeMike@lemmy.today 8 points 1 month ago

Implementing the open source TOTP system would cost them money! They'd rather keep paying SMS egress instead.

To be fair it's probably way cheaper nowadays.

[-] LDerJim@lemmy.world 7 points 1 month ago

How would that help in this case? "Sir, please accept the pop up from our app"

[-] Telorand@reddthat.com 2 points 1 month ago

I'm talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.

[-] Trainguyrom@reddthat.com 2 points 1 month ago* (last edited 1 month ago)

It sounds like in the above case the codes were real 2FA codes from his bank, as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother.

[-] sugar_in_your_tea@sh.itjust.works 2 points 1 month ago

Yeah, I delayed setting up non-SMS 2FA because I didn't want to go through the hassle of installing and setting up Symantec VIP (requires a call to the bank). If they had supported regular TOTP, I would've had it configured when I set up the account years ago, and that would've prevented this issue since I know I'm never supposed to give out those codes. But SMS auth is used by phone agents to verify identity, as well as with automated systems, so it's easy to skim the message.

There are only a handful of banks that offer something other than SMS 2FA (and many don't even do that), and I picked this bank specifically because of that. However, I didn't realize they used Symantec VIP, so I put it off.

this post was submitted on 14 Sep 2024
1638 points (99.0% liked)