this post was submitted on 14 Sep 2024
1631 points (99.1% liked)

Technology

59161 readers
1925 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 24 points 1 month ago (4 children)

The fact that many banks still don't have at least app-based 2FA should be criminal.

[–] [email protected] 2 points 1 month ago

Yeah, I delayed setting up non-SMS 2FA because I didn't want to go through the hassle of installing and setting up Symantec VIP (requires a call to the bank). If they had supported regular TOTP, I would've had it configured when I set up the account years ago, and that would've prevented this issue since I know I'm never supposed to give out those codes. But SMS auth is used by phone agents to verify identity, as well as with automated systems, so it's easy to skim the message.

There are only a handful of banks that offer something other than SMS 2FA (and many don't even do that), and I picked this bank specifically because of that. However, I didn't realize they used Symantec VIP, so I put it off.

[–] [email protected] 11 points 1 month ago (1 children)

App-based would be bad, as bank apps are notoriously unfriendly to people who don't own Google/Apple smartphones. Rather, a TOTP or Yubikey.

[–] [email protected] 5 points 1 month ago (1 children)

That's what I mean by app-based. Something like Authy or Google Authenticator, etc.

[–] [email protected] 5 points 1 month ago (1 children)
[–] [email protected] 3 points 1 month ago (1 children)

Thanks, I was about to suggest this too. Aegis is awesome. :) I can't understand why most banks sms a code instead of using something like this. It's insanity.

[–] [email protected] 3 points 1 month ago

Probably certifications and paperwork for implementing this stuff + educating the customers with a significant higher entry cost than paying the 100k € for the SMS bill

[–] [email protected] 7 points 1 month ago

Implementing the open source TOTP system would cost them money! They'll rather keep paying SMS egress instead.

To be fair it's probably way cheaper nowadays.

[–] [email protected] 6 points 1 month ago (1 children)

How would that help in this case? "Sir, please accept the pop up from our app"

[–] [email protected] 2 points 1 month ago (1 children)

I'm talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

It sounds like in the above case the codes were real 2fa codes from his bank as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother