this post was submitted on 14 Sep 2024
1623 points (99.1% liked)

Technology

58138 readers
4364 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
1623
Be careful. (feddit.org)
submitted 5 days ago by 101@feddit.org to c/technology@lemmy.world
178 comments fedilink hide all child comments
 

Source.

you are viewing a single comment's thread
view the rest of the comments
[–] Telorand@reddthat.com 23 points 5 days ago (4 children)

The fact that many banks still don't have at least app-based 2FA should be criminal.

[–] EngineerGaming@feddit.nl 12 points 5 days ago (1 children)

App-based would be bad, as bank apps are notoriously unfriendly to people who don't own Google/Apple smartphones. Rather, a TOTP or Yubikey.

[–] Telorand@reddthat.com 5 points 5 days ago (1 children)

That's what I mean by app-based. Something like Authy or Google Authenticator, etc.

[–] Appoxo@lemmy.dbzer0.com 5 points 5 days ago (1 children)

At least use Aegis ;-;

[–] MonkeMischief 3 points 5 days ago (1 children)

Thanks, I was about to suggest this too. Aegis is awesome. :) I can't understand why most banks sms a code instead of using something like this. It's insanity.

[–] Appoxo@lemmy.dbzer0.com 3 points 4 days ago

Probably certifications and paperwork for implementing this stuff + educating the customers with a significant higher entry cost than paying the 100k € for the SMS bill

[–] LodeMike 8 points 5 days ago

Implementing the open source TOTP system would cost them money! They'll rather keep paying SMS egress instead.

To be fair it's probably way cheaper nowadays.

[–] LDerJim@lemmy.world 7 points 5 days ago (1 children)

How would that help in this case? "Sir, please accept the pop up from our app"

[–] Telorand@reddthat.com 2 points 5 days ago (1 children)

I'm talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.

[–] Trainguyrom@reddthat.com 2 points 4 days ago* (last edited 4 days ago)

It sounds like in the above case the codes were real 2fa codes from his bank as the scammers were resetting their login credentials then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother

[–] sugar_in_your_tea@sh.itjust.works 2 points 4 days ago

Yeah, I delayed setting up non-SMS 2FA because I didn't want to go through the hassle of installing and setting up Symantec VIP (requires a call to the bank). If they had supported regular TOTP, I would've had it configured when I set up the account years ago, and that would've prevented this issue since I know I'm never supposed to give out those codes. But SMS auth is used by phone agents to verify identity, as well as with automated systems, so it's easy to skim the message.

There are only a handful of banks that offer something other than SMS 2FA (and many don't even do that), and I picked this bank specifically because of that. However, I didn't realize they used Symantec VIP, so I put it off.