Cybersecurity

23 readers

7 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

founded 2 years ago

MODERATORS

[email protected]

So, why do almost all banks, in the U.S. at least, only support the worst 2FA authentication method exclusively? And, this article doesn't mention SIM-swap attacks, which are unavoidable. It can't be (hear-me.social)

submitted 2 days ago by [email protected] to c/[email protected]

19 comments fedilink hide all child comments

https://gizmodo.com/feds-warn-sms-authentication-is-unsafe-after-worst-hack-in-our-nations-history-2000541129

#Cybersecurity

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 5 points 2 days ago

As much as I despise SMS in general, and 2FA over SMS in particular, I think the risk of SIM jacking in the US is pretty low overall for this use-case, which is probably part of why banks don't do more.

Add in (as others have said) the cost of proper 2FA and being able to off-load the risk (which is what banks do), and a VP of Risk Management doesn't have much motivation to drive such a change.

My own anecdotal experience with Sim-jacking and 2FA: I recently ported a number to a new service, properly, with multiple steps to verify I was authorizing the port. It broke every SMS 2FA - I had to login to every account and re-enter the same phone number as my 2FA number. Which required verifying my login with email or another number (that was already in the account).