So, why do almost all banks, in the U.S. at least, only support the worst 2FA authentication method exclusively? And, this article doesn't mention SIM-swap attacks, which are unavoidable. It can't be (hear-me.social)

submitted 8 months ago by Jerry@hear-me.social to c/cybersecurity@fedia.io

19 comments fedilink hide all child comments

https://gizmodo.com/feds-warn-sms-authentication-is-unsafe-after-worst-hack-in-our-nations-history-2000541129

#Cybersecurity

you are viewing a single comment's thread
view the rest of the comments

[-] BearOfaTime@lemm.ee 6 points 8 months ago

As much as I despise SMS in general, and 2FA over SMS in particular, I think the risk of SIM jacking in the US is pretty low overall for this use-case, which is probably part of why banks don't do more.

Add in (as others have said) the cost of proper 2FA and being able to off-load the risk (which is what banks do), and a VP of Risk Management doesn't have much motivation to drive such a change.

My own anecdotal experience with Sim-jacking and 2FA: I recently ported a number to a new service, properly, with multiple steps to verify I was authorizing the port. It broke every SMS 2FA - I had to login to every account and re-enter the same phone number as my 2FA number. Which required verifying my login with email or another number (that was already in the account).

this post was submitted on 20 Dec 2024

94 points (100.0% liked)

Cybersecurity

2 readers

3 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

founded 2 years ago

MODERATORS

shellsharks@fedia.io

tweedge@fedia.io