Online Banking Logins and 2FA

Hi

Just in light of the recent news items centring on a particular bank and scam texts - shouldn't 2FA prevent this from being an issue? So even if you logged into a fake portal via a dodgy link and your login details were taken, the perp still couldn't actually log in anyway?

I'm guessing that the victims in these stories didn't have 2FA set up?

And secondly, do you prefer 2FA required for all logins (outside of the secured device) or just when you're trying to create a new payee? Is the latter, specific-action approach adequate?

Comments

  • +8

    2FA (or even MFA) per se isn't going to protect someone who is logging into their account at the behest of a third party 'fraudster'.

    1) I get you to go to AlsDodgyWebsiteThatLooksLikeYourBank (which has a valid site cert so you see the classic 'padlock')

    2) You enter your username and password

    3) I enter the same info in your actual bank

    4) Your bank requires another factor of authentication (doesn't matter what) so the real website asks you to enter a code

    5) You receive said code from whatever form the additional factor takes

    6) You enter that code to AlsDodgyWebsiteThatLooksLikeYourBank

    7) I enter it to your real bank

    8) You just gave me access to your bank account

    It is really hard to stop stupid / lazy / thoughtless people.

    For example: If you ever hear someone say, 'I'm not interested in the details - I just want it to work', that person is a prime candidate for getting scammed.

    In terms of where to use 2FA / MFA: It really has to come down to a risk assessment and your willingness to take a 'loss' of whatever it is you are looking at protecting.

    For bank accounts, and primary email accounts, I would always recommend 2FA / MFA, but the question to ask is how willing you are to take a risk on a given resource compared to the additional time / hassle to authenticate.
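
The relay in steps 1-8 above, as an added simulation that is not part of the original comment or any bank's code. It is a stand-alone Python model with constructed names (`bank.example`, `alsdodgywebsite.example`, user `alice`, the seeds and keys) and a deterministic time-step counter. The code-based second factor is RFC 4226 HOTP, which is what a TOTP app or SMS code amounts to; the bank checks only that the code is correct, so the attacker who forwards it wins. The example goes one step beyond the comment by also modelling an origin-bound second factor (a simplified WebAuthn-style assertion, with an HMAC standing in for the real public-key signature): because the assertion carries the origin the victim's browser actually visited, the real bank rejects anything relayed from the fake site.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed names for the simulation; not real sites.
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://alsdodgywebsite.example"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation). A TOTP code is just
    HOTP with counter = floor(unix_time / 30); the counter is passed in
    explicitly here so the simulation is deterministic."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class Bank:
    """Toy bank backend: password plus either a TOTP seed (the 'code' in the
    comment above) or an origin-bound authenticator key (WebAuthn-style,
    HMAC standing in for a signature). A successful login returns a token."""

    def __init__(self):
        self.users = {}

    def register(self, user, password, totp_seed=None, authn_key=None):
        self.users[user] = {"pw": _pw_hash(password), "totp": totp_seed, "authn": authn_key}

    def _password_ok(self, user, password):
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["pw"], _pw_hash(password))

    def login_with_code(self, user, password, code, counter):
        """Second factor is a 6-digit code: the bank only checks that the
        code is right, not where the user typed it."""
        if not self._password_ok(user, password):
            return None
        if not hmac.compare_digest(hotp(self.users[user]["totp"], counter), code):
            return None
        return secrets.token_hex(8)

    def new_challenge(self):
        return secrets.token_bytes(16)

    def login_with_assertion(self, user, password, challenge, assertion):
        """Second factor is a MAC over challenge||origin from the user's
        authenticator. The bank rejects any origin but its own."""
        if not self._password_ok(user, password):
            return None
        origin, mac = assertion
        if origin != BANK_ORIGIN:
            return None
        expected = hmac.new(self.users[user]["authn"], challenge + origin.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None
        return secrets.token_hex(8)


def victim_authenticator(key, challenge, origin_in_browser):
    """The browser tells the authenticator which origin is asking and the
    authenticator binds its answer to that origin; it cannot know that the
    user 'meant' the real bank."""
    mac = hmac.new(key, challenge + origin_in_browser.encode(), hashlib.sha256).digest()
    return (origin_in_browser, mac)


def relay_attack_against_code(counter=1_700_000_000 // 30):
    """Steps 1-8 from the comment, with a code-based second factor."""
    bank = Bank()
    seed = b"constructed-victim-seed"                 # constructed
    bank.register("alice", "hunter2", totp_seed=seed)
    captured_password = "hunter2"                    # step 2: typed into the fake site
    captured_code = hotp(seed, counter)               # steps 5-6: read off the phone, typed into the fake site
    # steps 3 and 7: attacker forwards both to the real bank inside the time window
    return bank.login_with_code("alice", captured_password, captured_code, counter)


def relay_attack_against_origin_bound(victim_at_real_bank=False):
    """Same relay, but the second factor is origin-bound."""
    bank = Bank()
    key = b"constructed-victim-authenticator-key"     # constructed
    bank.register("alice", "hunter2", authn_key=key)
    challenge = bank.new_challenge()                  # attacker fetches the real challenge and forwards it
    origin = BANK_ORIGIN if victim_at_real_bank else PHISH_ORIGIN
    assertion = victim_authenticator(key, challenge, origin)
    return bank.login_with_assertion("alice", "hunter2", challenge, assertion)


if __name__ == "__main__":
    print("relay vs code-based 2FA:", "attacker logged in" if relay_attack_against_code() else "blocked")
    print("relay vs origin-bound 2FA:", "attacker logged in" if relay_attack_against_origin_bound() else "blocked")
    print("legitimate origin-bound login:", "ok" if relay_attack_against_origin_bound(True) else "failed")
```

In the code-based case the bank receives a correct password and a correct, still-valid code and has no signal that either was typed into the wrong site, which is exactly the comment's point. In the origin-bound case the same relay fails at the `origin != BANK_ORIGIN` check before the MAC is even examined, and the legitimate login (victim's browser at the real origin) still succeeds.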

    • Thanks Alan - knew I could count on you for an informative comment. And do you have a view on whether 2FA for all logins or just setting up new payees or specific actions? Personally I don't mind the extra time and hassle (I'm used to it via my work phone), but my SO does mind…

      • +1

        For your bank accounts - I would always recommend 2FA / MFA.

        To be blunt but realistic, your SO is a prime candidate to get scammed.

        I don't wish to be rude for no reason, but I feel it is fair to be blunt: They come across as being lazy. That's a decision they make for themselves, and that's fine - each to their own - but the world is as it is, and being lazy has consequences they have to accept.

        The real problem I have, is not so much them getting 'hurt' because they have made a decision not to use 2FA / MFA, but the collateral damage to others around them (you for example) when it eventually happens to them.

        To my mind, that is being incredibly selfish, and not a risk to which I would expose someone I truly cared about.

        I have to be consistent, and also note that it is up to you how to respond to their choice(s) to expose you too. If you are happy being exposed to that risk (even if you don't share bank accounts), and potentially being put in a situation where you feel you have to 'underwrite' the risk they are exposing themselves to when it eventuates, then again, I have no problem with that, as long as you (and anyone else your SO might be putting in the similar position) are in it with your eyes open :-)

        • On reflection, steps 6 and 7 are a scary thought.

          I should have been clearer, SO is comfortable with 2FA being required for setting up new payees and specific actions only instead of when logging in every time - whereas I'm in favour of full 2FA logging in each time (the bank in question offers both 2FA options).

          • +1

            @L3tstaxth1s: One is clearly safer, but more effort than the other - it's a decision each person has to make (if your bank offers that option).

            I know which I would choose and, at least in part, I would say it is because I truly care about my family, so I am willing to incur a small cost for the additional protection it affords them. Everyone is different though.

          • +1

            @L3tstaxth1s:

            On reflection, steps 6 and 7 are a scary thought.

            2FA / MFA is good for stopping a third party from brute forcing authentication (scary if the provider of the resource would allow a significant number of failed attempts to login, but hey), and for forestalling someone who has obtained the two things you 'know' (username and password) from then being able to login - they would still require, say, the thing you have (phone or whatever).

            It was never designed nor intended to stop man-in-the-middle attacks as outlined above.

            The most basic way to stop a MITM attack is for the user to take responsibility for ensuring that they use a secure device and software, go to the correct site (and even use software to help ensure that), and pay attention to warnings that your device or software gives you.

            Consider again the clueless lazy attitude of 'I'm not interested in the details - I just want it to work'. That's just willful ignorance and selfishness when they hurt others too.

      • Not going to repeat what was said - just support what Alan said.
        Absolutely, 2FA or the like is required.
        I had a conversation earlier in the week with a colleague who couldn’t be bothered. Wouldn’t listen to reason or the techie stuff until I simply asked how he would feel at that very moment he notices his accounts have been drained and unrecoverable. Really think about that moment. It’s all gone. ALL of it.
        Not worth the risk.
        Stay alert and safe.

    • +1

      Just out of interest, what do you suggest they do, and if they are in, say, China, or India, or pick your own country of choice, who is holding them accountable, and what is THEIR incentive to do so?

      Things are rarely as simple as they might at first appear.

    • But text messages aren't (afaik) read by the telcos.

      Google messages does a pretty good job at identifying spam texts, it removes the notification that I normally get and just tells me 'hey you probably just received a spam message' (even if there are the odd false positives when companies try to be 'helpful' and include a link as well).

      Not sure about apple-land but surely they'd have something in place.

      Products like Trend Micro (only knowing this because of my ex retail days) open the stuff in a headless browser… but the last time I farted around with an obvious scam one they were literally only using GET requests with parameters for card info and stuff. (also sent a few thousand randomized requests, hopefully slowed them down a bit) so that is a bit of a solution… but I also don't really want Spark opening up a OneDrive link or something.

      • A significant part of the issue is that many communications are encrypted (happily - else we'd have a much more serious 'hacking' / scamming problem), so the carrier / ISP does not have any ability to see what the message actually is.

        I don't believe SMS is generally encrypted, so if talking about that, then presumably they could if they wanted to, but SMS is the worst form of 2FA / MFA, partly due to this very fact.

        • And sim swapping. But SMS is 1000x better than no MFA.

          • @Jexla: I would anticipate that SIM swapping would bypass any encryption, even if it exists, entirely, but I agree that any 2FA / MFA is clearly better than none on a marginal basis.

            I could not quantify the difference myself.

  • +1

    I have just been through this discussion with my son and wife. They both have, I suppose understandably, got the message from the media that to protect yourself you simply "Don't click links". While it's a nice soundbite, sadly I feel that's the wrong message and it won't appreciably stop people being scammed, it'll just slow the scammers down a little until the next wave hits.

    So what's the key message that should be getting out there? Three words: VERIFY, VERIFY and VERIFY.

    1) Independently verify that the person who called you or sent you X is who they say they are. Don't trust anything they have given you until you do: don't click their link, don't call the number they provided, don't give them anything and don't do what they say. It doesn't matter if the message looks like it came from them, and it doesn't matter if you recognise the voice on the other end of the phone. If they are asking you to do something risky then STOP and VERIFY. Somewhat counterintuitively you should especially take time to verify if there's a sense of urgency involved.
    2) VERIFY that websites you are using to enter sensitive details (logins, etc) are legitimate before you type a thing.
    3) If you are making a legitimate substantial transfer (say paying a supplier or putting down a house deposit) VERIFY through two independent channels that the recipient is correct. Don't just "trust" the trust account details that your supplier/lawyer has just sent. Call them on the number from their website (and again, don't click a link in their email to get to their website!) and get them to read it out to you.

    If you think I'm exaggerating, look up "spear phishing" and "whaling attack". You think losing $30k one go is bad? How about tens of millions?

    • I completely agree.

    • Agree - independently verify - thanks for taking the time to write this. I've been having the same (heated) discussions. If there's a sense of "urgency", always take a step back to verify independently.
