this post was submitted on 03 Mar 2024
33 points (92.3% liked)
cybersecurity
3297 readers
66 users here now
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
Community Rules
- Be kind
- Limit promotional activities
- Non-cybersecurity posts should be redirected to other communities within infosec.pub.
Enjoy!
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Ok, email is terrible. It just offloads the onus of security to your email provider. SMS/Phone call however meets the “something you have” aspect of MFA, PIN now counting as “something you know” aspect. Ultimately it sounds super weak, but that weakness can be mitigated by other aspects such as device fingerprinting, geo blocking, locking out after failed attempts, etc.
The thing is, at some point, the bank will have a customers account get breached no matter what they do. If they want to be lax on security, they better provide top notch customer service when a breach occurs because they’ve taken the onus of security off the account holder and limited their options on being more secure.
I would argue that a phone number barely counts as “something you have” because of how easy it is for attackers to gain access if they really want it. It’s more like “something your cellphone company has and lets you use”. I would rather have email 2FA over SMS because that account actually has a strong password and real 2FA on it. The truly terrible part is you can’t disable either auth option so any attacker has two attack vectors.
Sim swapping is stupid easy and common
Sms 2fa is not real 2fa. My non techie buddy's business got hacked, he got got for over a hundred grand.