• stealth_cookies · 6 upvotes · 7 months ago

      I’ve complained to my bank on multiple occasions about their shit password and 2FA policies and they just don’t care. The excuse I got one time was “don’t worry about it, if your account gets hacked you are covered”

      Support for app-based 2FA codes should be supported at minimum, but really they should also be supporting security keys. Especially if they are going to use insecure SMS 2FA as a reason to deny covering you for fraud.

  • Auli · 6 upvotes · 7 months ago

    What kind of cyber security expert doesn’t know banks would be using https.

    • corsicanguppy · 9 upvotes · 7 months ago

      … and the chair of a ‘cyber’ security programme at that!

      Given she used the app and not even a browser, it’s not like even a DNS spoof could work here, redirecting to non-TLS spoofed servers, as the app should look for signed DNS for its upstream API and reject anything else.

      I really think this is BMO victim-blaming.

  • NotAnArdvark · 3 upvotes, 1 downvote · 7 months ago

    I think most people waaay underestimate the risk of reusing passwords. I don’t know if that’s what happened here, but in the security incidents I’ve seen there will often be the initial “No, I only use this password for banking!” and then “well… it’s just for my important accounts.” I’ve also seen the misconception that a complex password means it’s ok to reuse it.

    The other thing I’ve seen is people just mashing “agree,” “ok,” “yes,” or any kind of prompt. This probably isn’t what happened here, but with device-based 2FA, like when Google sends you an “Allow device?” message, it’s pretty easy for someone to just mash “Allow” so they can get back to whatever it was they’re doing.

    I don’t want to come off as victim-blaming, or as overly sympathetic to a big bank, but at some point I think it’s fair to expect individuals to have their own shit in order. I think a reasonable step towards this is that consumers should start demanding safer devices and software.

  • AutoTL;DR@lemmings.world (bot) · 1 upvote · 7 months ago

    This is the best summary I could come up with:

    An Alberta woman says she has to repay almost $10,000 — plus interest — after her line of credit was drained and the money transferred out of her Bank of Montreal account without her permission.

    MacNeil said a few days after first reporting what happened, she spoke by phone to a bank employee who told her BMO had decided not to reimburse her for the amount but she could escalate her case to the customer complaint appeal office.

    It said that the device used to access her bank account triggered a one-time passcode, which was sent by text to her phone number, successfully retrieved and entered.

    John Zabiuk, chair of the cybersecurity program at the Northern Alberta Institute of Technology, said there are many ways bad actors can access others’ bank accounts.

    As for MacNeil’s public Wi-Fi theory, Zabiuk said if a network is not secure, it is very easy for attackers to intercept a connection and watch everything that occurs on a device.

    Zabiuk also recommends changing passwords every two months, signing up for multi-factor authentication, checking bank accounts regularly and researching applications before downloading them.

    The original article contains 797 words, the summary contains 184 words. Saved 77%. I’m a bot and I’m open source!

    • cheese_greater@lemmy.world · 5 upvotes · 7 months ago

      new password every two months

      Umm, no.

      1. Generate non-idiotic, unique password with letters (caps+small) + numbers + symbols + diacritic letters if it will allow you
      2. Use credible password manager to store.
      3. Turn off text message display when phone is locked, only when unlocked.
      4. Don’t be a dumbass + use TouchID/FaceID for app login or only use in Safari with autofill from password manager.

      I have no idea still how this happened