• EngineerGaming@feddit.nl · 13 points · 3 months ago

      App-based would be bad, as bank apps are notoriously unfriendly to people who don’t own Google/Apple smartphones. Rather, a TOTP or YubiKey.

    • LDerJim@lemmy.world · 7 points · 3 months ago

      How would that help in this case? “Sir, please accept the pop up from our app”

      • Telorand@reddthat.com · 2 points · 3 months ago

        I’m talking about TOTP in something like Bitwarden or Authy. You can still social engineer your way to getting a code, but a scammer would have to convince the user to reveal that secret, not just pretend to send a code.

        • Trainguyrom@reddthat.com · 2 points · 3 months ago (edited)

          It sounds like in the above case the codes were real 2FA codes from his bank, as the scammers were resetting his login credentials and then adding an external account to initiate a transfer. Presumably they were simply reusing info from a breach to make the scam smoother.

    • sugar_in_your_tea@sh.itjust.works · 2 points · 3 months ago

      Yeah, I delayed setting up non-SMS 2FA because I didn’t want to go through the hassle of installing and setting up Symantec VIP (requires a call to the bank). If they had supported regular TOTP, I would’ve had it configured when I set up the account years ago, and that would’ve prevented this issue since I know I’m never supposed to give out those codes. But SMS auth is used by phone agents to verify identity, as well as with automated systems, so it’s easy to skim the message.

      There are only a handful of banks that offer something other than SMS 2FA (and many don’t even do that), and I picked this bank specifically because of that. However, I didn’t realize they used Symantec VIP, so I put it off.