• oldfart@lemm.ee
      link
      fedilink
      English
      arrow-up
      6
      ·
      2 hours ago

      They will now push proprietary apps which steal your data, so you decide.

      In a sane world we would move to yubikeys or codes like Google authenticator, but we live in a post sane technological world

    • Routhinator@startrek.website
      link
      fedilink
      English
      arrow-up
      41
      arrow-down
      1
      ·
      8 hours ago

      The problem for me is that most Canadian Banks give you the choice of SMS or their shitty adware filled bank app that relies on Google Play Services and wont implement TOTP so I can use a true MFA app. And Im done with being forced to accept user policies I don’t agree with to do shit, and most of all done with Google Play Services on my device 😑

      • oldfart@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 hours ago

        My bank prides itself being the first in the country to support yubikeys for 2fa. I was so happy until i learned it’s just for logging in, transactions are still confirmed by SMS or their app. And security experts all say it’s better this way, using a regular 2fa solution would be insecure because you wouldn’t know what you’re confirming.

        There really is no hope.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        7
        ·
        5 hours ago

        This is the main reason I switched to Fidelity here in the US. It’s a brokerage, but it does basic bank things, like checks, debit card, etc, and they support SymantecVIP, which works w/o Google Play Services. TOTP support really isn’t that hard, I don’t understand why banks are so slow in adopting it…

        • ipkpjersi@lemmy.ml
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 hours ago

          The issue is, banks are only going to do what they’re required to do by law. The government is run by dinosaurs who don’t know what computers are, let alone what TOTP is.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            5
            ·
            3 hours ago

            No, they’re only going to do what they’re required to do by their insurance. The law is an option, but if insurance costs go way up if they don’t have proper MFA, they’ll get MFA.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 hours ago

            They’re fantastic. :)

            The only negative stories I’ve heard are from people who really push the boundaries, like people day trading and whatnot. If you’re a regular user looking for a bank alternative, you should be good.

            Just know their branches don’t really have any banking services, so you can’t go there to withdraw or deposit cash, get a cashier’s check, etc. I keep an account w/ a local institution and transfer money as needed for banking services.

        • Routhinator@startrek.website
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 hours ago

          Now you’ve got me wondering about this for Canada. Would be a pita to move mortgage and investments, but there must be a better way than the big banks.

      • HellsBelle@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        9
        ·
        8 hours ago

        Adding to this that my Canadian bank just updated their app and it doesn’t work with my older phone. So my only option is to use online services with SMS/call verification.

        It’s such a joy to know that my bank, who made $40.670 billion last year, takes care of every customer equally.

        • carpelbridgesyndrome@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          2 hours ago

          They support USB hardware tokens… but only for the website. Everything else is SMS which kinda defeats the point.

          Annoyingly, other than Vanguard, they are the only financial institution to support USB FIDO tokens

  • Uriel238 [all pronouns]@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    39
    arrow-down
    3
    ·
    edit-2
    9 hours ago

    Oh it turns out we needed NSA to do its actual fucking job after all rather than holding onto exploits for the surveillance state.

    Now — for the second time — we have an adversarial administration eager to weaponize government departments while Americans are vulnerable. Why? Because America is the good guys and would never abuse its extrajudicial powers (say, by detaining, rendering and torturing Americans with names similar to those of POIs.)

    We could have had twenty-four years of robust communications security developments if NSA didnt sell the public out like Judas.

  • umbrella@lemmy.ml
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    1
    ·
    9 hours ago

    of course it is. forced 2fa BY SMS OF ALL THINGS is one of the stupidest ideas

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      5 hours ago

      Even stupider is supporting hardware keys for MFA, but having SMS fallback which can’t be disabled (looking at you, Vanguard). I’d much rather have email as my second factor than SMS, and I literally abandoned a bank (Ally) for removing email as an alternative to SMS.

    • capital@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      6 hours ago

      I assume businesses only jumped at the chance to enable SMS 2FA to get their greedy little fingers on our phone numbers.

  • rarbg@lemmy.zip
    link
    fedilink
    English
    arrow-up
    50
    ·
    13 hours ago

    Oh man it sure would be nice if the feds had the power to regulate something like this /s

    • Peter L@lemmings.world
      link
      fedilink
      English
      arrow-up
      47
      arrow-down
      3
      ·
      12 hours ago

      They did. That’s the reason for this hack, they wanted Lawful Interception, they got their backdoor. It’s what professionals and privacy advocates said all along, if it exists it will be abused.

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        5 hours ago

        This isn’t a hack in the way you’re thinking of, nor is it a product of government mandated interception, or a back door. The salt typhoon event you’re referring to is nothing more than the tip of the iceberg of a much bigger problem, which is abuse of the dated SS7 system we’ve known about for decades.

          • capital@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            6 hours ago

            Thanks for bringing receipts. In stark contrast to my experience on Reddit, Lemmings usually seem allergic to showing their work for some reason.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              5 hours ago

              Yeah, I don’t get it. I go out of my way to provide sources even before being asked.

              What’s really frustrating is when others users criticize me for providing evidence that could be used to counter my claim. I’m not trying to win arguments, I’m trying to show my work so others can correct me if I missed something. I’m here to learn and educate, in that order, yet so many only seem interested in engaging in discussion that jives w/ their existing opinions. That was a problem on Reddit too, but at least someone would chime in w/ sources much of the time.

  • someguy@pleroma.someotherguy.xyz
    link
    fedilink
    arrow-up
    179
    arrow-down
    1
    ·
    19 hours ago

    @return2ozma @technology
    10 years ago, the Feds wanted backdoors to all of phones so they could read all of our text messages. Now, the Feds want everyone not to use software that has backdoors so the Chinese cannot read our phones. The Feds don’t want competition.

    • Screen_Shatter@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      5 hours ago

      SMS spoofing and SIM swapping have been around for ages. It was never secure and that’s always been known. The number of companies that rely on it despite sending me a zillion other fucking useless emails is too damn high! Email, or better yet, an authenticator app, are far more secure. Not perfect, but better.

      • shortwavesurfer@lemmy.zip
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 hours ago

        One big reason I’m hesitant to keep my money in banks is because banks think the best form of two-factor authentication is text message based 2FA and I’m like that’s barely any 2FA at all.

        • Screen_Shatter@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 hours ago

          My banks are like that too. Of course I can’t speak to anyone who might influence that decision. Steam has better security than almost any other account I have. I appreciate them for that but it also seems ludicrous to me that my video games are more secure than my bank accounts.

          • shortwavesurfer@lemmy.zip
            link
            fedilink
            English
            arrow-up
            3
            ·
            4 hours ago

            I keep my money in Monero. That way, it’s me who has to be targeted instead of an institution. And if I fuck up and lose it, it’s my own damn fault.

            • Screen_Shatter@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 hours ago

              I have some crypto, some stocks, etc. For many things I still need standard banking though. Crypto just isn’t there yet. Maybe someday… But having money distributed is still smart either way, so I have many baskets for my eggs.

  • phoneymouse@lemmy.world
    link
    fedilink
    English
    arrow-up
    25
    ·
    edit-2
    17 hours ago

    Thank god, give me my HMAC hash please.

    Nothing more terrifying than losing your phone number these days because of all the accounts tied to it via 2FA.

  • communism@lemmy.ml
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    1
    ·
    18 hours ago

    I wish Signal stopped using it. I know you can set a Signal PIN but a lot of the non-techy friends I speak to on Signal probably wouldn’t think to, or look through the settings (not that you need to be “techy” to set it, but you know the kind of learned helplessness most people have about tech). At least a prompt for all users to set an account PIN so their account can’t just be stolen by anyone with their SIM card.

    • EngineerGaming@feddit.nl
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 hours ago

      Another thing is that even if you set a PIN, you’d still have to log into your account relatively regularly so that if you lose access to your number, you wouldn’t lose an account. It’s logical, given that numbers are reused… But that means that if you want to register without effectively tying your account to your ID (KYC when buying numbers is mandatory in a lot of the world, remember!), you’d have to pay for another phone bill (expensive given that the number’s practically doing nothing!) or use a one-time rental… Which guess what, puts your account at constant risk!

      • ChillPill@lemmy.world
        link
        fedilink
        English
        arrow-up
        19
        ·
        16 hours ago

        They abandoned letting you use the Signal app to send and recieve SMS. You still need to get a code via SMS to activate your Signal account. I believe this is what they are referring to.

        • communism@lemmy.ml
          link
          fedilink
          English
          arrow-up
          4
          ·
          6 hours ago

          Yep, I was referring to that. You can stick someone else’s SIM in your phone and log into their signal account if they’ve not set a Signal PIN. You don’t see message history but new messages to that person will go to you.

    • Telorand@reddthat.com
      link
      fedilink
      English
      arrow-up
      47
      ·
      18 hours ago

      The novelty is the fact that it’s ongoing. They haven’t mitigated the hack. The threat actors are still inside the networks, which is why the government is telling people to switch to E2EE apps.