I just got an email from my credit union that they're "transitioning from email passcode delivery to more secure methods such as phone calls and text messages". I need to send them this video.

That credit union is awful for many other reasons, so I don't keep much in that account, but I wonder why banking in the US is so bad at security. I don't think I have a single bank or credit card online account that allows for TOTP. It's all SMS or phone call, with one bank allowing for app push notifications.

Is there a compliance check box that requires SMS over something with at least some security?
Therefore, by adding multiple ways to log in/recover an account, each additional one lowers the safety?

Also, worse: does this mean that by just having one bad 2FA/recovery method like SMS along with more secure ones like TOTP/RFC 6238 or hardware keys, the overall security level is as low/bad as the worst method undermining the rest? Why do companies still allow or even encourage multiple methods (and SMS)?

I love the convenience of SMS sometimes, but if it doesn't add any security at all, just a sense of fake security that they won't even need an IMEI from me, just my phone number, jeez. This should be solved or forbidden by major institutions and services.
Can we stop requesting SMS "authentication" for everything? Holy hell, I don't want my cell number to be a back door into everything, yet so many services are making this account backdoor mandatory.
Feels like SS7 was deliberately left vulnerable from requests within the country for tracking purposes. A lot of the security seems to be done with firewalls within the walled garden so it's easier for the Five Eyes to track cell phones live without giving direct access to the databases.

That said, the real world example Veritasium used was chilling.

Having LinusTechTips as a 2nd example (who's showing off his new Apple phone) was a nice counter too. I'm pretty sure LTT uses multi-factor + user auth though, so I'm guessing that SMS 2FA email was an alt email for personal use.

Gonna have to watch that 2014 presentation on SS7 it seems.
The video actually shows this only applies to 2G and 3G. And while it stated that the EU (as usual) used 2G for every car sold, they can stop supporting all 2G and 3G on mobile.

To quote a report from GSA:

> 192 operators in 68 countries and territories have completed, planned, or are in the process of switching off their 2G and 3G networks.

So it is not as bad as most people think. My only wish is that we could do the 5.5G transition a lot faster and switch off 2G / 3G ASAP.