The article describes the "sophisticated" attack:

* Phish the users. The user must fall for this attack.

* Prompt the user to MANUALLY download AND install an application on their PC.

* Then (if that's not enough) download and MANUALLY install an app on your phone.

That's a whole lot of poor decisions on the end user's part. I wouldn't be surprised if these users wouldn't have just replied to an email with their account number and PIN. Better yet, just ask them to mail you cash; seems like something they would do too.

Think, people. C'mon.
Jesus Christ. How incompetent are the banks?

Surely you're going to notice sudden repeated transfers to a (presumably foreign) bank account and at least query them? If these guys are able to open hundreds of accounts to spread out the funds then that's another problem, and the banks responsible should be simply blocked.
People always laugh at me when they notice I use a paper sheet with one-time passes instead of SMS notification, but this is the precise reason I do it. The coupling between your PC and your phone is too great to really rely on it for being the second phase of your authentication.

I even like to check my bank account on my phone, completely removing the use of SMS as a second phase.
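For readers unfamiliar with the paper-sheet scheme the commenter above prefers, here is an added example (not code from the thread or from any bank) of how a server can verify an indexed one-time-pass sheet: the bank prints a numbered list of codes, challenges the user with a random unused index, accepts exactly one attempt per challenge, and burns the index once it is used. The sheet size, code length and class names are assumptions for illustration; the `seed` parameter only exists so the behaviour can be reproduced offline.

```python
import hmac
import random

# Constructed example: an indexed one-time-pass sheet ("iTAN"-style).
# The second factor is a piece of paper, so it shares no channel with the
# PC or the phone the user is logging in from.

SHEET_SIZE = 50   # assumption: codes per printed sheet
CODE_LEN = 6      # assumption: digits per code


def _rng(seed):
    # SystemRandom for real use; a seeded Random only for reproducible demos.
    return random.Random(seed) if seed is not None else random.SystemRandom()


def issue_sheet(size=SHEET_SIZE, seed=None):
    """Return {index: code} for a freshly printed sheet of random digit codes."""
    rng = _rng(seed)
    return {i: "".join(str(rng.randrange(10)) for _ in range(CODE_LEN))
            for i in range(1, size + 1)}


class TanSheetVerifier:
    """Server-side state for one customer's sheet: which indices are burnt
    and which index (if any) is currently being challenged."""

    def __init__(self, sheet, seed=None):
        self._sheet = dict(sheet)
        self._used = set()
        self._pending = None
        self._rng = _rng(seed)

    def remaining(self):
        return len(self._sheet) - len(self._used)

    def challenge(self):
        """Pick a random, not-yet-used index and ask the user for that code."""
        unused = [i for i in self._sheet if i not in self._used]
        if not unused:
            raise RuntimeError("sheet exhausted, issue a new one")
        self._pending = self._rng.choice(unused)
        return self._pending

    def verify(self, index, code):
        """One attempt per challenge; a used index is never accepted again."""
        if self._pending is None or index != self._pending:
            return False                # no challenge outstanding, or wrong index
        self._pending = None            # any answer consumes the challenge
        if index in self._used:
            return False                # replay of a burnt code
        ok = hmac.compare_digest(code, self._sheet[index])  # constant-time
        if ok:
            self._used.add(index)
        return ok


if __name__ == "__main__":
    sheet = issue_sheet(size=5, seed=1)
    v = TanSheetVerifier(sheet, seed=2)
    idx = v.challenge()
    print("asked for code #%d -> %s" % (idx, v.verify(idx, sheet[idx])))
    print("replaying it      -> %s" % v.verify(idx, sheet[idx]))
    print("codes left: %d" % v.remaining())
```

Note that a plain code sheet proves the user has the paper but says nothing about which transaction is being approved; if the PC itself is compromised, the malware can still present the bank's challenge for a transfer the user never intended. Schemes that bind the code to the destination account and amount (or a reader that displays them) close that gap; this example only shows the single-use bookkeeping.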