this post was submitted on 09 Dec 2024
780 points (99.7% liked)
Transmitting an OTP to the user is a security risk.
Banks in the EU are, in fact, forced to implement 2FA using phone numbers as part of the "dynamic linking" requirement of PSD2, which makes more secure methods of 2FA (like TOTP) not allowed.
Ah, I see.
Your point is that the use of a secondary channel for a One Time Pass is still an insecure method versus the use of a time-based one time password (for example as generated in a mobile phone app or, even more secure, a dedicated device). Well, I did point out all the way back in my first post that SMS over GSM is insecure and SMS over GSM seems to be the secondary channel that all banks out there chose for their 2FA implementation.
So yeah, I agree with that.
Still, as I pointed out, challenge-response with smartchip signature is even safer (way harder to derive the key, and the process can actually require the user to input elements that get added to the input challenge, such as the amount being paid on a transfer, so that the smartchip signs the whole thing and it all gets validated on the other side, which you can't do with TOTP). Also, as I said, from my experience with my bank in The Netherlands, a bank using that system doesn't require 2FA, so clearly there is a bit more to the Revised Payment Systems Directive than a blanket requirement for dynamic linking.
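The difference the comment above describes, as an added example that is not part of the thread: a TOTP code depends only on time, so the bank cannot tell whether the amount it received is the one the user authorised, whereas a chip-style response over the challenge plus the typed-in amount and payee fails verification as soon as either is altered in transit. HMAC-SHA256 stands in for the chip signature, and the key, challenge, amount and account number are constructed for the demo.

```python
# Added example, not from the thread. HMAC-SHA256 is a stand-in for the
# card's signature; key, challenge, amount and payee are constructed values.
import hashlib
import hmac
import struct

KEY = b"constructed-shared-secret-for-demo"  # bank <-> device secret (constructed)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(key: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed by the time step only, never by the transaction."""
    return hotp(key, now // step)

def dynamic_linking_code(key: bytes, challenge: bytes, amount_cents: int, payee: str) -> str:
    """Chip-style response: the signed input is the bank's challenge plus the
    amount and payee the user typed in, so the code is bound to this transfer."""
    msg = challenge + struct.pack(">Q", amount_cents) + payee.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"

def bank_verifies_totp(code: str, now: int, _amount_cents: int, _payee: str) -> bool:
    """TOTP verification has nothing to compare amount/payee against: any
    currently valid code passes regardless of what the transfer says."""
    return hmac.compare_digest(code, totp(KEY, now))

def bank_verifies_linked(code: str, challenge: bytes, amount_cents: int, payee: str) -> bool:
    """Recompute the response over the transaction the bank actually received."""
    return hmac.compare_digest(code, dynamic_linking_code(KEY, challenge, amount_cents, payee))

def simulate(tamper_amount: bool) -> dict:
    """User authorises 100.00 EUR to a payee; something on the path may rewrite the amount."""
    now = 1733740800  # constructed timestamp
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed; a bank would use os.urandom(8)
    user_amount, user_payee = 10000, "NL00DEMO0000000001"  # constructed
    totp_code = totp(KEY, now)
    linked_code = dynamic_linking_code(KEY, challenge, user_amount, user_payee)
    sent_amount = 999999 if tamper_amount else user_amount  # what the bank receives
    return {
        "totp_accepted": bank_verifies_totp(totp_code, now, sent_amount, user_payee),
        "linked_accepted": bank_verifies_linked(linked_code, challenge, sent_amount, user_payee),
    }
```

With `tamper_amount=True` the TOTP code is still accepted while the linked code is rejected, which is exactly the property dynamic linking is meant to provide.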
Oh, the smart chip is best, it's just not an option for CNP or bank transfers online.
If you send a large wire transfer from your Dutch bank to an account outside the EU, I guarantee your bank is going to demand a transaction confirmation. 99% of the time that's going to be an SMS, unless you're using their (closed source) app on your (insecure) phone.
Well, I haven't really made any large wire transfers to accounts outside the EU from that bank in over a decade, so I can't really confirm or deny.
I do know that in past experience with banks in general, the people checking the validity of suspicious transactions (and large transfers to accounts outside the EU tend to fall into that classification, given the prevalence of online scams from countries where the law is a bit of a joke) will actually call you, or at least they did in the UK some years ago (pre-Brexit), which was the last time I had experience with something like that.
(At one point I also worked in a company that made Fraud Detection software).
Maybe they switched to SMS to save money, I don't know.