And here's Roll Over Beethoven from October 1963 - enjoy!
In any case, the phone-text second channel pretty much requires that the attacker be in the vicinity of the victim, to eavesdrop or spoof*. This reduces the number of possible attackers by many orders of magnitude, and greatly increases their risk of being caught. This should be enough to keep the bank accounts of ordinary people secure.
What the hell - let the guys have fun.
If they have to type in a PIN from the text into the computer, it becomes harder. Not only do we have to intercept the text (stolen or spoofed phone, or eavesdrop if communication is unencrypted) but we have to relay this information to our trojan in a timely manner for it to pass on to the bank.
Posted by on September 4, 2016 at 6:30pm
In the end I think it comes back to the stance that Bruce is taking wrt two factor authentication. Which as I understand it, is that in the face of the specific attacks he mentions, active Man-in-the-Middle attacks (works by user not verifying server) and active Trojan attacks (works by user installing bad code), two factor authentication doesn't provide a lot of additional value. With this I would have to agree.
Posted by on December 18, 2017 at 9:08pm
What you are suggesting is exactly what ABN-Amro in Holland is using. I think it is foolproof with regards that nobody can wire money to an account that I have not given authorisation for. Viewing my private information like saldo etc. is a different story.
As long as this is part of the key, the key will have its faults.
However, one has to take into consideration the "work factor" of moving from passive attacks to active attacks. I think that two factor authentication is a great technology that will overall increase security by "raising the bar", forcing the attacks to get much more sophisticated (which will tend to filter out all but the most determined attackers).