Two-factor annoyances

When I need to bank online, I started with needing: Account Number, Memorable Data and a 6-digit code number, of which I need to enter 3 digits each time I log in. That seemed like a very good scheme, but hey, we have to keep the coders/programmers employed, so the bank, like everyone, is changing to “Two-Factor” using an SMS sent to a phone on every login. So now all someone needs to access my account is my account number and access to the SMS sent to a phone. Note I say “a phone” and not “MY phone”. Yes, I may own the phone, but it’s a device anyone can grab/find/have access to. Is a phone really secure and linked to a single person? My phone is a basic flip phone without a lock. I don’t have nor want a smartphone, and even if I did, having to unlock it to use it is an annoyance. Understanding what I am saying about phones, is Two-factor really safer than the above scheme?

On top of that, my bank will not send SMSs to my phone, as the bank is in the UK and the phone is on a Greek network with a Greek number, and the bank claim they cannot know if the phone is my phone because of this. LOL LOL LOL. I don’t know how they could know the phone and number are mine if it were a UK number. When they send an SMS, how can they know who is looking at the SMS on the phone? (They cannot.)

Having 2-factor is more secure than not having 2-factor. Though SMS isn’t the best, IMO. It subscribes to the model of “something you know plus something you have”; however, SIM jacking is a big problem. But it is more than likely easier for normies to use, since there is essentially zero setup for them. If I had to guess, it is likely the easiest way for a company to fend off credential stuffing attacks on people’s accounts, so that’s why they use SMS.

The question was NOT “is it better than not having it” but “is it better than what I have”. I would also argue that with the ability to “clone” phones, it is not as safe as we are all conned into thinking. At the moment my brain cannot be “cloned”, and so info (like code/PIN numbers and passwords) that I keep in my brain is safer/not hackable* than info that is not.

*Assuming that I am not being tortured, but if that is the case then I think I have more to panic about than whether my password, PINs, memorable data and numbers are safe LOL

Might be hard to guarantee this. But both Android and iOS are currently the most secure OSes most people have in their lives.

They also encrypt your phone by default. So if you find an iPhone on the street, it’s not really all that simple to get in there at all.

The bank where I am somewhat insists you use their authenticator app instead. Though, I’m guessing that if your bank had the option to do that, you couldn’t because you don’t have a smartphone.

“Android and iOS” Re-read my first post. I and others do not have/do not want a smartphone.

Yeah, it does not matter. It’s relevant because it’s part of the reason phones are so popular for 2FA. If you had read the post to the end, you would have known that I acknowledged you not having a smartphone.

Either way, if your PC is compromised (as in hacked), or a server for a service where you used the same password (the second hopefully won’t apply to your bank account), then 2FA can save you. An inhumanly long password won’t.

The two-factor method is better in terms of phishing and possibly MITM attacks, IMO. Sending your account number and answers to security questions to log in means you’re sending sensitive and immutable data every time you log in. If the user is sent to a spoofed site and inputs their credentials, the attacker would ALSO have to have access to their phone or a cloned SIM. Unless it is a targeted attack, that is much less likely.

To be clear, I’m not saying you specifically would fall for such attacks. Only that you’re not the only customer at that bank.

Far easier to intercept a PIN/password than an SMS.

SMS intercept would require them to know your… international? phone number to begin with, assuming you only have the one number. You seem like the kind of person who doesn’t exactly post it online or use it when filling out forms.

SMS would be targeted; PIN/password intercept would be a dragnet.

Are you not sending sensitive data with the two-factor method as well? (You still need to let the system know what account you want to access.) Is the line you use to exchange such data not encrypted? (I thought it was.) Yes, I agree with the point about the data being immutable, and that the mitigation of asking for 3 random digits out of the 6 each time is not a 100% mitigation. One mitigation that was/is 100% is the use of a card reader where the pass number changes with every login, and I use that at home. However, my bank has plans to stop even that.

As for phishing, surely the best way to deal with that is to teach people the best ways of using the internet. (One should NEVER go to a site linked in an e-mail or ad, and always use the address you know to be the proper one.)

There comes a point where security outweighs use (for me at least; being dyslexic, I hate change, and often change leads to mistakes. Getting locked out of an account when you’re not in your home country can be a nightmare).

I’m thinking more along the lines of not having my phone in the same place as my computer, or when the phone can be accessed by someone else, or times when the phone is lost or stolen, or lost/stolen and returned after being cloned. Example: I am not in my home country and my phone is lost. I need to get a new/replacement phone, and to do that I need to move some money from my savings account to my current account, but my bank will not let me in because they use two-factor and keep sending SMSs to my old phone that I no longer have. I find some way of contacting them with a new phone number, but as the phone number is a Greek one they can’t/won’t send an SMS to it, and I still can’t get in. Umm, what a good idea.

What you have and what you know.

Probably put that one in Authy, though.

Ah, so it’s that dang old pesky security getting in the way of convenience that’s the annoyance then. Age-old dilemma.

Sure, somebody could pick up your phone, but they’d still need to know who you bank with, your account number, and still your PIN/PW (it’s not 2FA otherwise).

Maybe not convenient, but you can move money around at an ATM. Or in a dire emergency, whip out the old credit card and pay it back before the month’s end to avoid interest.

Not necessarily. Your username could contain some sort of information such as a name or email. It would be a good idea on a company’s part to let the person pick a username that doesn’t make it obvious to script kiddies where to try your credentials next if they got them.

To your other point, yes, education for people is wonderful. I believe everyone should have the opportunity to learn good internet habits. There are just too many people out there that haven’t a clue, though. That is how large companies like Apple and Google are able to lull people into their ecosystem: to give them a sense of security while incessantly spying on them… and unfortunately a lot of people are seemingly okay with that.

LOL, you clearly have not tried using an ATM in Greece with a UK bank. As for credit card use… you assume too much (we are not all in the same financial situation). The “assumptions” that people make are another gripe for another channel, but what I will say is that assumptions are something the IT world often gets wrong.

Username (no username with my bank account; most UK banks use account numbers as far as I know) and e-mail are never part of the login either.

As for those that haven’t a clue, or worse, don’t want to get a clue… I am not going to say what I wish to say, but I will say I would try and teach them.

Not sure what you are getting at. For me, “have” refers to objects you can hold, whereas “you know” refers to information in your mind. They’re not one and the same thing.