Batman:
So I guess the solution is don't use SMS 2FA for banking?
The solution is do not use SMS 2FA for *anything*
Batman:
I heard from a friend that their direct relation had their phone number ported to another carrier by thieves, and then their bank account was drained after using the phone number as bank account verification for log in.
How does one prevent that?
(Just realised while typing that this may not be Android related, though the phone was an Android)
jjnz1:
Access to my bank:
Need username and pass and access to text message to activate new device. (This can't be changed I think) then there is no limit to what I can do IMO.
This raises an interesting question; for banks like BNZ which have app based 2FA, what exactly is required to install the app on a new device? I assume that if someone has managed to compromise your internet banking username and password then it wouldn't be hard to also get the 2FA app working?
I DON'T have $1000 limits on my accounts, 10x that seems to go fine (on the very odd occasion I have done that).
What's not easy about this?
I am surprised at the $1000 limit because I had no problem doing the transfer last time I bought a car.
Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy
alasta:
This raises an interesting question; for banks like BNZ which have app based 2FA, what exactly is required to install the app on a new device? I assume that if someone has managed to compromise your internet banking username and password then it wouldn't be hard to also get the 2FA app working?
NetGuard card is required to activate BNZ app. Until the app is activated it doesn't do 2FA, doesn't allow to create payees, etc.
networkn:
Batman:
So I guess the solution is don't use SMS 2FA for banking?
The solution is do not use SMS 2FA for *anything*
I disagree. SMS 2FA is better than no 2FA at all.
As mentioned before, people reuse passwords, or passwords are intercepted by malware. No one is advocating to not use passwords for anything.
It is a balance. But most importantly, since SMS is only one of the factors, the question that should be asked is actually "how did the Bad Actor get hold of the original bank customer account number, bank customer password and phone number?"
The answer could be good old social engineering ("Hello, Mr Gullible Client. I am from The Bank. We need to make sure all is good with your account so first we need to verify your identity. Could I please have your account number and password to confirm you are the account owner?").
If this was a random call to a landline, it could be followed up with a "Great Mr Gullible Client, now that we know it's you, we have a mobile number here as 0319347273 is that still the best way to contact you?" at which point Mr Gullible Client will say "Oh, no something is mixed there because this is not my number - here is the correct number..."
Alternatively, it could be malware installed when someone calls saying "I am from your ISP. Our systems identified a problem with your computer and we need to check it for viruses. Can I please remote access your computer now to check it?"
SMS 2FA is only one thing - there is more to it.
freitasm on Keybase | My technology disclosure
I see. That's reassuring ...
But I thought maybe with certain banks - can you get a new password with SMS?
Involuntary autocorrect in operation on mobile device. Apologies in advance.
Batman:
I see. That's reassuring ...
But I thought maybe with certain banks - can you get a new password with SMS?
Then that wouldn't be a second authentication factor. Password resets would be via email, which would have its own authentication scheme.
freitasm on Keybase | My technology disclosure