July 14, 2021

Are banks liable if a 2fa SMS is intercepted?


It’s been [well known](https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html) for [years](https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/) that [SMS](https://www.techrepublic.com/google-amp/article/top-5-reasons-not-to-use-sms-for-multi-factor-authentication/) is [terribly insecure](https://www.cnet.com/google-amp/news/do-you-use-sms-for-two-factor-authentication-heres-why-you-shouldnt/) as a [2FA method](https://www.zdnet.com/google-amp/article/microsoft-urges-users-to-stop-using-phone-based-multi-factor-authentication/). There have been [high-profile](https://www.coindesk.com/mobile-employee-sim-swap-crypto-hacks) documented cases of [text codes](https://www.theregister.com/AMP/2020/02/26/crypto_theft_att_judge/) being intercepted via [SIM swap](https://krebsonsecurity.com/tag/michael-terpin/) to gain access to an account.

Yet banks still use it universally.

I’d venture a guess that the only way to get banks to switch to something like OTP is to light a fire under them. Is there a legal case to be made that it’s willful negligence at this point?

(To clarify: I’m talking about U.S. banks here.)

Comments

Andazah

Can you explain how SMS is insecure as a 2FA? Is it the phishing element or is their inherent technical flaw in it?

Thanks in advance

Tattoodmatt7486

A lot of banks are moving away from SMS as a second factor. Most UK banks now use TOTPs. The bank i use is online only and it uses biometrics on mobile and it uses Push Notifications from the mobile app for desktop logins.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.