  • For any cyber security experts, I have a question ...

    I opened an account with a challenger bank yesterday via their app. The sign up flow was to ask for some details (email, name etc.) and then a phone number to text you a six digit code. Moved through the rest of the process no worries.

    However when logging in after opening the account, via their app, it asks for your phone number and then sends a code, which you enter to log in. Also, if you go to "Create account" instead of "Log in" and enter an existing phone number, it sends you the code which then logs you in upon entering it.

    I was under the impression that SMS was incredibly insecure, and that at best it should be used as an additional factor in signing in, not as the only factor. Furthermore, requiring someone to just know a telephone number to sign in (rather than me entering my email or username and then it sending the code to the number on file) seems like it would allow a bad actor to test compromised numbers for access and easily sniff out accounts?

    I'm not naming the bank because I'll disclose to them if I am right, but does this not seem like an incredibly insecure way of securing a bank account?

  • Can you actually get in using only the SMS code on a fresh install on another phone? It may be that the bank is remembering you’ve used that install of the app with that account before.

    Much like locking a bike with a D-lock, SMS isn’t there to make an account truly secure, it’s there to make the risk of compromise acceptable (to the bank) and deter unsophisticated attackers.
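An added example (not code from the thread or from any bank) modelling the phone-number-plus-SMS-code login described above, with the two defensive properties the two comments point at: the "send me a code" step answers identically whether or not the number is registered, so it cannot be used to enumerate accounts, and a correct code on an unrecognised app install is not enough on its own, the device token registered at sign-up must also match. Python, the account list, phone numbers and device tokens are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed sample data: one registered account and its known app installs.
ACCOUNTS = {"+447700900123"}
KNOWN_DEVICES = {}          # phone -> set of device tokens seen at sign-up
PENDING = {}                # phone -> [code, expiry_epoch, attempts_left]
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

def register_device(phone, device_token):
    """Bind an app install to an account (done once during sign-up)."""
    KNOWN_DEVICES.setdefault(phone, set()).add(device_token)

def request_code(phone, send_sms):
    """Issue a one-time code. The response never reveals whether the number
    is registered; a code is only generated and sent when it is."""
    if phone in ACCOUNTS:
        code = f"{secrets.randbelow(10**6):06d}"
        PENDING[phone] = [code, time.time() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        send_sms(phone, code)
    return "If this number is registered, a code has been sent."

def verify_code(phone, code, device_token):
    """Check the code; decide whether SMS alone may complete the login."""
    entry = PENDING.get(phone)
    if entry is None:
        return "denied"
    stored, expiry, attempts = entry
    if time.time() > expiry or attempts <= 0:
        PENDING.pop(phone, None)          # expired or locked: force a new code
        return "denied"
    entry[2] -= 1                         # every guess burns an attempt
    if not hmac.compare_digest(stored, code):
        return "denied"
    PENDING.pop(phone)                    # a code is usable exactly once
    if device_token in KNOWN_DEVICES.get(phone, set()):
        return "logged_in"
    return "needs_second_factor"          # fresh install: SMS is not enough
```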
