Oh, got ya. In that case it's even better to use the same app for authentication. I though mobile app was not an option for that bank.
You're absolutely right - SIM swapping is a major threat in many parts of the world. If you're a target and the attacker is determined, you could be in serious trouble. However, it's more cost-effective for bad guys to…
What about the transactions authorization?
Authentication is one thing. When it comes to banking - the authorization is the key (no pun intended ;) Believe it or not, SMS is still one of the best ways to authorize sensitive transactions, even when compared to…
> The private key is stored on your device, say on iOS it would be stored encrypted in the secure enclave and accessible via TouchID/FaceID. What's important is that even though they are stored in the SE, they are no…
Seems like it :) but I would be more pragmatic and didn't bash the system for the reasons you brought up :) ad 1 - IMO, it's still sufficient at scale with some basic infra. hardening ad 2 - AFAIK the "secret" was never…
> You didn’t explain how this gives you any protection akin to a physical chip on a debit card… In both cases you (an admin) control how many attempts you wish to accept before sacrificing the usability over security…
You're over complicating this. In fact it might provide a similar kind of protection the physical chip provides for debit cards. Let me explain: 1. Someone (anyone) initiates the login flow 2. The user record in a DB…
Oh, got ya. In that case it's even better to use the same app for authentication. I though mobile app was not an option for that bank.
You're absolutely right - SIM swapping is a major threat in many parts of the world. If you're a target and the attacker is determined, you could be in serious trouble. However, it's more cost-effective for bad guys to…
What about the transactions authorization?
Authentication is one thing. When it comes to banking - the authorization is the key (no pun intended ;) Believe it or not, SMS is still one of the best ways to authorize sensitive transactions, even when compared to…
> The private key is stored on your device, say on iOS it would be stored encrypted in the secure enclave and accessible via TouchID/FaceID. What's important is that even though they are stored in the SE, they are no…
Seems like it :) but I would be more pragmatic and didn't bash the system for the reasons you brought up :) ad 1 - IMO, it's still sufficient at scale with some basic infra. hardening ad 2 - AFAIK the "secret" was never…
> You didn’t explain how this gives you any protection akin to a physical chip on a debit card… In both cases you (an admin) control how many attempts you wish to accept before sacrificing the usability over security…
You're over complicating this. In fact it might provide a similar kind of protection the physical chip provides for debit cards. Let me explain: 1. Someone (anyone) initiates the login flow 2. The user record in a DB…