Online bank One Finance removed my account's password in favor of _only_ phone/email OTP and a 4 digit pin
from Rexios@lemm.ee to cybersecurity@infosec.pub on 03 Mar 2024 17:12
https://lemm.ee/post/25615754

How is this legal? This has to be the most insecure login method I’ve ever seen. They removed the password from my account without consent and have no way to go back to requiring a password. Literally all an attacker has to do is gain control of either my phone/email and brute force a 4 digit pin. I’m going to have to change banks because of this.

Oh also I posted this on the bad version of Lemmy and the mod tried to claim that this method of auth is actually more secure than a password, posted a Wikipedia article about passkeys, and then locked the post… In no reality is it at all possible that this is more secure than a password.

So stay away from One Finance if you value your money

#cybersecurity


wesker@lemmy.sdf.org on 03 Mar 2024 17:18

I don’t think that person that commented on your reddit post accurately understands the article they linked. From your description this doesn’t seem like passwordless auth.

Rexios@lemm.ee on 03 Mar 2024 17:29

Well technically there is no password… but it’s not what passwordless auth is supposed to mean

key@lemmy.keychat.org on 03 Mar 2024 17:39

It’s password and MFA with your Pin acting as a super duper insecure password.

abacabadabacaba@lemm.ee on 03 Mar 2024 18:23

troyhunt.com/banks-arbitrary-password-restriction…

cm0002@lemmy.world on 03 Mar 2024 18:41

If banks have some top notch backend security checks, then WHY do so many not let you choose a fucking user name? I absolutely DESPISE any bank that makes me use some dumbass customer/account/user number like 94023382 that I’m NEVER able to remember and always have to go scouring my house for some old paper statement.

But would I stop using a bank (as I’ve seen suggested in the past) solely due to their password policy?

I have.

invertedspear@lemm.ee on 03 Mar 2024 19:01

Ok, email is terrible. It just offloads the onus of security to your email provider. SMS/Phone call however meets the “something you have” aspect of MFA, PIN now counting as “something you know” aspect. Ultimately it sounds super weak, but that weakness can be mitigated by other aspects such as device fingerprinting, geo blocking, locking out after failed attempts, etc.

The thing is, at some point, the bank will have a customers account get breached no matter what they do. If they want to be lax on security, they better provide top notch customer service when a breach occurs because they’ve taken the onus of security off the account holder and limited their options on being more secure.
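As an added illustration of the lockout point made above (constructed example code, not from One Finance or from anyone in this thread): a server-side model of the 4-digit PIN step, with a simulated guessing run against it to show how an attempt limit bounds an attacker who already controls the OTP channel. The class and function names are invented, and the keyed hash stands in for a proper slow password KDF.

```python
import hmac
import os
from typing import Optional

PIN_SPACE = 10_000  # every 4-digit PIN from 0000 to 9999


class PinVerifier:
    """Server-side check of the 'something you know' factor (constructed model)."""

    def __init__(self, pin: str, max_failures: Optional[int] = 5) -> None:
        self.max_failures = max_failures      # None = no lockout at all
        self._key = os.urandom(32)            # server-side secret for the keyed hash
        self._pin_hash = self._hash(pin)
        self.failures = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        # Keyed hash stands in for a slow KDF so the demo runs quickly.
        return hmac.new(self._key, pin.encode(), "sha256").digest()

    def verify(self, pin: str) -> bool:
        """Return True only for the correct PIN on an account that is not locked."""
        if self.locked:
            return False
        # Constant-time compare so timing does not leak matching prefixes.
        if hmac.compare_digest(self._hash(pin), self._pin_hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def simulate_guessing(verifier: PinVerifier) -> tuple[bool, int]:
    """Walk every PIN in order against the local model; return (success, attempts used)."""
    for n in range(PIN_SPACE):
        if verifier.locked:
            return False, n
        if verifier.verify(f"{n:04d}"):
            return True, n + 1
    return False, PIN_SPACE


def guess_probability(max_failures: Optional[int]) -> float:
    """Chance one lockout window lets a guesser hit a uniformly random 4-digit PIN."""
    if max_failures is None:
        return 1.0
    return min(max_failures, PIN_SPACE) / PIN_SPACE
```

With no lockout the whole space is exhausted in at most 10,000 tries; with a five-attempt lockout each window gives the guesser a 0.05% chance, and the remaining risk sits with the phone/email channel itself.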

Rexios@lemm.ee on 03 Mar 2024 19:13

I would argue that a phone number barely counts as “something you have” because of how easy it is for attackers to gain access if they really want it. It’s more like “something your cellphone company has and lets you use”. I would rather have email 2FA over SMS because that account actually has a strong password and real 2FA on it. The truly terrible part is you can’t disable either auth option so any attacker has two attack vectors.

misanthropy@lemm.ee on 03 Mar 2024 23:05

SIM swapping is stupid easy and common

SMS 2FA is not real 2FA. My non techie buddy’s business got hacked, he got got for over a hundred grand.

shortwavesurfer@monero.town on 03 Mar 2024 20:24

Yeah, no, I would not stand for that. I would be switching banks as soon as possible.

homesweethomeMrL@lemmy.world on 03 Mar 2024 22:23

Sometimes you just have to walk away.

recursive_recursion@programming.dev on 04 Mar 2024 04:34

huh didn’t take them that long to devolve into another stack overflow it seems.

x3i@kbin.social on 04 Mar 2024 06:10

Switch banks. I recently did so too after the previous one tried to force a TAN app on me without any way to use a physical generator. Security part aside, I use a custom OS on my phone and these stupid banking apps all love their safety net checks.
New bank was able to just send me a generator and everything works fine.