by jechamt 2691 days ago
The attack described is two-part:

1. The criminals launch a phishing campaign against you specifically to get your bank username and password. This is defensible, although the harder step, by being vigilant, not clicking links, regularly changing your password, ensuring your password is unique so they won't be able to find it on a database of another breached web service, etc.

2. They intercept your SMS-based 2FA. This is not possible if you are not using SMS-based 2FA. Switch to a more secure method of 2FA, or communicate your concerns to your bank if none is available (really, make it public, because this is a big deal), or switch banks.

I believe there are things you can do to defend yourself, although having to do these things is clearly not ideal. Hopefully just knowing about it will improve a person's defensive posture against such types of attacks.

Edit: formatting (for anyone who's ever wondered: https://news.ycombinator.com/formatdoc)

3 comments

"Switch to a more secure method of 2FA"

If you can... All the institutions (bank, 401K, IRA) I use will fall back to SMS even if you have a more secure method. I gave up trying to find one that didn't.

Instead I got a burner phone with cash. Don't really know if it helps but it seems less likely that some database dump has my name associated with that number.

"Switch to a more secure method of 2FA"

What would you suggest? I've heard that using your phone for 2FA is a bad idea several times now, but I'm not hearing suggested alternatives. Clearly your alternatives are limited by what you're offered, but I would still welcome advice for what practical alternatives I should try to use instead of phone.

An app or hardware generating TOTP or HOTP codes is generally considered better than SMS-based authentication but is susceptible to phishing and requires planning around phone upgrades or backup measures in case of a lost device. Google Authenticator app, Yubikey, or the like.
I'm not claiming this is more secure by any means but I started using a Google Phone number for 2FA associated with a Google account which uses a hardware token for authentication. My reasoning being that a Google phone number cannot be transferred without logging into the account and releasing the number. So I figured if I used the most secure 2FA method for that account it would be safer than relying on my telco which doesn't employ any serious security measures and is likely more susceptible to social engineering than Google.
I think there needs to be a larger effort to shame the banks into fixing their MFA support. Some of them sign onto FIDO2 for example but don't enable it for their customers. I've looked for every bank I do business with and NONE of them support non-SMS MFA.