Hacker News new | ask | show | jobs
by gtkspert 404 days ago
You have to think of a Bank's threat model though.

Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...

Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.) And requiring a special app is quite difficult to automate.
6 comments
sedatk 404 days ago
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.

Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.

I don't even know how recovery scenarios work for passkeys.

link
sir_brickalot 404 days ago
Counter: Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.
link
kube-system 404 days ago
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
link
TingPing 404 days ago
You aren’t wrong. It is built in to Googles and Apples though, should be widely used.
link
raron 404 days ago
> Losing TOTP is easy. Lose your phone and it's gone.

That is the main point of it. That's why it is called a second factor.

> It means game over for a regular person.

It just means you have to go to the nearest branch.

link
sneak 404 days ago
Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.
link
sedatk 404 days ago
What do you think such a recovery mechanism would look like without SMS?
link
Uvix 404 days ago
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.

As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.

link
sedatk 404 days ago
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.

Offline backup codes, when printed, isn't such a bad idea. But when you lose that piece of paper, again, game over.

SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.

link
Uvix 404 days ago
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
link
loeg 404 days ago
Show up in person with ID.
link
kube-system 404 days ago
That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.

https://en.wikipedia.org/wiki/Direct_bank

link
loeg 403 days ago
We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.
link
sedatk 404 days ago
Yes, but remember, the original scenario was person leaving Canada, and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access to their account easily.
link
loeg 403 days ago
> There is nowhere to show up.

There's Canada. And yes, re-enabling a SIM and paying a handful of roaming SMS charges might easily be more convenient than traveling to Canada.

link
mixmastamyk 404 days ago
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
link
Detrytus 404 days ago
Password managers, such as KeePassX can generate TOTP codes. And Keepass database is just a file, you can have as many backups of it as you want.
link
sedatk 404 days ago
You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.
link
dfxm12 404 days ago
The banks' real threat model is around what punishments will come from the government. If there's no real regulation with teeth, banks will not care.
link
gruez 404 days ago
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need as a $60 android phone and an app with SMS access.
link
nunez 404 days ago
There are ways of getting phone numbers that can be used in automation. Then there's SIM cloning, which is apparently very easy to do and very hard to defend against given how often this happens.
link
speckx 404 days ago
I was surprised that Bank of America still does SMS based 2FA.
link
dmoy 404 days ago
BoA is one of the very few US banks that do any modern auth - they support fido2 security keys.

Of course effectively 0% of their customers actually use it, and instead rely on sms

link
kccqzy 404 days ago
Huh I set up SMS 2FA for BofA back in 2016 and I never knew they now support fido2.
link
dmoy 403 days ago
They don't let you get rid of sms fallback, so it's not immune to sim theft

It does help vs phishing though

link
charcircuit 404 days ago
Why would a bank care about money laundering?
link
Muromec 404 days ago
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.

Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.

link
charcircuit 404 days ago
There is a difference between caring about reducing legal risk and caring about money laundering.
link
jszymborski 404 days ago
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].

[0] https://www.investopedia.com/stock-analysis/2013/investing-n...

link
hiatus 404 days ago
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.

> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.

https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...

link
rs186 404 days ago
I think you can easily answer that question yourself by doing a simple search.
link
josephthejoe 404 days ago
It's a long-complicated story but it essentially boils down to this: https://en.wikipedia.org/wiki/Bank_Secrecy_Act
link
gruez 404 days ago
If they're not seen as doing enough, they can be fined by regulators.
link