by robhlt
35 days ago
Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else. They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.

Doing re-2FA for every outbound transfer, and mentioning the consequences of entering the 2FA code out of band (e.g. "enter code 123456 to confirm transfer of x$ to y" or "press OK to confirm transfer..." in a mobile app) should be the bare minimum these days.