by wiradikusuma 4089 days ago
Just FYI, there are many cases of malware (presumably browser extensions) targeting online banking in Indonesia recently. The typical flow is like this:

  1. The user logs in to his/her online banking website.
  2. The malware gets triggered and phones home with the user's credentials.
  3. The bad guy logs in using the user's credentials on his own computer.
  4. The bad guy initiates a bank transfer from the user's account to his account.
  5. The bad guy is presented with "enter auth code" to confirm the transaction.
  6. The malware pops up "Verify your auth code" on the user's computer.
  7. Thinking "it must be a new method from my bank", the user types his/her auth code.
  8. The auth code gets sent to the bad guy, allowing him to complete the transaction.
  9. Profit.
Even tech-savvy people can be victims if they're careless.

Ew, bank fail. My bank will send me a 2FA code to my phone, it'll explain what it's for first. So the message will say 'you're trying to send $200 to xyz at date yxz. Enter this code'.

You'd then have to go to a screen on your computer with that particular transaction, find it, and enter the code. You don't suddenly get some kind of authentication pop-up and know to enter a particular code that authorises anything that isn't your password. That's the whole point of 2FA?

Beyond that, it's surprising that bank fraud still happens, seeing as in most countries there are very strict KYC/AML requirements, meaning you can only open a bank acc with an ID in person, with a registered address. I got hit by this myself a while ago when I sent some money for an online purchase that never delivered. I was really bummed out, got scammed, but thought at least I had an acc number with a name and address. I looked into it more and it turns out there's a big network of low-end criminals who will approach some 16-year-old on his way home from high school. He'll have $50 in his account. He is given $100 straight up, and promised $200 additionally later on, in exchange for his debit card. The youth thinks 'why the hell not, got $50 to lose, just gained $100 and potentially more'. The criminal will use that bank acc to collect money, retrieve it from an ATM with the card, then disappear. A police investigation into the scam will turn up a 16-year-old unaware of the risk of 'identity theft' (weird semi-bs concept itself) who lent out his card and didn't understand the consequences. The criminal goes free without a trace.

Even contextual messages are game-able - the default text "enter your verification code" showing up on the website will likely catch a LOT of people, since they're thinking it's from the bank.

Extensions are Apps.

Without a meaningfully robust (and mandatory) security model and some basic security audits to prevent over-reaching security defaults/requests, you might as well be running Windows XP.

Doesn't even have to be that complicated: the malware can just silently rewrite the destination to the malware author's and wait for people to send money there anyway. It's a reasonably dangerous property of Google-style 2FA that codes can be transposed without any warning. My bank attempts to get around this by only using SMS-based tokens, and the first line of the SMS says exactly what is being sent and where.
On the other hand, it's much easier to reroute a cell phone number through social engineering than to steal TOTP secrets.
Is it really possible from an evil standpoint to get SMS rerouted to another number? I was looking into that a while ago (I wanted a prettier number, but didn't want to lose things associated with the old one) and the answer I got was that it's not something anybody can do. I get how the phone call rerouting stuff would go down, but not SMS rerouting.
GrandCentral / Google Voice used to be able to do this, along with tons of other awesome stuff for VoIP nerds. You could bring whatever DIDs you had (IIRC they also sold them for a reasonable fee) and set up routing however you wanted, and you could trunk to your own SIP server if you wanted to, e.g., set up a phone menu to drive your home automation.

Not sure if any of that still works with GVoice, but if not, I'd look into doing it with Twilio possibly.