
A while back, I heard about a scam where individuals were targeted by someone at one of the mobile phone providers. They logged in with their bank details, rerouted the authentication messages to their phone, and proceeded to do as they pleased. The "victim" had no idea it was happening as all the auth and notification SMSes being sent to their mobile number were being routed to someone else entirely.

How should the bank handle that? Sounds like one needs to send a crypto-signed ACK before the bank enables access with the reauth code. Good companies at least send an ack email after the fact.
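
The signed-ACK idea from the comment above, worked through as an added example (not code from this thread): a secret enrolled on the customer's device answers a one-shot bank challenge bound to the action being approved, so a rerouted SMS code alone is not enough. All names and values are hypothetical and constructed.

```python
import hashlib, hmac, secrets

# Constructed example of a device-bound, signed acknowledgement for a re-auth step.
DEVICE_SECRET = secrets.token_bytes(32)  # enrolled once, out of band, on the real device

def sign_ack(secret: bytes, challenge: bytes, context: str) -> bytes:
    # Device side: MAC the bank's challenge together with what is being approved.
    return hmac.new(secret, challenge + context.encode(), hashlib.sha256).digest()

class Bank:
    def __init__(self):
        self.devices = {}   # device_id -> enrolled secret
        self.pending = {}   # challenge -> (device_id, context); single use

    def enroll_device(self, device_id: str, secret: bytes) -> None:
        self.devices[device_id] = secret

    def start_reauth(self, device_id: str, context: str) -> bytes:
        # Random challenge pushed to the enrolled device; the secret never leaves it,
        # so someone who merely receives the customer's messages cannot answer.
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = (device_id, context)
        return challenge

    def verify_ack(self, challenge: bytes, ack: bytes) -> bool:
        # pop() makes each challenge one-shot, so a captured ack cannot be replayed.
        device_id, context = self.pending.pop(challenge, (None, None))
        if device_id is None:
            return False
        expected = sign_ack(self.devices[device_id], challenge, context)
        return hmac.compare_digest(expected, ack)

def run_scenario() -> dict:
    bank = Bank()
    bank.enroll_device("customer-phone", DEVICE_SECRET)
    ctx = "enable online access from new browser"
    # 1. The enrolled device answers its own challenge.
    ch = bank.start_reauth("customer-phone", ctx)
    legit_ack = sign_ack(DEVICE_SECRET, ch, ctx)
    legit = bank.verify_ack(ch, legit_ack)
    # 2. Replaying the same ack fails because the challenge was consumed.
    replay = bank.verify_ack(ch, legit_ack)
    # 3. Seeing the challenge (e.g. via rerouted messages) without the secret fails.
    ch2 = bank.start_reauth("customer-phone", ctx)
    attacker = bank.verify_ack(ch2, sign_ack(secrets.token_bytes(32), ch2, ctx))
    # 4. A genuine ack for a different action does not approve this one.
    ch3 = bank.start_reauth("customer-phone", ctx)
    wrong_ctx = bank.verify_ack(ch3, sign_ack(DEVICE_SECRET, ch3, "change password"))
    return {"legit": legit, "replay": replay, "attacker": attacker, "wrong_context": wrong_ctx}
```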

Not much seems to have been done about verifying the receiving end of communications - when I call a company on the phone there's no default protocol to confirm their credentials (like per user passwords for the business).
