
My bank has two-factor using some special applet thingy on my phone (not a regular app, it's tied into the SIM card somehow). It shows me the details (amount and destination account) which I have to confirm using my password (in combination with a key from the SIM).

Much more difficult to circumvent, assuming the user pays attention...




Then, the malicious script can just pop up an official-looking dialog box with a message saying that they are 'testing' the confirmation system, and please accept/agree to the next SMS/alert from the app.

Having direct control of the user interface is very powerful.


Of course one has to have a minimum of awareness for any protection mechanism to work.



