I disagree. 2FA makes it profoundly more difficult to compromise an account. Most people are using a phone as a second factor, so even if the apps don't store files and credentials directly on the device (always in doubt, as seen here), if you have root on a phone you can compromise an account without any user interaction.
What's more, every time you download a banking app on your phone, you have to place a little bit of trust in the competence of whoever the bank outsourced the programming job to. At least with a laptop, a poorly designed website is not (by itself) a threat to everything on your computer or other sites you visit.
Even when it comes to "more 0-days", I think you're probably missing the point. There's a lot more software written for computers that can be compromised than just the handful of programs that comprise iOS, so the raw count is not very meaningful. More practically, I'm willing to bet the odds my (Linux) laptop is compromised are far lower than my phone. I don't install apps I don't trust on my computer, but I have little choice but to on my phone.
> What's more, every time you download a banking app on your phone, you have to place a little bit of trust in the competence of whoever the bank outsourced the programming job to. At least with a laptop, a poorly designed website is not (by itself) a threat to everything on your computer or other sites you visit.
Both would require a 0-day exploit to be a threat.
Even then, substitute the transaction they want for another transaction.
If the device you are using is compromised, you're in for a bad time.
You could send some simple transaction summary to the other device to acknowledge, which is getting better. Even so, that doesn't completely eliminate the opportunity for tomfoolery.
If you sign with a 2FA I cannot see how a compromised computer can make that insecure. Though I will say, the UX on 2FA signing needs to get better, but it is secure enough.
If the 2FA doesn't contain the actual transaction detail, pretty simply.
When user tries to transfer $1,000 of cash from user's investment account to user's bank account, instead, initiate transferring $100,000 to EvilGuy's bank account. Rewrite elements so it appears that $1,000 is being transferred to user's bank account, and wait for user to receive their 2FA code and authenticate. This may be as easy as string replacement both ways.
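As an added example (not from any commenter in this thread), here is the difference the last two comments are arguing about, in Python: a plain HOTP code is valid for whatever request reaches the bank, while a code computed over the amount and destination the user actually saw on the second device fails verification when the request the bank receives differs from that. Only `hotp` follows a published standard (RFC 4226); the `transaction_code` scheme, the shared secret, the counter and the two transfers are constructed for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """A transfer as shown to the user, or as received by the bank."""
    amount_cents: int
    dest_account: str


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code depends only on the shared secret and a counter,
    never on what is being approved."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def canonical(tx: Transaction) -> bytes:
    """Unambiguous encoding of the fields the approval must cover."""
    return f"{tx.amount_cents}|{tx.dest_account}".encode()


def transaction_code(secret: bytes, counter: int, tx: Transaction, digits: int = 8) -> str:
    """Transaction-bound code (an assumed scheme, not a standard): the MAC covers
    the counter AND the amount and destination displayed on the second device,
    so the code is only valid for that exact transfer."""
    msg = struct.pack(">Q", counter) + canonical(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def bank_accepts_unbound(secret: bytes, counter: int, received_tx: Transaction, code: str) -> bool:
    """Server check for a plain OTP: the received transaction is never consulted."""
    return hmac.compare_digest(hotp(secret, counter), code)


def bank_accepts_bound(secret: bytes, counter: int, received_tx: Transaction, code: str) -> bool:
    """Server recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(transaction_code(secret, counter, received_tx), code)


def scenario(bound: bool) -> bool:
    """True if the bank accepts a transfer that differs from the one the user approved.
    Constructed values: shared secret, counter and both transfers."""
    secret = b"constructed-shared-secret"
    counter = 41
    seen_by_user = Transaction(100_000, "USER-SAVINGS-0001")       # $1,000 to own account
    received_by_bank = Transaction(10_000_000, "OTHER-ACCT-9999")  # $100,000 elsewhere
    if bound:
        code = transaction_code(secret, counter, seen_by_user)
        return bank_accepts_bound(secret, counter, received_by_bank, code)
    code = hotp(secret, counter)
    return bank_accepts_unbound(secret, counter, received_by_bank, code)


if __name__ == "__main__":
    print("plain OTP, altered transfer accepted:", scenario(bound=False))  # True
    print("bound code, altered transfer accepted:", scenario(bound=True))  # False
```

The point of the bound variant is that the second device must display, and the server must recompute over, the same canonical amount and destination; the code itself carries no extra information, it just cannot be reused for a different transfer. Which fields go into `canonical` is the whole design question: anything left out can still be altered in transit.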