
All banks in the EU are required to use 2FA, I'm curious how these hackers get around that.



1. One SMS every 90 days, because the security teams have no idea how MFA works (I know, I work there). Even if you hop devices. See https://try.popho.be/psd2.html

2. It's just a little dev step away: http://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html . Phish kits will evolve, UX will still be bad, and phishing will still happen.

See also https://sakurity.com/blog/2015/07/18/2fa.html


> 1. One SMS every 90 days,

Wow that's bad.

Here in Norway we use a system called BankID that uses the SIM in your mobile and it does it every time I log in.


Some banks know security better than others

And yes the login one might be every 90 days, but to do a transaction there might be an extra one

(yes Germany did away with paper TANs (2FA codes) in 2019 yay - thankfully not all banks are that stupid)


For quite a long time my bank used cargo culted 2FA i.e. 2x things that you know. Pretty embarrassing really. Thankfully they now have a card reader device but it's only used for certain actions (like adding new payees).


In the EU? That definitely wouldn't be compliant, unless we're talking about 90s or something.


I didn't have internet banking in the 90s but it's probably been 10 years or so since they sent out the card readers.

Found some random blog which suggests it was circa 2007. http://www.craigmurphy.com/blog/?p=634


"required to use 2FA" for login, or "required to use 2FA" to conduct transactions?

I'm asking because my (German) bank only very recently changed to requiring 2FA every X days for login. I'm very curious if they are actually compliant, since I used to be able to log in just with 1 factor to see my current balance (but not conduct any transactions).


Currently 2FA (legally known as "strong customer authentication") for logging in to payment services (like banks) when one wasn't performed in 90 days is required in the EEA.

IMO implementing the bare minimum this does nothing for security. However, often banks do that, and even if you try to look intentionally suspicious (say, use a VPN in United States with another web browser on another operating system) they don't care and won't ask you for 2FA.


For me it's only 2FA for transactions.


That's why the second, more advanced phishing page was trying to immediately log in with the just acquired login credentials.

If a 2FA challenge is presented, it is relayed to the victim on the phishing website, and as soon as the code is submitted, it is relayed to the real bank's website in turn.


In this case (with the second page) it looked like after you put in your credentials they put you in a loop while they tried to use your logins.

I assume that if the banking backend told them the verification sms or whatever is sent, they would have asked the user about it and just forwarded it


Wouldn't a phishing site be able to proxy the challenge and then record and proxy the response which the user types in? I.e. MITM the 2fa?


Yes, there is existing software to automate this, I presume that competent bad guys already use that.

However you can't do this to WebAuthn (or its non-standard predecessor U2F). The WebAuthn challenge is bound to a DNS name, by the client browser. So https://fake-bank.example/important/urgent/thing/ignore/the/... can't get credentials for real-bank.example even if the human is utterly convinced the fake site is their real bank, because you need to fool the web browser not just a human.

AFAIK zero banks use WebAuthn...
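An added example (not code from the thread) of the relying-party side of the origin binding described above: the browser writes the page origin into clientDataJSON and the authenticator hashes the RP ID, so a server that checks both rejects an assertion collected on a relaying phishing page even when the challenge was forwarded unchanged. RP_ID, RP_ORIGIN and all function names are assumed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed values for this example: the bank's relying-party ID and origin.
RP_ID = "real-bank.example"
RP_ORIGIN = "https://real-bank.example"

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser builds clientDataJSON itself: the challenge it was handed plus the
    # origin of the page that called navigator.credentials.get(). The page cannot
    # choose the origin field.
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) + flags byte with UP set + 4-byte signCount.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")

def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Type, challenge, origin and rpIdHash checks from WebAuthn assertion verification.
    The signature over authData || SHA-256(clientDataJSON) is omitted for brevity."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], expected_hash):
        return False, "rpIdHash mismatch"
    return True, "ok"

def simulate(page_origin: str):
    # The bank issues a fresh challenge; a relaying phishing page forwards it unchanged,
    # but the browser still records the page's own origin and RP ID.
    challenge = secrets.token_bytes(32)
    rp_id = urlparse(page_origin).hostname
    return verify_assertion(browser_client_data(page_origin, challenge),
                            authenticator_data(rp_id), challenge)
```

Contrast this with an SMS or TAN code, which carries no information about where the user typed it, so the same relay succeeds.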


Depends what you want to achieve. With wire transfers there's usually (always?) info about amount and last few digits of the account you're transferring money to on your 2FA provider.


If they are already sending you an SMS maybe they can try to fake that as well and access your account immediately with the expiring token.



